{ "offset_errors": [], "duplicate_texts": [ { "count": 3, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "According to Synthient, Gaganode is a decentralized bandwidth monetization service that enables both", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "WebShell.", "cross_file": false }, { "count": 7, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Ransomware", "cross_file": false }, { "count": 4, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BADCALL is a Trojan malware variant used by the group Lazarus Group.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "ALPHV, also known as BlackCat or Noberus, is a ransomware family that is deployed as part of Ransomw", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "According to Trend Micro, this ransomware has significant code overlap with Royal Ransomware.", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Chisel is an open-source project by Jaime Pillora (jpillora) that allows tunneling TCP and UDP conne", "cross_file": false }, { "count": 3, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "According to PCrisk, Dacls is the name of a remote access Trojan (RAT), a malicious program that all", "cross_file": false }, { "count": 44, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Ransomware.", "cross_file": false }, { "count": 4, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HiddenWasp is a Linux-based Trojan used to target systems for remote control. It comes in the form o", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "According to Sekoia, this is the ransomware used by the Interlock ransomware intrusion set, which wa", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "According to Trend Micro, KTLVdoor is a highly obfuscated malware that masquerades as different syst", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Cisco Talos compared this RAT to Cobalt Strike and Sliver. Written in Rust.", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "According to the author, Nimbo-C2 is yet another (simple and lightweight) C2 framework. The agent cu", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Part of Mythic C2, written in Golang.", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python.", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "According to STRIKE, ShortLeash is a custom backdoor used to create an ORB network. It generates uni", "cross_file": false }, { "count": 4, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "According to the author, this is a JavaScript based Empire launcher that runs with its own embedded ", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "According to eSentire, NightshadeC2 demonstrates an extensive capability set, including: Reverse she", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Downloader used in suspected APT attack against Vietnam.", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Recon/Loader malware attributed to Lazarus, disguised as Notepad++ shell extension.", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Was previously wrongly tagged as PoweliksDropper, now looking for additional context.", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Keylogger.", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Potential Lazarus sample.", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Ransomware written in Go.", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Downloader.", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Donot malware is a sophisticated, high-level malware toolkit designed to collect and exfiltrate info", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Infostealer", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "This malware is part of the Eternity Malware \"Framework\".", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Recently, Check Point researchers spotted a targeted attack against officials within government fina", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "An information stealer written in .NET.", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "This malware was seen during the cyberattacks on Ukrainian state organizations. It is one of two use", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Warsaw trojan is a new banking trojan based on the Hours Eyes RAT core engine.", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "BeforeCrypt describes that MAKOP Ransomware first appeared in 2020 as an offshoot of the PHOBOS vari", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "According to Mandiant, this is a custom backdoor that provides a more flexible code-execution interf", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Malware that abuses the Common Log File System (CLFS) to store/hide a second stage payload via regis", "cross_file": false }, { "count": 4, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over remova", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Ransomware used by threat actor group DEV-0530, attributed by MSTIC to North Korean origin.", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "According to Mandiant, SUGARUSH is a backdoor written to establish a connection with an embedded C2 ", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl" ], "text_preview": "Information stealer.", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations;", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Indrik Spider is a Russia-based cybercriminal group that has been active since at least 2014. Indrik", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkis", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BlackByte is a ransomware threat actor operating since at least 2021. BlackByte is associated with s", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SideCopy is a Pakistani threat group that has primarily targeted South Asian countries, including In", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting tele", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT17 is a China-based threat group that has conducted network intrusions against U.S. government en", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT3 is a China-based threat group that researchers have attributed to China's Ministry of State Sec", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Mustard Tempest is an initial access broker that has operated the SocGholish distribution network si", "cross_file": true }, { "count": 4, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-c", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Kimsuky is a North Korea-based cyber espionage group that has been active since at least 2012. The g", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "EXOTIC LILY is a financially motivated group that has been closely linked with Wizard Spider and the", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TA577 is an initial access broker (IAB) that has distributed QakBot and Pikabot, and was among the f", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "AppleJeus is a North Korean state-sponsored threat group attributed to the Reconnaissance General Bu", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Patchwork is a cyber espionage group that was first observed in December 2015. While the group has n", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT41 is a threat group that researchers have assessed as Chinese state-sponsored espionage group th", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Salt Typhoon is a People's Republic of China (PRC) state-backed actor that has been active since at ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Evilnum is a financially motivated threat group that has been active since at least 2018.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "menuPass is a threat group that has been active since at least 2006. Individual members of menuPass ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been activ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Strider is a threat group that has been active since at least 2011 and has targeted victims in Russi", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People\u2019s ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RedEcho is a People\u2019s Republic of China-related threat actor associated with long-running intrusions", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforce", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Moafee is a threat group that appears to operate from the Guandong Province of China. Due to overlap", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Gallmaker is a cyberespionage group that has targeted victims in the Middle East and has been active", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Storm-1811 is a financially-motivated entity linked to Black Basta ransomware deployment. Storm-1811", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Leafminer is an Iranian threat group that has targeted government organizations and business entitie", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The grou", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Machete is a suspected Spanish-speaking cyber espionage group that has been active since at least 20", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT18 is a threat group that has operated since at least 2009 and has targeted a range of industries", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. An", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CURIUM is an Iranian threat group, first reported in September 2019 and active since at least July 2", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Sidewinder is a suspected Indian threat actor group that has been active since at least 2012. They h", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations sinc", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ZIRCONIUM is a threat group operating out of China, active since at least 2017, that has targeted in", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Rocke is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking,", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Scattered Spider is a native English-speaking cybercriminal group active since at least 2022. The ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Inte", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting de", "cross_file": true }, { "count": 4, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Contagious Interview is a North Korea\u2013aligned threat group active since 2023. The group conducts bot", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, man", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Akira is a ransomware variant and ransomware deployment entity active since at least March 2023. Aki", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 20", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victim", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "The Windigo group has been operating since at least 2011, compromising thousands of Linux and Unix s", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Higaisa is a threat group suspected to have South Korean origins. Higaisa has targeted government, p", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions si", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Ta", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Orangeworm is a group that has targeted organizations in the healthcare sector in the United States,", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Sea Turtle is a T\u00fcrkiye-linked threat actor active since at least 2017 performing espionage and serv", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Suckfly is a China-based threat group that has been active since at least 2014.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Putter Panda is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including criti", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TA459 is a threat group believed to operate out of China that has targeted countries including Russi", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Aquatic Panda is a suspected China-based threat group with a dual mission of intelligence collection", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Aoqin Dragon is a suspected Chinese cyber espionage threat group that has been active since at least", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Ferocious Kitten is a threat group that has primarily targeted Persian-speaking individuals in Iran ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 thr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, g", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT1 is a Chinese threat group that has been attributed to the 2nd Bureau of the People\u2019s Liberation", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DarkHydrus is a threat group that has targeted government agencies and educational institutions in t", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile pe", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MoustachedBouncer is a cyberespionage group that has been active since at least 2014 targeting forei", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Group5 is a threat group with a suspected Iranian nexus, though this attribution is not definite. Th", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Blue Mockingbird is a cluster of observed activity involving Monero cryptocurrency-mining payloads i", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Winter Vivern is a group linked to Russian and Belorussian interests active since at least 2020 targ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Servic", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Storm-0501 is a financially motivated cyber criminal group that uses commodity and open-source tools", "cross_file": true }, { "count": 4, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The g", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequen", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BITTER is a suspected South Asian cyber espionage threat group that has been active since at least 2", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DarkVishnya is a financially motivated threat actor targeting financial institutions in Eastern Euro", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RedCurl is a threat actor active since 2018 notable for corporate espionage targeting a variety of l", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT-C-23 is a threat group that has been active since at least 2014. APT-C-23 has primarily focused ", "cross_file": true }, { "count": 4, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FIN5 is a financially motivated threat group that has targeted personally identifiable information a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Mofang is a likely China-based cyber espionage group, named for its frequent practice of imitating a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Lotus Blossom is a long-standing threat group largely targeting various entities in Asia since at le", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journal", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT29 is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). They ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Dark Caracal is threat group that has been attributed to the Lebanese General Directorate of General", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying mu", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Chimera is a suspected China-based threat group that has been active since at least 2018 targeting t", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Silent Librarian is a group that has targeted research and proprietary data at universities, governm", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Medusa Group has been active since at least 2021 and was initially operated as a closed ransomware g", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BRONZE BUTLER is a cyber espionage group with likely Chinese origins that has been active since at l", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TA551 is a financially-motivated threat group that has been active since at least 2018. The group h", "cross_file": true }, { "count": 4, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has b", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Equation is a sophisticated threat group that employs multiple remote access tools. The group is kno", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BackdoorDiplomacy is a cyber espionage threat group that has been active since at least 2017. Backdo", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Star Blizzard is a cyber espionage and influence group originating in Russia that has been active si", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, governm", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TA578 is a threat actor that has used contact forms and email to initiate communications with victim", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Deep Panda is a suspected Chinese threat group known to target many industries, including government", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 20", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LazyScripter is threat group that has mainly targeted the airlines industry since at least 2018, pri", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Windshift is a threat group that has been active since at least 2017, targeting specific individuals", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Volatile Cedar is a Lebanese threat group that has targeted individuals, companies, and institutions", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ToddyCat is a sophisticated threat group that has been active since at least 2020 using custom loade", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targe", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LuminousMoth is a Chinese-speaking cyber espionage group that has been active since at least October", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper ope", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Water Galura are the operators of the Qilin Ransomware-as-a-Service (RaaS) who handle payload genera", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directo", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Malteiro is a financially motivated criminal group that is likely based in Brazil and has been activ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Metador is a suspected cyber espionage group that was first reported in September 2022. Metador has ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT42 is an Iranian-sponsored threat group that conducts cyber espionage and surveillance. The group", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting t", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Fox Kitten is threat actor with a suspected nexus to the Iranian government that has been active sin", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT12 is a threat group that has been attributed to China. The group has targeted a variety of victi", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT-C-36 is a suspected South America espionage group that has been active since at least 2018. The ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Winnti Group is a threat group with Chinese origins that has been active since at least 2010. The gr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Tonto Team is a suspected Chinese state-sponsored cyber espionage threat group that has primarily ta", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "GOLD SOUTHFIELD is a financially motivated threat group active since at least 2018 that operates the", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "INC Ransom is a ransomware and data extortion threat group associated with the deployment of INC Ran", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Earth Lusca is a suspected China-based cyber espionage group that has been active since at least Apr", "cross_file": true }, { "count": 4, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FIN4 is a financially-motivated threat group that has targeted confidential information related to t", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Silence is a financially motivated threat actor targeting financial institutions in different countr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Sowbug is a threat group that has conducted targeted attacks against organizations in South America ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contra", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT16 is a China-based threat group that has launched spearphishing campaigns targeting Japanese and", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ special", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The gr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Cobalt Group is a financially motivated threat group that has primarily targeted financial instituti", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Wizard Spider is a Russia-based financially motivated threat group originally known for the creation", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Molerats is an Arabic-speaking, politically-motivated threat group that has been operating since 201", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Velvet Ant is a threat actor operating since at least 2021. Velvet Ant is associated with complex pe", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Transparent Tribe is a suspected Pakistan-based threat group that has been active since at least 201", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian gover", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Inception is a cyber espionage group active since at least 2014. The group has targeted multiple ind", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Play is a ransomware group that has been active since at least 2022 deploying Playcrypt ransomware ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PROMETHIUM is an activity group focused on espionage that has been active since at least 2012. The g", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to ove", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly ha", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "WIRTE is a threat group that has been active since at least August 2018. WIRTE has targeted governme", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PLATINUM is an activity group that has targeted victims since at least 2009. The group has focused o", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Magic Hound is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber e", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Ajax Security Team is a group that has been active since at least 2010 and believed to be operating ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to t", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The g", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FIN10 is a financially motivated threat group that has targeted organizations in North America since", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FIN8 is a financially motivated threat group that has been active since at least January 2016, and k", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hos", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PittyTiger is a threat group believed to operate out of China that uses multiple different types of ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Centr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HDoor is malware that has been customized and used by the Naikon group.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TrickBot is a Trojan spyware program written in C++ that first emerged in September 2016 as a possib", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "cd00r is an open-source backdoor for UNIX and UNIX-variant operating systems that was orginally rele", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PowerDuke is a backdoor that was used by APT29 in 2016. It has primarily been delivered through Micr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "EKANS is ransomware variant written in Golang that first appeared in mid-December 2019 and has been ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at lea", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Ninja is a malware developed in C++ that has been used by ToddyCat to penetrate networks and control", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Pikabot is a backdoor used for initial access and follow-on tool deployment active since early 2023.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Wiarp is a trojan used by Elderwood to open a backdoor on compromised hosts.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RCSession is a backdoor written in C++ that has been in use since at least 2018 by Mustang Panda and", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Spark is a Windows backdoor and has been in use since as early as 2017.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "QuietSieve is an information stealer that has been used by Gamaredon Group since at least 2021.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SynAck is variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Bumblebee is a custom loader written in C++ that has been used by multiple threat actors, including ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MURKYTOP is a reconnaissance tool used by Leviathan.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "AcidRain is an ELF binary targeting modems and routers using MIPS architecture. AcidRain is associat", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "GRIFFON is a JavaScript backdoor used by FIN7.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Amadey is a Trojan bot that has been used since at least October 2018.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "JumbledPath is a custom-built utility written in GO that has been used by Salt Typhoon since at leas", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legi", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NICECURL is a VBScript-based backdoor used by APT42 to download additional modules.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Proxysvc is a malicious DLL used by Lazarus Group in a campaign known as Operation GhostSecret. It h", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Orz is a custom JavaScript backdoor used by Leviathan. It was observed being used in 2014 as well as", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Torisma is a second stage implant designed for specialized monitoring that has been used by Lazarus ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NOKKI is a modular remote access tool. The earliest observed attack using NOKKI was in January 2018.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "yty is a modular, plugin-based malware framework. The components of the framework are written in a v", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Backdoor.Oldrea is a modular backdoor that used by Dragonfly against energy companies since at least", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DOGCALL is a backdoor used by APT37 that has been used to target South Korean government and militar", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Stuxnet was the first publicly reported piece of malware to specifically target industrial control s", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Downdelph is a first-stage downloader written in Delphi that has been used by APT28 in rare instance", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RotaJakiro is a 64-bit Linux backdoor used by APT32. First seen in 2018, it uses a plugin architectu", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "AvosLocker is ransomware written in C++ that has been offered via the Ransomware-as-a-Service (RaaS)", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SEASHARPEE is a Web shell that has been used by OilRig.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Get2 is a downloader written in C++ that has been used by TA505 to deliver FlawedGrace, FlawedAmmyy,", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "POWRUNER is a PowerShell script that sends and receives commands to and from the C2 server.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "KOPILUWAK is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 s", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RobbinHood is ransomware that was first observed being used in an attack against the Baltimore city ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MEDUSA is an open-source rootkit that is capable of dynamic linker hijacking, command execution, and", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "VersaMem is a web shell designed for deployment to Versa Director servers following exploitation. Di", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Power Loader is modular code sold in the cybercrime market used as a downloader in malware families ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TDTESS is a 64-bit .NET binary backdoor used by CopyKittens.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaig", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SharpStage is a .NET malware with backdoor capabilities.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PAKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed utilized in 2024", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 20", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Sardonic is a backdoor written in C and C++ that is known to be used by FIN8, as early as August 202", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Smoke Loader is a malicious bot application that can be used to load other malware.\nSmoke Loader has", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HALFBAKED is a malware family consisting of multiple components intended to establish persistence in", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "WindTail is a macOS surveillance implant used by Windshift. WindTail shares code similarities with H", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Misdat is a backdoor that was used in Operation Dust Storm from 2010 to 2011.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "reGeorg is an open-source web shell written in Python that can be used as a proxy to bypass firewall", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FLIPSIDE is a simple tool similar to Plink that is used by FIN5 to maintain access to victims.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from Augus", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "adbupd is a backdoor used by PLATINUM that is similar to Dipsind.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Emissary is a Trojan that has been used by Lotus Blossom. It shares code with Elise, with both Troja", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Exaramel for Linux is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "KEYMARBLE is a Trojan that has reportedly been used by the North Korean government.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BUBBLEWRAP is a full-featured, second-stage backdoor used by the admin@338 group. It is set to run w", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HAWKBALL is a backdoor that was observed in targeting of the government sector in Central Asia.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TAMECAT is a malware that is used by APT42 to execute PowerShell or C# content.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PS1 is a loader that was used to deploy 64-bit backdoors in the CostaRicto campaign.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Ursnif is a banking trojan and variant of the Gozi malware observed being spread through various aut", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CASTLETAP is an ICMP port knocking backdoor that has been installed on compromised FortiGate firewal", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ThreatNeedle is a backdoor that has been used by Lazarus Group since at least 2019 to target cryptoc", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RansomHub is a ransomware-as-a-service (RaaS) offering with Windows, ESXi, Linux, and FreeBSD versio", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ZLib is a full-featured backdoor that was used as a second-stage implant during Operation Dust Storm", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon t", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Miner-C is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "POWERSOURCE is a PowerShell backdoor that is a heavily obfuscated and modified version of the public", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LITTLELAMB.WOOLTEA is a backdoor that was used by UNC5325 during Cutting Edge to deploy malware on t", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Felismus is a modular backdoor that has been used by Sowbug.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Zeus Panda is a Trojan designed to steal banking information and other sensitive credentials for exf", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "GeminiDuke is malware that was used by APT29 from 2009 to 2012.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Havoc is an open-source post-exploitation command and control (C2) framework first released on GitHu", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CARROTBAT is a customized dropper that has been in use since at least 2017. CARROTBAT has been used ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Matryoshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. I", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from sytems th", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "GravityRAT is a remote access tool (RAT) and has been in ongoing development since 2016. The actor b", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "WEBC2 is a family of backdoor malware used by APT1 as early as July 2006. WEBC2 backdoors are design", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Prestige ransomware has been used by Sandworm Team since at least March 2022, including against tran", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "InvisibleFerret is a modular python malware that is leveraged for data exfiltration and remote acces", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Bankshot is a remote access tool (RAT) that was first reported by the Department of Homeland Securit", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SharpDisco is a dropper developed in C# that has been used by MoustachedBouncer since at least 2020 ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "StrongPity is an information stealing malware used by PROMETHIUM.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HAPPYWORK is a downloader used by APT37 to target South Korean government and financial victims in N", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "xCaon is an HTTP variant of the BoxCaon malware family that has used by IndigoZebra since at least 2", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PLAINTEE is a malware sample that has been used by Rancor in targeted attacks in Singapore and Cambo", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Pony is a credential stealing malware, though has also been used among adversaries for its downloade", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "WinMM is a full-featured, simple backdoor used by Naikon.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Nebulae Is a backdoor that has been used by Naikon since at least 2020.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Janicab is an OS X trojan that relied on a valid developer ID and oblivious users to install it.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "AuditCred is a malicious DLL that has been used by Lazarus Group during their 2018 attacks.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted at", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TONESHELL is a custom backdoor that has been used since at least Q1 2021. TONESHELL malware has pr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "UPSTYLE is a Python-based backdoor associated with exploitation of Palo Alto firewalls using CVE-202", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Kasidet is a backdoor that has been dropped by using malicious VBA macros.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Hannotog is a type of backdoor malware uniquely assoicated with Lotus Blossom operations since at le", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "OceanSalt is a Trojan that was used in a campaign targeting victims in South Korea, United States, a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Playcrypt is a ransomware that has been used by Play since at least 2022 in attacks against against ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Brave Prince is a Korean-language implant that was first observed in the wild in December 2017. It c", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Medusa Ransomware has been utilized in attacks since at least 2021. Medusa Ransomware has been known", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RainyDay is a backdoor tool that has been used by Naikon since at least 2020.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Ecipekac is a multi-layer loader that has been used by menuPass since at least 2019 including use as", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "AppleSeed is a backdoor that has been used by Kimsuky to target South Korean government, academic, a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BUSHWALK is a web shell written in Perl that was inserted into the legitimate querymanifest.cgi file", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "macOS.OSAMiner is a Monero mining trojan that was first observed in 2018; security researchers asses", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LOWBALL is malware used by admin@338. It was used in August 2015 in email messages targeting Hong Ko", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used b", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TinyTurla is a backdoor that has been used by Turla against targets in the US, Germany, and Afghanis", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PyDCrypt is malware written in Python designed to deliver DCSrv. It has been used by Moses Staff sin", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "J-magic is a custom variant of the cd00r backdoor tailored to target Juniper routers that was first ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PowerExchange is a PowerShell backdoor that has been used by OilRig since at least 2023 including ag", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BOOKWORM is a modular trojan known to be leveraged by Mustang Panda and was first observed utilized ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HyperStack is a RPC-based backdoor used by Turla since at least 2018. HyperStack has similarities to", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "iKitten is a macOS exfiltration agent .", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HAMMERTOSS is a backdoor that was used by APT29 in 2015.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "OLDBAIT is a credential harvester used by APT28.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Bad Rabbit is a self-propagating ransomware that affected the Ukrainian transportation sector in 201", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CosmicDuke is malware that was used by APT29 from 2010 to 2015.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPa", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "EnvyScout is a dropper that has been used by APT29 since at least 2021.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SslMM is a full-featured backdoor used by Naikon that has multiple variants.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "STATICPLUGIN is a downloader known to be leveraged by Mustang Panda and was first observed utilized ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "IMAPLoader is a .NET-based loader malware exclusively associated with CURIUM operations since at lea", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "GreyEnergy is a backdoor written in C and compiled in Visual Studio. GreyEnergy shares similarities ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Gomir is a Linux backdoor variant of the Go-based malware GoBear, uniquely assoicated with Kimsuky o", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Aria-body is a custom backdoor that has been used by Naikon since approximately 2017.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Emotet is a modular malware variant which is primarily used as a downloader for other malware varian", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SNUGRIDE is a backdoor that has been used by menuPass as first stage malware.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Olympic Destroyer is malware that was used by Sandworm Team against the 2018 Winter Olympics, held i", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BOLDMOVE is a type of backdoor malware written in C linked to People\u2019s Republic of China operations ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Crimson is a remote access Trojan that has been used by Transparent Tribe since at least 2016.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Tomiris is a backdoor written in Go that continuously queries its C2 server for executables to downl", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TEARDROP is a memory-only dropper that was discovered on some victim machines during investigations ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DUSTTRAP is a multi-stage plugin framework associated with APT41 operations with multiple components", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Turian is a backdoor that has been used by BackdoorDiplomacy to target Ministries of Foreign Affairs", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "THINCRUST is a Python-based backdoor tool that has been used by UNC3886 since at least 2023.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BADHATCH is a backdoor that has been utilized by FIN8 since at least 2019. BADHATCH has been used to", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Machete is a cyber espionage toolset used by Machete. It is a Python-based backdoor targeting Window", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PowerLess is a PowerShell-based modular backdoor that has been used by Magic Hound since at least 20", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Action RAT is a remote access tool written in Delphi that has been used by SideCopy since at least ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Avenger is a downloader that has been used by BRONZE BUTLER since at least 2019.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DUSTPAN is an in-memory dropper written in C/C++ used by APT41 since 2021 that decrypts and executes", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PUBLOAD is a stager malware that has been observed installing itself in existing directories such as", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Gootloader is a Javascript-based infection framework that has been used since at least 2020 as a del", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PingPull is a remote access Trojan (RAT) written in Visual C++ that has been used by GALLIUM since a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "WellMess is lightweight malware family with variants written in .NET and Golang that has been in use", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Dacls is a multi-platform remote access tool used by Lazarus Group since at least December 2019.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DropBook is a Python-based backdoor compiled with PyInstaller.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Woody RAT is a remote access trojan (RAT) that has been used since at least August 2021 against Russ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Mafalda is a flexible interactive implant that has been used by Metador. Security researchers assess", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "KARAE is a backdoor typically used by APT37 as first-stage malware.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Squirrelwaffle is a loader that was first seen in September 2021. It has been used in spam email cam", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ELMER is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by APT16.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CANONSTAGER is a loader known to be leveraged by Mustang Panda and was first observed utilized in 20", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PolyglotDuke is a downloader that has been used by APT29 since at least 2013. PolyglotDuke has been ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HexEval Loader is a hex-encoded loader that collects host data, decodes follow-on scripts and acts a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "A Linux rootkit that provides backdoor access and hides from defenders.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "AuTo Stealer is malware written in C++ has been used by SideCopy since at least December 2021 to tar", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ShrinkLocker is a VBS-based malicious script that leverages the legitimate Bitlocker application to ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Agent.btz is a worm that primarily spreads itself via removable devices such as USB drives. It repor", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SLOWDRIFT is a backdoor used by APT37 against academic and strategic victims in South Korea.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SHUTTERSPEED is a backdoor used by APT37.