[ { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For Operation Dust Storm, the threat actors established domains as part of their operational infrastructure." }, { "role": "assistant", "content": "T1583.001 - Domains" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "reg query HKLM /f password /t REG_SZ /s" }, { "role": "assistant", "content": "T1552.002 - Unsecured Credentials: Credentials in Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pay2Key can stop the MS SQL service at the end of the encryption process to release files locked by the service." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Although the developers attempt to use a denylist of files and directories to skip, it was observed encrypting core Windows operating system files, which caused the operating system to become unstable and crash. This was observed when running the ransomware on a Windows 2012 machine" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WIRTE has obtained and used Empire for post-exploitation activities." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy uses cmd.exe to execute commands on the system." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "njRAT can browse file systems using a file manager module." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Strider has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access." }, { "role": "assistant", "content": "T1090.001 - Proxy: Internal Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HIDEDRV is a rootkit that hides certain operating system artifacts." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has gathered information about local network connections using ." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Deep Panda has updated and modified its malware, resulting in different hash values that evade detection." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has disabled host-based firewalls. The group has also globally opened port 3389." }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The impact of finding this implant on your network is severe and most likely indicates the presence of other footholds or compromised systems. This backdoor provides ample capability for the attacker to propagate and compromise other hosts and critical data using this as a very stealthy beachhead" }, { "role": "assistant", "content": "T1556.004 - Network Device Authentication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carberp has connected to C2 servers via HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS." }, { "role": "assistant", "content": "T1018 - Remote System Discovery', 'T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The first stage implant that is nested in the DOTM file, is using triple base64 encoding in the Visual Basic Macro - The extracted DLL (desktop.dat) is packed with the Themida packer attempting to make analysis more difficult" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Filename Part-I.doc File Size 11349102 bytes MD5 92942c54224cd462dd201ae11a560bb8 SHA1 85a21624df2211af3daf05c86a3fbea8271059d3 Notes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Here, we show an example of a PDF campaign as seen from the point of view of the affected user. This malicious PDF only contains a URL to entice the user to view the file. If the user chooses to click on the URL link and to read the actual content of the file, the browser will open a legitimate Google location which will redirect the browser to a malicious document. Browser redirection Finally, the malicious Word document is opened and the VBA macro code is run after the user allows for the editing of the content within Word. This eventually kickstarts the rest of the infection chain, terminates the Word process to hide the original file and opens a new Word instance to display a non-malicious decoy document dropped to the disk drive by one of the previous stages. Malicious Word document The decoy document remains constant throughout the campaign and is likely a side effect of the Threadkit exploit toolkit and cannot be relied upon for attribution. Decoy document opened in Word" }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot has retrieved PuTTY credentials by querying the \"Software\\SimonTatham\\Putty\\Sessions\" registry key" }, { "role": "assistant", "content": "T1552.002 - Unsecured Credentials: Credentials in Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For C0011, Transparent Tribe established SSL certificates on the typo-squatted domains the group registered." }, { "role": "assistant", "content": "T1587.003 - Digital Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Forensic analysis indicates that many of these tools were executed during the timeframe in which the actor was accessing the system. Of note, the threat actors installed Python 2.7 on a compromised host of one staging victim, and a Python script was seen at C:\\Users\\<Redacted Username>\\Desktop\\OWAExchange" }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has exfiltrated stolen victim data through C2 communications." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It mimics the icon Finder usually applies to JPEG or text files to increase the likelihood the recipient will double-click the file" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "actors have been known to copy files to the network shares of other computers to move laterally." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Proxysvc uses HTTP over SSL to communicate commands with the control server." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used Putty to access compromised systems." }, { "role": "assistant", "content": "T1021 - Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GravityRAT supports file encryption (AES with the key \"lolomycin2017\")." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pony can download additional files onto the infected system." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HotCroissant has the ability to download files from the infected host to the command and control (C2) server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actors operate a Kubernetes cluster, which allows them to conduct distributed and large-scale targeting using password spray and password guessing" }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of performing keylogging." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Regarding to downloading and executing a tool, Flagpro stores the downloaded file in file path “%Temp%\\~MY[0-9A-F].tmp” first. Then, Flagpro adds extension “.exe” to the name of stored file and executes the file" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses reg add to add a Registry Run key for persistence." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has sent spearphishing attachments attempting to get a user to open them." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShadowPad has deleted arbitrary Registry values." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The state command sets a global variable containing a series of Boolean values represented as ASCII values ‘0’ or ‘1’ and also adds itself to the configuration file" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cryptoistic can engage in encrypted communications with C2." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Caterpillar WebShell can gather the IP address from the victim's machine using the IP config command." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Python/TeleBot malware uses exactly the same approach; the Python backdoor code is obfuscated and packed into a standalone executable using PyInstaller. In addition, the Python code is ROT13 encoded, AES encrypted, compressed using zlib library and then Base64 encoded" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has enumerated the host machine’s IP address." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The batch-files appear to be used to load the Cobalt Strike beacon, but also to perform discovery commands on the compromised system" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT12 has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611)." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dyre has a command to download and executes additional files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crutch can monitor for removable drives being plugged into the compromised machine." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Command Functionality Init Create a reverse shell Write Write a file to the compromised system from the C2 server List List the files in a directory Upload Upload a file from the compromised system to the C2 server Table 2" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At the second stage, the attackers remotely connected to the device and scanned the local network seeking to gain access to public shared folders, web servers, and any other open resources. The aim was to harvest information about the network, above all, servers and workstations used for making payments. If the firewall blocked access from one segment of the network to another, but allowed a reverse connection, the attackers used a different payload to build tunnels" }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can write and execute PowerShell scripts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Destover-like variant used by uses a batch file mechanism to delete its binaries from the system." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack can collect the victim's computer name, hostname and adapter information to create a unique identifier." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET identifies the macOS version and uses \"ioreg\" to determine serial number." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER can use base64 encoded C2 communications." }, { "role": "assistant", "content": "T1001 - Data Obfuscation', 'T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerDuke has commands to get the time the machine was built, the time, and the time zone." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OutSteel can upload files from a compromised host over its C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shlayer is perhaps the most talked about macOS malware at the moment and hit the news again recently after being caught sneaking past Apple’s macOS Notarization checks. That version of Shlayer was an interesting diversion: using a Mach-O binary written in C++ to execute a Bash shell script in memory. That might well suggest that Apple’s Notarization checks are static rather than dynamic as the telltale Shlayer code is only evident once the packed binary runs" }, { "role": "assistant", "content": "T1059.004 - Command and Scripting Interpreter: Bash" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrongPity can exfiltrate collected documents through C2 channels." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro can check the name of the window displayed on the system." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malicious DLL is also responsible for terminating the cliconfg.exe process and deleting the malicious NTWDBLIB.dll using: cmd /c taskkill /im cliconfg.exe /f /t && del /f /q NTWDBLIB.DLL All the following capabilities described are implemented by the malicious service DLL implant unless specified.   Variant using North Korean Red Cross Another variant (hash: 9e2c0bd19a77d712055ccc0276fdc062e9351436) of the malicious Word dropper uses the same Base64-decoding scheme with a different custom key" }, { "role": "assistant", "content": "T1055 - Process Injection', 'T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The crimeware toolkit has refined its detection of sandbox analysis environments by inspecting the process list and Registry." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Keydnap uses the keychaindump project to read securityd memory." }, { "role": "assistant", "content": "T1555.002 - Securityd Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 obtained information about the configured Exchange virtual directory using \"Get-WebServicesVirtualDirectory\"." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Darkhotel has used a keylogger." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "stages collected data in a text file." }, { "role": "assistant", "content": "T1074 - Data Staged', 'T1074 - Data Staged" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks . Get Free Account . Join Now . Introduction . TeamTNT is a cybercrime group that targets cloud environments including Docker and Kubernetes instances. TeamTNT has also been spotted using a malicious Docker image which can be found on Docker Hub to infect its victims’ servers. The uniqueness of the recent attack observed by Intezer is the group abuses a legitimate open source tool called Weave Scope to gain full control over the victim’s cloud infrastructure. By installing a legitimate tool such as Weave Scope the attackers reap all the benefits as if they had installed a backdoor on the server, with significantly less effort and without needing to use malware. To install Weave Scope on the server the attackers use an exposed Docker API port and create a new privileged container with a clean Ubuntu image. Once installed, the attackers can connect to the Weave Scope dashboard via HTTP on port 4040 and gain full visibility and control over the victim’s infrastructure. To protect yourself from this attack we recommend to: - Close exposed Docker API ports: This attack takes advantage of a common misconfiguration of the Docker API which gives the attacker full control over the Docker service. Therefore, Docker API ports should be closed or contain restricted access policies in the firewall. Block incoming connections to port 4040: Weave Scope uses default port 4040 to make the dashboard accessible and anyone with access to the network can view the dashboard. Update from Weave Works . Weave Works has since provided this in-depth article on how to prevent malicious attacks using Weave Scope" }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Snippets of HOLMIUM PowerShell backdoor (POWERTON) implementing two different persistence mechanisms: WMI event subscription (T1084) and Registry run keys or Startup folder (T1060" }, { "role": "assistant", "content": "T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT1 has used various open-source tools for privilege escalation purposes." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideTwist can collect the username on a targeted system." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "text= from= ai= ags= oe= aq= btnG= oprnd= ai= utm= channel= The page address in the domain of the command and control server is chosen randomly from the list" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY contains a number of modules that can bypass UAC, including through Window's Device Manager, Manage Optional Features, and an image hijack on the `.msc` file extension." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Some additional log file analysis reveals that a dotm file hosted with a. jpg extension was accessed by an Israeli IP address. This IP address likely belongs to a victim in Israel that executed the main DOCX. Based on the analysis of the user-agent string belonging to the Israel IP address Microsoft+Office+Existence+Discovery indicates that the dotm file in question was downloaded from within Microsoft Office (template injection" }, { "role": "assistant", "content": "T1480 - Execution Guardrails" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Imminent Monitor has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CARROTBAT has the ability to download a base64 encoded payload and execute obfuscated commands on the infected host." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AADInternals can register a device to Azure AD." }, { "role": "assistant", "content": "T1098.005 - Device Registration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Custom tools such as REDTRIP, PINKTRIP, and BLUETRIP have also been used to create SOCKS5 proxies between infected hosts" }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used direct Windows system calls by leveraging Dumpert." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Command & Control The malware communicates with the Naver email platform in order to communicate with the operator" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has used tmp files to stage gathered information." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 continued distributing Dridex through early June 2017 using a range of email attachments. Most recently these included PDF attachments with embedded Microsoft Word documents bearing malicious macros that call PowerShell commands that install Dridex" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used the RAT, which communicates over HTTP with a payload encrypted with RC4." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration." }, { "role": "assistant", "content": "T1114 - Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can delete files and optionally overwrite with random data beforehand." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the ability to search for a given filename on a victim." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After encrypting C2 data, BADNEWS converts it into a hexadecimal representation and then encodes it into base64." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TinyZBot contains keylogger functionality." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, the threat actors consistently removed traces of their activity by first overwriting a file using `/c cd /d c:\\windows\\temp\\ & copy \\\\\\c$\\windows\\system32\\devmgr.dll \\\\\\c$\\windows\\temp\\LMAKSW.ps1 /y` and then deleting the overwritten file using `/c cd /d c:\\windows\\temp\\ & del \\\\\\c$\\windows\\temp\\LMAKSW.ps1`." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once gaining a foothold, the threat actors use off-the-shelf tools to ensure persistence, including Remote Desktop Protocol (RDP) to maintain access. While GDPR requirements prevented us from pivoting on Registrant information, the actors reused IP space, reused a certificate, and the aforementioned domain mimicking technique allowed for some pivoting. Toolset . Once gaining a foothold on a user’s system, the threat actors behind STOLEN PENCIL use Microsoft’s Remote Desktop Protocol (RDP) for remote point-and-click access. This means a human is behind the keyboard interacting with a compromised system, and not using a RAT (Remote Access Trojan) with a command-and-control site acting as a proxy between the threat actor and the compromised system. A compromised or stolen certificate was used to sign several PE files used in STOLEN PENCIL for two sets of tools: - MECHANICAL Logs keystrokes to %userprofile%\\appdata\\roaming\\apach. GREASE a tool to add a Windows administrator account with a specific username/password and enable RDP, circumventing any firewall rules. defaultes/1qaz2wsx#EDC - a tool to add a Windows administrator account with a specific username/password and enable RDP, circumventing any firewall rules. Figure 5: Certificate used to sign MECHANICAL/GREASE While the threat actors did use a few tools to automate intrusions, we also found a ZIP archive of tools that demonstrate their propensity for password theft to propagate. Using a combination of stolen passwords, backdoor accounts, and a forced-open RDP service, the threat actors are likely to retain a foothold on a compromised system. Conclusion . While we were able to gain insight into the threat actor’s TTPs (Tools, Techniques, & Procedures) behind STOLEN PENCIL, this is clearly just a small window into their activity" }, { "role": "assistant", "content": "T1078.003 - Valid Accounts: Local Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NavRAT copies itself into a running Internet Explorer process to evade detection." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 has sent spearphishing attachments attempting to get a user to open them." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several malware families are capable of downloading and executing binaries from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates scheduled tasks to establish persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRatReporter sent collected system and network information compiled into a report to an adversary-controlled C2." }, { "role": "assistant", "content": "T1020 - Automated Exfiltration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has used brute force techniques to obtain credentials." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SpeakUp uses the \"ifconfig -a\" command." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly deleted system, security, terminal services, remote services, and audit logs from a victim." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XCSSET downloads browser specific AppleScript modules using a constructed URL with the \"curl\" command, \"https://\" & domain & \"/agent/scripts/\" & moduleName & \".applescript\"." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GrimAgent has sent data related to a compromise host over its C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Peirates can use stolen service account tokens to perform its operations. It also enables adversaries to switch between valid service accounts." }, { "role": "assistant", "content": "T1550.001 - Application Access Token" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc()." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has deployed malware that has copied itself to the startup directory for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When it first starts, crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER may collect network configuration data by running \"ipconfig /all\" on a victim." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A key trait of NOBELIUM’s ongoing activity over the last year has been the abuse of indirect paths and trust relationships to target and gain access to victims of interest for intelligence gain. In the most recent campaign, this has manifested in a compromise-one-to-compromise-many approach—exploiting the service providers’ trust chain to gain broad access to multiple customer tenants for subsequent attacks. NOBELIUM leverages established standard business practices, to target downstream customers across multiple managed tenants. These delegated administrative privileges are often neither audited for approved use nor disabled by a service provider or downstream customer once use has ended, leaving them active until removed by the administrators. If NOBELIUM has compromised the accounts tied to delegated administrative privileges through other credential-stealing attacks, that access grants actors like NOBELIUM persistence for ongoing campaigns" }, { "role": "assistant", "content": "T1199 - Trusted Relationship" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The script itself works as a downloader for additional files needed for loading the malware into the system, which are hosted separately as a ZIP package. We confirmed two different techniques used for distributing the Melcoz backdoor: the AutoIt loader script and DLL Hijack" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TAINTEDSCRIBE has used \"FileReadZipSend\" to compress a file and send to C2." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors used Cain & Abel to crack password hashes." }, { "role": "assistant", "content": "T1110.002 - Brute Force: Password Cracking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Endpoint Protection . The Trojan.Hydraq Incident . It has been about a week since news of the mysterious Hydraq Trojan (also known as Aurora) attack broke with the unveiling of a threat by Google to pull its operations out of China. Although concrete details of the attacks are not yet public, Google made reference to a number of Gmail accounts that were compromised during or after the attacks. In the more sophisticated attacks, the attacker will use a new zero day vulnerability, as obviously this will have a greater success rate. In this attack a PDF file was used to exploit the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (CVE-2009-1862/BID35759). This PDF installed a Trojan horse which was an earlier version of the current Trojan.Hydraq. Considering the efforts that the attackers put into staging the attack as a whole, the end malware is not so sophisticated. This means the remote attacker has the ability to see in real time any user interface activity as if they were sitting right next to the user. The backchannel URL addresses have been changed by the Dynamic DNS sites to resolve to a loopback address (127.0.0.2). This in effect severs the connection to the control servers. As described in the previously posted blog (Hydraq - An Attack of Mythical Proportions), an unpatched Internet Explorer vulnerability (BID 37815) was used as one of the propagation vectors for this particular Trojan.Hydraq attack. This security hole allows remote exploitation, which means that attackers can run any malicious code of their liking on a victim’s machine by taking advantage of the vulnerability. The use of browsers other than Internet Explorer by an increasingly large number of people may have helped limit the “attack surface” by reducing the number of computers vulnerable to the Internet Explorer vulnerability used in this attack" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN5 has cleared event logs from victims." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OutSteel can automatically scan for and collect files with specific extensions." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TajMahal has the ability to identify running processes and associated plugins on an infected host." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HotCroissant has the ability to list the names of all open windows on the infected host." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrifeWater can collect the user name from the victim's machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains the getFirefoxPassword function to attempt to locate Firefox passwords." }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GuLoader can download further malware for execution on the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can gather the victim user name." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The ScreenUtil module, which was first reported in 2017, takes a screenshot of the current user's desktop. All variants analyzed by CTU researchers were hard-coded to drop the captured image files to %APPDATA%\\Update\\Tmp" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CreepySnail can use Base64 to encode its C2 traffic." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The script will send the specified number of DNS queries using the following format, each of which the C2 will respond with an IPv6 address that the script will treat as a string of data:   www...   The payload will treat the data provided by the C2 as a message, which will have the following structure:   hello   The message will start with the string hello followed by a 35-character UUID string" }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As described in other blog posts, Remcos appears to be developed in C++. As the release notes show, it is actively maintained. 