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SombRAT is a modular backdoor written in C++ that has been used since at least 2019 to download and ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ODAgent is a C#/.NET downloader that has been used by OilRig since at least 2022 including against t", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BlackByte 2.0 Ransomware is a replacement for BlackByte Ransomware. Unlike BlackByte Ransomware, Bla", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FlawedGrace is a fully featured remote access tool (RAT) written in C++ that was first observed in l", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FLASHFLOOD is malware developed by APT30 that allows propagation and exfiltration of data over remov", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FlawedAmmyy is a remote access tool (RAT) that was first seen in early 2016. The code for FlawedAmmy", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Snip3 is a sophisticated crypter-as-a-service that has been used since at least 2021 to obfuscate an", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FYAnti is a loader that has been used by menuPass since at least 2020, including to deploy QuasarRAT", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Rifdoor is a remote access trojan (RAT) that shares numerous code similarities with HotCroissant.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SUGARUSH is a small custom backdoor that can establish a reverse shell over TCP to a hard coded C2 a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LoFiSe has been used by ToddyCat since at least 2023 to identify and collect files of interest on ta", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HOPLIGHT is a backdoor Trojan that has reportedly been used by the North Korean government.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Cuckoo Stealer is a macOS malware with characteristics of spyware and an infostealer that has been i", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "GuLoader is a file downloader that has been used since at least December 2019 to distribute a variet", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MobileOrder is a Trojan intended to compromise Android mobile devices. It has been used by Scarlet M", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "WastedLocker is a ransomware family attributed to Indrik Spider that has been used since at least Ma", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RegDuke is a first stage implant written in .NET and used by APT29 since at least 2017. RegDuke has ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ProLock is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at leas", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Moneybird is a ransomware variant written in C++ associated with Agrius operations. The name \"Moneyb", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "InvisiMole is a modular spyware program that has been used by the InvisiMole Group since at least 20", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CLAIMLOADER is a malware variant that frequently accompanies legitimate executables that are used fo", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "P.A.S. Webshell is a publicly available multifunctional PHP webshell in use since at least 2016 that", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "QUIETEXIT is a novel backdoor, based on the open-source Dropbear SSH client-server software, that ha", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Naid is a trojan used by Elderwood to open a backdoor on compromised hosts.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Apostle is malware that has functioned as both a wiper and, in more recent versions, as ransomware. ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Volgmer is a backdoor Trojan designed to provide covert access to a compromised system. It has been ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "WINERACK is a backdoor used by APT37.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "WhisperGate is a multi-stage wiper designed to look like ransomware that has been used against multi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FruitFly is designed to spy on mac users .", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ZeroT is a Trojan used by TA459, often in conjunction with PlugX.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "This piece of malware steals the content of the user's keychain while maintaining a permanent backdo", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "AcidPour is a variant of AcidRain designed to impact a wider range of x86 architecture Linux devices", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RDAT is a backdoor used by the suspected Iranian threat group OilRig. RDAT was originally identified", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Hacking Team UEFI Rootkit is a rootkit developed by the company Hacking Team as a method of persiste", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Skidmap is a kernel-mode rootkit used for cryptocurrency mining.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Okrum is a Windows backdoor that has been seen in use since December 2016 with strong links to Ke3ch", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TRANSLATEXT is malware that is believed to be used by Kimsuky. TRANSLATEXT masqueraded as a Google T", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Regin is a malware platform that has targeted victims in a range of industries, including telecom, g", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Bonadan is a malicious version of OpenSSH which acts as a custom backdoor. Bonadan has been active s", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Line Dancer is a memory-only Lua-based shellcode loader associated with the ArcaneDoor campaign. Lin", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SamSam is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Neoichor is C2 malware used by Ke3chang since at least 2019; similar malware families used by the gr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been d", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Raspberry Robin is initial access malware first identified in September 2021, and active through ear", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Mispadu is a banking trojan written in Delphi that was first observed in 2019 and uses a Malware-as-", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RemoteCMD is a custom tool used by APT3 to execute commands on a remote system similar to SysInterna", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Megazord is a Rust-based variant of Akira ransomware that has been in use since at least August 2023", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Diavol is a ransomware variant first observed in June 2021 that is capable of prioritizing file type", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "REPTILE is an open-source Linux rootkit with multiple components that provides backdoor access and f", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Raindrop is a loader used by APT29 that was discovered on some victim machines during investigations", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Doki is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first obser", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TEXTMATE is a second-stage PowerShell backdoor that is memory-resident. It was observed being used a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Siloscape is malware that targets Kubernetes clusters through Windows containers. Siloscape was firs", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BlackCat is ransomware written in Rust that has been offered via the Ransomware-as-a-Service (RaaS) ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Fysbis is a Linux-based backdoor used by APT28 that dates back to at least 2014.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "IcedID is a modular banking malware designed to steal financial information that has been observed i", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "VERMIN is a remote access tool written in the Microsoft .NET framework. It is mostly composed of ori", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "UBoatRAT is a remote access tool that was identified in May 2017.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Nightdoor is a backdoor exclusively associated with Daggerfly operations. Nightdoor uses common libr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MarkiRAT is a remote access Trojan (RAT) compiled with Visual Studio that has been used by Ferocious", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PowerShower is a PowerShell backdoor used by Inception for initial reconnaissance and to download an", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Kazuar is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framewor", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NavRAT is a remote access tool designed to upload, download, and execute files. It has been observed", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DarkComet is a Windows remote administration tool and backdoor.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NETEAGLE is a backdoor developed by APT30 with compile dates as early as 2008. It has two main varia", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "POORAIM is a backdoor used by APT37 in campaigns since at least 2014.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HUI Loader is a custom DLL loader that has been used since at least 2015 by China-based threat group", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CHIMNEYSWEEP is a backdoor malware that was deployed during HomeLand Justice along with ROADSWEEP ra", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Ragnar Locker is a ransomware that has been in use since at least December 2019.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FatDuke is a backdoor used by APT29 since at least 2016.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Lucifer is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread later", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BlackEnergy is a malware toolkit that has been used by both criminal and APT actors. It dates back t", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Zeroaccess is a kernel-mode Rootkit that attempts to add victims to the ZeroAccess botnet, often for", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "GLASSTOKEN is a custom web shell used by threat actors during Cutting Edge to execute commands on co", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Thoug", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DRATzarus is a remote access tool (RAT) that has been used by Lazarus Group to target the defense an", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BOOSTWRITE is a loader crafted to be launched via abuse of the DLL search order of applications used", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Rising Sun is a modular backdoor that was used extensively in Operation Sharpshooter between 2017 an", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool vers", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017. ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ShimRat has been used by the suspected China-based adversary Mofang in campaigns targeting multiple ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Chrommme is a backdoor tool written using the Microsoft Foundation Class (MFC) framework that was fi", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BADFLICK is a backdoor used by Leviathan in spearphishing campaigns first reported in 2018 that targ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ObliqueRAT is a remote access trojan, similar to Crimson, that has been in use by Transparent Tribe ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SHOTPUT is a custom backdoor used by APT3.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Avaddon is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Conficker is a computer worm first detected in October 2008 that targeted Microsoft Windows using th", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SocGholish is a JavaScript-based loader malware that has been used since at least 2017. It has been ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Flagpro is a Windows-based, first-stage downloader that has been used by BlackTech since at least Oc", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a ca", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SpicyOmelette is a JavaScript based remote access tool that has been used by Cobalt Group since at l", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "XAgentOSX is a trojan that has been used by APT28 on OS X and appears to be a port of their standar", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Green Lambert is a modular backdoor that security researchers assess has been used by an advanced th", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "China Chopper is a Web Shell hosted on Web servers to provide access back into an enterprise network", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SnappyTCP is a web shell used by Sea Turtle between 2021 and 2023 against multiple victims. SnappyTC", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CALENDAR is malware used by APT1 that mimics legitimate Gmail Calendar traffic.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LockerGoga is ransomware that was first reported in January 2019, and has been tied to various attac", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Chaos is Linux malware that compromises systems by brute force attacks against SSH services. Once in", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ISMInjector is a Trojan used to install another OilRig backdoor, ISMAgent.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PUNCHBUGGY is a backdoor malware used by FIN8 that has been observed targeting POS networks in the h", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "GoldMax is a second-stage C2 backdoor written in Go with Windows and Linux variants that are nearly ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HELLOKITTY is a ransomware written in C++ that shares similar code structure and functionality with", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CostaBricks is a loader that was used to deploy 32-bit backdoors in the CostaRicto campaign.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Cheerscrypt is a ransomware that was developed by Cinnamon Tempest and has been used in attacks agai", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LIGHTWIRE is a web shell written in Perl that was used during Cutting Edge to maintain access and en", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "KeyBoy is malware that has been used in targeted campaigns against members of the Tibetan Parliament", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to be used as a se", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MiniDuke is malware that was used by APT29 from 2010 to 2015. The MiniDuke toolset consists of multi", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HyperBro is a custom in-memory backdoor used by Threat Group-3390.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Anchor is one of a family of backdoor malware that has been used in conjunction with TrickBot on sel", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Line Runner is a persistent backdoor and web shell allowing threat actors to upload and execute arbi", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Pteranodon is a custom backdoor used by Gamaredon Group.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DarkTortilla is a highly configurable .NET-based crypter that has been possibly active since at leas", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BeaverTail is a malware that has both a JavaScript and C++ variant. Active since 2022, BeaverTail i", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ROKRAT is a cloud-based remote access tool (RAT) used by APT37 to target victims in South Korea. APT", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CORESHELL is a downloader used by APT28. The older versions of this malware are known as SOURFACE an", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RunningRAT is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Wint", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligenc", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SplatDropper is a loader that utilizes native windows API to deliver its payload to the victim envir", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Babuk is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operat", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Exbyte is an exfiltration tool written in Go that is uniquely associated with BlackByte operations. ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DarkWatchman is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations;", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Dyre is a banking Trojan that has been used for financial gain.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BlackMould is a web shell based on China Chopper for servers running Microsoft IIS. First reported i", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Javali is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, p", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PACEMAKER is a credential stealer that was used by APT5 as early as 2020 including activity against ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LunarLoader is the loader component for the LunarWeb and LunarMail backdoors that has been used by T", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BBSRAT is malware with remote access tool functionality that has been used in targeted compromises.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PlugX is a remote access tool (RAT) with modular plugins that has been used by multiple threat group", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates v", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Bisonal is a remote access tool (RAT) that has been used by Tonto Team against public and private se", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MultiLayer Wiper is wiper malware written in .NET associated with Agrius operations. Observed sample", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "S-Type is a backdoor that was used in Operation Dust Storm since at least 2013.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Lumma Stealer is an information stealer malware family in use since at least 2022. Lumma Stealer is ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SeaDuke is malware that was used by APT29 from 2014 to 2015. It was used primarily as a secondary ba", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BS2005 is malware that was used by Ke3chang in spearphishing campaigns since at least 2011.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DustySky is multi-stage malware written in .NET that has been used by Molerats since May 2015.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Duqu is a malware platform that uses a modular approach to extend functionality after deployment wit", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Truvasys is first-stage malware that has been used by PROMETHIUM. It is a collection of modules writ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Remsec is a modular backdoor that has been used by Strider and appears to have been designed primari", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Industroyer2 is a compiled and static piece of malware that has the ability to communicate over the ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Sykipot is malware that has been used in spearphishing campaigns since approximately 2007 against vi", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Explosive is a custom-made remote access tool used by the group Volatile Cedar. It was first identif", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Xbash is a malware family that has targeted Linux and Microsoft Windows servers. The malware has bee", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Rover is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted e", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Epic is a backdoor that has been used by Turla.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Peppy is a Python-based remote access Trojan, active since at least 2012, with similarities to Crims", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "KEYPLUG is a modular backdoor written in C++, with Windows and Linux variants, that has been used by", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Cuba is a Windows-based ransomware family that has been used against financial institutions, technol", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential ove", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at leas", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Akira ransomware, written in C++, is most prominently (but not exclusively) associated with the rans", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Mongall is a backdoor that has been used since at least 2013, including by Aoqin Dragon.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LockBit 3.0 is an evolution of the LockBit Ransomware-as-a-Service (RaaS) offering with similarities", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SVCReady is a loader that has been used since at least April 2022 in malicious spam campaigns. Secur", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ThiefQuest is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS sy", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FoggyWeb is a passive and highly-targeted backdoor capable of remotely exfiltrating sensitive inform", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NGLite is a backdoor Trojan that is only capable of running commands received through its C2 channel", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is inte", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "XTunnel a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It wa", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operatio", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SHARPSTATS is a .NET backdoor used by MuddyWater since at least 2019.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Ferocious is a first stage implant composed of VBS and PowerShell scripts that has been used by WIRT", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HOMEFRY is a 64-bit Windows password dumper/cracker that has previously been used in conjunction wit", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CreepyDrive is a custom implant has been used by POLONIUM since at least early 2022 for C2 with and ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Netwalker is fileless ransomware written in PowerShell and executed directly in memory.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Elise is a custom backdoor Trojan that appears to be used exclusively by Lotus Blossom. It is part o", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "USBferry is an information stealing malware and has been used by Tropic Trooper in targeted attacks ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more t", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Gazer is a backdoor used by Turla since at least 2016.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TSCookie is a remote access tool (RAT) that has been used by BlackTech in campaigns against Japanese", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Latrodectus is a Windows malware downloader that has been used since at least 2023 to download and e", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Saint Bot is a .NET downloader that has been used by Saint Bear since at least March 2021.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Pay2Key is a ransomware written in C++ that has been used by Fox Kitten since at least July 2020 inc", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Chaes is a multistage information stealer written in several programming languages that collects log", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Briba is a trojan used by Elderwood to open a backdoor and download files on to compromised hosts.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CharmPower is a PowerShell-based, modular backdoor that has been used by Magic Hound since at least ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TYPEFRAME is a remote access tool that has been used by Lazarus Group.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "3PARA RAT is a remote access tool (RAT) programmed in C++ that has been used by Putter Panda.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Bundlore is adware written for macOS that has been in use since at least 2015. Though categorized as", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "P8RAT is a fileless malware used by menuPass to download and execute payloads since at least 2020.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "VIRTUALPIE is a lightweight backdoor written in Python that spawns an IPv6 listener on a VMware ESXi", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "EVILNUM is fully capable backdoor that was first identified in 2018. EVILNUM is used by the APT grou", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry manage", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SMOKEDHAM is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Mori is a backdoor that has been used by MuddyWater since at least January 2022.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "QUADAGENT is a PowerShell backdoor used by OilRig.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Sagerunex is a malware family exclusively associated with Lotus Blossom operations, with variants ex", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TAINTEDSCRIBE is a fully-featured beaconing implant integrated with command modules used by Lazarus ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Sys10 is a backdoor that was used throughout 2013 by Naikon.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "pngdowner is malware used by Putter Panda. It is a simple tool with limited functionality and no per", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Royal is ransomware that first appeared in early 2022; a version that also targets ESXi servers was", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BendyBear is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Rus", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Metamorfo is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Spica is a custom backdoor written in Rust that has been used by Star Blizzard since at least 2023.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Embargo is a ransomware variant written in Rust that has been active since at least May 2024. Embar", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Trojan.Karagany is a modular remote access tool used for recon and linked to Dragonfly. The source c", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Bandook is a commercially available RAT, written in Delphi and C++, that has been available since at", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PipeMon is a multi-stage modular backdoor used by Winnti Group.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SYNful Knock is a stealthy modification of the operating system of network devices that can be used ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MagicRAT is a remote access tool developed in C++ and exclusively used by the Lazarus Group threat a", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "KONNI is a remote access tool that security researchers assess has been used by North Korean cyber a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its pr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Winnti for Linux is a trojan, seen since at least 2015, designed specifically for targeting Linux sy", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RAPIDPULSE is a web shell that exists as a modification to a legitimate Pulse Secure file that has b", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "gh0st RAT is a remote access tool (RAT). The source code is public and it has been used by multiple ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Shamoon is wiper malware that was first used by an Iranian group known as the \"Cutting Sword of Just", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Skeleton Key is malware used to inject false credentials into domain controllers with the intent of ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DnsSystem is a .NET based DNS backdoor, which is a customized version of the open source tool DIG.ne", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MoleNet is a downloader tool with backdoor capabilities that has been observed in use since at least", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CORALDECK is an exfiltration tool used by APT37.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "JHUHUGIT is malware used by APT28. It is based on Carberp source code and serves as reconnaissance m", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SPACESHIP is malware developed by APT30 that allows propagation and exfiltration of data over remova", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BLUELIGHT is a remote access Trojan used by APT37 that was first observed in early 2021.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "KGH_SPY is a modular suite of tools used by Kimsuky for reconnaissance, information stealing, and ba", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "down_new is a downloader that has been used by BRONZE BUTLER since at least 2019.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Ixeshe is a malware family that has been used since at least 2009 against targets in East Asia.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Micropsia is a remote access tool written in Delphi.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Kerrdown is a custom downloader that has been used by APT32 since at least 2018 to install spyware f", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RedLine Stealer is an information-stealer malware variant first identified in 2020. RedLine Stealer", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BPFDoor is a Linux based passive long-term backdoor used by China-based threat actors. First seen in", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Black Basta is ransomware written in C++ that has been offered within the ransomware-as-a-service (R", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ZeroCleare is a wiper malware that has been used in conjunction with the RawDisk driver since at lea", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Catchamas is a Windows Trojan that steals information from compromised systems.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "StoneDrill is wiper malware discovered in destructive campaigns against both Middle Eastern and Euro", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "OopsIE is a Trojan used by OilRig to remotely execute commands as well as upload/download files to/f", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "4H RAT is malware that has been used by Putter Panda since at least 2007.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RogueRobin is a payload used by DarkHydrus that has been developed in PowerShell and C#.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadab", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DealersChoice is a Flash exploitation framework used by APT28.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SQLRat is malware that executes SQL scripts to avoid leaving traditional host artifacts. FIN7 has be", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LitePower is a downloader and second stage malware that has been used by WIRTE since at least 2021.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MegaCortex is ransomware that first appeared in May 2019. MegaCortex has mainly targeted industrial", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "StreamEx is a malware family that has been used by Deep Panda since at least 2015. In 2016, it was d", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NightClub is a modular implant written in C++ that has been used by MoustachedBouncer since at least", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Crutch is a backdoor designed for document theft that has been used by Turla since at least 2015.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Akira _v2 is a Rust-based variant of Akira ransomware that has been in use since at least 2024. Akir", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SDBbot is a backdoor with installer and loader components that has been used by TA505 since at least", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Mosquito is a Win32 backdoor that has been used by Turla. Mosquito is made up of three parts: the in", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). Newer versi", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "QUIETCANARY is a backdoor tool written in .NET that has been used since at least 2022 to gather and ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Derusbi is malware used by multiple Chinese APT groups. Both Windows and Linux variants have been ob", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BlackByte Ransomware is uniquely associated with BlackByte operations. BlackByte Ransomware used a c", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SodaMaster is a fileless malware used by menuPass to download and execute payloads since at least 20", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the i", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "StrelaStealer is an information stealer malware variant first identified in November 2022 and active", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Grandoreiro is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "WellMail is a lightweight malware written in Golang used by APT29, similar in design and structure t", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LiteDuke is a third stage backdoor that was used by APT29, primarily in 2014-2015. LiteDuke used the", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Starloader is a loader component that has been observed loading Felismus and associated tools.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Sakula is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions througho", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "VaporRage is a shellcode downloader that has been used by APT29 since at least 2021.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RawPOS is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Sibot is dual-purpose malware written in VBScript designed to achieve persistence on a compromised s", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ZxxZ is a trojan written in Visual C++ that has been used by BITTER since at least August 2021, incl", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Tarrask is malware that has been used by HAFNIUM since at least August 2021. Tarrask was designed to", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "GoBear is a Go-based backdoor that abuses legitimate, stolen certificates for defense evasion purpos", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "WINDSHIELD is a signature backdoor used by APT32.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Drovorub is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Shark is a backdoor malware written in C# and .NET that is an updated version of Milan; it has been ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Bazar is a downloader and backdoor that has been used since at least April 2020, with infections pri", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PULSECHECK is a web shell written in Perl that was used by APT5 as early as 2020 including against P", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Kobalos is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. Kobalos h", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BadPatch is a Windows Trojan that was used in a Gaza Hackers-linked campaign.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MESSAGETAP is a data mining malware family deployed by APT41 into telecommunications networks to mon", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks target", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SUGARDUMP is a proprietary browser credential harvesting tool that was used by UNC3890 during the C0", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "XLoader is an infostealer malware in use since at least 2016. Previously known and sometimes still r", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SOUNDBITE is a signature backdoor used by APT32.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "hcdLoader is a remote access tool (RAT) that has been used by APT18.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Nidiran is a custom backdoor developed and used by Suckfly. It has been delivered via strategic web ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CorKLOG is a keylogger known to be leveraged by Mustang Panda and was first observed utilized in 202", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Ryuk is a ransomware designed to target enterprise environments that has been used in attacks since ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Cryptoistic is a backdoor, written in Swift, that has been used by Lazarus Group.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HermeticWiper is a data wiper that has been used since at least early 2022, primarily against Ukrain", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ABK is a downloader that has been used by BRONZE BUTLER since at least 2019.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Pysa is a ransomware that was first used in October 2018 and has been seen to target particularly hi", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Wiper is a family of destructive malware used in March 2013 during breaches of South Korean banks an", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Final1stspy is a dropper family that has been used to deliver DOGCALL.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MgBot is a modular malware framework exclusively associated with Daggerfly operations since at least", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ccf32 is data collection malware that has been used since at least February 2019, most notably durin", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Kapeka is a backdoor written in C++ used against victims in Eastern Europe since at least mid-2022. ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LockBit 2.0 is an affiliate-based Ransomware-as-a-Service (RaaS) that has been in use since at least", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "OilCheck is a C#/.NET downloader that has been used by OilRig since at least 2022 including against ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Zebrocy is a Trojan that has been used by APT28 since at least November 2015. The malware comes in s", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Pandora is a multistage kernel rootkit with backdoor functionality that has been in use by Threat Gr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FinFisher is a government-grade commercial surveillance spyware reportedly sold exclusively to gover", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SpeakUp is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in Janua", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LunarMail is a backdoor that has been used by Turla since at least 2020 including in a compromise of", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "WARPWIRE is a Javascript credential stealer that targets plaintext passwords and usernames for exfil", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CrossRAT is a cross platform RAT.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Cadelspy is a backdoor that has been used by APT39.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as \u201cadversary sim", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SampleCheck5000 is a downloader with multiple variants that was used by OilRig including during the ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SUNBURST is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "EvilBunny is a C++ malware sample observed since 2011 that was designed to be a execution platform f", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Wingbird is a backdoor that appears to be a version of commercial software FinFisher. It is reported", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Cobian RAT is a backdoor, remote access tool that has been observed since 2016.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HotCroissant is a remote access trojan (RAT) attributed by U.S. government entities to malicious Nor", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ServHelper is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typic", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "JCry is ransomware written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by t", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "REvil is a ransomware family that has been linked to the GOLD SOUTHFIELD group and operated as ranso", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RIPTIDE is a proxy-aware backdoor used by APT12.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Valak is a multi-stage modular malware that can function as a standalone information stealer or down", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Samurai is a passive backdoor that has been used by ToddyCat since at least 2020. Samurai allows arb", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PinchDuke is malware that was used by APT29 from 2008 to 2010.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Milan is a backdoor implant based on DanBot that was written in Visual C++ and .NET. Milan has been ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "USBStealer is malware that has been used by APT28 since at least 2005 to extract information from ai", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "OSX_OCEANLOTUS.D is a macOS backdoor used by APT32. First discovered in 2015, APT32 has continued to", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "OilBooster is a downloader written in Microsoft Visual C/C++ that has been used by OilRig since at l", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CCBkdr is malware that was injected into a signed version of CCleaner and distributed from CCleaner'", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "OnionDuke is malware that was used by APT29 from 2013 to 2015.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Taidoor is a remote access trojan (RAT) that has been used by Chinese government cyber actors to mai", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Cherry Picker is a point of sale (PoS) memory scraper.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SUPERNOVA is an in-memory web shell written in .NET C#. It was discovered in November 2020 during th", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "P2P ZeuS is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Kivars is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by BlackTe", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CaddyWiper is a destructive data wiper that has been used in attacks against organizations in Ukrain", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Cyclops Blink is a modular malware that has been used in widespread campaigns by Sandworm Team since", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PoisonIvy is a popular remote access tool (RAT) that has been used by many groups.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Seasalt is malware that has been linked to APT1's 2010 operations. It shares some code similarities ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NativeZone is the name given collectively to disposable custom Cobalt Strike loaders used by APT29 s", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NanoCore is a modular remote access tool developed in .NET that can be used to spy on victims and st", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TajMahal is a multifunctional spying framework that has been in use since at least 2014. TajMahal is", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PLEAD is a remote access tool (RAT) and downloader used by BlackTech in targeted attacks in East Asi", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Raccoon Stealer is an information stealer malware family active since at least 2019 as a malware-as-", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "IPsec Helper is a post-exploitation remote access tool linked to Agrius operations. This malware sha", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Daserf is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Si", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "GoldFinder is a custom HTTP tracer tool written in Go that logs the route a packet takes between a c", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Carbon is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive i", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LoJax is a UEFI rootkit used by APT28 to persist remote access software on targeted systems.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Cardinal RAT is a potentially low volume remote access trojan (RAT) observed since December 2015. Ca", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DanBot is a first-stage remote access Trojan written in C# that has been used by HEXANE since at lea", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BISCUIT is a backdoor that has been used by APT1 since as early as 2007.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Calisto is a macOS Trojan that opens a backdoor on the compromised machine. Calisto is believed to h", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Solar is a C#/.NET backdoor that was used by OilRig during the Outer Space campaign to download, exe", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Pisloader is a malware family that is notable due to its use of DNS as a C2 protocol as well as its ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "GoldenSpy is a backdoor malware which has been packaged with legitimate tax preparation software. Go", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Gold Dragon is a Korean-language, data gathering implant that was first observed in the wild in Sout", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RGDoor is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. RG", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Ramsay is an information stealing malware framework designed to collect and exfiltrate sensitive doc", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Neo-reGeorg is an open-source web shell designed as a restructuring of reGeorg with improved usabili", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FakeM is a shellcode-based Windows backdoor that has been used by Scarlet Mimic.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Carberp is a credential and information stealing malware that has been active since at least 2009. C", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FRAMESTING is a Python web shell that was used during Cutting Edge to embed into an Ivanti Connect S", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HARDRAIN is a Trojan malware variant reportedly used by the North Korean government.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NKAbuse is a Go-based, multi-platform malware abusing NKN (New Kind of Network) technology for data ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Pillowmint is a point-of-sale malware used by FIN7 designed to capture credit card information.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TrailBlazer is a modular malware that has been used by APT29 since at least 2019.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Revenge RAT is a freely available remote access tool written in .NET (C#).", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MacMa is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FunnyDream is a backdoor with multiple components that was used during the FunnyDream campaign since", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ROADSWEEP is a ransomware that was deployed against Albanian government networks during HomeLand Jus", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SUNSPOT is an implant that injected the SUNBURST backdoor into the SolarWinds Orion software update ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MOPSLED is a shellcode-based modular backdoor that has been used by China-nexus cyber espionage acto", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "More_eggs is a JScript backdoor used by Cobalt Group and FIN6. Its name was given based on the varia", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SysUpdate is a backdoor written in C++ that has been used by Threat Group-3390 since at least 2020.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TinyZBot is a bot written in C# that was developed by Cleaver.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that h", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PowGoop is a loader that consists of a DLL loader and a PowerShell-based downloader; it has been use", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Kwampirs is a backdoor Trojan used by Orangeworm. Kwampirs has been found on machines which had soft", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Nerex is a Trojan used by Elderwood to open a backdoor on compromised hosts.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BoomBox is a downloader responsible for executing next stage components that has been used by APT29 ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has varia", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PUNCHTRACK is non-persistent point of sale (POS) system malware utilized by FIN8 to scrape payment c", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Proton is a macOS backdoor focusing on data theft and credential access .", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Trojan.Mebromi is BIOS-level malware that takes control of the victim before MBR.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Mango is a first-stage backdoor written in C#/.NET that was used by OilRig during the Juicy Mix camp", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "InnaputRAT is a remote access tool that can exfiltrate files from a victim\u2019s machine. InnaputRAT has", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "WIREFIRE is a web shell written in Python that exists as trojanized logic to the visits.py component", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Kessel is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal cre", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LookBack is a remote access trojan written in C++ that was used against at least three US utility co", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "STEADYPULSE is a web shell that infects targeted Pulse Secure VPN servers through modification of a ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Clop is a ransomware family that was first observed in February 2019 and has been used against retai", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NetTraveler is malware that has been used in multiple cyber espionage campaigns for basic surveillan", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "YAHOYAH is a Trojan used by Tropic Trooper as a second-stage backdoor.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Lokibot is a widely distributed information stealer that was first reported in 2015. It is designed ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CallMe is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tin", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ROCKBOOT is a Bootkit that has been used by an unidentified, suspected China-based group.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CloudDuke is malware that was used by APT29 in 2015.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Egregor is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Research", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PoetRAT is a remote access trojan (RAT) that was first identified in April 2020. PoetRAT has been us", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CHOPSTICK is a malware family of modular backdoors used by APT28. It has been used since at least 20", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "StealBit is a data exfiltration tool that is developed and maintained by the operators of the the Lo", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FELIXROOT is a backdoor that has been used to target Ukrainian victims.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, parti", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RIFLESPINE is a cross-platform backdoor that leverages Google Drive for file transfer and command ex", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SLIGHTPULSE is a web shell that was used by APT5 as early as 2020 including against Pulse Secure VPN", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NDiskMonitor is a custom backdoor written in .NET that appears to be unique to Patchwork.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CoinTicker is a malicious application that poses as a cryptocurrency price ticker and installs compo", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DDKONG is a malware sample that was part of a campaign by Rancor. DDKONG was first seen used in Febr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Penquin is a remote access trojan (RAT) with multiple versions used by Turla to target Linux systems", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "build_downer is a downloader that has been used by BRONZE BUTLER since at least 2019.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Melcoz is a banking trojan family built from the open source tool Remote Access PC. Melcoz was first", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Winnti for Windows is a modular remote access Trojan (RAT) that has been used likely by multiple gro", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PowerPunch is a lightweight downloader that has been used by Gamaredon Group since at least 2021.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BONDUPDATER is a PowerShell backdoor used by OilRig. It was first observed in November 2017 during t", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Troll Stealer is an information stealer written in Go associated with Kimsuky operations. Troll Stea", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BLACKCOFFEE is malware that has been used by several Chinese groups since at least 2013.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BFG Agonizer is a wiper related to the open-source project CRYLINE-v.5.0. The malware is associated ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Ebury is an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts deve", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Kinsing is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to ot", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PITSTOP is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during Cutting Edg", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Meteor is a wiper that was used against Iranian government organizations, including Iranian Railways", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat acto", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ZIPLINE is a passive backdoor that was used during Cutting Edge on compromised Secure Connect VPNs f", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Maze ransomware, previously known as \"ChaCha\", was discovered in May 2019. In addition to encrypting", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BOOTRASH is a Bootkit that targets Windows operating systems. It has been used by threat actors that", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HIUPAN (aka U2DiskWatch) is a is a worm that propagates through removable drives known to be leverag", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ComRAT is a second stage implant suspected of being a descendant of Agent.btz and used by Turla. The", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "TURNEDUP is a non-public backdoor. It has been dropped by APT33's StoneDrill malware.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ChChes is a Trojan that appears to be used exclusively by menuPass. It was used to target Japanese o", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PowerStallion is a lightweight PowerShell backdoor used by Turla, possibly as a recovery access tool", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ANDROMEDA is commodity malware that was widespread in the early 2010's and continues to be observed ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Manjusaka is a Chinese-language intrusion framework, similar to Sliver and Cobalt Strike, with an EL", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "IceApple is a modular Internet Information Services (IIS) post-exploitation framework, that has been", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "JPIN is a custom-built backdoor family used by PLATINUM. Evidence suggests developers of JPIN and Di", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "VIRTUALPITA is a passive backdoor with ESXi and Linux vCenter variants capable of command execution,", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "metaMain is a backdoor used by Metador to maintain long-term access to compromised machines; it has ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SideTwist is a C-based backdoor that has been used by OilRig since at least 2021.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "KOCTOPUS's batch variant is loader used by LazyScripter since 2018 to launch Octopus and Koadic and,", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MechaFlounder is a python-based remote access tool (RAT) that has been used by APT39. The payload us", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Psylo is a shellcode-based Trojan that has been used by Scarlet Mimic. It has similar characteristic", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Heyoka Backdoor is a custom backdoor--based on the Heyoka open source exfiltration tool--that has b", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HTTPBrowser is malware that has been used by several threat groups. It is believed to be of Chines", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Mis-Type is a backdoor hybrid that was used in Operation Dust Storm by 2012.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LunarWeb is a backdoor that has been used by Turla since at least 2020 including in a compromise of ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "XCSSET is a modular macOS malware family delivered through infected Xcode projects and executed when", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Disco is a custom implant that has been used by MoustachedBouncer since at least 2020 including in c", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Dipsind is a malware family of backdoors that appear to be used exclusively by PLATINUM.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "KillDisk is a disk-wiping tool designed to overwrite files with random data to render the OS unboota", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Qilin ransomware is a Ransomware-as-a-Service (RaaS) that has been active since at least 2022 with v", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "AppleJeus is a family of downloaders initially discovered in 2018 embedded within trojanized cryptoc", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SoreFang is first stage downloader used by APT29 for exfiltration and to load other malware.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "STARWHALE is Windows Script File (WSF) backdoor that has been used by MuddyWater, possibly since at ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MirageFox is a remote access tool used against Windows systems. It appears to be an upgraded version", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Industroyer is a sophisticated malware framework designed to cause an impact to the working processe", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DownPaper is a backdoor Trojan; its main functionality is to download and run second stage malware.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Socksbot is a backdoor that abuses Socket Secure (SOCKS) proxies.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Pcexter is an uploader that has been used by ToddyCat since at least 2023 to exfiltrate stolen files", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HIDEDRV is a rootkit used by APT28. It has been deployed along with Downdelph to execute and hide th", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CozyCar is malware that was used by APT29 from 2010 to 2015. It is a modular malware platform, and i", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Kevin is a backdoor implant written in C++ that has been used by HEXANE since at least June 2020, in", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Pasam is a trojan used by Elderwood to open a backdoor on compromised hosts.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "httpclient is malware used by Putter Panda. It is a simple tool that provides a limited range of fun", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "POWERSTATS is a PowerShell-based first stage backdoor used by MuddyWater.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "POWERTON is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "StarProxy is custom malware used by Mustang Panda as a post-compromise tool, to enable proxying of t", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ECCENTRICBANDWAGON is a remote access Trojan (RAT) used by North Korean cyber actors that was first ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BADNEWS is malware that has been used by the actors responsible for the Patchwork campaign. Its name", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Linfo is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Goopy is a Windows backdoor and Trojan used by APT32 and shares several similarities to another back", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ShadowPad is a modular backdoor that was first identified in a supply chain compromise of the NetSar", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Remexi is a Windows-based Trojan that was developed in the C programming language.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Astaroth is a Trojan and information stealer known to affect companies in Europe, Brazil, and throug", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "QakBot is a modular banking trojan that has been used primarily by financially-motivated actors sinc", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SYSCON is a backdoor that has been in use since at least 2017 and has been associated with campaigns", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CookieMiner is mac-based malware that targets information associated with cryptocurrency exchanges a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Hancitor is a downloader that has been used by Pony and other information stealing malware.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Gelsemium is a modular malware comprised of a dropper (Gelsemine), a loader (Gelsenicine), and main ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "jRAT is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Helminth is a backdoor that has at least two variants - one written in VBScript and PowerShell that ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Dridex is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury e", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BBK is a downloader that has been used by BRONZE BUTLER since at least 2019.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar m", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "OSX/Shlayer is a Trojan designed to install adware on macOS that was first discovered in 2018.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Denis is a Windows backdoor and Trojan used by APT32. Denis shares several similarities to the SOUND", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "INC Ransomware is a ransomware strain that has been used by the INC Ransom group since at least 2023", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "DEADWOOD is wiper malware written in C++ using Boost libraries. DEADWOOD was first observed in an un", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "GLOOXMAIL is malware used by APT1 that mimics legitimate Jabber/XMPP traffic.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Dok is a Trojan application disguised as a .zip file that is able to collect user credentials and in", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SplatCloak is a malware that disables EDR-related routines used by Windows Defender and Kaspersky to", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Waterbear is modular malware attributed to BlackTech that has been used primarily for lateral moveme", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FIVEHANDS is a customized version of DEATHRANSOM ransomware written in C++. FIVEHANDS has been used ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Comnie is a remote backdoor which has been used in attacks in East Asia.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Vasport is a trojan used by Elderwood to open a backdoor on compromised hosts.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. Th", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "JSS Loader is Remote Access Trojan (RAT) with .NET and C++ variants that has been used by FIN7 since", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PHOREAL is a signature backdoor used by APT32.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "OSInfo is a custom tool used by APT3 to do internal discovery on a victim's computer and network.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MacSpy is a malware-as-a-service offered on the darkweb .", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Lizar is a modular remote access tool written using the .NET Framework that shares structural simila", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Dtrack is spyware that was discovered in 2019 and has been used against Indian financial institution", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "H1N1 is a malware variant that has been distributed via a campaign using VBA macros to infect victim", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SLOWPULSE is a malware that was used by APT5 as early as 2020 including against U.S. Defense Industr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Seth-Locker is a ransomware with some remote control capabilities that has been in use since at leas", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LoudMiner is a cryptocurrency miner which uses virtualization software to siphon system resources. T", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Azorult is a commercial Trojan that is used to steal information from compromised hosts. Azorult has", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BitPaymer is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. BitP", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BACKSPACE is a backdoor used by APT30 that dates back to at least 2005.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Zox is a remote access tool that has been used by Axiom since at least 2008.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "UPPERCUT is a backdoor that has been used by menuPass.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is gen", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "StrifeWater is a remote-access tool that has been used by Moses Staff in the initial stages of their", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and sprea", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified \"sophis", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "XORIndex Loader is a XOR-encoded loader that collects host data, decodes follow-on scripts and acts ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Small Sieve is a Telegram Bot API-based Python backdoor that has been distributed using a Nullsoft S", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Flame is a sophisticated toolkit that has been used to collect information since at least 2010, larg", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HermeticWizard is a worm that has been used to spread HermeticWiper in attacks against organizations", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "The Net utility is a component of the Windows operating system. It is used in command-line operation", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RemoteUtilities is a legitimate remote administration tool that has been used by MuddyWater since at", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Covenant is a multi-platform command and control framework written in .NET. While designed for penet", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NPPSPY is an implementation of a theoretical mechanism first presented in 2004 for capturing credent", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "certutil is a command-line utility that can be used to obtain certificate authority information and ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "at is used to schedule tasks on a system to run at a specified date or time.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "UACMe is an open source assessment tool that contains many methods for bypassing Windows User Accoun", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ShimRatReporter is a tool used by suspected Chinese adversary Mofang to automatically conduct initia", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Sliver is an open source, cross-platform, red team command and control (C2) framework written in Gol", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SILENTTRINITY is an open source remote administration and post-exploitation framework primarily writ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scri", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Pacu is an open-source AWS exploitation framework. The tool is written in Python and publicly availa", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Windows Credential Editor is a password dumping tool.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Impacket is an open source collection of modules written in Python for programmatically constructing", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ipconfig is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHC", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "AADInternals is a PowerShell-based framework for administering, enumerating, and exploiting Azure Ac", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "The Tasklist utility displays a list of applications and services with their Process IDs (PID) for a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ngrok is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind f", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Lslsass is a publicly-available tool that can dump active logon session password hashes from the lsa", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Arp displays and modifies information about a system's Address Resolution Protocol (ARP) cache.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "spwebmember is a Microsoft SharePoint enumeration and data dumping tool written in .NET.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Empire is an open-source, cross-platform remote administration and post-exploitation framework that ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ifconfig is a Unix-based utility used to gather information about and interact with the TCP/IP setti", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "FRP, which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "dsquery is a command-line utility that can be used to query Active Directory for information from a ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PcShare is an open source remote access tool that has been modified and used by Chinese threat actor", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "RawDisk is a legitimate commercial driver from the EldoS Corporation that is used for interacting wi", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "netstat is an operating system utility that displays active TCP connections, listening ports, and ne", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PoshC2 is an open source remote administration and post-exploitation framework that is publicly avai", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Fgdump is a Windows password hash dumper.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "xCmd is an open source tool that is similar to PsExec and allows the user to execute applications on", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CSPY Downloader is a tool designed to evade analysis and download additional payloads used by Kimsuk", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Rclone is a command line program for syncing files with cloud storage services such as Dropbox, Goog", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MimiPenguin is a credential dumper, similar to Mimikatz, designed specifically for Linux platforms.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "netsh is a scripting utility used to interact with networking components on local or remote systems.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CARROTBALL is an FTP downloader utility that has been in use since at least 2019. CARROTBALL has bee", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "BITSAdmin is a command line tool used to create and manage BITS Jobs.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "AsyncRAT is an open-source remote access tool originally available through the NYANxCAT Github repos", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ROADTools is a framework for enumerating Azure Active Directory environments. The tool is written in", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Brute Ratel C4 is a commercial red-teaming and adversarial attack simulation tool that first appeare", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Peirates is a post-exploitation Kubernetes exploitation framework with a focus on gathering service ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a c", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Systeminfo is a Windows utility that can be used to gather detailed information about a computer.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Out1 is a remote access tool written in python and used by MuddyWater since at least 2021.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by thr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "attrib is a Windows utility used to display, set or remove attributes assigned to files or directori", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Imminent Monitor was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, whe", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Ruler is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the too", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Forfiles is a Windows utility commonly used in batch jobs to execute commands on one or more selecte", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Winexe is a lightweight, open source tool similar to PsExec designed to allow system administrators ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MCMD is a remote access tool that provides remote command shell capability used by Dragonfly 2.0.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Nltest is a Windows command-line utility used to list domain controllers and enumerate domain trusts", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "sqlmap is an open source penetration testing tool that can be used to automate the process of detect", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "pwdump is a credential dumper.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/M", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Pass-The-Hash Toolkit is a toolkit that allows an adversary to \"pass\" a password hash (without knowi", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Donut is an open source framework used to generate position-independent shellcode. Donut generated c", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords,", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "gsecdump is a publicly-available credential dumper used to obtain password hashes and LSA secrets fr", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "IronNetInjector is a Turla toolchain that utilizes scripts from the open-source IronPython implement", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "nbtstat is a utility used to troubleshoot NetBIOS name resolution.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "NBTscan is an open source tool that has been used by state groups to conduct internal reconnaissance", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "LaZagne is a post-exploitation, open-source tool used to recover stored passwords on a system. It ha", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Ping is an operating system utility commonly used to troubleshoot and verify network connections.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute ot", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "route can be used to find or change information within the local system IP routing table.", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "esentutl is a command-line tool that provides database utilities for the Windows Extensible Storage ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration t", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Koadic is a Windows post-exploitation framework and penetration testing tool that is publicly availa", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "schtasks is used to schedule execution of programs or scripts on a Windows system to run at a specif", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Cachedump is a publicly-available tool that program extracts cached password hashes from a system\u2019s ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Expand is a Windows utility used to expand one or more compressed CAB files. It has been used by BBS", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Pupy is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Reg is a Windows utility used to interact with the Windows Registry. It can be used at the command-l", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "ftp is a utility commonly available with operating systems to transfer information over the File Tra", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Mythic is an open source, cross-platform post-exploitation/command and control platform. Mythic is d", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "HTRAN is a tool that proxies connections through intermediate hops and aids users in disguising thei", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "SDelete is an application that securely deletes data in a way that makes it unrecoverable. It is par", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "QuasarRAT is an open-source, remote access tool that has been publicly available on GitHub since at ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "cipher.exe is a native Microsoft utility that manages encryption of directories and files on NTFS (N", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Rubeus is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020,", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Tor is a software suite and network that provides increased anonymity on the Internet. It creates a ", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "AdFind is a free command-line query tool that can be used for gathering information from Active Dire", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Wevtutil is a Windows command-line utility that enables administrators to retrieve information about", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Havij is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havi", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Quick Assist is a remote assistance tool primarily for Microsoft Windows, although a macOS version a", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_mitre.jsonl", "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is use", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade p", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attach filters to a network socket to monitor then activate backdoors used for persi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use Valid Accounts to remotely control machines using Virtual Network Computing (VNC", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and pay", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to take screen captures of the desktop to gather information over the course", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may store data in \"fileless\" formats to conceal malicious activity from defenses. Filele", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use scripts automatically executed at boot or logon initialization to establish pers", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to position themselves between two or more networked devices using an advers", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that co", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice ex", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to discover containers and other resources that are available within a conta", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may purchase and configure serverless cloud infrastructure, such as Cloudflare Workers, ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may encode data with a standard data encoding system to make the content of command and ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherw", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable o", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may revert changes made to a cloud instance after they have performed malicious activit", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information about the victim's hosts that can be used during targeting. Infor", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search public digital certificate data for information about victims that can be use", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is l", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to hide their file-based artifacts by writing them to specific folders or fi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs)", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries with no prior knowledge of legitimate credentials within the system or environment may g", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may purchase technical information about victims that can be used during targeting. Info", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to dump credentials to obtain account login and credential material, normall", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may collect data related to managed devices from configuration repositories. Configurati", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system;", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of netw", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking environment variables used to load", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePo", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may directly access a volume to bypass file access controls and file system monitoring. ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may obtain access to generative artificial intelligence tools, such as large language mo", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to modify hierarchical structures in infrastructure-as-a-service (IaaS) envi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email c", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may deface systems external to an organization in an attempt to deliver messaging, inti", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather the victim's IP addresses that can be used during targeting. Public IP addres", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use rootkits to hide the presence of programs, files, network connections, services,", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a plat", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information about the victim's DNS that can be used during targeting. DNS inf", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify the lifecycle policies of a cloud storage bucket to destroy all objects store", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applica", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may leverage external-facing remote services to initially access and/or persist within a", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may establish persistence by executing malicious content triggered by the execution of t", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may steal web application or service session cookies and use them to gain access to web", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse task scheduling functionality provided by container orchestration tools such a", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destinatio", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file ty", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may leverage messaging services for SMS pumping, which may impact system and/or hosted s", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may compress or encrypt data that is collected prior to exfiltration using a custom met", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may attempt to modify a cloud account's compute service infrastructure to evade defense", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may compromise third-party network devices that can be used during targeting. Network de", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may purchase online advertisements that can be abused to distribute malware to victims. ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to discover group and permission settings. This information can help adversa", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may target user email to collect sensitive information. Emails may contain sensitive dat", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) datab", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search public WHOIS data for information about victims that can be used during targe", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) an", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search websites owned by the victim for information that can be used during targetin", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permiss", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by servi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search DNS data for information about victims that can be used during targeting. DNS", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may target resource intensive features of applications to cause a denial of service (DoS", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may manipulate software dependencies and development tools prior to receipt by a final c", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS cer", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network t", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid d", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other s", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary with root access may gather credentials by reading `securityd`\u2019s memory. `securityd` is", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalati", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use bootkits to persist on systems. A bootkit is a malware variant that modifies the", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search connected removable media on computers they have compromised to find files of", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Micro", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may stage collected data in a central location or directory on the local system prior to", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may match or approximate the name or location of legitimate files, Registry keys, or oth", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS c", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes o", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext pa", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may target user email on local systems to collect sensitive information. Files containin", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS cred", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may configure system settings to automatically execute a program during system boot or l", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secret", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may compromise a network device\u2019s encryption capability in order to bypass encryption th", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's f", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may stop or disable services on a system to render those services unavailable to legitim", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may develop malware and malware components that can be used during targeting. Building m", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to enumerate local device drivers on a victim host. Information about device", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries d", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machin", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operat", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a clie", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information about the victim's business tempo that can be used during targeti", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid d", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information about the victim's host hardware that can be used during targetin", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may deliver payloads to remote systems by adding content to shared storage locations, su", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may add new domain trusts, modify the properties of existing domain trusts, or otherwise", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may leverage databases to mine valuable information. These databases may be hosted on-pr", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to get a listing of local system accounts. This information can help adversa", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may compromise social media accounts that can be used during targeting. For operations i", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse internet browser extensions to establish persistent access to victim systems. ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Window", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse netbooting to load an unauthorized network device operating system from a Triv", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part o", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly c", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse the cron utility to perform task scheduling for initial or recurr", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulne", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to vict", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may exploit software vulnerabilities that can cause an application or system to crash an", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may leverage Microsoft Office-based applications for persistence between startups. Micro", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. Instal", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may send spearphishing messages with a malicious link to elicit sensitive information th", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use Valid Accounts to log into remote machines using Secure Shell (SSH). The adversa", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may add additional roles or permissions to an adversary-controlled cloud account to mai", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access t", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to make a payload difficult to analyze by removing symbols, strings, and oth", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an int", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse dynamic-link library files (DLLs) in order to achieve persistence, escalate pr", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Once established within a system or network, an adversary may use automated techniques for collectin", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may collect data stored in the clipboard from users copying information within or betwee", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pse", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may buy, lease, or rent a network of compromised systems\u00a0that can be used during targeti", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may acquire user credentials from third-party password managers. Password managers are a", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts an", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse ESXi administration services to execute commands on guest machines hosted with", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may prepare an operational environment to infect systems that visit a website over the n", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may try to gather information about registered local system services. Adversaries may ob", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may passively sniff network traffic to capture information about an environment, includi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Cod", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may access data from cloud storage.\n\nMany IaaS providers offer solutions for online data", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Wi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sourc", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to gather information about attached peripheral devices and components conne", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may attempt to evade process tree-based analysis by modifying executed malware's parent", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information about the victim's network topology that can be used during targe", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create self-signed code signing certificates that can be used during targeting. Code", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs)", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsof", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may attempt to get detailed information about the operating system and hardware, includ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may communicate using OSI application layer protocols to avoid detection/network filteri", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking how the .NET `AppDomainManager` lo", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may stage data collected from multiple systems in a central location or directory on one", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may add additional roles or permissions to an adversary-controlled user or service acco", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the comma", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information about the victim's network trust dependencies that can be used du", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network tr", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentica", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse components of Terminal Services to enable persistent access to systems. Micros", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse software extensions to establish persistent access to victim systems. Software", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may target the different network services provided by systems to conduct a denial of ser", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may interact with the native OS application programming interface (API) to execute behav", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache). Thes", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may clear or remove evidence of malicious network connections in order to clean up trace", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by Pass", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during target", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may execute commands and perform malicious tasks using AutoIT and AutoHotKey automation ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may reduce the level of effort required to decrypt data transmitted over the network by ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "In addition to clearing system logs, an adversary may clear the command history of a compromised acc", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse utilities that allow for command execution to bypass security restrictions tha", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search local system sources, such as file systems, configuration files, local databa", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may compromise cloud accounts that can be used during targeting. Adversaries can use com", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may compromise email accounts that can be used during targeting. Adversaries can use com", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may add additional local or domain groups to an adversary-controlled account to maintai", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may upload malware to third-party or adversary controlled infrastructure to make it acce", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consu", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially acce", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets t", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search for common password storage locations to obtain user credentials. Passwords a", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than thei", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may use legitimate remote access tools to establish an interactive command and control ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may acquire domains that can be used during targeting. Domain names are the human readab", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party li", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defens", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing malicious content trigg", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search compromised systems to find and obtain insecurely stored credentials. These c", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistenc", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify mail and mail application data to remove evidence of their activity. Email ap", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gain access and continuously communicate with victims by injecting malicious content", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may inject code into processes in order to evade process-based defenses as well as possi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and con", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use traffic signaling to hide open ports or other malicious functionality used for p", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may leverage Valid Accounts to log directly into accessible cloud hosted compute infrast", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious co", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify file time attributes to hide new files or changes to existing files. Timestom", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may host seemingly genuine Wi-Fi access points to deceive users into connecting to malic", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may reflectively load code into a process in order to conceal the execution of malicious", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may constrain execution or actions based on the presence of a mutex associated with malw", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may evade defensive mechanisms by executing commands that hide from process interrupt si", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may break out of a container or virtualized environment to gain access to the underlying", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to get a listing of backup software or configurations that are installed on ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create or modify shortcuts that can execute a program during system boot or user log", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to get a listing of open application windows. Window listings could convey i", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse systemctl to execute commands or programs. Systemctl is the primary interface ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dum", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may employ various time-based methods to detect virtualization and analysis environments", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager P", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may hijack a legitimate user's SSH session to move laterally within an environment. Secu", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may schedule data exfiltration to be performed only at certain times of day or at certai", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use Valid Accounts to interact with a remote network share using Server Message Bloc", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may implant cloud or container images with malicious code to establish persistence after", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may tunnel network communications to and from a victim system within a separate protocol", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Pane", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may bridge network boundaries by modifying a network device\u2019s Network Address Translatio", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may upload tools to third-party or adversary controlled infrastructure to make it access", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windo", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify a process's in-memory arguments to change its name in order to appear as a le", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, an", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search private data from threat intelligence vendors for information that can be use", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to exfiltrate data over a different network medium than the command and cont", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may access network configuration files to collect sensitive data about the device and th", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information about the victim's identity that can be used during targeting. In", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may disable or modify system firewalls in order to bypass controls limiting network usag", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing t", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and ap", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may take advantage of security vulnerabilities and inherent functionality in browser sof", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as te", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may communicate using application layer protocols associated with electronic mail delive", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may patch, modify, or otherwise backdoor cloud authentication processes that are tied to", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability sc", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse cloud APIs to execute malicious commands. APIs available in cloud environments", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search freely available technical databases for information about victims that can b", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse components of the Electron framework to execute malicious code. The Electron f", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may disable or modify the Linux audit system to hide malicious activity and avoid detect", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Co", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid i", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may attempt to discover infrastructure and resources that are available within an infra", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may acquire credentials from web browsers by reading files specific to the target browse", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking the search order used to load othe", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify visual content available internally or externally to an enterprise network, t", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create cloud instances in unused geographic service regions in order to evade detect", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configu", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may take control of preexisting sessions with remote services to move laterally in an en", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse bind mounts on file structures to hide their activity and artifacts from nativ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use binary padding to add junk data and change the on-disk representation of malware", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may backdoor web servers with web shells to establish persistent access to systems. A We", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access cont", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may enumerate information about browsers to learn more about compromised environments. D", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search for private key certificate files on compromised systems for insecurely store", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may buy, lease, rent, or obtain physical servers\u00a0that can be used during targeting. Use ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channe", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Acce", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may establish persistence by executing malicious content triggered by an interrupt signa", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create a local account to maintain access to victim systems. Local accounts are thos", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Threat actors may seek information/indicators from closed or open threat intelligence sources gather", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may simulate keystrokes on a victim\u2019s computer by various means to perform any type of a", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries can perform command and control between compromised hosts on potentially disconnected ne", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs ar", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create email accounts that can be used during targeting. Adversaries can use account", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for nam", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs)", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to access credential material stored in the process memory of the Local Secu", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse an integrated development environment (IDE) extension to establish persistent ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may execute active reconnaissance scans to gather information that can be used during ta", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use junk code / dead code to obfuscate a malware\u2019s functionality. Junk code is code ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level pe", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create a new process with an existing token to escalate privileges and bypass access", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may abuse configurations where an application has the setuid or setgid bits set in orde", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. W", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distribut", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use a single or small list of commonly used passwords against many different account", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use an external proxy to act as an intermediary for network communications to a comm", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may install code on externally facing portals, such as a VPN login page, to capture and ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather email addresses that can be used during targeting. Even if internal instances", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use voice communications to elicit sensitive information that can be used during tar", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to access cached domain credentials used to allow authentication to occur in", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information about the victim's network security appliances that can be used d", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing malicious content trigg", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windo", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use search engines to collect information about victims that can be used during targ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information about the victim's business relationships that can be used during", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse permission configurations that allow them to gain temporarily elevated access ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or a", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may inject malicious code into process via process doppelg\u00e4nging in order to evade proce", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may delete a cloud instance after they have performed malicious activities in an attemp", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search public code repositories for information about victims that can be used durin", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing malicious content trigg", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may leverage the network bandwidth resources of co-opted systems to complete resource-in", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a syste", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use a connection proxy to direct network traffic between systems or act as an interm", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. The", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may rely on a user installing a malicious library to facilitate execution. Threat actors", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may attempt to block indicators or events typically captured by sensors from being gath", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are th", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse extended attributes (xattrs) on macOS and Linux to hide their malicious data i", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather employee names that can be used during targeting. Employee names be used to d", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by inje", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to gather information on domain trust relationships that may be used to iden", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TG", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processin", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information about the victim's client configurations that can be used during ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Integrated Development Environment (IDE) software with remote development feat", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a stri", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may buy, steal, or download malware that can be used during targeting. Malicious softwar", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of s", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophist", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may delete or modify artifacts generated within systems to remove evidence of their pres", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Micr", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may rent Virtual Private Servers (VPSs)\u00a0that can be used during targeting. There exist a", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may leverage Confluence repositories to mine valuable information. Often found in develo", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may \u201cpass the ticket\u201d using stolen Kerberos tickets to move laterally within an environm", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse a container administration service to execute commands within a container. A c", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may enumerate files and directories or may search in specific locations of a host or net", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may dynamically establish connections to command and control infrastructure to evade com", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised i", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify property list files (plist files) to enable other malicious activity, while a", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use `JamPlus` to proxy the execution of a malicious script. `JamPlus` is a build uti", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing malicious content trigg", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may steal or forge certificates used for authentication to access remote systems or reso", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may register a device to an adversary-controlled account. Devices may be registered in a", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to get a listing of network connections to or from the compromised system th", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastruct", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries disable a network device\u2019s dedicated hardware encryption, which may enable them to lever", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During t", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may build a container image directly on a host to bypass defenses that monitor for the r", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defe", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as th", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may compromise accounts with services that can be used during targeting. For operations ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may compromise numerous third-party systems to form a botnet\u00a0that can be used during tar", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to ex", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search the command history on compromised systems for insecurely stored credentials.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS u", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. T", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/fro", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search local file systems and remote file shares for files containing insecurely sto", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may perform calculations on addresses returned in DNS results to determine which port an", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScrip", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may add login items to execute upon user login to gain persistence or escalate privilege", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may put in place resources that are referenced by a link that can be used during targeti", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create multiple stages for command and control that are employed under different con", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may steal monetary resources from targets through extortion, social engineering, technic", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use execution guardrails to constrain execution or actions based on adversary suppli", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this informat", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may forge web cookies that can be used to gain access to web applications or Internet se", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may enumerate system and service logs to find useful data. These logs may highlight vari", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may duplicate then impersonate another user's existing token to escalate privileges and ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may exfiltrate data to a code repository rather than over their primary command and cont", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may log into accessible cloud services within a compromised environment using Valid Acco", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use port knocking to hide open ports used for persistence or command and control. To", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may smuggle commands to download malicious payloads past content filters by hiding them ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may register for web services\u00a0that can be used during targeting. A variety of popular we", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries can steal application access tokens as a means of acquiring credentials to access remote", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive informat", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent acces", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may rely upon specific actions by a user in order to gain execution. Users may be subje", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may deface systems internal to an organization in an attempt to intimidate or mislead u", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use hidden users to hide the presence of user accounts they create or modify. Admini", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may make new tokens and impersonate users to escalate privileges and bypass access contr", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are too", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol othe", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and con", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to get information about running processes on a system. Information obtained", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may impair command history logging to hide commands they run on a compromised system. Va", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may register malicious network provider dynamic link libraries (DLLs) to capture clearte", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may establish persistence and elevate privileges by executing malicious content triggere", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search content delivery network (CDN) data about victims that can be used during tar", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may employ various user activity checks to detect and avoid virtualization and analysis ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create accounts with cloud providers that can be used during targeting. Adversaries ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gain access to and use centralized software suites installed within an enterprise to", "cross_file": true }, { "count": 3, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen d", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitor", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information about the victim's organization that can be used during targeting", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may forge credential materials that can be used to gain access to web applications or In", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to bypass multi-factor authentication (MFA) mechanisms and gain access to ac", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify host software binaries to establish persistent access to systems. Software bi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may directly collect unsecured credentials stored or passed through user communication s", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful intera", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may establish persistence by executing malicious content triggered by a file type associ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-ba", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may communicate using application layer protocols associated with transferring files to ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may intentionally exclude certain files, folders, directories, file types, or system com", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information about the victim's networks that can be used during targeting. In", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may exploit remote services to gain unauthorized access to internal systems once inside ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "After they already have access to accounts or systems within the environment, adversaries may use in", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adv", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may breach or otherwise leverage organizations who have access to intended victims. Acce", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to find local system groups and permission settings. The knowledge of local ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search freely available websites and/or domains for information about victims that c", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may disable network device-based firewall mechanisms entirely or add, delete, or modify ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may manipulate accounts to maintain and/or elevate access to victim systems. Account man", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing co", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may employ various time-based methods to evade detection and analysis. These techniques ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may mimic common operating system GUI components to prompt users for credentials with a ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumst", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search and gather information about victims from closed (e.g., paid, private, or oth", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution o", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are e", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary co", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly d", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may leverage the compute resources of co-opted systems to complete resource-intensive ta", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may remove share connections that are no longer useful in order to clean up traces of th", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typical", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary com", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may use legitimate remote access hardware to establish an interactive command and contr", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/to", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide a", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command executi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command a", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search network shares on computers they have compromised to find files of interest. ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may compromise access to third-party web services\u00a0that can be used during targeting. A v", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may make changes to the operating system of embedded network devices to weaken defenses ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run prog", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to blend in with legitimate traffic by spoofing browser and system attribute", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may remove indicators from tools if they believe their malicious tool was detected, quar", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Service", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create or modify container or container cluster management tools that run as daemons", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Acce", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may communicate using a protocol and port pairing that are typically not associated. For", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create and cultivate social media accounts that can be used during targeting. Advers", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade proces", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation o", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and by", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may interrupt availability of system and network resources by inhibiting access to accou", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to t", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may disable or modify multi-factor authentication (MFA) mechanisms to enable persistent ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive info", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may install malicious components that run on Internet Information Services (IIS) web ser", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceivi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide v", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may utilize polymorphic code (also known as metamorphic or mutating code) to evade detec", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to access detailed information about the password policy used within an ente", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may establish persistence through executing malicious commands triggered by a user\u2019s she", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather credential material by invoking or forcing a user to automatically provide au", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Win", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may bridge network boundaries by compromising perimeter network devices or internal devi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may encrypt data on target systems or on large numbers of systems in a network to interr", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may undermine security controls that will either warn users of untrusted activity or pre", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privile", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information about the victim's host firmware that can be used during targetin", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may employ an encryption algorithm to conceal command and control traffic rather than re", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authent", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-l", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may exfiltrate data to text storage sites instead of their primary command and control c", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information about the victim's host software that can be used during targetin", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use methods of capturing user input to obtain credentials or collect information. Du", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may search social media for information about victims that can be used during targeting.", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may leverage Customer Relationship Management (CRM) software to mine valuable informatio", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may establish persistence by executing malicious content triggered by hijacked reference", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather credentials that can be used during targeting. Account credentials gathered b", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use an existing, legitimate external Web service as a means for sending commands to ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabili", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may iteratively probe infrastructure using brute-forcing and crawling techniques. While ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may flood targeted email addresses with an overwhelming volume of messages. This may bur", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may spoof security alerting from tools, presenting false evidence to impair defenders\u2019 a", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Microsoft Outlook's Home Page feature to obtain persistence on a compromised s", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may exfiltrate data to a cloud storage service rather than over their primary command an", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may transfer tools or other files between systems in a compromised environment. Once bro", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. A", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use startup items automatically executed at boot initialization to establish persist", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to gather information about the system language of a victim in order to infe", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use an OSI non-application layer protocol for communication between host and C2 serv", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse built-in CLI tools or API calls to execute malicious commands in containerized", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use steganography techniques in order to prevent the detection of hidden information", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may compromise third-party DNS servers that can be used during targeting. During post-co", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may achieve persistence by leveraging OAuth application integrations in a software-as-a-", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may impersonate legitimate protocols or web service traffic to disguise command and cont", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may interact with the Windows Registry to gather information about the system, configura", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes b", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries can use stolen session cookies to authenticate to web applications and services. This te", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Acces", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utilit", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may achieve persistence by leveraging Python\u2019s startup mechanisms, including path config", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use network logon scripts automatically executed at logon initialization to establis", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availabilit", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to vi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information in an attempt to calculate the geographical location of a victim ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Offic", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse BITS jobs to persistently execute code and perform various background tasks. W", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.ex", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may impersonate a trusted person or organization in order to persuade and trick a target", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may modify settings that directly affect the size, locations, and resources available to", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other serv", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the c", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may disable or modify cloud logging capabilities and integrations to limit what data is", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and ", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In s", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may use ClickOnce applications (.appref-ms and .application files) to proxy execution of", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Once a payload is delivered, adversaries may reproduce copies of the same malware on the victim syst", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may gather information about identities and roles within the victim organization that ca", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may encode data to make the content of command and control traffic more difficult to det", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing malicious content trigg", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may send phishing messages to elicit sensitive information that can be used during targe", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may leverage the resources of co-opted systems to complete resource-intensive tasks, whi", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may create and cultivate accounts with services that can be used during targeting. Adver", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than develop", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may establish persistence by executing malicious content triggered by user inactivity. S", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may disable or modify conditional access policies to enable persistent access to comprom", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may acquire credentials from cloud-native secret management solutions such as AWS Secret", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may leverage code repositories to collect valuable information. Code repositories are to", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may alter data en route to storage or other systems in order to manipulate external outc", "cross_file": true }, { "count": 2, "files": [ "llm_annotated_apt.jsonl", "llm_annotated_mitre_v2.jsonl" ], "text_preview": "Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadowA cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not prope", "cross_file": false }, { "count": 2, "files": [ "llm_annotated_nvd_v2.jsonl" ], "text_preview": "Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (co", "cross_file": false } ], "short_texts": [ { "file": "llm_annotated_apt.jsonl", "line": 114, "text": "WebShell.", "length": 9 }, { "file": "llm_annotated_apt.jsonl", "line": 115, "text": "WebShell.", "length": 9 }, { "file": "llm_annotated_apt.jsonl", "line": 124, "text": "Ransomware", "length": 10 }, { "file": "llm_annotated_apt.jsonl", "line": 159, "text": "Ransomware", "length": 10 }, { "file": "llm_annotated_apt.jsonl", "line": 189, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 370, "text": "webshell", "length": 8 }, { "file": "llm_annotated_apt.jsonl", "line": 418, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 470, "text": "PyVil RAT", "length": 9 }, { "file": "llm_annotated_apt.jsonl", "line": 559, "text": "Ransomware", "length": 10 }, { "file": "llm_annotated_apt.jsonl", "line": 567, "text": "Keylogger.", "length": 10 }, { "file": "llm_annotated_apt.jsonl", "line": 618, "text": "Ransomware", "length": 10 }, { "file": "llm_annotated_apt.jsonl", "line": 622, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 634, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 685, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 693, "text": "A keylogger.", "length": 12 }, { "file": "llm_annotated_apt.jsonl", "line": 702, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 725, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 736, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 737, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 740, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 794, "text": "Downloader.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 795, "text": "Downloader.