17, 2017 Remcos has the functionalities that are typical of a RAT. It is capable of hiding in the system and using malware techniques that make it difficult for the typical user to detect the existence of Remcos. A good example is the anti-analysis section: It is checking for an outdated artifact, the 'SbieDll.dll'. In our opinion, there are not many analysts using Sandboxie these days anymore. Below you can see the Remcos VMware detection code: The following is a code sample from aldeid.com: The blog referenced above has already described several functions of Remcos features in detail. We would like to focus on Remcos' cryptographic implementation. It uses RC4 pretty much everywhere when there is a need to decode or encode any data. Examples are registry entries, C2 server network communication or file paths shown below: The exepath registry data is base64-encoded, RC4-encrypted data. This can be converted into the typical RC4 pseudo code" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Most samples maintain persistence by setting the Registry Run key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors used compromised VPN accounts to gain access to victim systems." }, { "role": "assistant", "content": "T1078 - Valid Accounts', 'T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MechaFlounder begins by entering a loop that will continuously attempt to communicate with its C2 server. The Trojan will use HTTP to send an outbound beacon to its C2 server that contains the user's account name and hostname in the URL. The code, seen in Figure 2, builds the URL by concatenating the username and hostname with two dashes \"--\" between the two strings. The code then creates the URL string by using the username and hostname string twice with the back-slash \"\\\" character between the two and by appending the string \"-sample.html" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payload and RAT packages, and password protected encrypted email attachments to avoid detection." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used mshta.exe to execute VBScript to execute malicious code on victim systems." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QAKBOT abuses Wscript to execute a Jscript file." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript', 'T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 used GetPassword_x64 to harvest credentials." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tomiris can download files and execute them on a victim's system." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the \"Invoke-PSRemoting\" module." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "hides collected data in password-protected .rar archives." }, { "role": "assistant", "content": "T1560 - Archive Collected Data', 'T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An APT32 backdoor can use HTTP over a non-standard TCP port (e.g 14146) which is specified in the backdoor configuration." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TIN WOODLAWNTIN WOODLAWN is a targeted threat group, active since at least 2014, that CTU researchers assess with moderate confidence is operated or tasked by the Vietnamese government. TIN WOODLAWN is technically capable and uses a range of techniques including template injection, obfuscated macros and steganography for malware delivery, memory-resident malware, use of native command line scripts for Cobalt Strike persistence, and non-standard command and control channels such as DNS and ICMP.ToolsTaegis™ XDR Adversary Software Coverage Tool" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has used CVE-2016-7255 to escalate privileges." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerSploit's \"Invoke-TokenManipulation\" Exfiltration module can be used to manipulate tokens." }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used VBS and JavaScript scripts to help perform tasks on the victim's machine." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A string with the 5-character length and encoded with BASE64 is added to the beginning of the buffer encoded using the BASE64 algorithm" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro has named malicious browser extensions and update files to appear legitimate." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanHaiShu uses mshta.exe to load its program and files." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDAT has used HTTP if DNS C2 communications were not functioning." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malicious processes are marked red (click image to enlarge): The following malicious files are dropped and run: C:\\ProgramData\\{2ED05C38-D464-4188-BC7F-F6915DE8D764}\\OFFLINE\\9A189DFE\\C7B7C186\\main.vbs dcac79d7dc4365c6d742a49244e81fd0 C:\\Users\\Public\\Libraries\\RecordedTV\\DnE.ps1 7fe0cb5edc11861bc4313a6b04aeedb2 C:\\Users\\Public\\Libraries\\RecordedTV\\DnS.ps1 3920c11797ed7d489ca2a40201c66dd4 “C:\\Windows\\System32\\schtasks.exe” /create /F /sc minute /mo 3 /tn “GoogleUpdateTasksMachineUI” /tr C:\\Users\\Public\\Libraries\\RecordedTV\\backup.vbs 7528c387f853d96420cf7e20f2ad1d32 Command and control server is located in the following domain: tecsupport[.]in A detailed analysis of the malware is provided in two posts by Palo Alto networks and in a post by FireEye, which wrote about previous campaigns by this threat agent" }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once run, the wiper will damage the Master Boot Record (MBR) of the infected computer, rendering it inoperable" }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has created a directory named \"out\" in the user's %AppData% folder and copied files to it." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This RAT is also known for its keylogging and file transfer functionality. As such, any remote attacker can load any files onto the infected machine or even steal documents" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OutSteel has been distributed as a malicious attachment within a spearphishing email." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman has been delivered via spearphishing emails that contain a malicious zip file." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The BlackEnergy component KillDisk is capable of deleting Windows Event Logs." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Azorult can collect the username from the victim’s machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The main function of the Trojan interacts with its configured C2 server to obtain additional code to execute" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM primarily relies on compromised domain credentials to move through the target network, and as outlined above, uses several credential harvesting tools. Once they have acquired credentials, the activity group uses PsExec extensively to move laterally between hosts in the target network" }, { "role": "assistant", "content": "T1570 - Lateral Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT used TLS to encrypt command and control (C2) communications." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware queries the value for the flag BeingDebugged from PEB to check whether the process is being debugged." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot has been disguised as a legitimate executable, including as Windows SDK." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It maintains both code and data in the raw, encrypted blobs of data to be decrypted and used at runtime, and hidden functionality that isn’t exposed until runtime" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windshift has used malware to enumerate active processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has left taunting images and messages on the victims' desktops as proof of system access." }, { "role": "assistant", "content": "T1491.001 - Defacement: Internal Defacement" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs most of its operations using Windows Script Host (Jscript and VBScript) and runs arbitrary shellcode ." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "communicates with its C2 server over TCP port 3728." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Babuk can enumerate all services running on a compromised host." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ChChes collects the victim's %TEMP% directory path and version of Internet Explorer." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For example, in the previous variant of BADNEWS, the victim’s unique identifier was stored under a variable named ‘uid’, the username was stored in a variable named ‘u’, etc" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium can check for the presence of specific security products." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aria-body has the ability to enumerate loaded modules for a process.." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has used valid VPN credentials to gain initial access." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additional Reading This PowerShell logging blog post contains more information on improving PowerShell visibility in your environment" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HyperStack can add the name of its communication pipe to \"HKLM\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\lanmanserver\\\\parameters\\NullSessionPipes\"." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems." }, { "role": "assistant", "content": "T1014 - Rootkit', 'T1542.001 - Pre-OS Boot: System Firmware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The following commands were used to create and add the DefaultUser account to the local Administrators group, and subsequently hide the account from the Windows logon screen" }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account', 'T1098 - Account Manipulation', 'T1136.001 - Create Account: Local Account', 'T1564.002 - Hide Artifacts: Hidden Users" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching." }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As my analysis in the previous blog showed, Agent Tesla is a spyware. It monitors and collects the victim’s keyboard inputs, system clipboard, screen shots of the victim’s screen, as well as collects credentials of a variety of installed software. So far, through my quick analysis, this version is similar to the older one" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the ability to create a reverse shell." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In october 2016 Group-IB published the report about the Cobalt group. Network penetration In all cases investigated by Group-IB, the Cobalt group used a set of spear phishing emails to gain initial access to the corporate infrastructure. However, some of the email addresses belong to employees that no longer work at the organization, which means that the Cobalt group likely uses out-of-date mailing lists. Therefore, the Cobalt group registered domains are similar to real ones (for example, diebold.pw), and configured their email server to distribute acting as these legitimate domains (fig. Provision of the malware survivability The Cobalt group uses different methods to ensure malware survivability on corporate networks. The goal is to set the startup path to the executable file or program code, launching it with the powershell.exe shell command to access the Internet resource specified in the code in order to download and install Cobalt Strike module. From our experience, the Cobalt group uses a new method to provide its survivability in every attack. Cobalt Strike provides the ability to use the Artifact Kit framework for these purposes and even modify it, as it is distributed in the source code. Use of standard tools Cobalt Strike is publicly accessible, and can be downloaded in order to learn and create detection rules on the network. Conclusion After infecting one computer on an organization's network, the Cobalt group analyzes the programs used on it and search for critical servers and the computers from which they are accessed" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec." }, { "role": "assistant", "content": "T1110.002 - Brute Force: Password Cracking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the attackers identify the files of interest, the module is instrumented for exfiltration of the files.The VBScript-based file recon module used by the attackers is somewhat different. The URL constructed had the following format:http://<attacker_controlled_domain/>report.php" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has used native WINAPI calls." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OopsIE compresses collected files with a simple character replacement scheme before sending them to its C2 server." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The following diagram illustrates the changes applied to targeted executables after infection has taken place and how these components interact on execution" }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FatDuke can turn itself on or off at random intervals." }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the initial computer on the targeted organization’s network is infected with Vcrodat, Whitefly begins mapping the network and infecting further computers. The attackers rely heavily on tools such as Mimikatz to obtain credentials. Using these credentials, the attackers are able to compromise more machines on the network and, from those machines, again obtain more credentials" }, { "role": "assistant", "content": "T1588.002 - Tool', 'T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DOGCALL can download and execute additional payloads." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a Windows service to establish persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flash object in the .docx file, stored in uncompressed format The Flash object contains an ActionScript which is responsible for extracting the exploit using a custom packer seen in other FinSpy exploits" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SideTwist has the ability to collect the domain name on a compromised host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has stored captured credential information in a file named pi.log." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TajMahal has the ability to identify the MAC address on an infected host." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWiper has used the name `postgressql.exe` to mask a malicious payload." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This IP is of particular interest as historical domain resolutions of this IP revealed that it had resolved to the domain hotmai1l[.]com in the past as well, which was a domain we had previously identified as having a high likelihood of association with DarkHydrus infrastructure" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSOURCE is a PowerShell backdoor." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windshift has used malware to identify the computer name of a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts command and control communications with RC4." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gazer has commands to delete files and persistence mechanisms from the victim." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has used a Twitter account to communicate with ransomware victims." }, { "role": "assistant", "content": "T1585.001 - Social Media Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When you run the command, it sets all the required information about the AD FS to Azure AD for the federated domain. It also creates a relying party trust for the Azure AD to the local AD FS server. When a user is authenticated on AD FS, it creates a security token including claims about the user’s identity. With Azure AD, two claims are used for authentication; UserPrincipalName and ImmutabledId. Basically, the ImmutableId could be any string, as long as it matches the ImmutableId attribute of the user object in Azure AD. Typically the ImmutableId is a base 64 encoded GUID of the user object in on-premises AD (to convert GUID to immutable ID see the tools page). Converting the domain to federated also creates two claim issuance rules. For short, the rules add the UserPrincipalName and ImmutableId claims of the logged in user to the security token. When security token is delivered to Azure authentication platform, it checks the token signature, and if it matches the trust, the user is granted access" }, { "role": "assistant", "content": "T1484 - Domain or Tenant Policy Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Molerats has delivered compressed executables within ZIP files to victims." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX_OCEANLOTUS.D uses the command \"xattr -d com.apple.quarantine\" to remove the quarantine file attribute used by Gatekeeper." }, { "role": "assistant", "content": "T1553.001 - Subvert Trust Controls: Gatekeeper Bypass" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot has a module that can proxy C2 communications." }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the malware was persisted and kicked off the launch items, it invokes a function named create_rescue_executable to create yet another copy of itself. This copy will made in the user’s Library directory. Its named starts with a . so that it won’t show up in the UI (i.e. Finder.app), and is then followed via 9 random characters" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can spawn processes with alternate PPIDs." }, { "role": "assistant", "content": "T1134.004 - Access Token Manipulation: Parent PID Spoofing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThreatNeedle has been distributed via a malicious Word document within a spearphishing email." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RCSession has used a file named English.rtf to appear benign on victim hosts." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "executes a binary on the system and logs the results into a temp file by using: cmd.exe /c \" > %temp%\\PM* .tmp 2>&1\"." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MESSAGETAP has XOR-encrypted and stored contents of SMS messages that matched its target list." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "menuPass has used Ntdsutil to dump credentials." }, { "role": "assistant", "content": "T1003.003 - OS Credential Dumping: NTDS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used batch scripts to enumerate network information, including information about trusts, zones, and the domain." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackMatter uses EnumServicesStatusExW to enumerate running services on the network." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Various malware enumerates logged-on users." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Current variants will often drop or retrieve secondary executables to inject into, or they will attempt to inject into known (and vulnerable) binaries already present on targeted hosts" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Xbash can create a Startup item for persistence if it determines it is on a Windows system." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor's dispatcher can execute additional plugins by loading the respective DLLs." }, { "role": "assistant", "content": "T1129 - Server Software Component" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The configuration file for Torisma is encrypted using the algorithm VEST[1] in addition to the communication sent over the C2 channel. From our research this encryption method is not commonly used anywhere, in fact it was a proposed cipher that did not become a standard to be implemented in general technologies[2" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel', 'T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Linux Rabbit maintains persistence on an infected machine through rc.local and .bashrc files." }, { "role": "assistant", "content": "T1546.004 - Event Triggered Execution: .bash_profile .bashrc and .shrc" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DRATzarus can use HTTP or HTTPS for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The threat actor connected via Remote Desktop from a Domain Controller to a vCenter server and opened a PowerShell console, then used the PowerShell command -ep bypass to circumvent the execution policy. Using the Windows Azure Active Directory PowerShell Module, the threat actor connected to the victim’s O365 tenant and began performing enumeration queries" }, { "role": "assistant", "content": "T1087.002 - Account Discovery: Domain Account', 'T1482 - Domain Trust Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkWatchman can use WMI to execute commands." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Filename The_Four_Traps_for_China.doc File Size 4428595 bytes MD5 7659c41a30976d523bb0fbb8cde49094 SHA1 3f1f3e838a307aff52fbcb5bba5e4c8fe68c30e5 Notes Malicious RTF document that exploits CVE-2017-8570 and drops QuasarRAT file qrat.exe" }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ServHelper has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The \"Uploader\" variant of HAMMERTOSS visits a hard-coded server over HTTP/S to download the images HAMMERTOSS uses to receive commands." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 2 Code that issues DNS query to gogle.co if a debugger is detected All DNS requests issued by RogueRobin use the built in nslookup.exe application to communicate to the C2 server and the Trojan will use a variety of regular expressions to extract data from the DNS response" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kobalos can remove all command history on compromised hosts." }, { "role": "assistant", "content": "T1070.003 - Indicator Removal on Host: Clear Command History" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX_OCEANLOTUS.D can run commands through a terminal on the victim’s machine." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Group has used Remote Desktop Protocol to conduct lateral movement." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In December 2019, another version of the AppleJeus malware was identified on Twitter by a cybersecurity company based on many similarities to the original AppleJeus malware. In contrast, open-source reporting stated that the Windows version might have been downloaded via instant messaging service Telegram, as it was found in a “Telegram Downloads” folder on an unnamed victim" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ConnectWise can be used to execute PowerShell commands on target machines." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Avaddon bypasses UAC using the CMSTPLUA COM interface." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro can download additional malware from the C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "zwShell has been copied over network shares to move laterally." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware can use process hollowing to inject one of its trojans into another process." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RTM can download additional files." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs service discovery using net start commands." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gorgon Group has used \"-W Hidden\" to conceal PowerShell windows by setting the WindowStyle parameter to hidden." }, { "role": "assistant", "content": "T1564.003 - Hide Artifacts: Hidden Window" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "configured its payload to inject into the rundll32.exe." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Keydnap puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program." }, { "role": "assistant", "content": "T1036.006 - Masquerading: Space after Filename" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy performs persistence with a logon script via adding to the Registry key \"HKCU\\Environment\\UserInitMprLogonScript\"." }, { "role": "assistant", "content": "T1037.001 - Boot or Logon Initialization Scripts: Logon Script (Windows)" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For C&C communication, POLONIUM abuses common cloud services such as Dropbox, OneDrive, and Mega." }, { "role": "assistant", "content": "T1136.003 - Create Account: Cloud Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FELIXROOT uses WMI to query the Windows Registry." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group malware has collected Microsoft Office documents from mapped network drives." }, { "role": "assistant", "content": "T1039 - Data from Network Shared Drive" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An APT19 HTTP malware variant decrypts strings using single-byte XOR keys." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has infected victims by tricking them into visiting compromised watering hole websites." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "operates over ports 21 and 20." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The second family of Lazarus malware appearing in recent months has, as far as we are aware, received little to no analysis from researchers, possibly due to its targeted nature and a lack of ITW sightings" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kazuar has used compromised WordPress blogs as C2 servers." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An official website of the United States government . Here’s how you know . Official websites use .gov A .gov website belongs to an official government organization in the United States. Secure .gov websites use HTTPS A lock (LockA locked padlock) or https:// means you’ve safely connected to the .gov website. O’Reilly of the Defense Criminal Investigative Service (DCIS) of the U.S. Among other things, Zhu and Zhang registered IT infrastructure that the APT10 Group used for its intrusions and engaged in illegal hacking operations. The indictment alleges that the defendants were part of a group that hacked computers in at least a dozen countries and gave China’s intelligence service access to sensitive business information,” said Deputy Attorney General Rosenstein. It's going to take all of us working together to protect our economic security and our way of life, because the American people deserve no less. The APT10 Group used some of the same online facilities to initiate, facilitate and execute its campaigns during the conspiracy. Earlier, beginning in or about 2006, members of the APT10 Group, including Zhu and Zhang, engaged in an intrusion campaign to obtain unauthorized access to the computers and computer networks of more than 45 technology companies and U.S. To avoid antivirus detection, the malware was installed using malicious files that masqueraded as legitimate files associated with the victim computer’s operating system. Such malware enabled members of the APT10 Group to monitor victims’ computers remotely and steal user credentials" }, { "role": "assistant", "content": "T1199 - Trusted Relationship" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has queried the Registry to identify victim information." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Network Downloader The Network Downloader functionality allows the actor to quickly upload user files from remote victim systems" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this version, a shortcut is created in order to launch winnit.exe in the following path %USERPROFILE%\\Start Menu\\Programs\\Startup\\Anti virus service.lnk. As in the previous version, the ID of the infected system is generated with exactly the same method. The C2 is different and the analysed version this time only contains a single domain" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX has a module for enumerating TCP and UDP network connections and associated processes using the \"netstat\" command." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "adbupd can run a copy of cmd.exe." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains code to delete files from the victim’s machine." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BUGJUICE is a backdoor that is executed by launching a benign file and then hijacking the search order to load a malicious dll into it" }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Transparent Tribe has crafted malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A C&C address (103.82.52[.]18) which was found in one of MosaicRegressor’s variants (MD5:3B58E122D9E17121416B146DAAB4DB9D) was observed in use by the ‘Winnti umbrella and linked groups’, according to a publicly available report. Since this is the only link between our findings and any of the groups using the Winnti backdoor, we estimate with low confidence that it is indeed responsible for the attacks." }, { "role": "assistant", "content": "T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware initiates its main function of capturing user keystrokes and sending them to the control server using standard Windows networking APIs" }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging', 'T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bandook has used .PNG images within a zip file to build the executable." }, { "role": "assistant", "content": "T1027.003 - Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo can send the data it collects to the C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Along with the JavaScript RAT, DarkWatchman features a C# keylogger. The keylogger is distributed as obfuscated C# source code that is processed and stored in the registry as a Base64-encoded PowerShell command. When the RAT is launched, it executes this PowerShell script which, in turn, compiles the keylogger (using CSC) and executes it. Instead, it writes it’s keylog to a registry key that it uses as a buffer" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Whenever winword makes any graphical call, the shellcode executes. This technique to hijack control flow has also been used by other sophisticated attackers such as FinFisher. Lazarus has also used other novel methods to execute shellcode such as by using the function EnumSystemLocalesA as a callback to shellcode written to executable heap" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1574.013 - KernelCallbackTable', 'T1620 - Reflective Code Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While analyzing this intrusion, we observed further persistence via scheduled tasks associated with post-exploitation activities.. . This scheduled task with name HpSupport executed a Cobalt Strike Beacon kaslose64.dll both on the Domain Controller and the File Server:" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task', 'T1053 - Scheduled Task/Job" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete malware used Python’s urllib library to make HTTP requests to the C2 server." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Interestingly, the delivery document borrowed a technique which was publicized in late 2017 as being used by the Sofacy threat actors, embedding the main malicious code in a EXIF metadata property of the document" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Winnti for Windows can set the timestamps for its worker and service components to match that of cmd.exe." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2)." }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Visual Basic macro uses the following command line: cmd /c expand %TEMP%\\setup.cab -F:* %TEMP% && cd /d %TEMP% && del /f /q setup.cab && uacme.exe The control server credential information contained in the CAB files is different: Decoded credential data contained in another ipnet.ini" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Heyoka Backdoor can decrypt its payload prior to execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Several Ke3chang backdoors achieved persistence by adding a Run key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to set certain attributes such as creation/modification timestamps on files." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can SSH to a remote service." }, { "role": "assistant", "content": "T1021.004 - Remote Services: SSH" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has exfiltrated data in HTTP POST headers." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "surveys a system upon check-in to discover active local network connections using the netstat -an, net use, net file, and net session commands." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, the Program Files directory, and Recent. Turla RPC backdoors have also searched for files matching the \"lPH*.dll\" pattern." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation North Star C2 infrastructure consisted of compromised domains in Italy and other countries. Compromised domains belonged, for example, to an apparel company, an auction house and printing company. These URLs hosted malicious DOTM files, including a malicious ASP page" }, { "role": "assistant", "content": "T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The C# implementation of the CharmPower command execution module can use \"cmd\"." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT has the ability to gather a list of files and directories on the infected system." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has encrypted documents and malicious executables." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "An appetite for stolen code-signing certificates Suckfly has a number of hacktools and malware varieties at its disposal. Figure 1 identifies the malware and tools based on functionality and the number of signed files with unique hashes associated with them" }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Trojan will then use the following regular expression to check the HTTP response to the content upload request for the file identifier value: \\”id\\”:(.*) The Trojan will use this file identifier value to monitor for changes made to the file by the actor by checking for changes to the modification time of the .txt file" }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Denis will decrypt important strings used for C&C communication." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened. The actors also used batch scripting." }, { "role": "assistant", "content": "T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has stopped the MSExchangeIS service to render Exchange contents inaccessible to users." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sys10 uses an XOR 0x1 loop to encrypt its C2 domain." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Along with the HTTP part, the binary part was also updated. The encryption remained the same, but Emotet dropped Google Protocol Buffer and switched to its own format. The compression algorithm also changed, with zlib replaced by liblzf. More details about the new protocol can be found in the Threat Intel and CERT Polska reports." }, { "role": "assistant", "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum's loader can check the amount of physical memory and terminates itself if the host has less than 1.5 Gigabytes of physical memory in total." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has executed malware with \"regsvr32s\"." }, { "role": "assistant", "content": "T1218.010 - Signed Binary Proxy Execution: Regsvr32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains commands to list files and directories, as well as search for files matching certain extensions from a defined list." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The IceApple Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERTON can install a Registry Run key for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lokibot has used several packing methods for obfuscation." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rising Sun can modify file attributes to hide files." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can start SOCKS proxy threads." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NOKKI has used FTP for C2 communications." }, { "role": "assistant", "content": "T1071.002 - File Transfer Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In the example, the POWRUNER client sends a random GET request to the C2 server and the C2 server sends the random number (99999999990) as a response. As the response is a random number that ends with ‘0’, POWRUNER sends another random GET request to receive an additional command string. The C2 server sends back Base64 encoded response" }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "(Source: Dell SecureWorks) Passwords, like \"admin-na-google123!@#\" shown in Figure 4, are required to interact with the web shell" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mivast has the capability to open a remote shell and run basic commands." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrailBlazer is a sophisticated malware family that provides modular functionality and a very low prevalence. TrailBlazer persists on a compromised host using WMI event subscriptions4 — a technique also used by SeaDuke — although this persistence mechanism is not exclusive to COZY BEAR.5" }, { "role": "assistant", "content": "T1001.001 - Junk Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkComet gathers the username from the victim’s machine." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThiefQuest uses various API to perform behaviors such as executing payloads and performing local enumeration." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After gaining access to the victim’s environment (presumably by using stolen credentials, either obtained via phishing, or bought on the dark web), the attacker sets up remote tunnelling using a SSH tool. The tool is configured to redirect traffic from a malicious domain to a proxy that is listening on a local port. The tunnel is authenticated using the attacker’s private key" }, { "role": "assistant", "content": "T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "modifies the time of a file as specified by the control server." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exaramel for Linux can uninstall its persistence mechanism and delete its configuration file." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Reports system hardware and software configuration. This built-in utility is a command line version of the System Information.app (/Applications/Utilities/System Information.app) and is a mainstay of all types of malware, spyware, post-exploitation tools, adware, and PUPs. Because of its deep insight into the entire environment, it can be used for a variety of purposes relating to environment discovery, detection evasion and anti-analysis" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The only way to ensure that deleted files, as well as files that you encrypt with EFS, are safe from recovery is to use a secure delete application. Secure delete applications overwrite a deleted file's on-disk data using techniques that are shown to make disk data unrecoverable, even using recovery technology that can read patterns in magnetic media that reveal weakly deleted files. SDelete (Secure Delete) is such an application. Note that SDelete securely deletes file data, but not file names located in free disk space" }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion', 'T1485 - Data Destruction" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The group has made significant improvements to their arsenal recently and has both developed new tools and modified existing ones. The key observations covered below are based on CrowdStrike® Intelligence analysis of BazarLoader, Conti and Ryuk operations" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HOMEFRY uses a command-line interface." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download or upload files from its C2 server." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains junk code in its binary, likely to confuse malware analysts." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has deleted Windows Event Logs to hinder forensic investigation." }, { "role": "assistant", "content": "T1070.001 - Indicator Removal on Host: Clear Windows Event Logs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Scan the network environment of the infected machine; checks for availability of specific ports on servers that share the same internal and external subnet mask (i.e 255.255.0.0\\16)" }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LightNeuron uses AES to encrypt C2 traffic." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cuba has used several built-in API functions for discovery like GetIpNetTable and NetShareEnum." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Green Lambert has created a new executable named `Software Update Check` to appear legitimate." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rising Sun can test a connection to a specified network IP address over a specified port number." }, { "role": "assistant", "content": "T1016.001 - System Network Configuration Discovery: Internet Connection Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used the “net view” command to locate mapped network shares." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "At execution, it installs an application-defined Windows hook. The hook gets windows messages indicating when a network drive has been attached. Upon adding a network drive, the hook calls its “RecordToFile” file stealer method" }, { "role": "assistant", "content": "T1056.004 - Input Capture: Credential API Hooking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Further reconnaissance is performed in the environment to identify privileged users. First, the built-in net.exe and nltest.exe are used." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bankshot uploads files and secondary payloads to the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IceApple's Credential Dumper module can dump LSA secrets from registry keys, including: `HKLM\\SECURITY\\Policy\\PolEKList\\default`, `HKLM\\SECURITY\\Policy\\Secrets\\*\\CurrVal`, and `HKLM\\SECURITY\\Policy\\Secrets\\*\\OldVal`." }, { "role": "assistant", "content": "T1003.004 - OS Credential Dumping: LSA Secrets" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can dump passwords and save them into \\ProgramData\\Mail\\MailAg\\pwds.txt." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSTATS can sleep for a given number of seconds." }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Deleting volume shadow copies is very typical behavior of ransomware. The Nefilim ransomware uses WMIC with the following command to delete all volume shadow copies on the system to prevent recovery. WMIC is a command-line utility to access WMI." }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke used scripts which detected and uninstalled antivirus software." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery', 'T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Psylo exfiltrates data to its C2 server over the same protocol as C2 communications." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT39 has used CrackMapExec and a custom port scanner known as BLUETORCH for network scanning." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OilRig has delivered malicious links to achieve execution on the target system." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses HTTP for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rifdoor has been distributed in e-mails with malicious Excel or Word documents." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can steal access tokens from exiting processes and make tokens from known credentials." }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShells scripts to download Pupy." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems." }, { "role": "assistant", "content": "T1014 - Rootkit', 'T1542.001 - Pre-OS Boot: System Firmware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Before writing to disk, inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections." }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT1 used the commands \"net localgroup\",\"net user\", and \"net group\" to find accounts on the system." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot has renamed malicious binaries as `wallpaper.mp4` and `slideshow.mp4` to avoid detection." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Reaver queries the Registry to determine the correct Startup path to use for persistence." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used Mshta.exe to execute its payload." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A USB data collecting tool that checks for a connected USB drive and steals certain file types, encrypting them into a RAR file." }, { "role": "assistant", "content": "T1025 - Data from Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One variant of uses HTTP and HTTPS for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used RDP to move laterally to systems in the victim environment." }, { "role": "assistant", "content": "T1021.001 - Remote Services: Remote Desktop Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack’s dropper can list all running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Check the email sender, subject, and body for anything suspicious before downloading and opening email attachments. Check the file extension of the attached file and make sure it is the intended file format. Avoid activating macro for any attached Microsoft Office files, especially for emails that request macro activation using an image of the body of the opened file or those that don’t show anything. Subtle changes to a popular URL can be one indicator of malicious content" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors used the `query user` and `whoami` commands as part of their advanced reconnaissance." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The \"Office Test\" persistence mechanism allows threat actors to execute a Trojan each time a user runs any of the Office applications. This persistence mechanism loads a malicious DLL by leveraging a registry key that appears to be used during the development and testing of Microsoft Office applications. The use of this registry key for persistence is quite clever, as it requires user interaction to load and execute the malicious payload, which makes automated analysis in sandboxes challenging. Low awareness of this persistence method, coupled with the sandbox evasion obtained from user interactions, makes this a potentially attractive persistence method that we believe may be used in future attacks. Unit 42 suggests monitoring for systems that have this registry key already created, as it is possible a threat is already using the key for persistence purposes. Microsoft has added the “Office Test” registry keys to its Autoruns tool for detection purposes as well. Also, we suggest disabling this persistence method by creating the “Office test” registry key in read-only mode as outlined in this blog" }, { "role": "assistant", "content": "T1137.002 - Office Application Startup: Office Test" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windshift has sent spearphishing emails with links to harvest credentials and deliver malware." }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet has been observed to hook network APIs to monitor network traffic." }, { "role": "assistant", "content": "T1040 - Network Sniffing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attack typically begins with an attempt – most probably via a spearphishing email – to lure the intended victim into running the malicious dropper, which is attached to the email. In order to increase the likelihood that the unsuspecting victim will actually click on it, the malicious executable masquerades as a document or spreadsheet by displaying a fake icon" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment', 'T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can gather victim drive information." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The SOMBRAT backdoor is packaged as a 64-bit Windows executable. It communicates with a configurable command and control (C2) server via multiple protocols, including DNS, TLS-encrypted TCP, and potentially WebSockets. The backdoor's primary purpose is to download and execute plugins provided via the C2 server. In contrast to the SOMBRAT version published in November 2020, Mandiant observed additional obfuscation and armoring to evade detection, this SOMBRAT variant has been hardened to discourage analysis. Program metadata typically included by the compiler has been stripped and strings have been inlined and encoded via XOR-based routines" }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BAT files were used to download and execute the Cring ransomware on the other systems in the compromised network. It also uses the Windows CertUtil program to help with the said download." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacSpy can steal clipboard contents." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BLUELIGHT can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers." }, { "role": "assistant", "content": "T1539 - Steal Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can mimic the HTTP protocol for C2 communication, while hiding the actual data in either an HTTP header, URI parameter, the transaction body, or appending it to the URI." }, { "role": "assistant", "content": "T1001.003 - Protocol or Service Impersonation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uploads files and secondary payloads to the victim's machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tropic Trooper used \"netview\" to scan target systems for shared resources." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a command to delete files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has used compromised web servers as part of their operational infrastructure." }, { "role": "assistant", "content": "T1584.004 - Server" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OceanSalt can collect the name and ID for every process running on the system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The purpose of this malware is to allow the actors to download and execute an executable file, as well as download and run batch files to run commands on the end system" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "1) It uses the application programming interface (API) CreateFileA to \\\\.\\PHYSICALDRIVE0 to retrieve the handle of the hard disk. 2) It overwrites the first sector of the disk (512 bytes) with \"0x00\". The first sector is the disk’s MBR. 3) It will try to perform the routines above (steps 1-2) on \\\\.\\PHYSICALDRIVE1, \\\\.\\PHYSICALDRIVE2, \\\\.\\PHYSICALDRIVE3, and so on, as long as a hard disk is available" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has used various types of scripting to perform operations, including batch scripts." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleJeus has required user execution of a malicious MSI installer." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware calls User32.dll's GetKeyboardLayoutList function, inspects the keyboard identifier, and returns true if the result ends in a value between \\x18 thru \\x44 inclusive. This result means the compromised host is whitelisted based on the host's configured keyboard layout. The malware inspects only the lower byte of the full keyboard identifier, so all systems using the keyboard locales listed in Table 4 are immune to REvil. Despite the large number of potential matches, CTU researchers suspect that the malware author intended to identify Russian keyboards based on several other links to the Russia-based GandCrab ransomware" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obfuscates strings using a custom stream cipher." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string `Profile` in its name." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The TerraLoader code performs several integrity checks before dropping the payload. These checks implement anti-debugging techniques and try to identify anomalies to prevent execution in sandboxed environments. Some of these techniques range from detecting incorrect parameters, filenames and extensions, to detecting hardware breakpoints or identifying specific modules loaded into the subject process. Should these checks all pass, the actual payload is decrypted and executed" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Audit all remote authentications from trusted networks or service providers. Detect mismatches by correlating credentials used within internal networks with those employed on external-facing systems. Log use of system administrator commands such as net, ipconfig, and ping" }, { "role": "assistant", "content": "T1133 - External Remote Services" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A .dll file is digitally signed by a certificate from AirVPN." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once executed, NavRAT will immediately leverage cmd.exe to perform a systeminfo and a tasklist check on the system it is running on while writing the output to a TMP file, once again attempting to hide within an AhnLab folder. Interestingly, the attacker has used the >> method to append to the file so there can be multiple outputs written to their single TMP file" }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LightNeuron contains a function to encrypt and store emails that it collects." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Azorult can capture screenshots of the victim’s machines." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "There are two forms of encrypted strings: an RSA256-encrypted string, and custom base64-encoded and RSA256-encrypted string" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT18 actors deleted tools and batch files from victim systems." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer can identify the IP and port numbers for all remote connections from the compromised host." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ke3chang has used credential dumpers or stealers to obtain legitimate credentials, which they used to gain access to victim accounts." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malicious .lnk files contain a link to a URL (instead of the expected local URI) to grab the next payload" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ServHelper may download additional files to execute." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CHOPSTICK encrypts C2 communications with TLS." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ngrok can tunnel RDP and other services securely over internet connections." }, { "role": "assistant", "content": "T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Strings in the malware are obfuscated using the RC4 algorithm and the decryption key stored inside the sample" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC address to \"c8:27:cc:c2:37:5a\"." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StoneDrill can check for antivirus and antimalware programs." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windshift has created LNK files in the Startup folder to establish persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has used a \"DCSync\" command with Mimikatz to retrieve credentials from an exploited controller." }, { "role": "assistant", "content": "T1003.006 - OS Credential Dumping: DCSync" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails." }, { "role": "assistant", "content": "T1071.003 - Mail Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil can use Native API for execution and to retrieve active services." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability." }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanoCore can open a remote command-line interface and execute commands. NanoCore uses JavaScript files." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI has executed malicious JavaScript code." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The frequent checking ensures that any changes made will be quickly followed, and the repeated attempts to run the Revenge RAT binary make it almost certain that even if the process is terminated, the RAT will be running again soon" }, { "role": "assistant", "content": "T1057 - Process Discovery', 'T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can retrieve a list of running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs the tasklist command to list running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf hides collected data in password-protected .rar archives." }, { "role": "assistant", "content": "T1560 - Archive Collected Data', 'T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has created new services for persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShadowPad has used DNS tunneling for C2 communications." }, { "role": "assistant", "content": "T1071.004 - Application Layer Protocol: DNS" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOTHFULMEDIA has created a service on victim machines named \"TaskFrame\" to establish persistence." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Similar to many other ransomware operators, CARBON SPIDER not only encrypted victim files using Darkside, but also exfiltrated data for publication on a dedicated leak site (DLS) hosted on Tor. For exfiltration, CARBON SPIDER primarily leveraged the MEGASync client for hosting provider MEGA but also employed GoToAssist" }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The s.exe (SHA256: 04f48ed27a83a57a971e73072ac5c769709306f2714022770fb364fd575fd462) uploaded to the error2.aspx webshell is a self-extracting 7-zip archive that is an example of the HyperBro backdoor. According to Kaspersky and SecureWorks research, HyperBro is a custom backdoor developed and used by Emissary Panda in their attack campaigns. This sample of HyperBro is similar to the sample discussed in Kaspersky’s research, specifically using a legitimate pcAnywhere application to sideload a DLL to decrypt, decompress and run a payload embedded within a file named ‘thumb.db’. Table 5 shows the three files associated with this HyperBro sample, which have the same file names as the self-extracting 7zip archives mentioned in Kaspersky’s blog (SHA256 hashes: 34a542356ac8a3f6e367c6827b728e18e905c71574b3813f163e043f70aa3bfa and 2144aa68c7b2a6e3511e482d6759895210cf60c67f14b9485a0236af925d8233" }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HDoor scans to identify open ports on the victim." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Malicious obfuscated VBA code is executed when the macro is first enabled" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "establishes persistence by creating the Registry key HKCU\\Software\\Microsoft\\Windows\\Run." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE has used .NET packer tools to evade detection." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The TAINTEDSCRIBE main executable has disguised itself as Microsoft’s Narrator." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has a built-in utility command for netstat, can do net session through PowerView, and has an interactive shell which can be used to discover additional information." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nerex creates a Registry subkey that registers a new service." }, { "role": "assistant", "content": "T1112 - Modify Registry', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cuba can modify services by using the \"OpenService\" and \"ChangeServiceConfig\" functions." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2. Additionally, malware RoyalDNS has used DNS for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Waterbear can use thread injection to inject shellcode into the process of security software." }, { "role": "assistant", "content": "T1055.003 - Thread Execution Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects Keychain storage data and copies those passwords/tokens to a file." }, { "role": "assistant", "content": "T1555.001 - Credentials from Password Stores: Keychain" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CSPY Downloader can bypass UAC using the SilentCleanup task to execute the binary with elevated privileges." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The VPNpro trojanized application uses an AutoRun registry key, as mentioned in the publication released before July 2019. After that, it will check if ESET or BitDefender antivirus are installed before dropping the malware. If they are installed, nothing will be dropped. We'll now break down the 5kplayer trojanized installer" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ThiefQuest uses the \"kill_unwanted\" function to get a list of running processes, compares each process with an encrypted list of “unwanted” security related programs, and kills the processes for security related programs." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If none of the C2 servers respond and the end of the configured hosts list is reached, the modulo operation returns zero, thus host_index is equal to zero and the backdoor waits for the number of milliseconds stored in the <TimeLong> registry key. In our case, this was set to one minute. Then, it starts again and tries to reach the configured C2 servers, again host-by-host, until one response. If a connection to one of the configured C2 servers was set up successfully, the backdoor stays in the inner while loop (C2 control loop) and checks for commands every <TimeShort> number of milliseconds. C2_GetCommand_ComHandler handles the communication with the C2 server. It leverages the Windows WinHttp API similar to this Microsoft example and receives the C2 command along with its parameters. The adversaries use SSL/TLS to encrypt the C2 traffic" }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A keylogging tool used by gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 was the hunting for passwords stored in SYSVOL. This technique relies on passwords that are stored as part of Group Policy Preferences. Passwords stored in this way are encrypted using a known scheme that can easily be decrypted. APT29 GPP password datamining C:\\WINDOWS\\system32\\cmd.exe /C findstr /S /I cpassword \\\\DOMAIN\\sysvol\\DOMAIN\\policies\\*.xml" }, { "role": "assistant", "content": "T1003.008 - OS Credential Dumping: /etc/passwd, /etc/master.passwd and /etc/shadow" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For Operation Sharpshooter, the threat actors used the ExpressVPN service to hide their location." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can enumerate and collect the properties of domain computers." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Victims receive spear phishing emails with attached malicious zip files - typically password protected or HTML file. That file contains an ISO file." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a collection of Privesc-PowerUp modules that can discover and exploit various path interception opportunities in services, processes, and variables." }, { "role": "assistant", "content": "T1034 - Path Interception" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors used HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "esentutl can be used to read and write alternate data streams." }, { "role": "assistant", "content": "T1564.004 - Hide Artifacts: NTFS File Attributes" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT used voStro.exe, a compiled pypykatz (Python version of Mimikatz), to steal credentials." }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When required by the attacker, it is capable of remotely activating the microphone on the compromised computer and capturing sounds. The audio recordings are encoded to MP3 format using a legitimate lame.dll library, which is downloaded and misused by the malware" }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot had used `InstallUtil.exe` to download and deploy executables." }, { "role": "assistant", "content": "T1218.004 - Signed Binary Proxy Execution: InstallUtil" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Nefilim uses WerFault.exe and wermgr.exe for DLL Side Loading, a defense evasion technique used by adversaries to execute malicious payloads by hijacking the library manifest used to load DLLs. Werfault.exe is the Windows Error Reporting binary used by many different programs to report errors." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot has the ability to download additional components and malware." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SECOND STAGE JAVASCRIPT INTO POWERSHELL: The second stage JavaScript creates a PowerShell file with the same name in the same directory" }, { "role": "assistant", "content": "T1064 - Scripting', 'T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FlawedAmmyy has been installed via `msiexec.exe`." }, { "role": "assistant", "content": "T1218.007 - Signed Binary Proxy Execution: Msiexec" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PROMETHIUM has created self-signed certificates to sign malicious installers." }, { "role": "assistant", "content": "T1587.002 - Code Signing Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Further into the infection process, the malware chooses a service name randomly from netsvc in order to use it for the payload creation path. The malware then creates a file named bcdbootinfo.tlp in the system folder containing the infection time and the random service name that is chosen. We’ve discovered that the malware operator checks this file to see whether the remote host was infected and, if so, when the infection happened" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Online news outlets and general websites were breached and weaponized as a vehicle for watering hole attacks" }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dok prompts the user for credentials." }, { "role": "assistant", "content": "T1056.002 - Input Capture: GUI Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 removed evidence of email export requests using \"Remove-MailboxExportRequest\". They temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MCMD has the ability to remove set Registry Keys, including those used for persistence." }, { "role": "assistant", "content": "T1070.009 - Clear Persistence" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "4H RAT has the capability to obtain file and directory listings." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When executed, the .NET Framework wrapper will first check if VMware tools is running in background, this is done via a simple process check, searching for any process named “vmtoolsd. Provided there are no matching processes running, the malware continues execution, creating a registry entry with the name ‘MSASCuiLTasks’ in HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce for persistence. Next, it will copy the first stage shellcode in memory and create a new thread with the shellcode running in it, the code responsible for this execution is shown in Figure 1" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro can utilize web services including Google sites to send and receive C2 data." }, { "role": "assistant", "content": "T1102.002 - Bidirectional Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gh0st RAT can inject malicious code into process created by the “Command_Create&Inject” function." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 has leveraged \"rundll32.exe\" to execute malicious DLLs." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanoCore can access the victim's webcam and capture data." }, { "role": "assistant", "content": "T1125 - Video Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Machete used the startup folder for persistence." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sowbug has used credential dumping tools." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Nefilim ransomware queries volume information (disk volume name and serial number) and Cryptographic Machine GUID. Ransomware families use Cryptographic Machine GUID and volume serial number to generate a unique identifier for the host for encryption/decryption processes. Nefilim obtains Cryptographic Machine GUID by querying the value of MachineGuid in the following Registry key: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has executed a variety of PowerShell scripts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate, signed executable (AcroTranscoder)." }, { "role": "assistant", "content": "T1574.002 - Hijack Execution Flow: DLL Side-Loading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sakula obfuscates many of its strings using single-byte XOR obfuscation. Samples with a 2012 compile timestamp use a key value of either 0x88 or 0x56. Samples compiled in 2013 and 2014 use a key value of 0x56, while the lone 2015 sample uses 0x57" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses scheduled tasks typically named \"Watchmon Service\" for persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 has configured payloads to load via LD_PRELOAD." }, { "role": "assistant", "content": "T1574.006 - Hijack Execution Flow: LD_PRELOAD" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget)." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gamaredon Group has used VNC tools, including UltraVNC, to remotely interact with compromised hosts." }, { "role": "assistant", "content": "T1021.005 - Remote Services:VNC" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "decrypts resources needed for targeting the victim." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The actor has the following demonstrated capabilities:To include exploits (for Hangul and Microsoft Office) in its workflows.To modify its campaigns by splitting the payload in to multiple stages To use compromised web servers or legitimate cloud based platforms" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rclone can list files and directories with the `ls`, `lsd`, and `lsl` commands." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pteranodon can decrypt encrypted data strings prior to using them." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "XTunnel is capable of accessing locally stored passwords on victims." }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT41 deployed rootkits on Linux systems." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "an extra executable; - process hollowing shellcode; - a list of predefined executable names, which the malware uses as a future process name" }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact" }, { "role": "assistant", "content": "T1560 - Archive Collected Data', 'T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used the Ammyy Admin tool as well as TeamViewer for remote access." }, { "role": "assistant", "content": "T1219 - Remote Access Software" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has abused misconfigured AD CS certificate templates to impersonate admin users and create additional authentication certificates." }, { "role": "assistant", "content": "T1649 - Steal or Forge Authentication Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors were observed Base64 encoding files and command strings to evade security measures." }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta', 'T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a backdoor through which remote attackers can download files onto a compromised host." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacSpy persists via a Launch Agent." }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DarkComet can collect the computer name, RAM used, and operating system version from the victim’s machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RAR archiving – files are transferred to staging servers before exfiltration. They may be encrypted or compressed, to make them easier to extract. Certutil – a command-line utility that can be exploited and used for various malicious purposes, such as to decode information, to download files, and to install browser root certificates. Adfind – a command-line tool that can be used to perform Active Directory queries. Csvde – can be used to extract Active Directory files and data. Ntdsutil – can be used as a credential-dumping tool. WMIExec – can be used for lateral movement and to execute commands remotely. It can be used to find information and execute code, and is frequently abused by malicious actors" }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Torisma can use HTTP and HTTPS for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NanoCore can capture audio feeds from the system." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Industroyer used Tor nodes for C2." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This document was alleged to have been written by the Ministry of Reunification as demonstrated by the logo in the top left.Similar to the \"Golden Time\" campaign, this document exploits an EPS vulnerability in order to download and execute shellcode located on a compromised website:hxxp://60chicken[.]co[.]kr/wysiwyg/PEG_temp/logo1.pngThe fake image usage is a common pattern for this group" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A possible explanation for this is that the document was copied to another system with an incorrectly set system time, then saved with the incorrect time" }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used UPX to pack files." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Amongst the downloaded files,  the fake .gif and .jpg files appear to be dependencies for the malware" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerShower, named and previously disclosed by Palo Alto Networks in their blogspot (see above), is a malicious piece of PowerShell designed to receive PowerShell and VBS modules to execute on the local computer. This malware has been used since October 2018 by Cloud Atlas as a validator and now as a second stage" }, { "role": "assistant", "content": "T1218.005 - Signed Binary Proxy Execution: Mshta" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operational since April 2019, the group obtained the GandCrab source code from GOLD GARDEN, the operators of GandCrab that voluntarily withdrew their ransomware from underground markets in May 2019. CTU researchers assess with high confidence that GOLD SOUTHFIELD is a former GandCrab affiliate and continues to work with other former GandCrab affiliates. In December 2019, GOLD SOUTHFIELD began operating a name-and-shame style website that uses stolen data from intrusions to generate additional leverage against victims; a tactic known as double extortion. Despite GOLD SOUTHFIELD's infrastructure being taken down by law enforcement in October 2021, the REvil leak site re-emerged in April 2022 with several new victims added. GOLD SOUTHFIELD also began recruiting exclusively via their leak site using the peer-to-peer secure messaging software Tox Chat. GOLD SOUTHFIELD's affiliates distribute ransomware through a variety of means including exploit kits, scan-and-exploit attacks, publicly-accessible RDP, remote management and monitoring (RMM) servers, and backdoored software installers. As of May 2022, the group continues to operate REvil as a name-and-shame scheme and uses a leak site to post victim information and recruit affiliates" }, { "role": "assistant", "content": "T1195.002 - Compromise Software Supply Chain" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Magic Hound malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOWDRIFT collects and sends system information to its C2." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pandora can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and process the received command." }, { "role": "assistant", "content": "T1205 - Traffic Signaling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Use command-line interfaces to interact with systems and execute other software (Command and Scripting Interpreter [T1059]) - Use scripts (e.g. VBScript and PowerShell) to speed up operational tasks, reduce the time required to gain access to critical resources, and bypass process monitoring mechanisms by directly interacting with the operating system (OS) at an Application Programming Interface (API) level instead of calling other programs (Command and Scripting Interpreter: PowerShell [T1059.001], Command and Scripting Interpreter: Visual Basic [T1059.005]) - Rely upon specific user actions, such as opening a malicious email attachment (User Execution [T1204]) - Exploit software vulnerabilities to execute code on a system (Exploitation for Client Execution [T1203]) - Create new services or modify existing services to execute executables, commands, or scripts (System Services: Service Execution [T1569.002]) - Employ the Windows module loader to load Dynamic Link Libraries (DLLs) from arbitrary local paths or arbitrary Universal Naming Convention (UNC) network paths and execute arbitrary code on a system (Shared Modules [T1129]) - Use the Windows API to execute arbitrary code on the victim's system (Native API [T1106]) - Use a system's graphical user interface (GUI) to search for information and execute files (Remote Services [T1021]) - Use the Task Scheduler to run programs at system startup or on a scheduled basis for persistence, conduct remote execution for lateral movement, gain SYSTEM privileges for privilege escalation, or run a process under the context of a specified account (Scheduled Task/Job [T1053]) - Abuse compiled Hypertext Markup Language (HTML) files (.chm), commonly distributed as part of the Microsoft HTML Help system, to conceal malicious code (Signed Binary Proxy Execution: Compiled HTML File [T1218.001]) - Abuse Windows rundll32.exe to execute binaries, scripts, and Control Panel Item files (.CPL) and execute code via proxy to avoid triggering security tools (Signed Binary Proxy Execution: Rundl32 [T1218.001]) - Exploit cron in Linux and launchd in macOS systems to create pre-scheduled and periodic background jobs (Scheduled Task/Job: Cron [T1053.003], Scheduled Task/Job: Launchd [T1053.004" }, { "role": "assistant", "content": "T1106 - Native API', 'T1059.005 - Command and Scripting Interpreter: Visual Basic', 'T1059.001 - Command and Scripting Interpreter: PowerShell', 'T1053.003 - Scheduled Task/Job: Cron', 'T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed using Nbtscan and nmap to scan and enumerate target network information." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This introduction of string obfuscation also suggests a development change aimed at evading detection. The header codes, filename references, and all of the operator commands were obfuscated and only decoded during execution of the KeyBoy DLL. Figure 6 shows a sampling of these strings, after decoding" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE UNION uses various tools for credential theft. In one incident, the threat actor used the Wrapikatz tool (w.exe) with a usage statement that retrieves various passwords and Windows credentials from memory and compiles them in w.txt" }, { "role": "assistant", "content": "T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can download files onto the victim." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "encrypts C2 content with XOR using a single byte, 0x12." }, { "role": "assistant", "content": "T1573 - Encrypted Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack can collect network and active connection information." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OopsIE exfiltrates command output and collected files to its C2 server in 1500-byte blocks." }, { "role": "assistant", "content": "T1030 - Data Transfer Size Limits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A FinFisher variant uses a custom packer." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA459 has a VBScript for execution." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TG-3390 actors keep track of and leverage existing ASPXTool web shells in their operations, preferring to issue commands via an internally accessible web shell rather than HttpBrowser or PlugX" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "used to remove artifacts from victims." }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet." }, { "role": "assistant", "content": "T1102.003 - One-Way Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Actors used Windows command shell commands to detect and avoid virtualization and analysis environments." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks', 'T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration." }, { "role": "assistant", "content": "T1560.001 - Archive Collected Data: Archive via Utility" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNBURST source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being added to SUNSPOT." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil can identify the domain membership of a compromised host." }, { "role": "assistant", "content": "T1069.002 - Permission Groups Discovery: Domain Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Patchwork payload was packed with UPX." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453. Whitelists files, folders and extensions from encryption. Encrypts files on local and network storage. Customizes the name and body of the ransom note, and the contents of the background image. Exfiltrates encrypted information on the infected host to remote controllers. REvil uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers" }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clambling can establish persistence by adding a Registry run key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "To establish persistence, Okrum can install itself as a new service named NtmSsvc." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE can use Native API including \"CreateProcess\" \"GetProcessById\", and \"WriteProcessMemory\"." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 has downloaded second stage malware from compromised websites." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shark can download additional files from its C2 via HTTP or DNS." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Epic compresses the collected data with bzip2 before sending it to the C2 server." }, { "role": "assistant", "content": "T1560.002 - Archive Collected Data: Archive via Library" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can be used to discover current NetBIOS sessions." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Business info at outsidersecurity.nl . Introducing ROADtools - The Azure AD exploration framework . 15 minute read . Over the past 1.5 years I’ve been doing quite a lot of exploration into Azure AD and how it works under the hood. So I set myself a few goals: - Provide tooling for both Red teams and Blue teams to explore all Azure AD data in an accessible way. Use asynchronous HTTP calls in Python to dump all available information in the Azure AD graph to this database. Where to get the data . Since Azure AD is a cloud service, there isn’t a way to reverse engineer how it works, or a central repository where all the data is stored that you can access. While researching Azure and looking through the requests in the Azure Portal, at some point I noticed that the portal was calling a different version of the Azure AD Graph, the 1.61-internal version. This internal version of the Azure AD graph exposes much more data than any of the official API’s that are offered by Microsoft. To create the object structure, ROADrecon uses the OData metadata definition that the Azure AD graph exposes. ROADrecon will by default pretend to be the Azure AD PowerShell module and will thus inherit its permissions to access the internal version of the Azure AD graph. Gathering all the data . The second step is data gathering, which the roadrecon gather command does. That being said, there is a setting in the deprecated MSOnline PowerShell module which prevents enumeration using the Azure AD graph, which is documented here" }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Config.json\" is a mining config file for XMRig, an open-source Monero miner. The file sets the mining pool as xmr[.]pool[.]MinerGate[.]com:45700 and the actor's wallet as rocke@live.cn. This configuration file contains the same actor pool and wallet information as the first. Lowerv2.sh\" and \"rootv2.sh\" are similar shell scripts that attempt to download and execute the mining malware components \"bashf\" and \"bashg,\" hosted on 118[.]24[.]150[.]172. If the shell scripts do not download a miner from 118[.]24[.]150[.]172, they attempt to download a file called \"XbashY\" from 3g2upl4pq6kufc4m[.]tk. Based on the config file it uses, it appears to be the Monero Silent Miner. This miner can be purchased online for $14 and targets malicious actors. The sample grabs the config file \"xmr.txt,\" which contains the same configuration information as the previous files, from Rocke's command and control (C2) server hosted on sydwzl[.]cn. Intriguingly, this file appears to share some similarities with Cobalt Strike, the popular penetration testing software, which would allow the attacker to have greater control over the infected system. So, while we can asses with high confidence that the payloads share some code base, we are still unsure of the exact relationship between Rocke and Iron Cybercrime Group" }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Enumerates remote open SMB network shares" }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The username appears to be attacker specified and has occurred in 2017 Bankshot samples" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has collected files from victim machines, including certificates and cookies." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Creates 2 objects in the AD forest Configuration partition. Updates the SPN of the computer used to include “GC” (Global Catalog) and “E3514235-4B06-11D1-AB04-00C04FC2DCD2” (AD Replication). More info on Kerberos Service Principal Names in the ADSecurity SPN section. Pushes the updates to DCs via DrsReplicaAdd and KCC" }, { "role": "assistant", "content": "T1207 - Rogue Domain Controller" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DealersChoice makes modifications to open-source scripts from GitHub and executes them on the victim’s machine." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Wocao, threat actors used the command `net localgroup administrators` to list all administrators part of a local group." }, { "role": "assistant", "content": "T1069.001 - Permission Groups Discovery: Local Groups" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The SUPERNOVA webshell is an anonymous code C# webshell written in .NET C# that is specifically written for usage on SolarWinds Orion servers" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attacker deception and attribution The deobfuscated PowerShell code used by the MuddyWater group resembles previously seen PowerShell scripts that most likely served as prototypes" }, { "role": "assistant", "content": "T1546.013 - Event Triggered Execution: PowerShell Profile', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists." }, { "role": "assistant", "content": "T1014 - Rootkit', 'T1574.006 - Hijack Execution Flow: LD_PRELOAD" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses HTTP as a transport to communicate with its command server." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One such email that we were able to obtain was targeting users in Turkey, as shown in Figure 4: Figure 4: Sample spear phishing email containing macro-based document attachment The malicious Microsoft Office attachments that we observed appear to have been specially crafted for individuals in four countries: Turkey, Pakistan, Tajikistan and India" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment', 'T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This feature generates a stageless Beacon payload artifact, hosts it on Cobalt Strike’s web server, and presents a one-liner to download and run the artifact" }, { "role": "assistant", "content": "T1197 - BITS Jobs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These privilege escalation modules are the ones we caught when we queried for Jian’s global configuration table. We also found a couple of more Local Privilege Escalation exploits from the NtElevation series" }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wingbird deletes its payload along with the payload's parent process after it finishes copying files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During our initial research into the TwoFace++ loader, we were unable to extract the embedded payload using the same brute forcing technique that we used on the initial TwoFace loader samples" }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rising Sun can detect the username of the infected host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT37 has access to destructive malware that is capable of overwriting a machine's Master Boot Record (MBR)." }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TeamTNT has modified the permissions on binaries with \"chattr\"." }, { "role": "assistant", "content": "T1222.002 - File and Directory Permissions Modification: FreeBSD, Linux and Mac File and Directory Permissions Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Probably full and active window screenshot quality captureActiveQC 40 CaptureSites VPN*0,0 Login*0,0 mail*0,0 Security*0,0 Window titles of interest for screenshots, using left mouse button and Enter keypress hook important upLog.txt upSCRLog.txt upSpecial.txt upFile.txt upMSLog.txt List of files to send to C2 using bitsadmin.exe from the dedicated thread maxUpFileSizeKByte 1000000 Maximum size of file uploaded to C2 Servers http://108.61.189.174 Control server HTTP URL ZipPass KtJvOXulgibfiHk Password for uploaded zip archives browserPasswordCheckTimeout 300000 Milliseconds to wait between gathering key3.db, cookies.sqlite and other browser files in dedicated thread Most of the parameters are self-explanatory" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conti can utilize command line options to allow an attacker control over how it scans and encrypts files." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mapping of TG-3390's interactions with web shells during an intrusion responded to by CTU researchers" }, { "role": "assistant", "content": "T1505.003 - Server Software Component: Web Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI can delete files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER will send the captured screenshot image file to the C2 server if the “fileupload” command is issued" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT was distributed via malicious Word documents." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Andariel has downloaded additional tools and malware onto compromised hosts." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BBK has the ability to decrypt AES encrypted payloads." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory \"CSIDL_APPDATA\\microsoft\\security\"." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can obtain information on installed anti-malware programs." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used services.exe to execute scripts and executables during lateral movement within a victim network." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "created accounts disguised as legitimate backup and service accounts as well as an email administration account." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dridex contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers." }, { "role": "assistant", "content": "T1090 - Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDAT has executed commands using \"cmd.exe /c\"." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may attempt to connect to systems within a victim's network using net use commands and a predefined list or collection of passwords." }, { "role": "assistant", "content": "T1110 - Brute Force" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While sending to the C2 server, the data is formatted as follows: @{SYSINFO  = $get.ToString(); ACTION = \"REGISTER\";} Ability to take screenshots" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackMould can run cmd.exe with parameters." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working." }, { "role": "assistant", "content": "T1008 - Fallback Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PUNCHBUGGY can establish using a AppCertDLLs Registry key." }, { "role": "assistant", "content": "T1546.009 - Event Triggered Execution: AppCert DLLs" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly has manipulated .lnk files to gather user credentials in conjunction with Forced Authentication." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware can download additional files from C2 servers." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "runs the ifconfig command to obtain the IP address from the victim’s machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can upload files from compromised hosts." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Trojan downloads the contents of this file by crafting an HTTP request to a URL structured as follows: + + “?alt=media” With the contents of the file downloaded, the Trojan sets the modification_time variable to the current modification time so the Trojan knows when the actor makes further changes to the file" }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp', 'T1083 - File and Directory Discovery', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Certutil is a living-off the land command line utility that can be used to obtain certificate authority information and configure certificate services. Threat actors usually utilize certutil to download remote files from a given URL. It also incorporates a built-in function to decode base64-encoded files" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398." }, { "role": "assistant", "content": "T1068 - Exploitation for Privilege Escalation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BUBBLEWRAP can communicate using HTTP or HTTPS." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI has used the command \"cmd /c tasklist\" to get a snapshot of the current processes on the target machine." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RDFSNIFFER hooks several Win32 API functions to hijack elements of the remote system management user-interface." }, { "role": "assistant", "content": "T1056.004 - Input Capture: Credential API Hooking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Apply the Microsoft security updates for MS17-010, including the updates for the Windows XP and Windows Server 2003 legacy operating systems. Disable SMBv1 on systems where it is not necessary (e.g. hosts that do not need to communicate with Windows XP and Windows 2000 systems). Carefully evaluate the need for allowing SMBv1-capable systems on interconnected networks compared to the associated risks. Scan networks for the presence of the DoublePulsar backdoor using plugins for tools such as Nmap. Use network auditing tools to scan networks for hosts that are vulnerable to the vulnerabilities described in MS17-010. Implement a backup strategy that includes storing data using offline backup media. Backups to locally connected, network-attached, or cloud-based storage are often insufficient because ransomware frequently accesses and encrypts files stored on these systems" }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the user does not have permissions to add a service, the installation routine attempts to add persistence by creating the following registry key that will run the functional code within Emissary via an exported function named \"DllRegister" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HOLMIUM has been observed using various vectors for initial access, including spear-phishing email, sometimes carrying archive attachments that exploit the CVE-2018-20250 vulnerability in WinRAR, and password-spraying. Many of their recent attacks, however, have involved the penetration testing tool Ruler used in tandem with compromised Exchange credentials" }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Naid creates a new service to establish." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NETWIRE can discover and close windows on controlled systems." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used a keylogging tool called KEYPUNCH." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "compromised three Japanese websites using a Flash exploit to perform watering hole attacks." }, { "role": "assistant", "content": "T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Passgrabber module – collects logins and passwords from various sources: Firefox and Chrome files, Microsoft Vault storage, etc. Instead of using Mimikatz as in previous versions, the module collects passwords using its own algorithms" }, { "role": "assistant", "content": "T1555.003 - Credentials from Password Stores: Credentials from Web Browsers" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the ipconfig command." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shamoon attempts to access the \"ADMIN$\", \"C$\\Windows\", \"D$\\Windows\", and \"E$\\Windows\" shares on the victim with its current privileges." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Uploads a file on the victim’s computer to the C&C server" }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has built in commands to identify a host’s IP address and find out other network configuration settings by viewing connected sessions." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A modified EternalBlue exploit, also used by WannaCry.. The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).. An attack against the update mechanism of a third-party Ukrainian software product called MeDoc." }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ramsay can spread itself by infecting other portable executable files on removable drives." }, { "role": "assistant", "content": "T1091 - Replication Through Removable Media" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TYPEFRAME can uninstall malware components using a batch script. TYPEFRAME can execute commands using a shell." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GravityRAT uses the \"netstat\" command to find open ports on the victim’s machine." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Earth Lusca has compromised victims by directly exploiting vulnerabilities of public-facing servers, including those associated with Microsoft Exchange and Oracle GlassFish." }, { "role": "assistant", "content": "T1190 - Exploit Public-Facing Application" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once executed, Vcrodat loads an encrypted payload on to the victim’s computer." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conti ransomware deletes Windows Volume Shadow Copies using vssadmin." }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "launches a scheduled task." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Even simple API calls were obfuscated, and instead of just calling the functions, Siloscape made the effort to use the Native API (NTAPI) version of the same function" }, { "role": "assistant", "content": "T1106 - Native API', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FlawedAmmyy can collect clipboard data." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dtrack has used a dropper that embeds an encrypted payload as extra data." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information', 'T1027.009 - Embedded Payloads" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can produce a sessions report from compromised hosts." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KGH_SPY can collect credentials from WINSCP." }, { "role": "assistant", "content": "T1555 - Credentials from Password Stores" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The tokens for each platform are hardcoded within the sample:November 2016 to January 2017: \"Evil New Year\" CampaignIn the early part of 2017, Group123 started the \"Evil New Year\" campaign" }, { "role": "assistant", "content": "T1134 - Access Token Manipulation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Maze has used the \"WNetOpenEnumW\", \"WNetEnumResourceW”, “WNetCloseEnum” and “WNetAddConnection2W” functions to enumerate the network resources on the infected machine." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "These commands are also executed when the loadconfig command is issued" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Revenge RAT collects the IP address and MAC address from the system." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Static analysis of this executable shows only two functions, but a regular number of imports. Upon detecting a debugger attached to it, the malware will display the message below and terminate the execution. This packer also hides the calls to API functions. This time instead of using a dispatcher function, the malware pushes the arguments into the stack as usual but will then perform a call to a jump table built during the unpacking, in the .text section memory region. Each entry finishes with a jmp instruction into the respective API function. Effectively the malware doesn't do any call to API functions, it always performs a jump. The end result is the same has in the packer from 2016, but with a simpler mechanism. One of the anti-analysis features included in this packer is the lack of calls to API functions. In the early stages of execution, the malware loads the libraries and retrieves the addresses from functions it needs. Feature-wise, there is no change when compared with the 2016 version, in fact when compared the C2 beaconing functions even share some of the offsets" }, { "role": "assistant", "content": "T1497.003 - Time Based Evasion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In their advisory published on Jan. 26, 2022, CERT-UA asserted that the initial vector for the malware, dubbed WhisperGate, was either a supply-chain attack or exploitation. The first payload in this infection is responsible for the initial attempt at wiping the systems. The malware executable wipes the master boot record (MBR) and replaces it with the code responsible for displaying the ransom note. Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten and has no recovery options. This wiper also tries to destroy the C:\\ partition by overwriting it with fixed data. The additional steps taken to wipe the actual hard drive partition differentiate its behavior from other wiper malware like NotPetya. However, most modern systems today have switched to GUID Partition Table (GPT) from MBR, which allows for larger file systems and has fewer limitations, potentially limiting some of the impacts of this executable" }, { "role": "assistant", "content": "T1542.003 - Bootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WarzoneRAT can include a rootkit to hide processes, files, and startup." }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking." }, { "role": "assistant", "content": "T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses the command line and rundll32.exe to execute." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN7 malware has created scheduled tasks to establish persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As seen with other ransomware cases, Mimikatz is a key player in dumping credentials but LockBit 2.0 has been occasionally seen utilizing MiniDump as well." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping', 'T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has disguised its C2 addresses as the websites of shopping malls, governments, universities, and others." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LiteDuke has the ability to discover the proxy configuration of Firefox and/or Opera." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Observed Clop samples try to kill several processes and services related to backups and security solutions. Clop also leverages Code Signing to evade detection" }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Okrum was seen using modified Quarks PwDump to perform credential dumping." }, { "role": "assistant", "content": "T1003.005 - OS Credential Dumping: Cached Domain Credentials" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "schtasks is used to schedule tasks on a Windows system to run at a specific date and time." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOTHFULMEDIA has a keylogging capability." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emissary has the capability to execute ver and systeminfo commands." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has used compromised local accounts to access victims' networks." }, { "role": "assistant", "content": "T1078.003 - Valid Accounts: Local Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mis-Type may create a temporary user on the system named `Lost_{Unique Identifier}`." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC for lateral movement as well as during and post compromise cleanup activities." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation CuckooBees, the threat actors used the `net time` command as part of their advanced reconnaissance." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is capable of enumerating and manipulating files and directories." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Details: One way Qbot steals sensitive information is by extracting browser data from Internet Explorer and Microsoft Edge by using the built-in utility esentutl.exe. Writing an analytic looking for a process of esentutl.exe with Windows\\WebCache in the command line may help you catch this behavior" }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The legitimate DLL that would be used in this case has the size of roughly 600 KB, but here we have an obfuscated library that is over 600 MB. The large size of the file is intended to hamper analysis and detection. Once all empty sections have been removed from the library, the final payload is a binary of 27.5 MB" }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turian can store copied files in a specific directory prior to exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "LookBack has a C2 proxy tool that masquerades as \"GUP.exe\", which is software used by Notepad++." }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "QakBot can deobfuscate and re-assemble code strings for execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Prikormka encrypts some C2 traffic with the Blowfish cipher." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The algorithm used by Dyre for generating the AES and IV from the first 48 bytes of data based on a rehashing scheme was commonly referred to as Dyre’s derive_key function, this function was slightly changed in the new bot" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses services.exe to register a new autostart service named \"Audit Service\" using a copy of the local lsass.exe file." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution', 'T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldenSpy can create new users on an infected system." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HotCroissant can perform dynamic DLL importing and API lookups using \"LoadLibrary\" and \"GetProcAddress\" on obfuscated strings." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SILENTTRINITY can enumerate processes, including properties to determine if they have the Common Language Runtime (CLR) loaded." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group malware SierraAlfa accesses the \"ADMIN$\" share via SMB to conduct lateral movement." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PcShare has decrypted its strings by applying a XOR operation and a decompression using a custom implemented LZM algorithm." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In our previous article, we mentioned since this GPON Vulnerability (CVE-2018-10561, CVE-2018-10562 ) announced, there have been at least five botnets family mettle, muhstik, mirai, hajime, satori actively exploit the vulnerability to build their zombie army in just 10 days." }, { "role": "assistant", "content": "T1584.005 - Botnet', 'T1588.006 - Vulnerabilities', 'T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT3 replaces the Sticky Keys binary \"C:\\Windows\\System32\\sethc.exe\" for persistence." }, { "role": "assistant", "content": "T1546.008 - Event Triggered Execution: Accessibility Features" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A Gamaredon Group file stealer can gather the victim's username to send to a C2 server." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Small Sieve can obtain the id of a logged in user." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This time, the text is from the novel \"The Brothers Karamazov\" by Fyodor Dostoevsky (a Russian writer). The malicious document drops a Python interpreter and PoetRAT. The author made a few changes to the PoetRAT malware, though. First, the malware uses pyminifier to obfuscate the Python script and avoid detection based on string or YARA rules: The obfuscation is a base64 and an LZMA compression algorithm. For example, the variables are stored in a \"Constant.py\" file containing the C2 server and the configuration. The most notable change is the protocol used to download and upload files" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used HTTP requests for command and control." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WindowsDefender.ini – The Base64 encoded and obfuscated PowerShell script" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BISCUIT has a command to periodically take screenshots of the system." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used Windows admin shares to move laterally." }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used HTTP for C2, including sending error codes in Cookie headers." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kwampirs uses a fairly aggressive means to propagate itself once inside a victim's network by copying itself over network shares" }, { "role": "assistant", "content": "T1021.002 - Remote Services: SMB/Windows Admin Shares" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In contrast to the two samples used in these attacks, this one did not use a PE attachment, and instead used a Microsoft Word document containing a malicious macro as the delivery vehicle" }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Conclusion CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing" }, { "role": "assistant", "content": "T1203 - Exploitation for Client Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The OilRig group maintains their persistent attacks against government entities in the Middle East region using previously identified tools and tactics. In this instance a spear phishing email was used containing a lure designed to socially engineer and entice the victim to executing a malicious attachment. The attachment was identified as a variant of the OopsIE trojan we identified in February 2018. In this iteration of OopsIE, the general functionality largely remained the same but contained the addition of anti-analysis and anti-virtual machine capabilities to further evade detection from automated defensive systems. Attack Details In July 2018, we reported on a wave of OilRig attacks delivering a tool called QUADAGENT involving a Middle Eastern government agency. During that wave, we also observed OilRig leveraging additional compromised email accounts at the same government organization to send spear phishing emails delivering the OopsIE trojan as the payload instead of QUADAGENT. The OopsIE attack also targeted a government agency within the same nation state, though a different organization than the one targeted delivering QUADAGENT. The email subject was in Arabic, which translated to “Business continuity management training”. The email was sent to an address belonging to a user group, rather than a specific individual’s email address. Evasion Techniques The OopsIE variant delivered in this attack begins its execution by performing a series of anti-VM and sandbox checks. If any of the checks described in Table 1 are successful, the Trojan will exit without running any of its functional code" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It uses the Windows service “winmgmts:\\\\.\\root\\SecurityCenter2 ” to check all AntiVirus products installed on the operating system. As shown below in the figure, it is done by creating the object the service “ winmgmts:\\\\.\\root\\SecurityCenter2 ” and executes the query “ Select * From AntiVirusProduct ” by using the same object that is created of a mentioned service" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Derusbi malware supports timestomping." }, { "role": "assistant", "content": "T1070.006 - Indicator Removal on Host: Timestomp" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IcedID has the ability to download additional modules and a configuration file from C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PLEAD has the ability to delete files on the compromised host." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Daserf — This backdoor has the functionality of a remote shell and can be used to execute commands, upload and download data, capture screenshots, and log keystrokes. xxmm (also known as Minzen) — This RAT and likely successor to Daserf AES-encrypts HTTP communications using a one-time encryption key. As of this publication, BRONZE BUTLER demonstrates a preference for concurrently using Datper and xxmm in its operations. Source: Secureworks) - Screen Capture Tool— This tool can capture the desktop of a victim's system (see Figure 5). Figure 5. Screen Capture Tool usage. Source: Secureworks) - RarStar — This custom tool uploads RAR archives to a specified URL as POST data (see Figure 6). RarStar encodes the POST data using Base64 and a custom XOR algorithm. T-SMB Scan — This SMB scanning tool was originally published on a Chinese program-sharing website (pudn.com). BRONZE BUTLER removed its help message functionality. WinRAR — This tool extracts tools for lateral movement and compresses data for exfiltration. Search proxy log files for evidence of web server scanning using the URL patterns associated with BRONZE BUTLER activity. Install a background monitor tool (e.g" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "zwShell can obtain the victim IP address." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can be used to conduct packet captures on target hosts." }, { "role": "assistant", "content": "T1040 - Network Sniffing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses COM hijacking as a method of persistence." }, { "role": "assistant", "content": "T1546.015 - Event Triggered Execution: Component Object Model Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Much of the code inside the script is from the library “js-cookie” version 2.2.1. However, the attackers modified it and integrated a credit card skimmer into the original script. The skimmer binds at the events “mousedown” and “touchstart” of the payment submit button" }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used a brute-force/password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days. APT28 has also used a Kubernetes cluster to conduct distributed, large-scale password guessing attacks." }, { "role": "assistant", "content": "T1110.001 - Brute Force: Password Guessing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads. Versions of OSX/Shlayer pass encrypted and password-protected code to \"openssl\" and then write the payload to the \"/tmp\" folder." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "discovers the current domain information." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The dns.ps1 script is also responsible for communicating with the C2 server, but it uses DNS queries to send data to the server. The DNS queries sent by this script are queries to subdomains on the same domain as the C2 server, which contains system information or the contents of files from the system. The subdomain of the DNS request that acts as the initial C2 beacon has the following structure" }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Dragonfly 2.0 used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim." }, { "role": "assistant", "content": "T1059.006 - Command and Scripting Interpreter: Python" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "S-Type uses HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HOPLIGHT has utilized Zlib compression to obfuscate the communications payload." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It seems that the implementation for dynamic import resolution slightly varies in comparison to the one used in Azazel rootkit" }, { "role": "assistant", "content": "T1014 - Rootkit" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can install a new service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADNEWS establishes a backdoor over HTTP." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The CARROTBAT malware family is a somewhat unique dropper and while it supports various types of decoy documents, and employs rudimentary command obfuscation, it should be made clear that it is not sophisticated" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RedLeaves can enumerate drives and Remote Desktop sessions." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The White Company has sent phishing emails with malicious Microsoft Word attachments to victims." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Another batch script run by a scheduled task renames the archives on the file server (see Figure 15)" }, { "role": "assistant", "content": "T1053 - Scheduled Task/Job', 'T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "STARWHALE has relied on victims opening a malicious Excel file for execution." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "REvil can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda has used DropBox URLs to deliver variants of PlugX." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider obtained a code signing certificate signed by Digicert for some of its malware." }, { "role": "assistant", "content": "T1588.003 - Code Signing Certificates" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "gh0st RAT has the capability to to delete files." }, { "role": "assistant", "content": "T1070.004 - Indicator Removal on Host: File Deletion" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa has used Apple’s Core Graphic APIs, such as `CGWindowListCreateImageFromArray`, to capture the user's screen and open windows." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wizard Spider has used HTTP for network communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder', 'T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The websites contain numerous articles and content to make them seem legitimate; in some cases the websites have over 10,000 individual news articles. Volexity has found the content is largely scraped and reposted in full from various other legitimate online news outlets. This appears to be done in an automated fashion and most likely through WordPress plugins. Numerous posted articles and images can be directly tracked back to other online blogs and newspapers; sometimes the byline or even watermark in images show directly where the article was sourced. In some cases, only a small number of pages on the site contains malicious code; in other cases, the profiling code is pervasive" }, { "role": "assistant", "content": "T1608.004 - Drive-by Target" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP." }, { "role": "assistant", "content": "T1071.003 - Mail Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNBURST collected hostname, OS version, and device uptime." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WellMail can receive data and executable scripts from C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zebrocy uses the \"tasklist\" and \"wmic process get Capture, ExecutablePath\" commands to gather the processes running on the system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SCREEN Takes a PNG screenshot of the main screen and names the file with timestamps, then uploads it to the C2 server using POST at the path “/FeedBack.php”" }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Volgmer can gather the IP address from the victim's machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Limited obfuscation was encountered, where the authors split up strings into smaller sub-strings and used ‘strcpy’ and ‘strcat’ calls to re-build them prior to use. They also used this same technique to generate garbage strings that are never used. Comments have been added to show the fully-generated strings" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "When referring to additional plugins, it is worth noting that in early versions of Valak the plugins were downloaded by the second stage JS via PowerShell. More recent versions of Valak abandoned the popular yet easily detectable PowerShell downloader approach and transitioned to PluginHost as a means of managing and downloading additional payloads. This transition indicates that the Valak authors are looking for stealthier approaches and ways to improve their evasion techniques" }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Patchwork ran a reverse shell with Meterpreter. Patchwork used JavaScript code and .SCT files on victim machines." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TajMahal can set the \"KeepPrintedJobs\" attribute for configured printers in \"SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers\" to enable document stealing." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After that, stage 2 payloads are still retrieved as Bitmap (BMP) images that use Least Significant Bit (LSB) Steganography to hide the real payloads. These images appear normal in image viewers" }, { "role": "assistant", "content": "T1001.002 - Data Obfuscation via Steganography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Table 3: FELIXROOT backdoor parameters Cryptography All data is transferred to C2 servers using AES encryption and the IbindCtx COM interface using HTTP or HTTPS protocol" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "service-based DLL implant traverses the FTP server’s directories looking for files with keyword matches for computer names or certain keywords." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has used IMAP, POP3, and SMTP for a communication channel in various implants, including using self-registered Google Mail accounts and later compromised email servers of its victims." }, { "role": "assistant", "content": "T1071.003 - Mail Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chinese state-sponsored cyber actors have been observed exploiting Pulse Secure VPN appliances to view and extract valid user credentials and network information from the servers." }, { "role": "assistant", "content": "T1212 - Exploitation for Credential Access" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "’s installer is obfuscated with a custom crypter to obfuscate the installer." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It’s located on the hard drive and contains code that can display current volume shadow copy backups and all installed shadow copy writers and providers. Responsible for wiping deleted data from all drives using cipher.exe (cipher.exe is a built-in command-line tool in the Windows operating system that can be used to display or alter the encryption of directories and files on NTFS volumes. It’s located on the hard drive and contains code that can display current volume shadow copy backups and all installed shadow copy writers and providers. 9) Responsible for wiping deleted data from all drives using cipher.exe (cipher.exe is a built-in command-line tool in the Windows operating system that can be used to display or alter the encryption of directories and files on NTFS volumes" }, { "role": "assistant", "content": "T1490 - Inhibit System Recovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KONNI is heavily obfuscated and includes encrypted configuration files." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can establish persistence by setting the value “Shell” with “explorer.exe, %malware_pathfile%” under the Registry key HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon." }, { "role": "assistant", "content": "T1547.004 - Boot or Logon Autostart Execution: Winlogon Helper DLL" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MURKYTOP has the capability to identify remote hosts on connected networks." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ursnif has used Tor for C2." }, { "role": "assistant", "content": "T1090.003 - Proxy: Multi-hop Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Dust Storm, the threat actors sent spearphishing emails that contained a malicious Microsoft Word document." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline." }, { "role": "assistant", "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OopsIE uses WMI to perform discovery techniques." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "installation file is an unsigned DMG image under the guise of Intego’s security solution for mac." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "As mentioned, the registry key (HKLM\\SOFTWARE\\Microsoft\\DRM) is where the malicious payload is stored. In this case, this is the Pillowmint Trojan. Pillowmint is stored and compressed in the registry key" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ShadowPad has used FTP for C2 communications." }, { "role": "assistant", "content": "T1071.002 - File Transfer Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Helminth establishes persistence by creating a shortcut." }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "hxxp://www.sanjosemaristas[.]com/app/index.php?{A01BA0AD-9BB3-4F38-B76B-A00AD11CBAAA}, providing the current network adapter’s service name GUID" }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StreamEx has the ability to enumerate drive types." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Squirrelwaffle has been distributed via malicious Microsoft Office documents within spam emails." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Data field is encrypted using a custom stream cipher." }, { "role": "assistant", "content": "T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After “GetExtendedTcpTable” is executed and the process returns back to the second part of the code, it iteratively checks every record in the returned Tcp table. If any record contains the PID Waterbear wants to hide, it will remove the corresponding record, modify the record number inside the table, and continue to check the succeeding records" }, { "role": "assistant", "content": "T1562.006 - Impair Defenses: Indicator Blocking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The OilRig group remains highly active in their attack campaigns while they continue to evolve their toolset. On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. The January 8 attack used a variant of the ThreeDollars delivery document, which we identified as part of the OilRig toolset based on attacks that occurred in August 2017. Instead, this attack involved delivering the OopsIE Trojan directly to the victim, most likely using a link in a spear phishing email. Interestingly, the targeted organization in the January 16 attack had already been targeted by the OilRig group a year ago on January 2017. A New Attack On January 8, 2018, the OilRig threat group sent an email with the subject Beirut Insurance Seminar Invitation to an insurance agency in the Middle East. The OilRig group sent two emails to two different email addresses at the same organization within a six minutes time span. The email contained an attachment named Seminar-Invitation.doc, which is a malicious Microsoft Word document we track as ThreeDollars. In this case, the ThreeDollars delivery document was not used and instead an attempt was made to deliver the OopsIE Trojan directly to the targeted organization, likely via a link within an email. As we have observed throughout our tracking of the OilRig group, adopting proven tactics has been a common behavior over time" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In early 2015, a new Emotet modification was released, not all that different from the previous one. Among the changes were: new built-in public RSA key, most strings encrypted, ATS scripts for web injection cleared of comments, targets included clients of Swiss banks." }, { "role": "assistant", "content": "T1592.004 - Client Configurations" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "opens a backdoor on TCP ports 6868 and 7777." }, { "role": "assistant", "content": "T1571 - Non-Standard Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "sent spearphishing emails containing malicious Microsoft Office attachments." }, { "role": "assistant", "content": "T1598.002 - Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWERSTATS has connected to C2 servers through proxies." }, { "role": "assistant", "content": "T1090.002 - External Proxy" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The OsInfo function in collects the current running username." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Anchor can create and execute services to load its payload." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "H1N1 has added a plethora of new functionality in comparison to earlier reports. Throughout this blog series we will be analyzing the capabilities of H1N1 including: obfuscation, a User Account Control (UAC) bypass, information stealing, data exfiltration, loader/dropper, and self-propagation/lateral movement techniques used by this variant.1,2" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "cmd is used to execute programs and other actions at the command-line interface." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has used JavaScript for drive-by downloads and C2 communications." }, { "role": "assistant", "content": "T1059.007 - Command and Scripting Interpreter: JavaScript" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The paths discovered are: • C:\\Users\\leo\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd • C:\\Users\\poopak\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd • C:\\Users\\Vendetta\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd • C:\\Users\\Turk\\AppData\\Local\\Temp\\Word8.0\\MSForms.exd Leo, Poopak, Vendetta and Turk are the usernames of those creating the documents or the templates on which they are based" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery', 'T1005 - Data from Local System', 'T1087 - Account Discovery', 'T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can steal credentials by leveraging the Windows Vault mechanism." }, { "role": "assistant", "content": "T1555.004 - Credentials from Password Stores: Windows Credential Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PingPull can mimic the names and descriptions of legitimate services such as `iphlpsvc`, `IP Helper`, and `Onedrive` to evade detection." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The threat actor initially conducts system reconnaissance to assess the AV software installed and the user privilege" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If the user clicks on the link, he will be prompted to download a RAR file that contains the stage 1 malware/lure, which he will execute afterwards" }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File', 'T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Additional tools were recovered during the incident, including a network scanning/enumeration tool, the archiving tool WinRAR and a bespoke Microsoft SharePoint enumeration and data dumping tool, known as ‘spwebmember" }, { "role": "assistant", "content": "T1213.002 - Sharepoint', 'T1018 - Remote System Discovery', 'T1213.002 - Sharepoint" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32's macOS backdoor hides the clientID file via a chflags function." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Carbanak lists running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and run command-line shells." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PROMETHIUM has named services to appear legitimate." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "If so, it stops the execution and deletes the folder containing the malicious script from this machine. Download the malicious files onto the machine: the same batch file downloads a cab archive named env.cab from a remote address in the internal network: \\\\railways.ir\\sysvol\\railways.ir\\scripts\\env.cab. The use of specific hostnames and internal paths indicates the attacker had prior knowledge of the environment. It moves wiper-related files to “C:\\temp” and creates a scheduled task named mstask to execute the wiper only once at 23:55:00" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This process executes a command to maliciously use the legitimate wmic.exe to initialize an XSL Script Processing (MITRE Technique T1220) attack. The attack executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain (qnccmvbrh.wilstonbrwsaq[.]pw" }, { "role": "assistant", "content": "T1220 - XSL Script Processing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used PowerShell for execution of a payload." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SLOTHFULMEDIA has downloaded files onto a victim machine." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has exfiltrated internal documents, files, and other data from compromised hosts." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has delivered and by executing PowerShell commands through DDE in Word documents." }, { "role": "assistant", "content": "T1559.002 - Inter-Process Communication: Dynamic Data Exchange" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.)." }, { "role": "assistant", "content": "T1114.001 - Email Collection: Local Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Drovorub can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OnionDuke uses Twitter as a backup C2." }, { "role": "assistant", "content": "T1102.003 - One-Way Communication" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "For FunnyDream, the threat actors likely established an identified email account to register a variety of domains that were used during the campaign." }, { "role": "assistant", "content": "T1585.002 - Email Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MoleNet can download additional payloads from the C2." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Introduced in macOS 10.11, this utility has only one publicly documented use, which is to return the status of the System Integrity Protection tool. The csrutil tool is commonly used by malware and post-exploitation tools to determine whether certain files and directories on the system are writable or not" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sakula calls cmd.exe to run various DLL files via rundll32." }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "JAVASCRIPT CODE SNIPPETS: The first stage JavaScript copies additional JavaScript code snippets in txt format from the RTF document into a random directory “C:\\Users\\\\\\”" }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER may also receive batch commands from the C2 server to collect host information from the system" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery', 'T1057 - Process Discovery', 'T1047 - Windows Management Instrumentation', 'T1049 - System Network Connections Discovery', 'T1016 - System Network Configuration Discovery', 'T1082 - System Information Discovery', 'T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It also allows macro code to access internal VBA objects for stealthier macro code execution in future attacks" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Commands such as net view can be used in to gather information about available remote systems." }, { "role": "assistant", "content": "T1018 - Remote System Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The attackers used the Windows Management Instrumentation Command Line Utility (wmic.exe) to execute commands on remote computers, such as adding a new user or executing additional downloaded PowerShell scripts. Cobalt Strike was also used to carry out credential dumping using ProcDump and to empty log files" }, { "role": "assistant", "content": "T1136 - Create Account', 'T1047 - Windows Management Instrumentation', 'T1070.001 - Indicator Removal on Host: Clear Windows Event Logs', 'T1003.001 - OS Credential Dumping: LSASS Memory" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "InvisiMole uses a variation of the XOR cipher to encrypt files before exfiltration." }, { "role": "assistant", "content": "T1560.003 - Archive via Custom Method" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Qakbot has anti-analysis and anti-virtual machine checks. It will not continue to execute if any of the following exists in the system" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Transparent Tribe has directed users to open URLs hosting malicious content." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FinFisher obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox/virtualized environments." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "NotPetya drops PsExec with the filename dllhost.dat." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has used various forms of spearphishing in attempts to get users to open links or attachments." }, { "role": "assistant", "content": "T1204 - User Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fysbis can perform keylogging." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm." }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Decrypting the Configuration As previously mentioned, the real configuration data is stored in the first stage shellcode but it is not stored in cleartext, but encrypted and compressed" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Frankenstein has run a command script to set up persistence as a scheduled task named \"WinUpdate\", as well as other encoded commands from the command-line." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WastedLocker aims to encrypt the files of the infected host. However before the encryption procedure runs, WastedLocker performs a few other tasks to ensure the ransomware will run properly" }, { "role": "assistant", "content": "T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAFNIUM has used ASCII encoding for C2 traffic." }, { "role": "assistant", "content": "T1132.001 - Data Encoding: Standard Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can use process hollowing for execution." }, { "role": "assistant", "content": "T1055.012 - Process Injection: Process Hollowing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses Base64 encoding for communication in the message body of an HTTP request." }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has deployed backup web shells and obtained OWA account credentials during intrusions that it subsequently used to attempt to regain access when evicted from a victim network." }, { "role": "assistant", "content": "T1108 - Redundant Access" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We had previously observed this same IP scanning for TCP port 7001 throughout May 2018. This was potentially a scan for Oracle WebLogic servers, which listens on TCP port 7001 by default. In both our samples, as well as the ones that Morpheus Labs described, the hard-coded password was not only identical, but also located at the same offset" }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Attor has automatically collected data about the compromised system." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mustang Panda APT uses a package of binaries to load the actual payload and it is intentionally designed this way to bypass file scanners and sandboxes. Obviously, file scanners or sandboxes can’t detect the PlugX payload without the encrypted DAT file" }, { "role": "assistant", "content": "T1027.001 - Obfuscated Files or Information: Binary Padding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Emotet could be dropping malware with Remote Access Trojan (RAT) capabilities damaging the integrity of the overall network. After reviewing systems for Emotet indicators, reimage and move clean systems to a containment VLAN, segregated from the infected network. It is possible that the Outlook account may now have rules to auto-forward all emails to an external email address, which could result in a data breach. Search base64 encoded network stream data referencing the organization’s email domain. If references are found, perform additional analysis to see if a data breach has occurred" }, { "role": "assistant", "content": "T1114.001 - Email Collection: Local Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once the malware starts it tries to reach a hardcoded C2. The communication takes place using the unmodified HTTP-based protocol, the request and response body are RC4-encrypted, and the encryption key is also hardcoded into the sample" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Meteor can disconnect all network adapters on a compromised host using `powershell -Command \"Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($.NetEnabled) { $.Disable() } }\" > NUL`." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains a command to collect the victim PC name and operating system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects the victim’s computer name, processor architecture, OS version, and volume serial number." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents." }, { "role": "assistant", "content": "T1546.001 - Event Triggered Execution: Change Default File Association" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The script sets up a new HTTP object and then tries to disable the system's local proxy settings" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "httpclient uses HTTP for command and control." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lazarus Group has exfiltrated stolen data to Dropbox using a customized version of dbxcli." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Squirrelwaffle has used HTTP POST requests for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GreyEnergy modifies conditions in the Registry and adds keys." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FELIXROOT checks for installed security software like antivirus and firewall." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bandook can detect USB devices." }, { "role": "assistant", "content": "T1120 - Peripheral Device Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gorgon Group has obtained and used tools such as QuasarRAT and Remcos." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In order to encrypt network shares, BitPaymer will attempt to enumerate the sessions for each user logged onto the infected host and create a new process, using the token of each user. These new processes will first spawn a net.exe processing with the view argument to gather a list of network accessible hosts. For each host, BitPaymer spawns another net.exe process with command net view <host> using the newly discovered host as a parameter. This will return a list of network shares available to the impersonated user on the host. Once a list of all available shares has been gathered, BitPaymer attempts to mount them to be encrypted" }, { "role": "assistant", "content": "T1135 - Network Share Discovery', 'T1134.001 - Access Token Manipulation: Token Impersonation/Theft" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The use of the web bug reconnaissance technique suggests TA416 is being more discerning about which targets the group chooses to deliver malware payloads. Historically, the group primarily delivered web bug URLs alongside malware URLs to confirm receipt. In 2022, the group started to first profile users and then deliver malware URLs. This may be an attempt by TA416 to avoid having their malicious tools discovered and publicly disclosed. By narrowing the lens of targeting from broad phishing campaigns to focus on targets that have proven to be active and willing to open emails, TA416 increases its chance of success when following up with malicious malware payloads" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "According to the server’s code, the default command that it would issue to newly infected systems was a batch script contained in a file named 0000000000.bat" }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1064 - Scripting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoisonIvy creates a Registry key in the Active Setup pointing to a malicious executable." }, { "role": "assistant", "content": "T1547.014 - Active Setup" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CosmicDuke exfiltrates collected files automatically over FTP to remote servers." }, { "role": "assistant", "content": "T1020 - Automated Exfiltration" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The other infection chain involves an attached .XLS file containing an Excel formula that utilizes a PowerShell command (Figure 2) to access paste.ee, a Pastebin alternative, that accesses a second encrypted PowerShell command (Figure 3)." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter', 'T1566.001 - Phishing: Spearphishing Attachment', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Shamoon has used HTTP for C2." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Clop can use code signing to evade detection." }, { "role": "assistant", "content": "T1553.002 - Code Signing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malware communicates to its command server using HTTP with an encrypted payload." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT has exfiltrated data over the C2 channel." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT checked the size of the hard drive to determine if it was being run in a sandbox environment. In the event of sandbox detection, it would delete itself by overwriting the malware scripts with the contents of \"License.txt\" and exiting." }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can create a task named to appear benign." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Pupy has a built-in utility command for \"netstat\", can do net session through PowerView, and has an interactive shell which can be used to discover additional information." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MuddyWater has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back." }, { "role": "assistant", "content": "T1104 - Multi-Stage Channels" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ComRAT can check the default browser by querying \"HKCR\\http\\shell\\open\\command\"." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackTech has used built-in API functions." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "One interesting thing to note is that the Keybase account used by the attacker to chat with their victims has the same logo of the Pay2Key EOSIO smart contract system" }, { "role": "assistant", "content": "T1585 - Establish Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The C2 server sends back Base64 encoded response" }, { "role": "assistant", "content": "T1132 - Data Encoding" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla surveys a system upon check-in to discover Group Policy details using the \"gpresult\" command." }, { "role": "assistant", "content": "T1615 - Group Policy Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mosquito can launch PowerShell Scripts." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MoonWind obtains the victim IP address." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Comnie uses RC4 and Base64 to obfuscate strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "obtains the victim IP address." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "contains base64-encoded strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "actors have used and a modified version of called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers." }, { "role": "assistant", "content": "T1003 - OS Credential Dumping" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "may create a file containing the results of the command cmd.exe /c net user {Username}." }, { "role": "assistant", "content": "T1087 - Account Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Honeybee, threat actors ran \"sc start\" to start the COMSysApp as part of the service hijacking and \"sc stop\" to stop and reconfigure the COMSysApp." }, { "role": "assistant", "content": "T1569.002 - System Services: Service Execution" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion." }, { "role": "assistant", "content": "T1027.005 - Indicator Removal from Tools" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TA505 has used spearphishing emails with malicious attachments to initially compromise victims." }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HAFNIUM has used web shells to export mailbox data." }, { "role": "assistant", "content": "T1114.002 - Email Collection: Remote Email Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The malicious payload associated with the campaign appears to be a new version of Zeus Panda, a banking trojan designed to stealing banking and other sensitive credentials for exfiltration by attackers. The overall operation of the Zeus Panda banking trojan has been well documented, however Talos wanted to provide additional information about the first stage packer used by the malware. The malware will first query the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects the any of the following keyboard mappings" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Operation Wocao has used PowerShell to add and delete rules in the Windows firewall." }, { "role": "assistant", "content": "T1562.004 - Impair Defenses: Disable or Modify System Firewall" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Javali has used embedded VBScript to download malicious payloads from C2." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has used VBS scripts throughout its operations." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sandworm Team has sent system information to its C2 server using HTTP." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Operation Honeybee, stolen data was copied into a text file using the format `From (- --).txt` prior to compression, encoding, and exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Crutch can exfiltrate data over the primary C2 channel (Dropbox HTTP API)." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "It continues to perform a number of checks for installed security products on the victim machine. The following security platforms are queried by checking entries within the HKLM\\Software\\ registry path" }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "WINDSHIELD C2 traffic can communicate via TCP raw sockets." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Metamorfo has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing." }, { "role": "assistant", "content": "T1119 - Automated Collection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Windshift has used e-mail attachments to lure victims into executing malicious code." }, { "role": "assistant", "content": "T1204.002 - User Execution: Malicious File" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes." }, { "role": "assistant", "content": "T1029 - Scheduled Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Javali has achieved execution through victims clicking links to malicious websites." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BlackTech has used the SNScan tool to find other potential targets on victim networks." }, { "role": "assistant", "content": "T1046 - Network Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Helminth can provide a remote shell. One version of Helminth uses batch scripting." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Iranian government-sponsored APT actors may have established new user accounts on domain controllers, servers, workstations, and active directories. Some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. In addition to unrecognized user accounts or accounts established to masquerade as existing accounts, the following account usernames may be associated with this activity: Support Help elie WADGUtilityAccount" }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account', 'T1136.002 - Create Account: Domain Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa installs a `com.apple.softwareupdate.plist` file in the `/LaunchAgents` folder with the `RunAtLoad` value set to `true`. Upon user login, MacMa is executed from `/var/root/.local/softwareupdate` with root privileges. Some variations also include the `LimitLoadToSessionType` key with the value `Aqua`, ensuring the MacMa only runs when there is a logged in GUI user." }, { "role": "assistant", "content": "T1543.001 - Create or Modify System Process: Launch Agent" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "More_eggs has the capability to gather the OS version and computer name." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "variants have communicated with C2 servers over HTTP and HTTPS." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SombRAT can execute \"getinfo\" to identify the username on a compromised host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PoetRAT has the ability to hide and unhide files." }, { "role": "assistant", "content": "T1564.001 - Hide Artifacts: Hidden Files and Directories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Executes VBScript using Process.Start. The third-stage DLL proceeds by loading the \"AdvancedRun\" resource into memory, decompressing it and dropping it as \"AdvancedRun.exe\" into the %TEMP% directory. Drops AdvancedRun.exe using File.WriteAllBytes. AdvancedRun.exe\" is a tool provided by Nirsoft to execute a program with different settings. Once the tool is dropped, the third stage DLL will leverage it to execute two commands in the context of the Windows TrustedInstaller group. The TrustedInstaller group was an addition to Windows beginning in Windows 7 with the goal of preventing accidental damage to critical system files. AdvanceRun is one of the tools that can be used to execute commands in the context of the TrustedInstaller user. This functionality is only available via CLI and requires the flag of \"/RunAs 8\", which is shown in the commands below. The tool will be deleted from the %TEMP% directory after executing both commands. The first command leverages the Windows service control application (sc.exe) to disable Windows Defender" }, { "role": "assistant", "content": "T1562.001 - Impair Defenses: Disable or Modify Tools', 'T1078.001 - Valid Accounts: Default Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNSPOT only replaces SolarWinds Orion source code if the MD5 checksums of both the original source code file and backdoored replacement source code match hardcoded values." }, { "role": "assistant", "content": "T1480 - Execution Guardrails" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "IRON TWILIGHT’s email credential targeting system allows the threat group to target and exploit accounts for webmail services such as Gmail and Hotmail, as well as corporate email platforms that use webmail interfaces. When targeting email services that provide alternate methods to authenticate account access, such as Gmail’s use of OAuth, the threat actors may abuse this feature to maintain a persistent session with the compromised account" }, { "role": "assistant", "content": "T1566.002 - Phishing: Spearphishing Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT10 has targeted or compromised manufacturing companies in India, Japan and Northern Europe; a mining company in South America; and multiple IT service providers worldwide. Traditional and Novel Methods . This recent APT10 activity has included both traditional spear phishing and access to victim’s networks through service providers. In addition to the spear phishes, FireEye ISIGHT Intelligence has observed APT10 accessing victims through global service providers. Service providers have significant access to customer networks, enabling an attacker who had compromised a service provider to move laterally into the network of the service provider’s customer. In addition, web traffic between a service provider’s customer and a service provider is likely to be viewed as benign by network defenders at the customer, allowing the attacker to exfiltrate data stealthily. A notable instance of this observed by FireEye involved a SOGU backdoor that was set to communicate with its C2 through a server belonging to the victim’s service provider. The actor then tested connectivity to an IP managed by the victim’s service provider. Once connectivity to the service provider IP was verified, the actor established the service provider IP as a proxy for the victim’s SOGU backdoor. This effectively routes SOGU malware traffic through the victim’s service provider, which likely indicates a foothold on the service provider’s network. Their abuse of access to service provider networks demonstrates that peripheral organizations continue to be of interest to a malicious actor – especially those seeking alternative angles of attack" }, { "role": "assistant", "content": "T1199 - Trusted Relationship" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lizar can migrate the loader into another process." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "While we can only speculate on the specific reason, it is likely Sofacy packed only the Delphi variants in an attempt to increase evasion as the Delphi variant of Zebrocy is known and has been widely analyzed" }, { "role": "assistant", "content": "T1027.002 - Obfuscated Files or Information: Software Packing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After this information is obtained, the attacker can generate and send a specially crafted HTTP POST request to the Exchange server with an XML SOAP payload to the Exchange Web Services (EWS) API endpoint" }, { "role": "assistant", "content": "T1590 - Gather Victim Network Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Rising Sun can detect the computer name, operating system, and drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After decrypting and decompressing the strings, we can trivially identify aspects of the PlugX configuration" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information', 'T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "MacMa has the ability to record audio." }, { "role": "assistant", "content": "T1123 - Audio Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Aria-body has the ability to identify the username on a compromised host." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has the ability to discover and manipulate Windows services." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kessel's configuration is hardcoded and RC4 encrypted within the binary." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldMax can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger and can send the current timestamp to the C2 server." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "has deleted Registry keys during post compromise cleanup activities." }, { "role": "assistant", "content": "T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Grandoreiro has used malicious links to gain execution on victim machines." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a Registry subkey that registers a new service." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service', 'T1112 - Modify Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GALLIUM established persistence for PoisonIvy by created a scheduled task." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can access the \"HKLM\\System\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData\" Registry key to obtain the System manufacturer value to identify the machine type." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting." }, { "role": "assistant", "content": "T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PipeMon can inject its modules into various processes using reflective DLL loading." }, { "role": "assistant", "content": "T1055.001 - Process Injection: Dynamic-link Library Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Stuxnet attempts to access network resources with a domain account’s credentials." }, { "role": "assistant", "content": "T1078.002 - Domain Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowerShell Cobalt Strike Beacon - New payload + new C2 domain - PowerShell Obfuscator - All the new PowerShell payloads are obfuscated using a publicly available script adapted from a Daniel Bohannon’s GitHub project. Using this tool, the attackers could overcome a password reset. Customized Windows Credentials Dumper - A PowerShell password dumper that is based on a known password dumping tool, using PowerShell bypass and reflective loading. The attackers specifically used it to obtain Outlook passwords. Customized Outlook Credentials Dumper - Inspired by known Outlook credentials dumpers" }, { "role": "assistant", "content": "T1552.002 - Unsecured Credentials: Credentials in Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "RunningRAT captures keystrokes and sends them back to the C2 server." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Chimera has used \"time /t\" and \"net time \\\\ip/hostname\" for system time discovery." }, { "role": "assistant", "content": "T1124 - System Time Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Gelsemium can set persistence with a Registry run key." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "8 Upload the TPX498.dat file, which contains the list of collected keystrokes" }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "is installed via execution of rundll32 with an export named \"init\" or \"InitW.\"" }, { "role": "assistant", "content": "T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During C0015, the threat actors used the `tasklist /s` command as well as `taskmanager` to obtain a list of running processes." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can decrypt strings using the victim's hostname as the key." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "creates a suspended svchost process and injects its DLL into it." }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SOUNDBITE is capable of enumerating application windows." }, { "role": "assistant", "content": "T1010 - Application Window Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Wiarp creates a backdoor through which remote attackers can open a command line interface." }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Silence has used environment variable string substitution for obfuscation." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "VBShower has the ability to download VBS files to the target computer." }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "This PowerShell backdoor was observed to be related to the SystemBC malware as a service. The script has a hard coded C&C server IP address and port number to connect to, with data passed to the “Rc4_crypt” function before connection." }, { "role": "assistant", "content": "T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "queries several Registry keys to identify hard disk partitions to overwrite." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After the deletion process, the malware gets the function “Wow64RevertWow64FsRedirection” using the function “GetProcAddress” and calls it in a dynamic way to leave the system in the same state as before" }, { "role": "assistant", "content": "T1070 - Indicator Removal on Host" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "performs data exfiltration over the control server channel using a custom protocol." }, { "role": "assistant", "content": "T1041 - Exfiltration Over C2 Channel" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We have covered recent FIN7 activity in previous public blog posts: FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings FIN7 Evolution and the Phishing LNK To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information on our investigations and observations into FIN7 activity" }, { "role": "assistant", "content": "T1547.009 - Boot or Logon Autostart Execution: Shortcut Modification" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "“Knock” also appears in several strings inside the code of SpeakUp" }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Zeus Panda checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s environment." }, { "role": "assistant", "content": "T1518.001 - Software Discovery: Security Software Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleSeed can use \"GetKeyState\" and \"GetKeyboardState\" to capture keystrokes on the victim’s machine." }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In another update, the P8RAT sample from August 2020 looks for two process names (“VBoxService.exe” and “vmtoolsd.exe”) on the victim’s system, to detect VMware or VirtualBox environments at the beginning of its main malicious function" }, { "role": "assistant", "content": "T1497.001 - Virtualization/Sandbox Evasion: System Checks" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Next, the third-stage DLL will load the \"Waqybg\" resource into memory. As the resource is stored in reverse byte order, the third-stage DLL will restore it by reversing the bytes and then proceed to decompress it. The decompressed data is the fourth stage wiper payload. After decompressing the data, the third-stage DLL copies a legitimate Windows utility \"InstallUtil.exe\" into the %TEMP% directory, creates a suspended process with it and injects the fourth-stage wiper into the process. Finally, it resumes the process and transfers the execution flow to the fourth-stage wiper. Creates InstallUtil.exe process" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ember Bear has obfuscated malware and malicious scripts to help avoid detection." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Key Points PrivateLoader is a downloader malware family that was first identified in early 2021 The loader’s primary purpose is to download and execute additional malware as part of a pay-per-install (PPI) malware distribution service PrivateLoader is used by multiple threat actors to distribute ransomware, information stealers, banking t" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OSInfo discovers information about the infected machine." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FIN8 has used \"sslip.io\", a free IP to domain mapping service that also makes SSL certificate generation easier for traffic encryption, as part of their command and control." }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can spawn remote shells." }, { "role": "assistant", "content": "T1059 - Command and Scripting Interpreter" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "can use HTTP or SMTP for C2." }, { "role": "assistant", "content": "T1071 - Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FANCY BEAR adversary used different tradecraft, deploying X-Agent malware with capabilities to do remote command execution, file transmission and keylogging. It was executed via rundll32 commands such as" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1059 - Command and Scripting Interpreter', 'T1218.011 - Signed Binary Proxy Execution: Rundll32" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HyperStack can enumerate all account names on a remote share." }, { "role": "assistant", "content": "T1087.001 - Account Discovery: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "We observed the threat group issue the following commands: @echo off   dir c:\\ >> %temp%\\download   ipconfig /all >> %temp%\\download   net user >> %temp%\\download   net user /domain >> %temp%\\download   ver >> %temp%\\download   del %0   @echo off   dir \"c:\\Documents and Settings\" >> %temp%\\download   dir \"c:\\Program Files\\   \" >> %temp%\\download   net start >> %temp%\\download   net localgroup administrator >> %temp%\\download   netstat -ano >> %temp%\\download These commands allow the threat group to gain information about the compromised computer and the network to which it belongs" }, { "role": "assistant", "content": "T1007 - System Service Discovery', 'T1105 - Ingress Tool Transfer', 'T1059.001 - Command and Scripting Interpreter: PowerShell" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The RAT, however, had a multitude of functionalities (as listed in the table below) such as to download and execute, compress, encrypt, upload, search directories, etc" }, { "role": "assistant", "content": "T1105 - Ingress Tool Transfer" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Xbash uses HTTP for C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUPERNOVA contained Base64-encoded strings." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ROKRAT can extract clipboard data from a compromised host." }, { "role": "assistant", "content": "T1115 - Clipboard Data" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has used password spraying attacks to obtain valid credentials." }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldMax has used scheduled tasks to maintain persistence." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "A variant uses fake TLS to communicate with the C2 server." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SMOKEDHAM created a persistence mechanism for NGROK by adding VirtualHost.vbs to the WindNT value under the current users Run registry key" }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The presence of this credential stealer may partially answer how Kobalos propagates. Anyone using the SSH client of a compromised machine will have their credentials captured. Those credentials can then be used by the attackers to install Kobalos on the newly discovered server later" }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HEXANE has conducted internal spearphishing attacks against executives, HR, and IT personnel to gain information and access." }, { "role": "assistant", "content": "T1534 - Internal Spearphishing" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "GoldenSpy can execute remote commands in the Windows command shell using the \"WinExec()\" API." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX has a module to enumerate network shares." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "FatDuke can AES encrypt C2 communications." }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EVILNUM can harvest cookies and upload them to the C2 server." }, { "role": "assistant", "content": "T1539 - Steal Web Session Cookie" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "During Frankenstein, the threat actors used MSbuild to execute an actor-created file." }, { "role": "assistant", "content": "T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Leviathan has used valid, compromised email accounts for defense evasion, including to send malicious emails to other victim organizations." }, { "role": "assistant", "content": "T1078 - Valid Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "communicates over common ports such as TCP 80, 443, and 25." }, { "role": "assistant", "content": "T1043 - Commonly Used Port" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 named tasks \"\\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager\" in order to appear legitimate." }, { "role": "assistant", "content": "T1036.004 - Masquerading: Masquerade Task or Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "HALFBAKED can use WMI queries to gather system information." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Lucifer can decrypt its C2 address upon execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX — A remote access tool notable for communications that may contain HTTP headers starting with \"X-\" (e.g. X-Session: 0\"). Its presence on a compromised system allows a threat actor to execute a wide variety of commands, including uploading and downloading files, and spawning a reverse shell. The malware can be configured to use multiple network protocols to avoid network-based detection. DLL side loading is often used to maintain persistence on the compromised system. Antivirus detection for HttpBrowser is extremely low and is typically based upon heuristic signatures. DLL side loading has been used to maintain persistence on the compromised system. More information about HttpBrowser is available in Appendix B. HttpBrowser URI. Source: Dell SecureWorks) - ChinaChopper web shell — A web-based executable script (see Figure 4) that allows a threat actor to execute commands on the compromised system. TG-3390 has used additional web shells containing similarly formatted passwords" }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Final1stspy obtains victim Microsoft Windows version information and CPU architecture." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "malware gathers the Address Resolution Protocol (ARP) table from the victim." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CharmPower can use `wmic` to gather information from a system." }, { "role": "assistant", "content": "T1047 - Windows Management Instrumentation" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Bazar can collect the IP address and NetBIOS name of an infected machine." }, { "role": "assistant", "content": "T1016 - System Network Configuration Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Confucius has exfiltrated victim data to cloud storage service accounts." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OceanSalt can collect the computer name from the system." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PyDCrypt has used netsh to find RPC connections on remote machines." }, { "role": "assistant", "content": "T1049 - System Network Connections Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Doki uses a previously undocumented method to contact its operator by abusing the Dogecoin cryptocurrency blockchain in a unique way in order to dynamically generate its C2 domain address. The malware has managed to stay under the radar for over six months despite samples being publicly available in VirusTotal" }, { "role": "assistant", "content": "T1102 - Web Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "captures keystrokes and sends them back to the C2 server." }, { "role": "assistant", "content": "T1056 - Input Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Darkhotel malware can collect a list of running processes on a system." }, { "role": "assistant", "content": "T1057 - Process Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "KOCTOPUS has relied on victims clicking on a malicious link delivered via email." }, { "role": "assistant", "content": "T1204.001 - Malicious Link" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "uses a custom binary protocol to beacon back to its C2 server. It has also used XOR for encrypting communications." }, { "role": "assistant", "content": "T1095 - Non-Application Layer Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AppleJeus has XOR-encrypted collected system information prior to sending to a C2. AppleJeus has also used the open source ADVObfuscation library for its components." }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once unpacked, the malware creates a copy of its own process with a suspended thread and injects the unpacked code into the new process before calling the ResumeThread API. Breaking on this function call in a debugger allows an analyst to dump the process and extract the unpacked Karagany binary for further analysis" }, { "role": "assistant", "content": "T1055.003 - Thread Execution Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Upon execution, the payload injects into iexplore.exe process and starts encrypting text files and documents of the victim machine" }, { "role": "assistant", "content": "T1055 - Process Injection" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Mis-Type runs tests to determine the privilege level of the compromised user." }, { "role": "assistant", "content": "T1033 - System Owner/User Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf." }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Otherwise, it runs a search for the “/bin/rsyncd” string within the files found in the /etc/ folder" }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kevin can exfiltrate data to the C2 server in 27-character chunks." }, { "role": "assistant", "content": "T1030 - Data Transfer Size Limits" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "After trying to determine whether ports are open and the machine could act as a C2 tier 2 proxy, the proxy module also starts a multithreaded SOCKS5 proxy server. The SOCKS5 protocol is encapsulated into the QakBot proxy protocol composed of: QakBot proxy command (1 byte), version (1 byte), session id (4 bytes), total packet length (dword), data (total packet length-10). Incoming and outgoing packets are stored in the buffers and may be received/transmitted one by one or in multiple packets in a single TCP data segment (streamed" }, { "role": "assistant", "content": "T1572 - Protocol Tunneling" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PowGoop has disguised a PowerShell script as a .dat file (goopdate.dat)." }, { "role": "assistant", "content": "T1036 - Masquerading" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Ragnar Locker has used sc.exe to create a new service for the VirtualBox driver." }, { "role": "assistant", "content": "T1543.003 - Create or Modify System Process: Windows Service" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TrickBot establishes persistence in the Startup folder." }, { "role": "assistant", "content": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "EvilBunny has executed commands via scheduled tasks." }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In November 2018, Cisco Talos published research on an attack campaign named DNSpionage. It involved attacks using malware to compromise individual endpoints, but most interestingly described an effort to specifically hijack DNS entries of government organizations to redirect visitors to likely malicious, adversary operated systems. Both FireEye and Crowdstrike followed up with their own assessments for the DNS hijacking efforts, and described operations extending back to January 2017. No attribution to any known adversary groups was provided, other than that the target radius was primarily in the Middle East and the adversary was also likely operating out of that region. " }, { "role": "assistant", "content": "T1584.002 - DNS Server', 'T1583.002 - DNS Server', 'T1496 - Resource Hijacking', 'T1189 - Drive-by Compromise" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Besides the stolen data, it sends the Windows product name and version, username, computer name, and domain name to the C&C server" }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Axiom has targeted victims with remote administration tools including RDP." }, { "role": "assistant", "content": "T1563.002 - Remote Service Session Hijacking: RDP Hijacking" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The binary will be saved in the %APPDATA% folder and, for persistence, it creates a scheduled task that will execute every hour" }, { "role": "assistant", "content": "T1053.005 - Scheduled Task/Job: Scheduled Task" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can enumerate services on compromised hosts." }, { "role": "assistant", "content": "T1007 - System Service Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Exaramel for Windows specifies a path to store files scheduled for exfiltration." }, { "role": "assistant", "content": "T1074.001 - Data Staged: Local Data Staging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "CharmPower can send victim data via FTP with credentials hardcoded in the script." }, { "role": "assistant", "content": "T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT28 has collected files from various information repositories." }, { "role": "assistant", "content": "T1213 - Data from Information Repositories" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "APT29 has conducted brute force password spray attacks." }, { "role": "assistant", "content": "T1110.003 - Brute Force: Password Spraying" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PDB Path: C:\\Users\\803\\Desktop\\ytyboth\\yty 2.0\\Release\\vstservice.pdb The vstservice.exe plugin is .NET file responsible for sending a list of the file system to the C2. The malware retrieves the C2 from a Google Docs file like the previous binaries. The file was located at the following location" }, { "role": "assistant", "content": "T1005 - Data from Local System" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "POWRUNER may enumerate user directories on a victim." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "2022–01–15, MSTIC (Microsoft Threat Intelligence Center) identified and unveiled a cyberattack targeting Ukrainian organizations with “WhisperGate” overwrites Master Boot Record(MBR) and files" }, { "role": "assistant", "content": "T1561.002 - Disk Structure Wipe" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BadPatch captures screenshots in .jpg format and then exfiltrates them." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Peirates can use stolen service account tokens to perform its operations." }, { "role": "assistant", "content": "T1078.004 - Valid Accounts: Cloud Accounts" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "In this version, the communication protocol with the C&C server was also upgraded to use AES encryption" }, { "role": "assistant", "content": "T1573.001 - Symmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "searches for files created within a certain timeframe and whose file extension matches a predefined list." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "PlugX uses Pastebin to store C2 addresses." }, { "role": "assistant", "content": "T1102.001 - Dead Drop Resolver" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BabyShark has the ability to decode downloaded files prior to execution." }, { "role": "assistant", "content": "T1140 - Deobfuscate/Decode Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BACKSPACE is capable of enumerating and making modifications to an infected system's Registry." }, { "role": "assistant", "content": "T1012 - Query Registry" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Olympic Destroyer uses the API call \"ChangeServiceConfigW\" to disable all services on the affected system." }, { "role": "assistant", "content": "T1489 - Service Stop" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Thread Name Description Key logger Logs key strokes for configured processes and sends them to the command and control (C2) server Form grabber Monitors HTTP traffic for form data and sends it to the C2 server POS monitor Monitors for changes to logs stored in C:\\NSB\\Coalition\\Logs and nsb.pos.client.log and sends parsed data to the C2 server PST monitor Searches recursively for newly created Outlook personal storage table (PST) files within user directories and sends them to the C2 server HTTP proxy monitor Monitors HTTP traffic for requests sent to HTTP proxies, saves the proxy address and credentials for future use" }, { "role": "assistant", "content": "T1071 - Application Layer Protocol', 'T1090 - Proxy', 'T1041 - Exfiltration Over C2 Channel', 'T1132 - Data Encoding', 'T1486 - Data Encrypted for Impact" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Egregor has used the Windows API to make detection more difficult." }, { "role": "assistant", "content": "T1106 - Native API" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "UNC2452 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principle Names to crack offline." }, { "role": "assistant", "content": "T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling \"PoetRAT. The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to the various references to William Shakespeare, an English poet and playwright. The RAT has all the standard features of this kind of malware, providing full control of the compromised system to the operation. For exfiltration, it uses FTP, which denotes an intention to transfer large amounts of data. The campaign shows us that the operators manually pushed additional tools when they needed them on the compromised systems. We will describe a couple of these tools. The most interesting is a tool used to monitor the hard disk and exfiltrate data automatically" }, { "role": "assistant", "content": "T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "The Helminth executable variant is able to run batch scripts provided by the C2 server, which is very similar to the script version of this Trojan. The executable variant has one additional capability that is not present in the script version, which involves the ability to log keystrokes via a supplemental keylogger module" }, { "role": "assistant", "content": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell', 'T1115 - Clipboard Data', 'T1056.001 - Input Capture: Keylogging" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Avenger has the ability to identify the host volume ID and the OS architecture on a compromised host." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "ESTSecurity inspected a malicious lure document discussing North Korean defectors. This lure document contained a UPX packed binary that reached out to wave[.]posadadesantiago[.]com. Based upon their report we believe SHA256: 252d1b7a379f97fddd691880c1cf93eaeb2a5e5572e92a25240b75953c88736c, either is or is strikingly similar to the document discussed in their blog post based on these similarities" }, { "role": "assistant", "content": "T1566.001 - Phishing: Spearphishing Attachment" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Turla has obtained and customized publicly-available tools like Mimikatz." }, { "role": "assistant", "content": "T1588.002 - Tool" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Sliver can use mutual TLS and RSA cryptography to exchange a session key." }, { "role": "assistant", "content": "T1573.002 - Asymmetric Cryptography" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "StrongPity can use HTTP and HTTPS in C2 communications." }, { "role": "assistant", "content": "T1071.001 - Application Layer Protocol: Web Protocols" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Saint Bot has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova." }, { "role": "assistant", "content": "T1614 - System Location Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Once APT28 gained access to the DCCC network, the group then proceeded to use that access to compromise the DNC network." }, { "role": "assistant", "content": "T1199 - Trusted Relationship" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Figure 3: no detections for SpeakUp in Virus Total In an attempt to endure the investigation process by security researchers, the second stage payload was encoded with salted base64" }, { "role": "assistant", "content": "T1027 - Obfuscated Files or Information" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Fox Kitten has created a local user account with administrator privileges." }, { "role": "assistant", "content": "T1136.001 - Create Account: Local Account" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Kimsuky is a highly motivated threat actor targeting a number of entities in South Korea. This group has been relentlessly creating new infection chains to deliver different types of malware to their victims. This campaign relies on the abuse of Blogspot to host attacker-operated blogs serving malicious VB based scripts to their targets. We've found preliminary malicious components from initial access beacons to file exfiltrators being deployed to victims. In many cases, the content of these preliminary components was combined to serve special scripts to victims.The final implants utilized by the actors in this campaign are derivatives of the Gold Dragon/Brave Prince malware families. Such targeted attacks can result in the leak of restricted research, unauthorized access for espionage and even destructive attacks against target organizations" }, { "role": "assistant", "content": "T1608.001 - Upload Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can find shared drives on the local system." }, { "role": "assistant", "content": "T1135 - Network Share Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine." }, { "role": "assistant", "content": "T1552.001 - Unsecured Credentials: Credentials In Files" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "OLDBAIT installs itself in \"%ALLUSERPROFILE%\\\\Application Data\\Microsoft\\MediaPlayer\\updatewindws.exe\"; the directory name is missing a space and the file name is missing the letter \"o.\"" }, { "role": "assistant", "content": "T1036.005 - Masquerading: Match Legitimate Name or Location" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "TinyZBot contains screen capture functionality." }, { "role": "assistant", "content": "T1113 - Screen Capture" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Empire can use Dropbox for data exfiltration." }, { "role": "assistant", "content": "T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SUNSPOT encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for SUNBURST source code and data extracted from the SolarWinds Orion > \"C:\\windows\\TEMP\\[RANDOM].tmp\"." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory." }, { "role": "assistant", "content": "T1083 - File and Directory Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "AveMaria is a new botnet, whose first version we found in September 2018, right after the arrests of the FIN7 members. We have medium confidence that this botnet falls under the FIN7 umbrella. In fact, AveMaria is a classic infostealer bot that collects all possible credentials from various types of software: browsers, email clients, messengers, etc., and can act as a keylogger. Since the beginning of 2019, we have collected more than 1300 samples and extracted more than 130 C2s." }, { "role": "assistant", "content": "T1114 - Email Collection', 'T1587.001 - Malware" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "SoreFang can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing Systeminfo." }, { "role": "assistant", "content": "T1082 - System Information Discovery" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Cobalt Strike can recover hashed passwords." }, { "role": "assistant", "content": "T1003.002 - OS Credential Dumping: Security Account Manager" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "Flagpro can execute malicious VBA macros embedded in .xlsm files." }, { "role": "assistant", "content": "T1059.005 - Command and Scripting Interpreter: Visual Basic" } ] }, { "messages": [ { "role": "system", "content": "Given a description of an attack technique, tactic, or procedure, return only an accurate MITRE ATT&CK ID and Name in the format: \"ID# - Technique\". " }, { "role": "user", "content": "compressed data with zlib prior to sending it over C2." }, { "role": "assistant", "content": "T1560 - Archive Collected Data" } ] } ]