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 841, "text": "Infostealer", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 854, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 877, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 921, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 960, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1014, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1031, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1043, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1046, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1061, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1081, "text": "Clipboard stealer.", "length": 18 }, { "file": "llm_annotated_apt.jsonl", "line": 1086, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1160, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1199, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1200, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1223, "text": "C2 framework.", "length": 13 }, { "file": "llm_annotated_apt.jsonl", "line": 1241, "text": "Ransomware", "length": 10 }, { "file": "llm_annotated_apt.jsonl", "line": 1259, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1270, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1278, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1282, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1286, "text": "Wrapper for Kazuar.", "length": 19 }, { "file": "llm_annotated_apt.jsonl", "line": 1306, "text": "Infostealer", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1337, "text": "ransomware", "length": 10 }, { "file": "llm_annotated_apt.jsonl", "line": 1367, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1385, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1391, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1400, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1403, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1420, "text": "Ransomware", "length": 10 }, { "file": "llm_annotated_apt.jsonl", "line": 1431, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1442, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1459, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1463, "text": "Ransomware", "length": 10 }, { "file": "llm_annotated_apt.jsonl", "line": 1484, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1495, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1582, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1637, "text": "Keylogger.", "length": 10 }, { "file": "llm_annotated_apt.jsonl", "line": 1677, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1687, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1713, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1716, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1727, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_apt.jsonl", "line": 1737, "text": "Ransomware.", "length": 11 }, { "file": "llm_annotated_exploitdb.jsonl", "line": 704, "text": "ZSH 5.9 - RCE", "length": 13 }, { "file": "llm_annotated_exploitdb.jsonl", "line": 738, "text": "Redis 8.0.2 - RCE", "length": 17 }, { "file": "llm_annotated_exploitdb.jsonl", "line": 1181, "text": "Horilla v1.3 - RCE", "length": 18 }, { "file": "llm_annotated_exploitdb.jsonl", "line": 1471, "text": "xibocms 3.3.4 - RCE", "length": 19 }, { "file": "llm_annotated_exploitdb.jsonl", "line": 1598, "text": "AtomCMS v2.0 - SQLi", "length": 19 } ], "mislabels": [ { "file": "llm_annotated_apt.jsonl", "line": 1, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 22, "entity": "Avast", "label": "SYSTEM", "reason": "Security vendor/org 'Avast' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 40, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 47, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 49, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 94, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 95, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 99, "entity": "Bitdefender", "label": "SYSTEM", "reason": "Security vendor/org 'Bitdefender' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 131, "entity": "Avast", "label": "SYSTEM", "reason": "Security vendor/org 'Avast' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 133, "entity": "CVE-2023-1389", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 137, "entity": "CVE-2020-8515", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 140, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 141, "entity": "CVE-2022-42475", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 141, "entity": "Fortinet", "label": "SYSTEM", "reason": "Security vendor/org 'Fortinet' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 143, "entity": "https://github.com/Egida/kek/blob/19991ef983f838287aa9362b78b4ed8da0929184/loader_multi.go", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 143, "entity": "19991ef983f838287aa9362b78b4ed8da0929184", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 149, "entity": "Avast", "label": "SYSTEM", "reason": "Security vendor/org 'Avast' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 153, "entity": "Sophos", "label": "SYSTEM", "reason": "Security vendor/org 'Sophos' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 155, "entity": "https://github.com/jpillora/chisel", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 155, "entity": "SentinelOne", "label": "SYSTEM", "reason": "Security vendor/org 'SentinelOne' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 164, "entity": "CVE-2021-20090", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 171, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 172, "entity": "https://www.zdnet.com/article/new-echobot-malware-is-a-smorgasbord-of-vulnerabilities", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 172, "entity": "Palo Alto", "label": "SYSTEM", "reason": "Security vendor/org 'Palo Alto' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 173, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 193, "entity": "CVE-2014-8361", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 193, "entity": "CVE-2017-17215", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 198, "entity": "Fortinet", "label": "SYSTEM", "reason": "Security vendor/org 'Fortinet' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 204, "entity": "CVE-2024-21887", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 204, "entity": "CVE-2023-46805", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 205, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 209, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 212, "entity": "CVE-2024-6047", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 212, "entity": "CVE-2024-11120", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 226, "entity": "CVE-2019-19781", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 228, "entity": "CVE-2017-17215", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 251, "entity": "CVE-2024-3400", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 251, "entity": "CVE-2023-46805", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 251, "entity": "CVE-2024-21887", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 251, "entity": "CVE-2023-1389", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 251, "entity": "CVE-2022-22954", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 251, "entity": "CVE-2018-20062", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 256, "entity": "CVE-2019-15107", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 261, "entity": "CVE-2014-8361", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 264, "entity": "Fortinet", "label": "SYSTEM", "reason": "Security vendor/org 'Fortinet' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 280, "entity": "CVE-2019-10149", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 286, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 313, "entity": "Symantec", "label": "SYSTEM", "reason": "Security vendor/org 'Symantec' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 321, "entity": "SentinelOne", "label": "SYSTEM", "reason": "Security vendor/org 'SentinelOne' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 324, "entity": "https://github.com/doener2323/doenerium", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 348, "entity": "Avast", "label": "SYSTEM", "reason": "Security vendor/org 'Avast' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 350, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 351, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 357, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 387, "entity": "SentinelOne", "label": "SYSTEM", "reason": "Security vendor/org 'SentinelOne' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 390, "entity": "SentinelOne", "label": "SYSTEM", "reason": "Security vendor/org 'SentinelOne' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 396, "entity": "SentinelOne", "label": "SYSTEM", "reason": "Security vendor/org 'SentinelOne' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 414, "entity": "Avast", "label": "SYSTEM", "reason": "Security vendor/org 'Avast' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 420, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 428, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 429, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 442, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 448, "entity": "Fortinet", "label": "SYSTEM", "reason": "Security vendor/org 'Fortinet' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 455, "entity": "https://stealer.to", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 458, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 461, "entity": "https://github.com/TheGeekHT/Loki.Rat/", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 479, "entity": "CVE-2025-80880", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 498, "entity": "CVE-2018-0798", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 518, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 542, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 557, "entity": "Sophos", "label": "SYSTEM", "reason": "Security vendor/org 'Sophos' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 579, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 580, "entity": "CVE-2018-20250", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 589, "entity": "Symantec", "label": "SYSTEM", "reason": "Security vendor/org 'Symantec' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 609, "entity": "Bitdefender", "label": "SYSTEM", "reason": "Security vendor/org 'Bitdefender' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 610, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 616, "entity": "CVE-2014-4114", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 623, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 635, "entity": "Avast", "label": "SYSTEM", "reason": "Security vendor/org 'Avast' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 638, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 640, "entity": "CVE-2022-42475", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 640, "entity": "Fortinet", "label": "SYSTEM", "reason": "Security vendor/org 'Fortinet' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 642, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 664, "entity": "37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 664, "entity": "0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 664, "entity": "3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 664, "entity": "AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 664, "entity": "9255E8B64FB278BC5FFE5B8F70D68AF8", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 668, "entity": "https://github.com/skerkour/black-hat-rust", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 670, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 677, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 686, "entity": "https://github.com/jpillora/chisel", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 686, "entity": "SentinelOne", "label": "SYSTEM", "reason": "Security vendor/org 'SentinelOne' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 690, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 698, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 699, "entity": "https://github.com/fatedier/frp", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 712, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 727, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 746, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 749, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 762, "entity": "Symantec", "label": "SYSTEM", "reason": "Security vendor/org 'Symantec' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 776, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 780, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 802, "entity": "https://github.com/TheWover/donut", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 802, "entity": "Symantec", "label": "SYSTEM", "reason": "Security vendor/org 'Symantec' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 805, "entity": "https://witha.name/", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 805, "entity": "http://withanamemwesdvodfhthjq25a5a3uas24cpgoa7qm6gchcerzpis6qd.onion/", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 809, "entity": "Bitdefender", "label": "SYSTEM", "reason": "Security vendor/org 'Bitdefender' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 827, "entity": "https://github.com/arsium/EagleMonitorRAT", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 835, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 845, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 867, "entity": "McAfee", "label": "SYSTEM", "reason": "Security vendor/org 'McAfee' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 876, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 896, "entity": "SentinelOne", "label": "SYSTEM", "reason": "Security vendor/org 'SentinelOne' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 908, "entity": "Symantec", "label": "SYSTEM", "reason": "Security vendor/org 'Symantec' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 930, "entity": "Symantec", "label": "SYSTEM", "reason": "Security vendor/org 'Symantec' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 939, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 942, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 946, "entity": "Symantec", "label": "SYSTEM", "reason": "Security vendor/org 'Symantec' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1017, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1027, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1044, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1054, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1060, "entity": "Symantec", "label": "SYSTEM", "reason": "Security vendor/org 'Symantec' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1068, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1072, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1075, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1087, "entity": "CVE-2017-0144", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 1097, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1098, "entity": "https://github.com/zettabithf/LiteHTTP", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1100, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1107, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1121, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1129, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1165, "entity": "https://github.com/Cr4sh/MicroBackdoor", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1168, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1178, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1180, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1189, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1193, "entity": "https://groups.google.com/g/ph4nt0m/c/2J3_1XPeKD8/m/AYPoWudRcTAJ?pli=1", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1196, "entity": "Fortinet", "label": "SYSTEM", "reason": "Security vendor/org 'Fortinet' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1212, "entity": "Fortinet", "label": "SYSTEM", "reason": "Security vendor/org 'Fortinet' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1252, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1258, "entity": "Symantec", "label": "SYSTEM", "reason": "Security vendor/org 'Symantec' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1272, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1285, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1312, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1319, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1329, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1351, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1357, "entity": "CVE-2022-47966", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 1363, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1377, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1379, "entity": "Palo Alto", "label": "SYSTEM", "reason": "Security vendor/org 'Palo Alto' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1381, "entity": "Trend Micro", "label": "SYSTEM", "reason": "Security vendor/org 'Trend Micro' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1388, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1388, "entity": "Symantec", "label": "SYSTEM", "reason": "Security vendor/org 'Symantec' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "CVE-2018-8453", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "3d0649b5f76dbbff9f86b926afbd18ae028946bf", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "95a21e764ad0c98ea3d034d293aee5511e7c8457", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "9d1b61b1cba411ee6d4664ba2561fa59cdb0732c", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "b859de5ffcb90e4ca8e304d81a4f81e8785bb299", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "0ce2cae5287a64138d273007b34933362901783d", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "0bd22f204c5373f1a22d9a02c59f69f354a2cc0d", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "7423c57db390def08154b77e2b5e043d92d320c7", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "b53bc09cfbd292af7b3609734a99d101bd24d77e", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "8dcbcbefaedf5675b170af3fd44db93ad864894e", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "bed6fc04aeb785815744706239a1f243", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "65aa793c000762174b2f86077bdafaea", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "2abff29b4d87f30f011874b6e98959e9", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "4af953b20f3a1f165e7cf31d6156c035", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "3cae02306a95564b1fff4ea45a7dfc00", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "6e3efb83299d800edf1624ecbc0665e7", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "cfefcc2edc5c54c74b76e7d1d29e69b2", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "65ff37973426c09b9ff95f354e62959e", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1401, "entity": "ea4cae3d6d8150215a4d90593a4c30f2", "label": "HASH", "reason": "URL/hash labeled as HASH, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1415, "entity": "Avast", "label": "SYSTEM", "reason": "Security vendor/org 'Avast' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1417, "entity": "https://github.com/nyx0/Rovnix", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1421, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1432, "entity": "Symantec", "label": "SYSTEM", "reason": "Security vendor/org 'Symantec' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1450, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1452, "entity": "SentinelOne", "label": "SYSTEM", "reason": "Security vendor/org 'SentinelOne' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1470, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1477, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1486, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1491, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1500, "entity": "Kaspersky", "label": "SYSTEM", "reason": "Security vendor/org 'Kaspersky' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1504, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1506, "entity": "https://github.com/sysdream/ligolo", "label": "URL", "reason": "URL/hash labeled as URL, expected INDICATOR" }, { "file": "llm_annotated_apt.jsonl", "line": 1513, "entity": "ESET", "label": "SYSTEM", "reason": "Security vendor/org 'ESET' labeled as SYSTEM, expected ORGANIZATION" }, { "file": "llm_annotated_apt.jsonl", "line": 1518, "entity": "CVE-2018-5713", "label": "CVE_ID", "reason": "CVE ID labeled as CVE_ID, expected VULNERABILITY" } ], "overlapping_spans": [ { "file": "llm_annotated_apt.jsonl", "line": 2, "span1": "SYSTEM: Android [103:110]", "span2": "SYSTEM: Android operating system [103:127]" }, { "file": "llm_annotated_apt.jsonl", "line": 8, "span1": "ORGANIZATION: Google [26:32]", "span2": "SYSTEM: Google Play [26:37]" }, { "file": "llm_annotated_apt.jsonl", "line": 8, "span1": "SYSTEM: Google Play [26:37]", "span2": "MALWARE: Play [33:37]" }, { "file": "llm_annotated_apt.jsonl", "line": 19, "span1": "ORGANIZATION: Google [60:66]", "span2": "SYSTEM: Google Play [60:71]" }, { "file": "llm_annotated_apt.jsonl", "line": 19, "span1": "SYSTEM: Google Play [60:71]", "span2": "MALWARE: Play [67:71]" }, { "file": "llm_annotated_apt.jsonl", "line": 22, "span1": "ORGANIZATION: Google [330:336]", "span2": "SYSTEM: Google Play [330:341]" }, { "file": "llm_annotated_apt.jsonl", "line": 22, "span1": "SYSTEM: Google Play [330:341]", "span2": "MALWARE: Play [337:341]" }, { "file": "llm_annotated_apt.jsonl", "line": 22, "span1": "ORGANIZATION: Google [429:435]", "span2": "SYSTEM: Google Play [429:440]" }, { "file": "llm_annotated_apt.jsonl", "line": 22, "span1": "SYSTEM: Google Play [429:440]", "span2": "MALWARE: Play [436:440]" }, { "file": "llm_annotated_apt.jsonl", "line": 28, "span1": "ORGANIZATION: Google [222:228]", "span2": "SYSTEM: Google Play [222:233]" }, { "file": "llm_annotated_apt.jsonl", "line": 28, "span1": "SYSTEM: Google Play [222:233]", "span2": "MALWARE: Play [229:233]" }, { "file": "llm_annotated_apt.jsonl", "line": 47, "span1": "ORGANIZATION: Google [223:229]", "span2": "SYSTEM: Google Play [223:234]" }, { "file": "llm_annotated_apt.jsonl", "line": 47, "span1": "SYSTEM: Google Play [223:234]", "span2": "MALWARE: Play [230:234]" }, { "file": "llm_annotated_apt.jsonl", "line": 51, "span1": "SYSTEM: Cisco [0:5]", "span2": "ORGANIZATION: Cisco Talos [0:11]" }, { "file": "llm_annotated_apt.jsonl", "line": 51, "span1": "ORGANIZATION: Cisco Talos [0:11]", "span2": "ORGANIZATION: Talos [6:11]" }, { "file": "llm_annotated_apt.jsonl", "line": 62, "span1": "ORGANIZATION: Google [446:452]", "span2": "SYSTEM: Google Play [446:457]" }, { "file": "llm_annotated_apt.jsonl", "line": 62, "span1": "SYSTEM: Google Play [446:457]", "span2": "MALWARE: Play [453:457]" }, { "file": "llm_annotated_apt.jsonl", "line": 66, "span1": "MALWARE: Mirax [131:136]", "span2": "MALWARE: Mirax Bot [131:140]" }, { "file": "llm_annotated_apt.jsonl", "line": 67, "span1": "ORGANIZATION: Google [106:112]", "span2": "SYSTEM: Google Play [106:117]" }, { "file": "llm_annotated_apt.jsonl", "line": 67, "span1": "SYSTEM: Google Play [106:117]", "span2": "MALWARE: Play [113:117]" }, { "file": "llm_annotated_apt.jsonl", "line": 85, "span1": "ORGANIZATION: Google [68:74]", "span2": "SYSTEM: Google Play [68:79]" }, { "file": "llm_annotated_apt.jsonl", "line": 85, "span1": "SYSTEM: Google Play [68:79]", "span2": "MALWARE: Play [75:79]" }, { "file": "llm_annotated_apt.jsonl", "line": 100, "span1": "ORGANIZATION: Google [289:295]", "span2": "SYSTEM: Google Play [289:300]" }, { "file": "llm_annotated_apt.jsonl", "line": 100, "span1": "SYSTEM: Google Play [289:300]", "span2": "MALWARE: Play [296:300]" }, { "file": "llm_annotated_apt.jsonl", "line": 133, "span1": "VULNERABILITY: remote code execution [170:191]", "span2": "VULNERABILITY: code execution [177:191]" }, { "file": "llm_annotated_apt.jsonl", "line": 143, "span1": "URL: https://github.com/Egida/kek/blob/19991ef983f838287aa9362b78b4ed8da0929184/loader_multi.go [122:212]", "span2": "HASH: 19991ef983f838287aa9362b78b4ed8da0929184 [156:196]" }, { "file": "llm_annotated_apt.jsonl", "line": 162, "span1": "MALWARE: Cyclops [19:26]", "span2": "MALWARE: Cyclops Blink [19:32]" }, { "file": "llm_annotated_apt.jsonl", "line": 162, "span1": "MALWARE: Cyclops [245:252]", "span2": "MALWARE: Cyclops Blink [245:258]" }, { "file": "llm_annotated_apt.jsonl", "line": 162, "span1": "MALWARE: Cyclops [376:383]", "span2": "MALWARE: Cyclops Blink [376:389]" }, { "file": "llm_annotated_apt.jsonl", "line": 162, "span1": "MALWARE: Cyclops [485:492]", "span2": "MALWARE: Cyclops Blink [485:498]" }, { "file": "llm_annotated_apt.jsonl", "line": 170, "span1": "SYSTEM: Cisco [13:18]", "span2": "ORGANIZATION: Cisco Talos [13:24]" }, { "file": "llm_annotated_apt.jsonl", "line": 170, "span1": "ORGANIZATION: Cisco Talos [13:24]", "span2": "ORGANIZATION: Talos [19:24]" }, { "file": "llm_annotated_apt.jsonl", "line": 172, "span1": "SYSTEM: Palo Alto [141:150]", "span2": "ORGANIZATION: Palo Alto Networks [141:159]" }, { "file": "llm_annotated_apt.jsonl", "line": 172, "span1": "SYSTEM: Palo Alto [313:322]", "span2": "ORGANIZATION: Palo Alto Networks [313:331]" }, { "file": "llm_annotated_apt.jsonl", "line": 201, "span1": "ORGANIZATION: Black Lotus Labs [13:29]", "span2": "MALWARE: Lotus [19:24]" }, { "file": "llm_annotated_apt.jsonl", "line": 213, "span1": "SYSTEM: Cisco [0:5]", "span2": "ORGANIZATION: Cisco Talos [0:11]" }, { "file": "llm_annotated_apt.jsonl", "line": 213, "span1": "ORGANIZATION: Cisco Talos [0:11]", "span2": "ORGANIZATION: Talos [6:11]" }, { "file": "llm_annotated_apt.jsonl", "line": 213, "span1": "THREAT_ACTOR: Cobalt [33:39]", "span2": "TOOL: Cobalt Strike [33:46]" }, { "file": "llm_annotated_apt.jsonl", "line": 225, "span1": "ORGANIZATION: Black Lotus Labs [13:29]", "span2": "MALWARE: Lotus [19:24]" }, { "file": "llm_annotated_apt.jsonl", "line": 240, "span1": "ORGANIZATION: Black Lotus Labs [0:16]", "span2": "MALWARE: Lotus [6:11]" }, { "file": "llm_annotated_apt.jsonl", "line": 259, "span1": "SYSTEM: Cisco [13:18]", "span2": "ORGANIZATION: Cisco Talos [13:24]" }, { "file": "llm_annotated_apt.jsonl", "line": 259, "span1": "ORGANIZATION: Cisco Talos [13:24]", "span2": "ORGANIZATION: Talos [19:24]" }, { "file": "llm_annotated_apt.jsonl", "line": 266, "span1": "SYSTEM: Cisco [13:18]", "span2": "ORGANIZATION: Cisco Talos [13:24]" }, { "file": "llm_annotated_apt.jsonl", "line": 266, "span1": "ORGANIZATION: Cisco Talos [13:24]", "span2": "ORGANIZATION: Talos [19:24]" }, { "file": "llm_annotated_apt.jsonl", "line": 267, "span1": "FILEPATH: /home/%user%/.config/apdl.cf [485:513]", "span2": "DOMAIN: apdl.cf [506:513]" }, { "file": "llm_annotated_apt.jsonl", "line": 290, "span1": "ORGANIZATION: Black Lotus Labs [13:29]", "span2": "MALWARE: Lotus [19:24]" }, { "file": "llm_annotated_apt.jsonl", "line": 324, "span1": "URL: https://github.com/doener2323/doenerium [133:172]", "span2": "MALWARE: doenerium [163:172]" }, { "file": "llm_annotated_apt.jsonl", "line": 344, "span1": "VULNERABILITY: remote code execution [422:443]", "span2": "VULNERABILITY: code execution [429:443]" }, { "file": "llm_annotated_apt.jsonl", "line": 346, "span1": "ORGANIZATION: Microsoft [148:157]", "span2": "SYSTEM: Microsoft Office [148:164]" }, { "file": "llm_annotated_apt.jsonl", "line": 348, "span1": "SYSTEM: Avast [158:163]", "span2": "DOMAIN: Avast.io [158:166]" }, { "file": "llm_annotated_apt.jsonl", "line": 352, "span1": "MALWARE: QUICKRIDE [52:61]", "span2": "MALWARE: QUICKRIDE.POWER [52:67]" }, { "file": "llm_annotated_apt.jsonl", "line": 358, "span1": "FILEPATH: %appdata%\\Roaming\\Microsoft\\Templates\\, [232:271]", "span2": "ORGANIZATION: Microsoft [250:259]" }, { "file": "llm_annotated_apt.jsonl", "line": 360, "span1": "ORGANIZATION: IBM [13:16]", "span2": "ORGANIZATION: IBM X-Force [13:24]" }, { "file": "llm_annotated_apt.jsonl", "line": 360, "span1": "ORGANIZATION: IBM X-Force [13:24]", "span2": "ORGANIZATION: X-Force [17:24]" }, { "file": "llm_annotated_apt.jsonl", "line": 360, "span1": "TOOL: cmd [245:248]", "span2": "TOOL: cmd.exe [245:252]" }, { "file": "llm_annotated_apt.jsonl", "line": 391, "span1": "ORGANIZATION: Microsoft [210:219]", "span2": "SYSTEM: Microsoft Office [210:226]" }, { "file": "llm_annotated_apt.jsonl", "line": 395, "span1": "MALWARE: Proton [0:6]", "span2": "MALWARE: Proton RAT [0:10]" }, { "file": "llm_annotated_apt.jsonl", "line": 395, "span1": "MALWARE: Proton [510:516]", "span2": "MALWARE: Proton RAT [510:520]" }, { "file": "llm_annotated_apt.jsonl", "line": 414, "span1": "SYSTEM: Avast [90:95]", "span2": "DOMAIN: Avast.io [90:98]" }, { "file": "llm_annotated_apt.jsonl", "line": 416, "span1": "SYSTEM: Cisco [13:18]", "span2": "ORGANIZATION: Cisco Talos [13:24]" }, { "file": "llm_annotated_apt.jsonl", "line": 416, "span1": "ORGANIZATION: Cisco Talos [13:24]", "span2": "ORGANIZATION: Talos [19:24]" }, { "file": "llm_annotated_apt.jsonl", "line": 434, "span1": "ORGANIZATION: Microsoft [79:88]", "span2": "SYSTEM: Microsoft Office [79:95]" }, { "file": "llm_annotated_apt.jsonl", "line": 461, "span1": "THREAT_ACTOR: El Machete [203:213]", "span2": "MALWARE: Machete [206:213]" }, { "file": "llm_annotated_apt.jsonl", "line": 461, "span1": "URL: https://github.com/TheGeekHT/Loki.Rat/ [289:327]", "span2": "MALWARE: Loki [318:322]" }, { "file": "llm_annotated_apt.jsonl", "line": 465, "span1": "SYSTEM: Cisco [0:5]", "span2": "ORGANIZATION: Cisco Talos [0:11]" }, { "file": "llm_annotated_apt.jsonl", "line": 465, "span1": "ORGANIZATION: Cisco Talos [0:11]", "span2": "ORGANIZATION: Talos [6:11]" }, { "file": "llm_annotated_apt.jsonl", "line": 466, "span1": "MALWARE: PXA [0:3]", "span2": "MALWARE: PXA Stealer [0:11]" }, { "file": "llm_annotated_apt.jsonl", "line": 466, "span1": "SYSTEM: Cisco [80:85]", "span2": "ORGANIZATION: Cisco Talos [80:91]" }, { "file": "llm_annotated_apt.jsonl", "line": 466, "span1": "ORGANIZATION: Cisco Talos [80:91]", "span2": "ORGANIZATION: Talos [86:91]" }, { "file": "llm_annotated_apt.jsonl", "line": 466, "span1": "MALWARE: PXA [342:345]", "span2": "MALWARE: PXA Stealer [342:353]" }, { "file": "llm_annotated_apt.jsonl", "line": 484, "span1": "ORGANIZATION: Microsoft [17:26]", "span2": "SYSTEM: Microsoft Word [17:31]" }, { "file": "llm_annotated_apt.jsonl", "line": 494, "span1": "MALWARE: Snake [0:5]", "span2": "MALWARE: Snake Keylogger [0:15]" }, { "file": "llm_annotated_apt.jsonl", "line": 506, "span1": "SYSTEM: Windows [401:408]", "span2": "SYSTEM: Windows 7 [401:410]" }, { "file": "llm_annotated_apt.jsonl", "line": 513, "span1": "MALWARE: Agent Racoon [0:12]", "span2": "MALWARE: Racoon [6:12]" }, { "file": "llm_annotated_apt.jsonl", "line": 536, "span1": "SYSTEM: .NET [110:114]", "span2": "SYSTEM: .NET Framework [110:124]" }, { "file": "llm_annotated_apt.jsonl", "line": 541, "span1": "MALWARE: Aurora [1153:1159]", "span2": "MALWARE: Aurora Stealer [1153:1167]" }, { "file": "llm_annotated_apt.jsonl", "line": 552, "span1": "VULNERABILITY: spear-phishing [442:456]", "span2": "VULNERABILITY: phishing [448:456]" }, { "file": "llm_annotated_apt.jsonl", "line": 560, "span1": "MALWARE: Aurora [104:110]", "span2": "MALWARE: Aurora Stealer [104:118]" }, { "file": "llm_annotated_apt.jsonl", "line": 576, "span1": "SYSTEM: Windows [88:95]", "span2": "SYSTEM: Windows Defender [88:104]" }, { "file": "llm_annotated_apt.jsonl", "line": 577, "span1": "THREAT_ACTOR: Cobalt [395:401]", "span2": "TOOL: Cobalt Strike [395:408]" }, { "file": "llm_annotated_apt.jsonl", "line": 577, "span1": "TOOL: Cobalt Strike [395:408]", "span2": "TOOL: Cobalt Strike Beacon [395:415]" }, { "file": "llm_annotated_apt.jsonl", "line": 616, "span1": "VULNERABILITY: spear-phishing [1771:1785]", "span2": "VULNERABILITY: phishing [1777:1785]" }, { "file": "llm_annotated_apt.jsonl", "line": 616, "span1": "ORGANIZATION: Microsoft [1804:1813]", "span2": "SYSTEM: Microsoft Word [1804:1818]" }, { "file": "llm_annotated_apt.jsonl", "line": 651, "span1": "TOOL: cmd [563:566]", "span2": "TOOL: cmd.exe [563:570]" }, { "file": "llm_annotated_apt.jsonl", "line": 652, "span1": "TOOL: Brute Ratel [0:11]", "span2": "MALWARE: Brute Ratel C4 [0:14]" }, { "file": "llm_annotated_apt.jsonl", "line": 652, "span1": "TOOL: Brute Ratel [987:998]", "span2": "MALWARE: Brute Ratel C4 [987:1001]" }, { "file": "llm_annotated_apt.jsonl", "line": 657, "span1": "THREAT_ACTOR: Cobalt [259:265]", "span2": "TOOL: Cobalt Strike [259:272]" }, { "file": "llm_annotated_apt.jsonl", "line": 664, "span1": "FILEPATH: C:\\Windows\\system32\\drivers\\ftusbload2.sys [690:732]", "span2": "SYSTEM: Windows [693:700]" }, { "file": "llm_annotated_apt.jsonl", "line": 666, "span1": "VULNERABILITY: spear phishing [150:164]", "span2": "VULNERABILITY: phishing [156:164]" }, { "file": "llm_annotated_apt.jsonl", "line": 667, "span1": "ORGANIZATION: Microsoft [257:266]", "span2": "SYSTEM: Microsoft Excel [257:272]" }, { "file": "llm_annotated_apt.jsonl", "line": 669, "span1": "VULNERABILITY: spear phishing [190:204]", "span2": "VULNERABILITY: phishing [196:204]" }, { "file": "llm_annotated_apt.jsonl", "line": 694, "span1": "SYSTEM: Windows [294:301]", "span2": "SYSTEM: Windows Defender [294:310]" }, { "file": "llm_annotated_apt.jsonl", "line": 700, "span1": "THREAT_ACTOR: Cobalt [0:6]", "span2": "TOOL: Cobalt Strike [0:13]" }, { "file": "llm_annotated_apt.jsonl", "line": 700, "span1": "THREAT_ACTOR: Cobalt [740:746]", "span2": "TOOL: Cobalt Strike [740:753]" }, { "file": "llm_annotated_apt.jsonl", "line": 721, "span1": "SYSTEM: Cisco [13:18]", "span2": "ORGANIZATION: Cisco Talos [13:24]" }, { "file": "llm_annotated_apt.jsonl", "line": 721, "span1": "ORGANIZATION: Cisco Talos [13:24]", "span2": "ORGANIZATION: Talos [19:24]" }, { "file": "llm_annotated_apt.jsonl", "line": 723, "span1": "MALWARE: Crimson [224:231]", "span2": "MALWARE: Crimson RAT [224:235]" }, { "file": "llm_annotated_apt.jsonl", "line": 723, "span1": "MALWARE: Crimson [384:391]", "span2": "MALWARE: Crimson RAT [384:395]" }, { "file": "llm_annotated_apt.jsonl", "line": 746, "span1": "SYSTEM: Windows [300:307]", "span2": "SYSTEM: Windows Defender [300:316]" }, { "file": "llm_annotated_apt.jsonl", "line": 758, "span1": "THREAT_ACTOR: Cobalt [442:448]", "span2": "TOOL: Cobalt Strike [442:455]" } ], "garbage_text": [ { "file": "llm_annotated_apt.jsonl", "line": 481, "issues": [ "HTML tags" ], "text_preview": "According to Sekoia, the aim of this backdoor is to receive VBS modules for execution from a remote C2 server. Once rece" }, { "file": "llm_annotated_apt.jsonl", "line": 649, "issues": [ "HTML tags" ], "text_preview": "There is no reference available for this family and all known samples have version 1.0.0.\r\n\r\nPdb-strings in the samples " }, { "file": "llm_annotated_apt.jsonl", "line": 1226, "issues": [ "HTML tags" ], "text_preview": "NikiTeaR is a sophisticated, custom-developed RAT, which is a rewritten variant of the NikiHTTP (aka NikiTea) RAT. \r\n\r\nI" }, { "file": "llm_annotated_apt.jsonl", "line": 1258, "issues": [ "HTML tags" ], "text_preview": "According to Symantec, this malware has been deployed against IT services companies in the U.S. and Europe. A multi-stag" }, { "file": "llm_annotated_apt.jsonl", "line": 1563, "issues": [ "HTML tags" ], "text_preview": "This ransomware uses a combination of different crypto algorithms (ChaCha20, AES-128, Curve25519). The activity of this " }, { "file": "llm_annotated_apt.jsonl", "line": 1985, "issues": [ "HTML tags" ], "text_preview": "COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intru" }, { "file": "llm_annotated_apt.jsonl", "line": 2149, "issues": [ "HTML tags" ], "text_preview": "Raspberry Robin is initial access malware first identified in September 2021, and active through early 2024. The malware" }, { "file": "llm_annotated_apt.jsonl", "line": 2634, "issues": [ "HTML tags" ], "text_preview": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of use" }, { "file": "llm_annotated_apt.jsonl", "line": 2702, "issues": [ "HTML tags" ], "text_preview": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and ut" }, { "file": "llm_annotated_apt.jsonl", "line": 2725, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defense" }, { "file": "llm_annotated_apt.jsonl", "line": 2729, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include fu" }, { "file": "llm_annotated_apt.jsonl", "line": 2732, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence through executing malicious commands triggered by a user\u2019s shell. User shells exec" }, { "file": "llm_annotated_apt.jsonl", "line": 2733, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Sc" }, { "file": "llm_annotated_apt.jsonl", "line": 2738, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system" }, { "file": "llm_annotated_apt.jsonl", "line": 2740, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i." }, { "file": "llm_annotated_apt.jsonl", "line": 2743, "issues": [ "HTML tags" ], "text_preview": "Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, win" }, { "file": "llm_annotated_apt.jsonl", "line": 2747, "issues": [ "HTML tags" ], "text_preview": "Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and servic" }, { "file": "llm_annotated_apt.jsonl", "line": 2748, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted" }, { "file": "llm_annotated_apt.jsonl", "line": 2750, "issues": [ "HTML tags" ], "text_preview": "The HISTCONTROL environment variable keeps track of what should be saved by the history comman" }, { "file": "llm_annotated_apt.jsonl", "line": 2755, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protecte" }, { "file": "llm_annotated_apt.jsonl", "line": 2757, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publis" }, { "file": "llm_annotated_apt.jsonl", "line": 2768, "issues": [ "HTML tags" ], "text_preview": "Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the" }, { "file": "llm_annotated_apt.jsonl", "line": 2771, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users t" }, { "file": "llm_annotated_apt.jsonl", "line": 2778, "issues": [ "HTML tags" ], "text_preview": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles." }, { "file": "llm_annotated_apt.jsonl", "line": 2779, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scr" }, { "file": "llm_annotated_apt.jsonl", "line": 2781, "issues": [ "HTML tags" ], "text_preview": "Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used fo" }, { "file": "llm_annotated_apt.jsonl", "line": 2792, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may " }, { "file": "llm_annotated_apt.jsonl", "line": 2793, "issues": [ "HTML tags" ], "text_preview": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows" }, { "file": "llm_annotated_apt.jsonl", "line": 2796, "issues": [ "HTML tags" ], "text_preview": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery" }, { "file": "llm_annotated_apt.jsonl", "line": 2797, "issues": [ "HTML tags" ], "text_preview": "Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execu" }, { "file": "llm_annotated_apt.jsonl", "line": 2804, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through i" }, { "file": "llm_annotated_apt.jsonl", "line": 2808, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help " }, { "file": "llm_annotated_apt.jsonl", "line": 2809, "issues": [ "HTML tags" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the pe" }, { "file": "llm_annotated_apt.jsonl", "line": 2812, "issues": [ "HTML tags" ], "text_preview": "During the boot process, macOS executes source /etc/rc.common, which is a shell script containing various u" }, { "file": "llm_annotated_apt.jsonl", "line": 2818, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\n\nMost" }, { "file": "llm_annotated_apt.jsonl", "line": 2820, "issues": [ "HTML tags" ], "text_preview": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measure" }, { "file": "llm_annotated_apt.jsonl", "line": 2824, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Vir" }, { "file": "llm_annotated_apt.jsonl", "line": 2825, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\n\nMost" }, { "file": "llm_annotated_apt.jsonl", "line": 2834, "issues": [ "HTML tags" ], "text_preview": "Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be " }, { "file": "llm_annotated_apt.jsonl", "line": 2835, "issues": [ "HTML tags" ], "text_preview": "Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management sy" }, { "file": "llm_annotated_apt.jsonl", "line": 2837, "issues": [ "HTML tags" ], "text_preview": "Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain" }, { "file": "llm_annotated_apt.jsonl", "line": 2838, "issues": [ "HTML tags" ], "text_preview": "A port monitor can be set through the API call to set a DLL to be loaded at startup. This DLL can be located in sudo command \"allows a system administrator to delegate authority to give certain users (or groups of u" }, { "file": "llm_annotated_apt.jsonl", "line": 2848, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domai" }, { "file": "llm_annotated_apt.jsonl", "line": 2849, "issues": [ "HTML tags" ], "text_preview": "Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a" }, { "file": "llm_annotated_apt.jsonl", "line": 2854, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are ins" }, { "file": "llm_annotated_apt.jsonl", "line": 2855, "issues": [ "HTML tags" ], "text_preview": "Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network fil" }, { "file": "llm_annotated_apt.jsonl", "line": 2861, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which" }, { "file": "llm_annotated_apt.jsonl", "line": 2864, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions o" }, { "file": "llm_annotated_apt.jsonl", "line": 2867, "issues": [ "HTML tags" ], "text_preview": "Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (" }, { "file": "llm_annotated_apt.jsonl", "line": 2872, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of mal" }, { "file": "llm_annotated_apt.jsonl", "line": 2873, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission gr" }, { "file": "llm_annotated_apt.jsonl", "line": 2876, "issues": [ "HTML tags" ], "text_preview": "Per Apple\u2019s documentation, startup items execute during the final phase of the boot process and contain shell scripts or" }, { "file": "llm_annotated_apt.jsonl", "line": 2877, "issues": [ "HTML tags" ], "text_preview": "Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-in" }, { "file": "llm_annotated_apt.jsonl", "line": 2880, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-l" }, { "file": "llm_annotated_apt.jsonl", "line": 2883, "issues": [ "HTML tags" ], "text_preview": "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent acc" }, { "file": "llm_annotated_apt.jsonl", "line": 2884, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalat" }, { "file": "llm_annotated_apt.jsonl", "line": 2888, "issues": [ "HTML tags" ], "text_preview": "The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may " }, { "file": "llm_annotated_apt.jsonl", "line": 2893, "issues": [ "HTML tags" ], "text_preview": "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nFo" }, { "file": "llm_annotated_apt.jsonl", "line": 2894, "issues": [ "HTML tags" ], "text_preview": "Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used " }, { "file": "llm_annotated_apt.jsonl", "line": 2897, "issues": [ "HTML tags" ], "text_preview": "Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE" }, { "file": "llm_annotated_apt.jsonl", "line": 2901, "issues": [ "HTML tags" ], "text_preview": "Adversaries may try to gather information about registered local system services. Adversaries may obtain information abo" }, { "file": "llm_annotated_apt.jsonl", "line": 2907, "issues": [ "HTML tags" ], "text_preview": "Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry store" }, { "file": "llm_annotated_apt.jsonl", "line": 2908, "issues": [ "HTML tags" ], "text_preview": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to" }, { "file": "llm_annotated_apt.jsonl", "line": 2916, "issues": [ "HTML tags" ], "text_preview": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches" }, { "file": "llm_annotated_apt.jsonl", "line": 2922, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for " }, { "file": "llm_annotated_apt.jsonl", "line": 2923, "issues": [ "HTML tags" ], "text_preview": "MacOS provides the option to list specific applications to run when a user logs in. These applications run under the log" }, { "file": "llm_annotated_apt.jsonl", "line": 2927, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Service" }, { "file": "llm_annotated_apt.jsonl", "line": 2928, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applicati" }, { "file": "llm_annotated_apt.jsonl", "line": 2932, "issues": [ "HTML tags" ], "text_preview": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs pr" }, { "file": "llm_annotated_apt.jsonl", "line": 2933, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache). These files are used for" }, { "file": "llm_annotated_apt.jsonl", "line": 2934, "issues": [ "HTML tags" ], "text_preview": "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operation" }, { "file": "llm_annotated_apt.jsonl", "line": 2936, "issues": [ "HTML tags" ], "text_preview": "Windows stores local service configuration information in the Registry under HKLM\\SYSTEM\\CurrentControlSet\\Service" }, { "file": "llm_annotated_apt.jsonl", "line": 2940, "issues": [ "HTML tags" ], "text_preview": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the " }, { "file": "llm_annotated_apt.jsonl", "line": 2946, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require se" }, { "file": "llm_annotated_apt.jsonl", "line": 2955, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ti" }, { "file": "llm_annotated_apt.jsonl", "line": 2961, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possib" }, { "file": "llm_annotated_apt.jsonl", "line": 2964, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application " }, { "file": "llm_annotated_apt.jsonl", "line": 2966, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escal" }, { "file": "llm_annotated_apt.jsonl", "line": 2967, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow use" }, { "file": "llm_annotated_apt.jsonl", "line": 2968, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that po" }, { "file": "llm_annotated_apt.jsonl", "line": 2972, "issues": [ "HTML tags" ], "text_preview": "Bash keeps track of the commands users type on the command-line with the \"history\" utility. Once a user logs out, the hi" }, { "file": "llm_annotated_apt.jsonl", "line": 2975, "issues": [ "HTML tags" ], "text_preview": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser. \n\nWeb browsers " }, { "file": "llm_annotated_apt.jsonl", "line": 2976, "issues": [ "HTML tags" ], "text_preview": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, o" }, { "file": "llm_annotated_apt.jsonl", "line": 2977, "issues": [ "HTML tags" ], "text_preview": "**This technique has been deprecated and should no longer be used.**\n\nThe source command loads functions in" }, { "file": "llm_annotated_apt.jsonl", "line": 2980, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique " }, { "file": "llm_annotated_apt.jsonl", "line": 2992, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address l" }, { "file": "llm_annotated_apt.jsonl", "line": 2995, "issues": [ "HTML tags" ], "text_preview": "Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under HKEY_LOCAL_MACHINE\\System\\C" }, { "file": "llm_annotated_apt.jsonl", "line": 2998, "issues": [ "HTML tags" ], "text_preview": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows eve" }, { "file": "llm_annotated_apt.jsonl", "line": 3003, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (co" }, { "file": "llm_annotated_apt.jsonl", "line": 3006, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are load" }, { "file": "llm_annotated_apt.jsonl", "line": 3007, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign p" }, { "file": "llm_annotated_apt.jsonl", "line": 3008, "issues": [ "HTML tags" ], "text_preview": "Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SA" }, { "file": "llm_annotated_apt.jsonl", "line": 3011, "issues": [ "HTML tags" ], "text_preview": "Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a syst" }, { "file": "llm_annotated_apt.jsonl", "line": 3016, "issues": [ "HTML tags" ], "text_preview": "Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provi" }, { "file": "llm_annotated_apt.jsonl", "line": 3020, "issues": [ "HTML tags" ], "text_preview": "Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute" }, { "file": "llm_annotated_apt.jsonl", "line": 3021, "issues": [ "HTML tags" ], "text_preview": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control to" }, { "file": "llm_annotated_apt.jsonl", "line": 3023, "issues": [ "HTML tags" ], "text_preview": "Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change cont" }, { "file": "llm_annotated_apt.jsonl", "line": 3033, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides " }, { "file": "llm_annotated_apt.jsonl", "line": 3034, "issues": [ "HTML tags" ], "text_preview": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversa" }, { "file": "llm_annotated_apt.jsonl", "line": 3036, "issues": [ "HTML tags" ], "text_preview": "Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. " }, { "file": "llm_annotated_apt.jsonl", "line": 3038, "issues": [ "HTML tags" ], "text_preview": "Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are" }, { "file": "llm_annotated_apt.jsonl", "line": 3039, "issues": [ "HTML tags" ], "text_preview": "An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-servi" }, { "file": "llm_annotated_apt.jsonl", "line": 3040, "issues": [ "HTML tags" ], "text_preview": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers comm" }, { "file": "llm_annotated_apt.jsonl", "line": 3041, "issues": [ "HTML tags" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because " }, { "file": "llm_annotated_apt.jsonl", "line": 3044, "issues": [ "HTML tags" ], "text_preview": "Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHC" }, { "file": "llm_annotated_apt.jsonl", "line": 3045, "issues": [ "HTML tags" ], "text_preview": "macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages" }, { "file": "llm_annotated_apt.jsonl", "line": 3050, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, u" }, { "file": "llm_annotated_apt.jsonl", "line": 3052, "issues": [ "HTML tags" ], "text_preview": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Priva" }, { "file": "llm_annotated_apt.jsonl", "line": 3058, "issues": [ "HTML tags" ], "text_preview": "Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created" }, { "file": "llm_annotated_apt.jsonl", "line": 3059, "issues": [ "HTML tags" ], "text_preview": "The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functional" }, { "file": "llm_annotated_apt.jsonl", "line": 3061, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trapauthorized_keys file to maintain persistence on a victim host. Linux distrib" }, { "file": "llm_annotated_apt.jsonl", "line": 3098, "issues": [ "HTML tags" ], "text_preview": "Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They e" }, { "file": "llm_annotated_apt.jsonl", "line": 3099, "issues": [ "HTML tags" ], "text_preview": "Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start." }, { "file": "llm_annotated_apt.jsonl", "line": 3101, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File E" }, { "file": "llm_annotated_apt.jsonl", "line": 3102, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allo" }, { "file": "llm_annotated_apt.jsonl", "line": 3108, "issues": [ "HTML tags" ], "text_preview": "In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on t" }, { "file": "llm_annotated_apt.jsonl", "line": 3110, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject malicious code into process via process doppelg\u00e4nging in order to evade process-based defenses as" }, { "file": "llm_annotated_apt.jsonl", "line": 3111, "issues": [ "HTML tags" ], "text_preview": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of syste" }, { "file": "llm_annotated_apt.jsonl", "line": 3114, "issues": [ "HTML tags" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may" }, { "file": "llm_annotated_apt.jsonl", "line": 3115, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibilit" }, { "file": "llm_annotated_apt.jsonl", "line": 3117, "issues": [ "HTML tags" ], "text_preview": "Adversaries may gain persistence and elevate privileges in certain situations by abusing PowerShell profiles. A PowerShe" }, { "file": "llm_annotated_apt.jsonl", "line": 3118, "issues": [ "HTML tags" ], "text_preview": "In user mode, Windows Authenticode digital signatures are used to verify a file's origin and integrity, variables that " }, { "file": "llm_annotated_apt.jsonl", "line": 3123, "issues": [ "HTML tags" ], "text_preview": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. T" }, { "file": "llm_annotated_apt.jsonl", "line": 3124, "issues": [ "HTML tags" ], "text_preview": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Activ" }, { "file": "llm_annotated_apt.jsonl", "line": 3127, "issues": [ "HTML tags" ], "text_preview": "Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code" }, { "file": "llm_annotated_apt.jsonl", "line": 3135, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name " }, { "file": "llm_annotated_apt.jsonl", "line": 3137, "issues": [ "HTML tags" ], "text_preview": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG " }, { "file": "llm_annotated_apt.jsonl", "line": 3141, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contain" }, { "file": "llm_annotated_apt.jsonl", "line": 3145, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse a container administration service to execute commands within a container. A container administrat" }, { "file": "llm_annotated_apt.jsonl", "line": 3146, "issues": [ "HTML tags" ], "text_preview": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certa" }, { "file": "llm_annotated_apt.jsonl", "line": 3149, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade p" }, { "file": "llm_annotated_apt.jsonl", "line": 3151, "issues": [ "HTML tags" ], "text_preview": "The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for bac" }, { "file": "llm_annotated_apt.jsonl", "line": 3152, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evad" }, { "file": "llm_annotated_apt.jsonl", "line": 3154, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs" }, { "file": "llm_annotated_apt.jsonl", "line": 3161, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently acc" }, { "file": "llm_annotated_apt.jsonl", "line": 3163, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downl" }, { "file": "llm_annotated_apt.jsonl", "line": 3167, "issues": [ "HTML tags" ], "text_preview": "Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of maliciou" }, { "file": "llm_annotated_apt.jsonl", "line": 3169, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as poss" }, { "file": "llm_annotated_apt.jsonl", "line": 3170, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Ve" }, { "file": "llm_annotated_apt.jsonl", "line": 3172, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service manageme" }, { "file": "llm_annotated_apt.jsonl", "line": 3177, "issues": [ "HTML tags" ], "text_preview": "Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for" }, { "file": "llm_annotated_apt.jsonl", "line": 3182, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted " }, { "file": "llm_annotated_apt.jsonl", "line": 3183, "issues": [ "HTML tags" ], "text_preview": "Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are a" }, { "file": "llm_annotated_apt.jsonl", "line": 3194, "issues": [ "HTML tags" ], "text_preview": "Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchr" }, { "file": "llm_annotated_apt.jsonl", "line": 3200, "issues": [ "HTML tags" ], "text_preview": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts" }, { "file": "llm_annotated_apt.jsonl", "line": 3203, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to" }, { "file": "llm_annotated_apt.jsonl", "line": 3205, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow admini" }, { "file": "llm_annotated_apt.jsonl", "line": 3208, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organi" }, { "file": "llm_annotated_apt.jsonl", "line": 3209, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to ga" }, { "file": "llm_annotated_apt.jsonl", "line": 3210, "issues": [ "HTML tags" ], "text_preview": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interp" }, { "file": "llm_annotated_apt.jsonl", "line": 3211, "issues": [ "HTML tags" ], "text_preview": "This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how th" }, { "file": "llm_annotated_apt.jsonl", "line": 3221, "issues": [ "HTML tags" ], "text_preview": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to e" }, { "file": "llm_annotated_apt.jsonl", "line": 3223, "issues": [ "HTML tags" ], "text_preview": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. A" }, { "file": "llm_annotated_apt.jsonl", "line": 3228, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line i" }, { "file": "llm_annotated_apt.jsonl", "line": 3230, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file i" }, { "file": "llm_annotated_apt.jsonl", "line": 3236, "issues": [ "HTML tags" ], "text_preview": "Windows contains accessibility features that may be launched with a key combination before a user has logged in (for exa" }, { "file": "llm_annotated_apt.jsonl", "line": 3238, "issues": [ "HTML tags" ], "text_preview": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Da" }, { "file": "llm_annotated_apt.jsonl", "line": 3242, "issues": [ "HTML tags" ], "text_preview": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to e" }, { "file": "llm_annotated_apt.jsonl", "line": 3243, "issues": [ "HTML tags" ], "text_preview": "Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and feature" }, { "file": "llm_annotated_apt.jsonl", "line": 3245, "issues": [ "HTML tags" ], "text_preview": "The sudoers file, /etc/sudoers, describes which users can run which commands and from which terminals. This" }, { "file": "llm_annotated_apt.jsonl", "line": 3247, "issues": [ "HTML tags" ], "text_preview": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. A" }, { "file": "llm_annotated_apt.jsonl", "line": 3250, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission gr" }, { "file": "llm_annotated_apt.jsonl", "line": 3255, "issues": [ "HTML tags" ], "text_preview": "Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension .htaKernelCallbackTable of a process to hijack its execution flow in order to run the" }, { "file": "llm_annotated_apt.jsonl", "line": 3265, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Sy" }, { "file": "llm_annotated_apt.jsonl", "line": 3271, "issues": [ "HTML tags" ], "text_preview": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windo" }, { "file": "llm_annotated_apt.jsonl", "line": 3278, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. " }, { "file": "llm_annotated_apt.jsonl", "line": 3287, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language" }, { "file": "llm_annotated_apt.jsonl", "line": 3295, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Pr" }, { "file": "llm_annotated_apt.jsonl", "line": 3297, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applic" }, { "file": "llm_annotated_apt.jsonl", "line": 3298, "issues": [ "HTML tags" ], "text_preview": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legi" }, { "file": "llm_annotated_apt.jsonl", "line": 3304, "issues": [ "HTML tags" ], "text_preview": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish pe" }, { "file": "llm_annotated_apt.jsonl", "line": 3306, "issues": [ "HTML tags" ], "text_preview": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualiza" }, { "file": "llm_annotated_apt.jsonl", "line": 3307, "issues": [ "HTML tags" ], "text_preview": "The trap command allows programs and shells to specify commands that will be executed upon receiving interr" }, { "file": "llm_annotated_apt.jsonl", "line": 3309, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cl" }, { "file": "llm_annotated_apt.jsonl", "line": 3311, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence through executing malicious commands triggered by a user\u2019s shell. User Unix Shells" }, { "file": "llm_annotated_apt.jsonl", "line": 3312, "issues": [ "HTML tags" ], "text_preview": "Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication informa" }, { "file": "llm_annotated_apt.jsonl", "line": 3318, "issues": [ "HTML tags" ], "text_preview": "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the" }, { "file": "llm_annotated_apt.jsonl", "line": 3322, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs" }, { "file": "llm_annotated_apt.jsonl", "line": 3325, "issues": [ "HTML tags" ], "text_preview": "Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage" }, { "file": "llm_annotated_apt.jsonl", "line": 3328, "issues": [ "HTML tags" ], "text_preview": "Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configura" }, { "file": "llm_annotated_apt.jsonl", "line": 3337, "issues": [ "HTML tags" ], "text_preview": "Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those u" }, { "file": "llm_annotated_apt.jsonl", "line": 3347, "issues": [ "HTML tags" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take " }, { "file": "llm_annotated_apt.jsonl", "line": 3349, "issues": [ "HTML tags" ], "text_preview": "On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron" }, { "file": "llm_annotated_apt.jsonl", "line": 3350, "issues": [ "HTML tags" ], "text_preview": "When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run wi" }, { "file": "llm_annotated_apt.jsonl", "line": 3351, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items " }, { "file": "llm_annotated_apt.jsonl", "line": 3355, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical l" }, { "file": "llm_annotated_apt.jsonl", "line": 3359, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic tec" }, { "file": "llm_annotated_apt.jsonl", "line": 3365, "issues": [ "HTML tags" ], "text_preview": "Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact wi" }, { "file": "llm_annotated_apt.jsonl", "line": 3368, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regas" }, { "file": "llm_annotated_apt.jsonl", "line": 3369, "issues": [ "HTML tags" ], "text_preview": "**This technique has been deprecated. Please use Path Interception by PATH Environment Variable, Path Interception by Se" }, { "file": "llm_annotated_apt.jsonl", "line": 3372, "issues": [ "HTML tags" ], "text_preview": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary contro" }, { "file": "llm_annotated_apt.jsonl", "line": 3377, "issues": [ "HTML tags" ], "text_preview": "Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries ma" }, { "file": "llm_annotated_apt.jsonl", "line": 3378, "issues": [ "HTML tags" ], "text_preview": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by repla" }, { "file": "llm_annotated_apt.jsonl", "line": 3383, "issues": [ "HTML tags" ], "text_preview": "Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-leve" }, { "file": "llm_annotated_apt.jsonl", "line": 3388, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are ins" }, { "file": "llm_annotated_apt.jsonl", "line": 3389, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows t" }, { "file": "llm_annotated_apt.jsonl", "line": 3392, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language" }, { "file": "llm_annotated_apt.jsonl", "line": 3396, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs" }, { "file": "llm_annotated_apt.jsonl", "line": 3401, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are prog" }, { "file": "llm_annotated_apt.jsonl", "line": 3402, "issues": [ "HTML tags" ], "text_preview": "Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that a" }, { "file": "llm_annotated_apt.jsonl", "line": 3409, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline " }, { "file": "llm_annotated_apt.jsonl", "line": 3410, "issues": [ "HTML tags" ], "text_preview": "Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a u" }, { "file": "llm_annotated_apt.jsonl", "line": 3413, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses a" }, { "file": "llm_annotated_apt.jsonl", "line": 3421, "issues": [ "HTML tags" ], "text_preview": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the " }, { "file": "llm_annotated_apt.jsonl", "line": 3422, "issues": [ "HTML tags" ], "text_preview": "Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for s" }, { "file": "llm_annotated_apt.jsonl", "line": 3424, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on pre" }, { "file": "llm_annotated_apt.jsonl", "line": 3429, "issues": [ "HTML tags" ], "text_preview": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to" }, { "file": "llm_annotated_apt.jsonl", "line": 3433, "issues": [ "HTML tags" ], "text_preview": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML" }, { "file": "llm_annotated_apt.jsonl", "line": 3434, "issues": [ "HTML tags" ], "text_preview": "An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows sy" }, { "file": "llm_annotated_apt.jsonl", "line": 3435, "issues": [ "HTML tags" ], "text_preview": "Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of " }, { "file": "llm_annotated_apt.jsonl", "line": 3436, "issues": [ "HTML tags" ], "text_preview": "Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certifi" }, { "file": "llm_annotated_apt.jsonl", "line": 3438, "issues": [ "HTML tags" ], "text_preview": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native" }, { "file": "llm_annotated_apt.jsonl", "line": 3444, "issues": [ "HTML tags" ], "text_preview": "To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of" }, { "file": "llm_annotated_apt.jsonl", "line": 3445, "issues": [ "HTML tags" ], "text_preview": "Adversaries may create or modify references in user document templates to conceal malicious code or force authentication" }, { "file": "llm_annotated_apt.jsonl", "line": 3446, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system\u2019s startup. T" }, { "file": "llm_annotated_apt.jsonl", "line": 3447, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and" }, { "file": "llm_annotated_apt.jsonl", "line": 3448, "issues": [ "HTML tags" ], "text_preview": "The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are r" }, { "file": "llm_annotated_apt.jsonl", "line": 3450, "issues": [ "HTML tags" ], "text_preview": "Per Apple\u2019s developer documentation, when a user logs in, a per-user launchd process is started which loads the paramete" }, { "file": "llm_annotated_apt.jsonl", "line": 3466, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a netw" }, { "file": "llm_annotated_apt.jsonl", "line": 3467, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, i" }, { "file": "llm_annotated_apt.jsonl", "line": 3472, "issues": [ "HTML tags" ], "text_preview": "Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace a" }, { "file": "llm_annotated_apt.jsonl", "line": 3473, "issues": [ "HTML tags" ], "text_preview": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specificall" }, { "file": "llm_annotated_apt.jsonl", "line": 3474, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or rest" }, { "file": "llm_annotated_apt.jsonl", "line": 3479, "issues": [ "HTML tags" ], "text_preview": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may" }, { "file": "llm_annotated_apt.jsonl", "line": 3481, "issues": [ "HTML tags" ], "text_preview": "Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email accoun" }, { "file": "llm_annotated_apt.jsonl", "line": 3483, "issues": [ "HTML tags" ], "text_preview": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windo" }, { "file": "llm_annotated_apt.jsonl", "line": 3487, "issues": [ "HTML tags" ], "text_preview": "Per Apple\u2019s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This p" }, { "file": "llm_annotated_apt.jsonl", "line": 3488, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-b" }, { "file": "llm_annotated_apt.jsonl", "line": 3492, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windo" }, { "file": "llm_annotated_apt.jsonl", "line": 3493, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-base" }, { "file": "llm_annotated_apt.jsonl", "line": 3496, "issues": [ "HTML tags" ], "text_preview": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensib" }, { "file": "llm_annotated_apt.jsonl", "line": 3498, "issues": [ "HTML tags" ], "text_preview": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accid" }, { "file": "llm_annotated_apt.jsonl", "line": 3501, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An " }, { "file": "llm_annotated_apt.jsonl", "line": 3504, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential " }, { "file": "llm_annotated_apt.jsonl", "line": 3510, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service" }, { "file": "llm_annotated_apt.jsonl", "line": 3519, "issues": [ "HTML tags" ], "text_preview": "An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set " }, { "file": "llm_annotated_apt.jsonl", "line": 3520, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. Th" }, { "file": "llm_annotated_apt.jsonl", "line": 3522, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as " }, { "file": "llm_annotated_apt.jsonl", "line": 3529, "issues": [ "HTML tags" ], "text_preview": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted syst" }, { "file": "llm_annotated_apt.jsonl", "line": 3530, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also ref" }, { "file": "llm_annotated_apt.jsonl", "line": 3536, "issues": [ "HTML tags" ], "text_preview": "InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific" }, { "file": "llm_annotated_apt.jsonl", "line": 3540, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are c" }, { "file": "llm_annotated_apt.jsonl", "line": 3549, "issues": [ "HTML tags" ], "text_preview": "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a pat" }, { "file": "llm_annotated_apt.jsonl", "line": 3555, "issues": [ "HTML tags" ], "text_preview": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating s" }, { "file": "llm_annotated_apt.jsonl", "line": 3556, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary" }, { "file": "llm_annotated_apt.jsonl", "line": 3557, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line argum" }, { "file": "llm_annotated_apt.jsonl", "line": 3558, "issues": [ "HTML tags" ], "text_preview": "Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote" }, { "file": "llm_annotated_apt.jsonl", "line": 3593, "issues": [ "HTML tags" ], "text_preview": "Quad7 Activity, also known as CovertNetwork-1658 or the 7777 Botnet, is a network of compromised small office/home offic" }, { "file": "llm_annotated_apt.jsonl", "line": 3613, "issues": [ "HTML tags" ], "text_preview": ":small_blue_diamond: kbandla
\n:small_blue_diamond: APTnotes
\n:small_blue_diamond: Florian Roth - APT Groups
" }, { "file": "llm_annotated_apt.jsonl", "line": 3632, "issues": [ "HTML tags" ], "text_preview": "### SentinelOne \n:small_orange_diamond: 2024 - [[SentinelOne] WatchTower 2023 Intelligence-Driven Threat Hunting](https:" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 46, "issues": [ "HTML tags" ], "text_preview": "COATHANGER is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intru" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 210, "issues": [ "HTML tags" ], "text_preview": "Raspberry Robin is initial access malware first identified in September 2021, and active through early 2024. The malware" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 694, "issues": [ "HTML tags" ], "text_preview": "The Net utility is a component of the Windows operating system. It is used in command-line operations for control of use" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 762, "issues": [ "HTML tags" ], "text_preview": "cmd is the Windows command-line interpreter that can be used to interact with systems and execute other processes and ut" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 785, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defense" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 788, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use utilities to compress and/or encrypt collected data prior to exfiltration. Many utilities include fu" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 791, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Sc" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 795, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 797, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i." }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 802, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 808, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protecte" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 810, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publis" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 822, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use email rules to hide inbound emails in a compromised user's mailbox. Many email clients allow users t" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 828, "issues": [ "HTML tags" ], "text_preview": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles." }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 829, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scr" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 839, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 840, "issues": [ "HTML tags" ], "text_preview": "Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 842, "issues": [ "HTML tags" ], "text_preview": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 843, "issues": [ "HTML tags" ], "text_preview": "Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execu" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 850, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through i" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 854, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 855, "issues": [ "HTML tags" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Flaws in the pe" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 863, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\n\nMost" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 865, "issues": [ "HTML tags" ], "text_preview": "Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measure" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 868, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Vir" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 874, "issues": [ "HTML tags" ], "text_preview": "Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 875, "issues": [ "HTML tags" ], "text_preview": "Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management sy" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 877, "issues": [ "HTML tags" ], "text_preview": "Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 879, "issues": [ "HTML tags" ], "text_preview": "An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 880, "issues": [ "HTML tags" ], "text_preview": "Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 881, "issues": [ "HTML tags" ], "text_preview": "Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 884, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domai" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 885, "issues": [ "HTML tags" ], "text_preview": "Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 890, "issues": [ "HTML tags" ], "text_preview": "Adversaries may communicate using publish/subscribe (pub/sub) application layer protocols to avoid detection/network fil" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 896, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 898, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions o" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 904, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of mal" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 905, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission gr" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 908, "issues": [ "HTML tags" ], "text_preview": "Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-in" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 911, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-l" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 914, "issues": [ "HTML tags" ], "text_preview": "An adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent acc" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 915, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalat" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 921, "issues": [ "HTML tags" ], "text_preview": "Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nFo" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 922, "issues": [ "HTML tags" ], "text_preview": "Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 928, "issues": [ "HTML tags" ], "text_preview": "Adversaries may try to gather information about registered local system services. Adversaries may obtain information abo" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 933, "issues": [ "HTML tags" ], "text_preview": "Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry store" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 934, "issues": [ "HTML tags" ], "text_preview": "Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 942, "issues": [ "HTML tags" ], "text_preview": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 948, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 952, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse components of Terminal Services to enable persistent access to systems. Microsoft Terminal Service" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 953, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applicati" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 957, "issues": [ "HTML tags" ], "text_preview": "Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs pr" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 958, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to steal Kerberos tickets stored in credential cache files (or ccache). These files are used for" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 959, "issues": [ "HTML tags" ], "text_preview": "Adversaries may clear or remove evidence of malicious network connections in order to clean up traces of their operation" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 964, "issues": [ "HTML tags" ], "text_preview": "In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 968, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require se" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 977, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ti" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 983, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possib" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 985, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 987, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escal" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 988, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify mail and mail application data to remove evidence of their activity. Email applications allow use" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 989, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use a Login Hook to establish persistence executed upon user logon. A login hook is a plist file that po" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 995, "issues": [ "HTML tags" ], "text_preview": "Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed, o" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 996, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify file time attributes to hide new files or changes to existing files. Timestomping is a technique " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1007, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address l" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1011, "issues": [ "HTML tags" ], "text_preview": "Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows eve" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1016, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (co" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1019, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are load" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1020, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify a process's in-memory arguments to change its name in order to appear as a legitimate or benign p" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1028, "issues": [ "HTML tags" ], "text_preview": "Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control to" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1029, "issues": [ "HTML tags" ], "text_preview": "Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change cont" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1039, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1040, "issues": [ "HTML tags" ], "text_preview": "Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversa" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1042, "issues": [ "HTML tags" ], "text_preview": "Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1043, "issues": [ "HTML tags" ], "text_preview": "An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-servi" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1044, "issues": [ "HTML tags" ], "text_preview": "Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers comm" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1045, "issues": [ "HTML tags" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1048, "issues": [ "HTML tags" ], "text_preview": "Adversaries may redirect network traffic to adversary-owned systems by spoofing Dynamic Host Configuration Protocol (DHC" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1053, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, u" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1055, "issues": [ "HTML tags" ], "text_preview": "Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Priva" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1061, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The trapauthorized_keys file to maintain persistence on a victim host. Linux distrib" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1089, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File E" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1090, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allo" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1095, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject malicious code into process via process doppelg\u00e4nging in order to evade process-based defenses as" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1096, "issues": [ "HTML tags" ], "text_preview": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of syste" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1099, "issues": [ "HTML tags" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1100, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibilit" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1106, "issues": [ "HTML tags" ], "text_preview": "An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. T" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1107, "issues": [ "HTML tags" ], "text_preview": "Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Activ" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1110, "issues": [ "HTML tags" ], "text_preview": "Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1117, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1119, "issues": [ "HTML tags" ], "text_preview": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1123, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contain" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1127, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse a container administration service to execute commands within a container. A container administrat" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1128, "issues": [ "HTML tags" ], "text_preview": "Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certa" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1131, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade p" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1133, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify property list files (plist files) to enable other malicious activity, while also potentially evad" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1135, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1140, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently acc" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1142, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downl" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1145, "issues": [ "HTML tags" ], "text_preview": "Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of maliciou" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1146, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as poss" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1147, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Ve" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1149, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service manageme" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1154, "issues": [ "HTML tags" ], "text_preview": "Adversaries can provide malicious content to an XPC service daemon for local code execution. macOS uses XPC services for" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1159, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1160, "issues": [ "HTML tags" ], "text_preview": "Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are a" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1171, "issues": [ "HTML tags" ], "text_preview": "Adversaries may log into accessible cloud services within a compromised environment using Valid Accounts that are synchr" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1177, "issues": [ "HTML tags" ], "text_preview": "Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1180, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use hidden users to hide the presence of user accounts they create or modify. Administrators may want to" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1182, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow admini" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1184, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organi" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1185, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get information about running processes on a system. Information obtained could be used to ga" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1186, "issues": [ "HTML tags" ], "text_preview": "Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interp" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1195, "issues": [ "HTML tags" ], "text_preview": "Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to e" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1201, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line i" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1202, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file i" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1207, "issues": [ "HTML tags" ], "text_preview": "Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Da" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1213, "issues": [ "HTML tags" ], "text_preview": "Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. A" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1216, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission gr" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1220, "issues": [ "HTML tags" ], "text_preview": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control ch" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1221, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are p" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1226, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse the KernelCallbackTable of a process to hijack its execution flow in order to run the" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1228, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Sy" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1233, "issues": [ "HTML tags" ], "text_preview": "Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windo" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1239, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1248, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse Lua commands and scripts for execution. Lua is a cross-platform scripting and programming language" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1255, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Pr" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1257, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applic" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1258, "issues": [ "HTML tags" ], "text_preview": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legi" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1263, "issues": [ "HTML tags" ], "text_preview": "Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish pe" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1265, "issues": [ "HTML tags" ], "text_preview": "Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualiza" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1267, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cl" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1269, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence through executing malicious commands triggered by a user\u2019s shell. User Unix Shells" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1270, "issues": [ "HTML tags" ], "text_preview": "Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication informa" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1275, "issues": [ "HTML tags" ], "text_preview": "Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1278, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1280, "issues": [ "HTML tags" ], "text_preview": "Adversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1290, "issues": [ "HTML tags" ], "text_preview": "Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those u" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1300, "issues": [ "HTML tags" ], "text_preview": "Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1302, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1303, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical l" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1306, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic tec" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1314, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regas" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1316, "issues": [ "HTML tags" ], "text_preview": "Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary contro" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1320, "issues": [ "HTML tags" ], "text_preview": "Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries ma" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1321, "issues": [ "HTML tags" ], "text_preview": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by repla" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1329, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are ins" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1330, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows t" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1332, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1336, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1341, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are prog" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1347, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1348, "issues": [ "HTML tags" ], "text_preview": "Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a u" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1351, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses a" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1358, "issues": [ "HTML tags" ], "text_preview": "Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for s" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1363, "issues": [ "HTML tags" ], "text_preview": "Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1367, "issues": [ "HTML tags" ], "text_preview": "Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1368, "issues": [ "HTML tags" ], "text_preview": "An adversary may abuse Active Directory authentication encryption properties to gain access to credentials on Windows sy" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1369, "issues": [ "HTML tags" ], "text_preview": "Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1370, "issues": [ "HTML tags" ], "text_preview": "Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1376, "issues": [ "HTML tags" ], "text_preview": "Adversaries may create or modify references in user document templates to conceal malicious code or force authentication" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1377, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence by modifying RC scripts, which are executed during a Unix-like system\u2019s startup. T" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1378, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify access tokens to operate under a different user or system security context to perform actions and" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1394, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a netw" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1395, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, i" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1400, "issues": [ "HTML tags" ], "text_preview": "Adversaries may employ various means to detect and avoid debuggers. Debuggers are typically used by defenders to trace a" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1401, "issues": [ "HTML tags" ], "text_preview": "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specificall" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1402, "issues": [ "HTML tags" ], "text_preview": "Adversaries may modify plist files to automatically run an application when a user logs in. When a user logs out or rest" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1406, "issues": [ "HTML tags" ], "text_preview": "Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1408, "issues": [ "HTML tags" ], "text_preview": "Adversaries may grant additional permission levels to maintain persistent access to an adversary-controlled email accoun" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1412, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-b" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1416, "issues": [ "HTML tags" ], "text_preview": "Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windo" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1417, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse list-view controls to inject malicious code into hijacked processes in order to evade process-base" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1420, "issues": [ "HTML tags" ], "text_preview": "Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensib" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1422, "issues": [ "HTML tags" ], "text_preview": "Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accid" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1425, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse the Microsoft Office \"Office Test\" Registry key to obtain persistence on a compromised system. An " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1427, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1433, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1441, "issues": [ "HTML tags" ], "text_preview": "An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1442, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse the at utility to perform task scheduling for initial or recurring execution of malicious code. Th" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1443, "issues": [ "HTML tags" ], "text_preview": "Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1449, "issues": [ "HTML tags" ], "text_preview": "Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted syst" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1450, "issues": [ "HTML tags" ], "text_preview": "Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also ref" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1457, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are c" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1466, "issues": [ "HTML tags" ], "text_preview": "Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a pat" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1472, "issues": [ "HTML tags" ], "text_preview": "Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating s" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1473, "issues": [ "HTML tags" ], "text_preview": "Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console (MMC) is a binary" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1474, "issues": [ "HTML tags" ], "text_preview": "Adversaries may attempt to hide process command-line arguments by overwriting process memory. Process command-line argum" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1838, "issues": [ "HTML tags" ], "text_preview": "Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, ser" }, { "file": "llm_annotated_nvd.jsonl", "line": 47, "issues": [ "HTML tags" ], "text_preview": "CVE-2026-34840: OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, OneUptime's" }, { "file": "llm_annotated_nvd.jsonl", "line": 304, "issues": [ "HTML tags" ], "text_preview": "CVE-2020-36945: WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticate" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 8, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix double free race when mount fails in cifs" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 9, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcutorture: Fix rcutorture_one_extend_check() splat" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 10, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/packet: fix slab-out-of-bounds access in packet" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 12, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix 'scheduling while atomic' on aux critical " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 15, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mremap: fix address wraparound in move_page_tabl" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 22, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate buffer length while parsing inde" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 29, "issues": [ "HTML tags" ], "text_preview": "An attacker can upload files with the privilege of the Web Server process for Kaseya VSA Unified Remote Monitoring & Man" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 30, "issues": [ "HTML tags" ], "text_preview": "All versions of package reportlab are vulnerable to Server-side Request Forgery (SSRF) via img tags. In order to reduce " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 32, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: release svc_expkey/svc_export with rcu_work\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 39, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmips: bmips: BCM6358: disable RAC flush for TP1\n\nRA" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 42, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: Fix system crash due to lack of free space in" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 54, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\necryptfs: Fix buffer size for tag 66 packet\n\nThe 'T" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 57, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ninterconnect: Don't access req_list while it's bein" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 68, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfscrypt: fix left shift underflow when inode->i_blk" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 71, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on direct node in trun" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 75, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemstick: rtsx_usb_ms: Fix slab-use-after-free in r" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 77, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: teql: Fix double-free in teql_master_xmi" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 79, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: tables: FPDT: Don't call acpi_os_map_memory()" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 80, "issues": [ "HTML tags" ], "text_preview": "An Improper Check for Unusual or Exceptional Conditions vulnerability in the packet forwarding engine (pfe) of Juniper N" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 84, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nsrcu: Delegate work to the boot cpu if using SRCU_S" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 85, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix kernel crash during reboot when adapter i" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 86, "issues": [ "HTML tags" ], "text_preview": "An Uncontrolled Resource Consumption vulnerability in the PFE management daemon (evo-pfemand) of Juniper Networks Junos " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 88, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix fortify source warning while accessi" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 89, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Get user_ns from in_skb in unix_diag_get_e" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 95, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ftrace: fix module PLTs with mcount\n\nLi Huaf" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 109, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nstmmac: Clear variable when destroying workqueue\n\nC" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 111, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntunnels: do not assume mac header is set in skb_tun" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 121, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't drop extent_map for free space inode o" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 125, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/osnoise: Use a cpumask to know what threads" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 126, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: gadget: Fix use-after-free Read in usb_udc_uev" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 132, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup/cpuset: Prevent UAF in proc_cpuset_show()\n\nA" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 141, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Fix NULL deref in ntfs_update_mftmirr\n\nIf" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 143, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\npfcp: Destroy device along with udp socket's netns " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 155, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: Fix unregistering of framebuffers without de" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 161, "issues": [ "HTML tags" ], "text_preview": "Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 168, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add length check in indx_get_root\n\nThis a" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 170, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: prevent nf_skb_duplicated cor" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 171, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: fix llsec key resources release in mac80" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 172, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix NULL pointer dereference in iavf_get_link" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 178, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: prevent copying too big compressed lzo segme" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 179, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 180, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: Fix NULL dereference in error cleanup\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 184, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: fix double free issue during amdgp" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 187, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Always pass in an error pointer to __" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 191, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_fs: Clear ffs_eventfd in ffs_data_cl" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 194, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Disable migration in nf_hook_run_bpf().\n\nsyzbo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 204, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check rcu_read_lock_trace_held() before callin" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 210, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: publish jinode after initialization\n\next4_ino" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 215, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bgmac: Fix a BUG triggered by wrong bytes_comp" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 216, "issues": [ "HTML tags" ], "text_preview": "SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function i" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 229, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/mem: Fix shutdown order\n\nIra reports that remov" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 232, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nubifs: Fix memory leak in ubifs_sysfs_init()\n\nWhen " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 235, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vmwgfx: Unmap the surface before resetting it o" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 239, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: core: Fix use-after-free in snd_soc_exit()\n\nK" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 242, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: pm: only set fullmesh for subflow endp\n\nWith" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 251, "issues": [ "HTML tags" ], "text_preview": "Vulnerability in the Oracle Cloud Infrastructure Storage Gateway product of Oracle Storage Gateway (component: Managemen" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 252, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: lapbether: fix issue of invalid opcode in lapb" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 253, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm thin: fix use-after-free crash in dm_sm_register" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 258, "issues": [ "HTML tags" ], "text_preview": "XWiki Commons are technical libraries common to several other top level XWiki projects. The \"restricted\" mode of the HTM" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 263, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Fix NULL deref in debugfs odm_comb" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 264, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nip6mr: Fix skb_under_panic in ip6mr_cache_report()\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 266, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix use-after-free caused by l2ca" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 278, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: page_alloc: move mlocked flag clearance into fr" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 280, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nvduse: fix NULL pointer dereference\n\nvduse_vdpa_set" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 283, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmac802154: check local interfaces before deleting s" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 288, "issues": [ "HTML tags" ], "text_preview": "

A remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 290, "issues": [ "HTML tags" ], "text_preview": "An Improper Preservation of Consistency Between Independent Representations of Shared State vulnerability in the Packet " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 291, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Fix oops in write-retry from mis-resetting t" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 293, "issues": [ "HTML tags" ], "text_preview": "A Missing Release of Resource after Effective Lifetime vulnerability the xinetd process, responsible for spawning SSH da" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 302, "issues": [ "HTML tags" ], "text_preview": "Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 304, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: remove aq_nic_deinit() when resume\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 306, "issues": [ "HTML tags" ], "text_preview": "Vulnerability in the Oracle Cloud Infrastructure Storage Gateway product of Oracle Storage Gateway (component: Managemen" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 316, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix race between DIM disable and net_dim" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 317, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: fix truesize for mb-xdp-pass case\n\nWhen " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 318, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nhv_netvsc: Fix race condition between netvsc_probe " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 328, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: qedi: Fix crash while reading debugfs attribu" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 332, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds in hfsplus_bnode_re" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 337, "issues": [ "HTML tags" ], "text_preview": "When an Apache CloudStack user-account creates a CKS-based Kubernetes cluster in a project, the API key and the secret k" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 339, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma-mapping: benchmark: fix node id validation\n\nWhi" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 342, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix nfs4_openowner leak when concurrent nfsd4" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 343, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: HIDP: Fix possible UAF\n\nThis fixes the f" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 347, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix failure to rebuild free space tree using" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 354, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on node footer for non" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 358, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: core: mcq: Fix &hwq->cq_lock deadlock is" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 378, "issues": [ "HTML tags" ], "text_preview": "Gradle Build Action allows users to execute a Gradle Build in their GitHub Actions workflow. A vulnerability impacts Git" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 379, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/chrome: cros_ec_uart: properly fix race co" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 383, "issues": [ "HTML tags" ], "text_preview": "MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 386, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix WARN() in get_bpf_raw_tp_regs\n\nsyzkaller r" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 393, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracefs: Use generic inode RCU for synchronizing fr" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 397, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix error handling in the init_task on load\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 398, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Fix task hung while purging oob_skb in GC." }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 411, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: check for non-NULL file pointer in io_fil" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 415, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: unmap and remove csa_va properly\n\nRoot " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 419, "issues": [ "HTML tags" ], "text_preview": "A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a play" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 422, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fgraph: Fix stack layout to match __arch_ftr" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 423, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nFS:JFS:UBSAN:array-index-out-of-bounds in dbAdjTree" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 427, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: piix4: Fix adapter not be removed in piix4_rem" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 437, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to cover read extent cache access with lo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 442, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Prevent null pointer access in xe_migrate_c" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 445, "issues": [ "HTML tags" ], "text_preview": "Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed con" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 457, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Limit num_syncs to prevent oversized alloca" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 463, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: move netif_queue_set_napi to rtnl-protected se" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 465, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: iris: fix module removal if firmware downloa" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 471, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: Fix double increment of client_count in " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 473, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/histograms: Add histograms to hist_vars if " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 476, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: fix a UAF when vma->mm is freed after vma->vm_r" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 487, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Defer sub-object cleanup in export put callba" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 490, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: fix possible null-ptr-defer in spk_ttyio_relea" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 491, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Fix UAF in hci_conn_tx_dequeu" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 498, "issues": [ "HTML tags" ], "text_preview": "Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 501, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Fix call trace warning and hang when re" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 505, "issues": [ "HTML tags" ], "text_preview": "Flarum is a forum software for building communities. Using the mentions feature provided by the flarum/mentions extensio" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 520, "issues": [ "HTML tags" ], "text_preview": "PyBB is an open source bulletin board. A manual code review of the PyBB bulletin board server has revealed that a vulner" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 521, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: Fix use-after-free in tun_detach()\n\nsyzbo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 530, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: Actually free the watch\n\nfree_watch() " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 532, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwatch_queue: Fix filter limit check\n\nIn watch_queue" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 539, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix uaf in nbd_genl_connect() error path\n\nTher" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 543, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/fadump: Move fadump_cma_init to setup_arch(" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 554, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix crash on profile change rollback fai" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 555, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: dlm: fix invalid derefence of sb_lvbptr\n\nI expe" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 559, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nudmabuf: Set the DMA mask for the udmabuf device (v" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 561, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/osnoise: Fix slab-out-of-bounds in _parse_i" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 565, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mempool: fix poisoning order>0 pages with HIGHME" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 576, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: If sock is dead don't access sock's sk_wq in s" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 581, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nudp: Set SOCK_RCU_FREE earlier in udp_lib_get_port(" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 590, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vivid: Change the siize of the composing\n\nsy" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 592, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_acl_tcam: Fix memory leak during re" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 596, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: ti: k3-udma: Add missing locking\n\nRecent" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 598, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix the sk->sk_forward_alloc warning " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 599, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix TX channel offset when using legacy interr" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 600, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: fix resource leak in device_add()\n\nWhe" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 602, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nkthread: unpark only parked kthread\n\nCalling into k" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 611, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: revert rtnl_lock() that causes deadlock\n\nThe c" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 617, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to truncate first page in error path of f" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 633, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nARM: 9170/1: fix panic when kasan and kprobe are en" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 636, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: wake up all waiters after z_erofs_lzma_head " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 637, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: Fix out-of-bounds read in bond_option_arp_" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 646, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: udlfb: Fix endpoint check\n\nThe syzbot fuzzer" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 650, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-bufio: fix sched in atomic context\n\nIf \"try_veri" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 652, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nSUNRPC: Fix null-ptr-deref when xps sysfs alloc fai" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 653, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: fs, lock FTE when checking if active\n\nThe" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 654, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: avoid to init mgnt_entry list twice wh" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 656, "issues": [ "HTML tags" ], "text_preview": "

Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows." }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 668, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: fix potential null-ptr-deref in device" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 672, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/port: Hold port reference until decoder release" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 673, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: kprobe: Fix potential null-ptr-deref on tr" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 674, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix use-after-free in rdata->read_into_pages(" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 685, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: dmi-sysfs: Fix null-ptr-deref in dmi_sysf" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 699, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conntrack_h323: Add protection for bm" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 700, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nigb: Do not bring the device up after non-fatal err" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 705, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921e: fix crash in chip reset fail\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 717, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rt2x00: Fix memory leak when handling surveys" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 718, "issues": [ "HTML tags" ], "text_preview": "Flarum is a forum software for building communities. Flarum's translation system allowed for string inputs to be convert" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 727, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: ensure context reset on disconnect()\n\nAfter " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 739, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: Fix a null-ptr-deref in io_tctx_exit_cb()" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 747, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/fpu: KVM: Set the base guest FPU uABI size to s" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 751, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix panic with larger ipoib send_queue_siz" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 755, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: qualcomm: rmnet: fix global oob in rmnet_polic" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 758, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix slab-use-after-free Read in l" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 760, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Fix kernel crash during module removal\n\nThe d" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 761, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix null pointer dereference in __sev" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 765, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"IB/isert: Fix incorrect release of isert co" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 766, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: x86-android-tablets: Unregister devic" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 769, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: clear acl_access/acl_default after releasing " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 771, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: fix net_dev_start_xmit trace event vs skb_tran" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 778, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nsock_map: avoid race between sock_map_close and sk_" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 779, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Check the remaining info_cnt before repeating " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 790, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: ip_tunnel: Fix suspicious RCU usage warning i" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 791, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, cpumap: Make sure kthread is running before ma" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 806, "issues": [ "HTML tags" ], "text_preview": "xml-crypto is an xml digital signature and encryption library for Node.js. In affected versions the default configuratio" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 808, "issues": [ "HTML tags" ], "text_preview": "debug is a JavaScript debugging utility. On 8 September 2025, the npm publishing account for debug was taken over after " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 810, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Fix wild-memory-access in register_synth_e" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 812, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Lag, fix failure to cancel delayed bond w" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 813, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: equilibrium: fix warning trace on load\n\nTh" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 818, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: gup: stop abusing try_grab_folio\n\nA kernel warn" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 827, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc: Don't try to copy PPR for task with NULL p" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 829, "issues": [ "HTML tags" ], "text_preview": "Trivy Action runs Trivy as GitHub action to scan a Docker container image for vulnerabilities. A command injection vulne" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 831, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: add missing cpu_to_node to kvzalloc_node" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 833, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: free peer for station when disconnect from " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 843, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/debug_vm_pgtable: clear page table entries at de" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 852, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp_bpf: Fix the sk_mem_uncharge logic in tcp_bpf_s" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 854, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/cma: Fix kmemleak in rdma_core observed during" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 856, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix use-after-free when rename device na" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 861, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Fix dropping valid root bus resources with .en" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 869, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gvt: fix vgpu debugfs clean in remove\n\nChe" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 876, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid use f2fs_bug_on() in f2fs_new_no" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 877, "issues": [ "HTML tags" ], "text_preview": "The .so library, which is used by , is\nvulnerable to a buffer overflow in the code that handles the " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 888, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: amd_sfh: free driver_data after destroying hid" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 892, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"libfs: fix infinite directory reads for off" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 898, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: fix the warning of dev_wake in mhi_pm_disab" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 902, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix vm_bind_ioctl double free bug\n\nIf the a" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 906, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Fix potential null-ptr-deref in drm_vblank_des" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 917, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/pci: Skip to handle RAS errors if CXL.mem devic" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 922, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfirmware: xilinx: don't make a sleepable memory all" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 925, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: Do not use WQ_MEM_RECLAIM flag for workqueue\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 942, "issues": [ "HTML tags" ], "text_preview": "color-convert provides plain color conversion functions in JavaScript. On 8 September 2025, the npm publishing account f" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 947, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: gl620a: fix endpoint checking in genelink_b" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 952, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Forcibly leave SMM mode on SHUTDOWN inter" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 963, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix out-of-bounds read when setting HMAC " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 965, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"ALSA: firewire-lib: operate for period elap" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 967, "issues": [ "HTML tags" ], "text_preview": "Vulnerability in the Oracle Cloud Infrastructure Storage Gateway product of Oracle Storage Gateway (component: Managemen" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 974, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/alloc_tag: do not acquire non-existent lock in " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 979, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Fix potential null-ptr-deref due to drmm_mode_" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 993, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix panic due to wrong pageattr of im->image\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 996, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: release correct delalloc amount in direct IO" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1008, "issues": [ "HTML tags" ], "text_preview": "Thinkific Thinkific Online Course Creation Platform 1.0 is affected by: Cross Site Scripting (XSS). The impact is: execu" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1013, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix the qp flush warnings in req\n\nWhen th" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1016, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: Fix KASAN slab-out-of-bounds in cachefi" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1030, "issues": [ "HTML tags" ], "text_preview": "Command injection in the parameter of a .exe request leads to remote code execution as the root use" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1039, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: fix UAF in direct writes\n\nIn production we hav" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1040, "issues": [ "HTML tags" ], "text_preview": "APTRS (Automated Penetration Testing Reporting System) is a Python and Django-based automated reporting tool designed fo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1046, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: avoid possible NULL deref in rt6_uncached_lis" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1047, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix mlx5e_priv_init() cleanup flow\n\nWhen" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1049, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: don't fail igc_probe() on LED setup error\n\nWhe" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1053, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix NULL pointer dereference in tipc_mon_rein" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1056, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix possible race in __fib6_drop_pcpu_from()\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1060, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: Replace snprintf with scnprintf\n\nCurrent code p" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1061, "issues": [ "HTML tags" ], "text_preview": "A vulnerability in the processing of traffic matching a firewall filter containing a syslog action in Juniper Networks J" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1062, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: br_netfilter: skip conntrack input hook " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1067, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: udf: fix OOB read in lengthAllocDescs handling\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1068, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu/fence: Fix oops due to non-matching drm_" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1071, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: Fix NULL pointer dereference\n\nWhen MPOA_cache_" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1072, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: fix memory leak in ocfs2_mount_volume()\n\nThe" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1078, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: apple: validate feature-report field count to " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1083, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: avoid data corruption on cq descriptor number\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1089, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix folio is still mapped when deleted\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1092, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix NULL deref in mesh_matches_loca" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1102, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix recursive locking in RPC handle list acc" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1113, "issues": [ "HTML tags" ], "text_preview": "An authenticated administrator is able to prepare an alert that is able to execute an SSRF attack. This is exclusively w" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1116, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: Forbid FDB status change while nexthop is " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1117, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/niu: Niu requires MSIX ENTRY_DATA fields touch " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1133, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix the smbd_response slab to allow usercopy\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1137, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: fix adapter NULL pointer dereference on reboo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1140, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtio_pci: Fix admin vq cleanup by using correct i" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1146, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvme: fix memory allocation in nvme_pr_read_keys()\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1148, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nidpf: Fix RSS LUT NULL pointer crash on early ethto" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1153, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Track xmit submission to PTP WQ after po" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1162, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm: Check output polling initialized before disabl" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1169, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: IOMMU incorrectly marks MMIO" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1170, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid out-of-boundary access in dnode " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1177, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: cros-ec-tunnel: defer probe if parent EC is no" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1179, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Fix debug checking for np-guests using " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1182, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc/uss720: fix memory leak in uss720_probe\n\nuss72" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1192, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Fix use-after-free in acpi_ut_copy_ipackage" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1200, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix warning when putting transaction with qg" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1201, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: Fix using smp_processor_id() in preemptible" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1202, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Avoid memory allocation in iommu_suspen" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1219, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ngve: fix incorrect buffer cleanup in gve_tx_clean_p" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1220, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Fix a WARN during dereg_mr for DM type\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1222, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnbd: fix io hung while disconnecting device\n\nIn our" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1228, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Fix repeated calls to sock_put() when" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1230, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix usage slab after free\n\n[ +0.000021" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1233, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: do not ignore genmask when lo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1235, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: HCI: Fix global-out-of-bounds\n\nTo loop a" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1236, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: set ATTR_CTIME flags when setting mtime\n\nDav" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1239, "issues": [ "HTML tags" ], "text_preview": "The CGI script .sh can be used to download any file on the filesystem.\n\nThis issue affects Iocharger firmware " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1247, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: prevent xattr node from overflowing the eras" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1257, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/amd: Improve page fault error reporting\n\nIf I" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1262, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: use spin_lock to avoid hang\n\n[14696.634553] t" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1264, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/imc-pmu: Fix use of mutex in IRQs disabled " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1271, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: hyperv: streamline driver probe to avoid devre" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1272, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nlibie: don't unroll if fwlog isn't supported\n\nThe l" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1278, "issues": [ "HTML tags" ], "text_preview": "soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5.2, and 25.1.1, the `#[contractimpl]` ma" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1283, "issues": [ "HTML tags" ], "text_preview": "OAuthenticator is an OAuth token library for the JupyerHub login handler. CILogonOAuthenticator is provided by the OAuth" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1301, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ngtp: Fix use-after-free in __gtp_encap_destroy().\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1302, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: dvm: Fix memcpy: detected field-span" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1305, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: brcmfmac: Check the return value of of_proper" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1306, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"f2fs: fix to do sanity check on extent cach" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1307, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ibmvfc: Allocate/free queue resource only dur" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1310, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Free kvm_cpuid_entry2 array on post-KVM_R" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1311, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched_ext: Fix incorrect autogroup migration detect" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1313, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: test for not too small csum_start in virtio_ne" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1314, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix race in concurrent f2fs_stop_gc_thread\n\nI" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1316, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exit\n\nWhen a task is sche" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1319, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: never allow the PM to close a listener subfl" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1330, "issues": [ "HTML tags" ], "text_preview": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected ver" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1337, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_str" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1340, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Set end correctly when doing batch carry\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1342, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nUSB: class: cdc-wdm: Fix CPU lockup caused by exces" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1348, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: fix incorrect dev_tracker usage\n\nWhile invest" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1354, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: unset the binding mark of a reused connectio" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1355, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: MGMT: Fix possible UAFs\n\nThis attemps to" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1356, "issues": [ "HTML tags" ], "text_preview": "After gaining access to the firmware of a charging station, a file at can be accessed to obtain default crede" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1357, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid UAF in f2fs_sync_inode_meta()\n\ns" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1360, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nath11k: mhi: use mhi_sync_power_up()\n\nIf amss.bin w" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1361, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Fix NULL pointer dereference in ice_vsi_set_na" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1366, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Only create /proc/fs/netfs with CONFIG_PROC_" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1379, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: fix kernel panic in the bnxt_get_queue_s" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1390, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_set_pipapo_avx2: Add irq_fpu_usable(" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1399, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nspi: Fix use-after-free with devm_spi_alloc_*\n\nWe c" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1411, "issues": [ "HTML tags" ], "text_preview": "AliasVault is a privacy-first password manager with built-in email aliasing. A server-side request forgery (SSRF) vulner" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1414, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfscache: Use wait_on_bit() to wait for the freeing " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1418, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxsw: spectrum_buffers: Fix memory corruptions on " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1419, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix aggregation ID mask to prevent oops on" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1425, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix block group refcount race in btrfs_creat" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1438, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: ets: fix divide by zero in the offload p" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1442, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid potential deadlock\n\nAs Jiaming Z" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1447, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: zero-initialize tc skb extension on allocation" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1449, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/pagewalk: fix race between concurrent split and " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1452, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: core: fix possible resource leak in init_mtd()" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1460, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix error propagation of split bios\n\nThe pur" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1462, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid NULL pointer dereference in f2fs" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1469, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/perf: Fix power_pmu_disable to call clear_p" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1472, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mad: Improve handling of timed out WRs of mad " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1478, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_en: Fix double invocation of bnxt_ulp_stop()/b" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1487, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock, bfq: fix bfqq uaf in bfq_limit_depth()\n\nSet " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1488, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/x86: ISST: Fix the KASAN report slab-out-o" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1501, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/huc: Fix fence not released on early probe" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1506, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Fix shift-out-of-bounds in dctcp_update_alpha(" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1507, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: do not accept ACK of bytes we never sent\n\nThis" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1510, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: correct the order of prelim_ref arguments in" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1513, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: vmk80xx: fix incomplete endpoint checking\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1515, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm cache: free background tracker's queued work in " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1522, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix transaction atomicity bug when enabling " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1526, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, cgroup: Fix kernel BUG in purge_effective_prog" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1534, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/x86/amd: Check event before enable to avoid GP" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1535, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: timer: fix ida_free call while not allocated\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1540, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nxdp: produce a warning when calculated tailroom is " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1553, "issues": [ "HTML tags" ], "text_preview": "Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1559, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fix initialization of rx->link and " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1563, "issues": [ "HTML tags" ], "text_preview": "Wiki.js is a wiki app built on node.js. Wiki.js 2.5.263 and earlier is vulnerable to stored cross-site scripting through" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1568, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"tty: n_gsm: fix UAF in gsm_cleanup_mux\"\n\nTh" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1570, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: zone: fix to avoid inconsistence in between S" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1571, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\niavf: Fix reset error handling\n\nDo not call iavf_cl" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1574, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: nSVM: Check instead of asserting on nested TSC" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1578, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconne" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1579, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPICA: Avoid undefined behavior: applying zero off" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1584, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mscc: ocelot: Fix use-after-free caused by cyc" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1585, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_ne" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1587, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmalloc: combine all TLB flush operations of KAS" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1592, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mac80211: fortify the spinlock against deadlo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1597, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nhwmon: (nct6775) Fix crash in clear_caseopen\n\nPawe\u0142" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1608, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix null deref on srq->rq.queue after res" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1614, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1617, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\natm: clip: Fix NULL pointer dereference in vcc_send" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1623, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: pm8001: Fix abort all task initialization\n\nIn" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1624, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbcon: always restore the old font data in fbcon_do" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1626, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: Terminating the subsequent process of" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1642, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: atm: cxacru: fix a flaw in existing endpoint c" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1651, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to do sanity check on i_xattr_nid in sani" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1657, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: add reserved GDT blocks check\n\nWe capture a N" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1660, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix UAF in decryption with multichanne" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1664, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fix lockdep splat in qdisc_tree_reduce_b" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1670, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: iscsi_tcp: Fix UAF during logout when accessi" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1674, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\napparmor: avoid crash when parsed profile name is e" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1675, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix use-after-free in btrfs_encoded_read_end" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1679, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix potential null deref in ext4_mb_init()\n\nI" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1682, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Drop oob_skb ref before purging queue in G" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1685, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: stmmac: fix dma queue left shift overflow issu" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1686, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\npadata: fix UAF in padata_reorder\n\nA bug was found " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1692, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix WARNING in mb_find_extent\n\nSyzbot found t" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1695, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: add NULL check in xfrm_update_ae_params\n\nNorm" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1701, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndst: fix races in rt6_uncached_list_del() and rt_de" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1705, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix mptcp DSS corruption due to large pmtu xmi" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1708, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: do not update checksum in bnxt_xdp_build" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1711, "issues": [ "HTML tags" ], "text_preview": "Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1720, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1725, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/msg_ring: ensure io_kiocb freeing is defer" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1727, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Add overflow check for attribute size\n\nTh" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1730, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing/eprobes: Do not allow eprobes to use $stack" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1731, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Don't call cleanup on profile rollback f" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1732, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nblktrace: fix __this_cpu_read/write in preemptible " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1734, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ttm: fix undefined behavior in bit shift for TT" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1738, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmpls: Use rcu_dereference_rtnl() in mpls_route_inpu" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1742, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: sar: drop lockdep assertion in rtw89_s" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1746, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix calltrace warning in amddrm_buddy_f" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1749, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv/kprobe: Fix instruction simulation of JALR\n\nS" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1754, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/mremap: fix WARN with uffd that has remap events" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1758, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Silence warning when chunk allocation fail" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1761, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: fix struct pid leaks in OOB support\n\nsyzbo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1763, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: set the right AMDGPU sg segment limitat" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1764, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm6: check ip6_dst_idev() return value in xfrm6_g" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1765, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nata: libata-core: Fix double free on error\n\nIf e.g." }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1768, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndma: xilinx_dpdma: Fix locking\n\nThere are several p" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1784, "issues": [ "HTML tags" ], "text_preview": "

This vulnerability is caused when SharePoint Server does not properly sanitize a specially crafted request to an affe" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1785, "issues": [ "HTML tags" ], "text_preview": "Cacti is an open source operational monitoring and fault management framework. The fix applied for CVE-2023-39515 in ver" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1787, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: stricter state check in mptcp_worker\n\nAs rep" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1789, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix unpinning of pages when an access is p" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1796, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/gup: handle NULL pages in unpin_user_pages()\n\nTh" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1800, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nrpl: Fix use-after-free in rpl_do_srh_inline().\n\nRu" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1808, "issues": [ "HTML tags" ], "text_preview": "File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a spec" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1809, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: fix shift-out-of-bounds in hid_report_ra" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1810, "issues": [ "HTML tags" ], "text_preview": "Use After Free vulnerability in Apache Arrow C++.\n\nThis issue affects Apache Arrow C++ from 15.0.0 through 23.0.0. It ca" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1823, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/47x: Fix 47x syscall return crash\n\nEddie re" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1826, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\njffs2: check that raw node were preallocated before" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1830, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ivsc: Fix crash at shutdown due to missing m" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1831, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: ts2020: fix null-ptr-deref in ts2020_probe()" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1849, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race when deleting free space root from " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1851, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/ast: astdp: Fix timeout for enabling video sign" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1852, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: pcl818: fix null-ptr-deref in pcl818_ai_can" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1877, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: fix timer races against user threads\n\nRo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1878, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: cancel rfkill_block work in wiphy_u" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1879, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw88: use work to update rate to avoid RCU w" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1884, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring/io-wq: Use set_bit() and test_bit() at wor" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1886, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: fix a race in rxrpc_exit_net()\n\nCurrent code" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1890, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nvc_screen: move load of struct vc_data pointer in v" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1892, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfs_common: must not hold RCU while calling nfsd_fi" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1893, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: tun: fix tun_napi_alloc_frags()\n\nsyzbot report" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1897, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Fix oops during rmmod on single-CP" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1898, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: dump vmalloc memory info safely\n\nCurrently, fo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1910, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/IPoIB: Fix legacy IPoIB due to wrong number of q" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1912, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\njbd2: avoid bug_on in jbd2_journal_get_create_acces" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1915, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/dp: Fix divide-by-zero regression on DP MST unp" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1917, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: Don't leave consecutive consumed OOB skbs." }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1920, "issues": [ "HTML tags" ], "text_preview": "An Improper Handling of Exceptional Conditions vulnerability in packet processing of Juniper Networks Junos OS on MX Ser" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1927, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: Fix event leak upon exec and file release\n\nTh" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1928, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf: RISC-V: Remove PERF_HES_STOPPED flag checking" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1934, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hamradio: fix memory leak in mkiss_close\n\nMy l" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1939, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: Intel: sof-nau8825: fix module alias overflow" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1944, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: probes: Fix uprobes for big-endian kernels\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1946, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: Fix global-out-of-bounds bug in _rtl" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1947, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix AIP early init panic\n\nAn early failure" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1949, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nDrivers: hv: util: Avoid accessing a ringbuffer not" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1951, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: L2CAP: Fix memory leak in vhci_write\n\nSy" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1963, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbrd: defer automatic disk creation until module ini" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1966, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Forcibly leave nested virt when SMM state" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1969, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix hang during unmount when stopping a spac" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1988, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vkms: Fix null-ptr-deref in vkms_release()\n\nA n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1989, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, cpumap: Handle skb as well when clean up ptr_r" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1992, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/ntfs3: Validate data run offset\n\nThis adds sanit" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1999, "issues": [ "HTML tags" ], "text_preview": "

A remote code execution vulnerability exists when the Windows Text Service Module improperly handles memory. An attac" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2001, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfsplus: fix slab-out-of-bounds read in hfsplus_uni" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2002, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwriteback: don't block sync for filesystems with no" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2003, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: iptables: Fix null-ptr-deref in iptable_" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2005, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbnxt_re: avoid shift undefined behavior in bnxt_qpl" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2006, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: altmode should keep reference to parent" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2007, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: Correct the migration DMA map direction" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2011, "issues": [ "HTML tags" ], "text_preview": "

Depending on configuration of various package managers it is possible for an attacker to insert a malicious package i" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2013, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: qcom: sdm845: add missing soundwire runtime s" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2015, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: Check the bearer type before calling tipc_udp" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2022, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: DLPAR add doesn't completely" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2023, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa_sim: fix possible memory leak in vdpasim_net_i" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2029, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: flower: fix filter idr initialization\n\nT" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2034, "issues": [ "HTML tags" ], "text_preview": "Akeneo PIM is an open source Product Information Management (PIM). Akeneo PIM Community Edition versions before v5.0.119" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2035, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncpufreq: schedutil: Use kobject release() method to" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2038, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfou: Fix null-ptr-deref in GRO.\n\nWe observed a null" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2048, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: Fix Kernel Panic during ndo_tx_timeout callbac" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2051, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nRISC-V: KVM: Teardown riscv specific bits after kvm" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2055, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: SVM: Get source vCPUs from source VM for SEV-E" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2071, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nhfs: fix missing hfs_bnode_get() in __hfs_bnode_cre" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2072, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nax25: rcu protect dev->ax25_ptr\n\nsyzbot found a loc" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2074, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix crash on probe for DPLL enabled E810 LOM\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2075, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntpm: do not start chip while suspended\n\nChecking TP" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2078, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix use-after-free in ext4_orphan_cleanup\n\nI " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2081, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: Add missing bridge lock to pci_bus_lock()\n\nOne" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2082, "issues": [ "HTML tags" ], "text_preview": "Decidim is a participatory democracy framework. Starting in version 0.27.0 and prior to versions 0.27.5 and 0.28.0, the " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2085, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\narp: Prevent overflow in arp_req_get().\n\nsyzkaller " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2089, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Unregister notifier on eswitch init failu" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2095, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nerspan: Initialize options_len before referencing o" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2102, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: ip_gre: make ipgre_header() robust\n\nAnalog to" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2103, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: ccp - Fix crash when rebind ccp device for " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2104, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix underflow in second superblock position" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2117, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix double brelse() the buffer of the extents" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2118, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/net_failover: fix txq exceeding warning\n\nThe fa" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2120, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries/iommu: IOMMU table is not initializ" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2132, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nproc: fix UAF in proc_get_inode()\n\nFix race between" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2133, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Whitelist dtl slub object for copy" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2134, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ses: Handle enclosure with just a primary com" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2141, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix general protection fault in nilfs_btree" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2146, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ena: fix shift-out-of-bounds in exponential ba" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2151, "issues": [ "HTML tags" ], "text_preview": "TensorFlow is an end-to-end open source platform for machine learning. Specifying a negative dense shape in `tf.raw_ops." }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2155, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nquota: fix warning in dqgrab()\n\nThere's issue as fo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2177, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: ignore xattrs past end\n\nOnce inside 'ext4_xat" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2188, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nthermal/drivers/cpufreq_cooling: Fix slab OOB issue" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2191, "issues": [ "HTML tags" ], "text_preview": "

A security feature bypass vulnerability exists in Microsoft Word software when it fails to properly handle .LNK files" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2197, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: fix OOB map writes when deleting elements\n\nJor" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2200, "issues": [ "HTML tags" ], "text_preview": "XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected ver" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2203, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nLoongArch: KVM: Fix stack protector issue in send_i" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2209, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Prevent bpf program recursion for raw tracepoi" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2213, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, sockmap: Avoid using sk_socket after free when" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2217, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcutorture: Fix ksoftirqd boosting timing and itera" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2219, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetlink: avoid infinite retry looping in netlink_un" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2223, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-bufio: don't schedule in atomic context\n\nA BUG w" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2227, "issues": [ "HTML tags" ], "text_preview": "ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2231, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nvfio/pci: Properly hide first-in-list PCIe extended" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2232, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/sseu: fix max_subslices array-index-out-of" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2233, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: send: fix buffer overflow detection when cop" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2237, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix race when deleting quota root from the d" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2245, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_devcd_dump: fix out-of-bounds via de" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2262, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: aggregator: protect driver attr handlers agai" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2264, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bonding: fix use-after-free in bond_xmit_broad" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2265, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix use-after-free in amdgpu_userq_susp" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2268, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Skip Recompute DSC Params if no St" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2274, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: clone set on flush only\n\nSyzb" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2276, "issues": [ "HTML tags" ], "text_preview": "Kirby is an open source CMS. An editor with write access to the Kirby Panel can upload an SVG file that contains harmful" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2284, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: check send stream number after wait_for_sndbu" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2287, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/shmem, swap: fix softlockup with mTHP swapin\n\nFo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2291, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\naio: fix use-after-free due to missing POLLFREE han" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2292, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nvxlan: Fix NPD in {arp,neigh}_reduce() when using n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2298, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vimc: skip .s_stream() for stopped entities\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2307, "issues": [ "HTML tags" ], "text_preview": "ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2309, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/gt: Fix timeline left held on VMA alloc er" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2312, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix WARNING in ext4_update_inline_data\n\nSyzbo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2313, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmr,ip6mr: acquire RTNL before calling ip[6]mr_fre" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2316, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnexthop: Fix memory leaks in nexthop notification c" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2320, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don't readahead the relocation inode on RST\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2325, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nrxrpc: Fix irq-disabled in local_bh_enable()\n\nThe r" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2327, "issues": [ "HTML tags" ], "text_preview": "XWiki Platform is a generic wiki platform. The rendered diff in XWiki embeds images to be able to compare the contents a" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2328, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: avoid invalid memory access via node_on" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2342, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu-tasks: Avoid pr_info() with spin lock in cblist" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2346, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2347, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: do not start relocation until in progress dr" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2363, "issues": [ "HTML tags" ], "text_preview": "

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a speci" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2365, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix relocation crash due to premature return" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2369, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: remove unnecessary WARN_ON() in implemen" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2380, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: fix dereferencing invalid pmd migra" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2389, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/nocb: Fix missed RCU barrier on deoffloading\n\nC" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2401, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid accessing uninitialized curseg\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2409, "issues": [ "HTML tags" ], "text_preview": "Plate is a javascript toolkit that makes it easier for you to develop with Slate, a popular framework for building text " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2410, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/gma500: Fix BUG: sleeping function called from " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2414, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: usb: rtl8150: enable basic endpoint checking\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2415, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix BUG_ON condition in btrfs_cancel_balance" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2417, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncxl/mbox: validate payload size before accessing co" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2420, "issues": [ "HTML tags" ], "text_preview": "mailcow is a mail server suite based on Dovecot, Postfix and other open source software, that provides a modern web UI f" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2421, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: make fallback action and fallback decision a" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2433, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix slab-use-after-free Read in rxe_queue" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2437, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nafs: Fix lock recursion\n\nafs_wake_up_async_call() c" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2442, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nplatform/chrome: cros_usbpd_notify: Fix error handl" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2443, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfc: fix segfault in nfc_genl_dump_devices_done\n\nWh" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2445, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmISDN: hfcpci: Fix warning when deleting uninitiali" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2452, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nACPI: PAD: fix crash in exit_round_robin()\n\nThe ker" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2455, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd-raid10: fix KASAN warning\n\nThere's a KASAN warni" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2467, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nfsdax: Fix infinite loop in dax_iomap_rw()\n\nI got a" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2469, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncdrom: rearrange last_media_change check to avoid u" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2480, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: update orig_path in ext4_find_extent()\n\nIn ex" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2482, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Fix use-after-free bugs caused by sco_so" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2493, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix max_sge overflow in smb_extract_fo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2496, "issues": [ "HTML tags" ], "text_preview": "The .exe or .exe CGI binary can be used to upload arbitrary files to /tmp/upload/ or /tmp/ respectiv" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2510, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Don't store mlx5e_priv in mlx5e_dev devl" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2525, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: bridge: mcast: wait for previous gc cycles whe" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2536, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: fix lockdep splat in in6_dump_addrs()\n\nAs rep" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2538, "issues": [ "HTML tags" ], "text_preview": "Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2539, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: always keep track of remap prev/next\n\nDurin" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2540, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: fix NULL pointer dereference in nilfs_pallo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2552, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpt3sas: Fix crash in transport port remove b" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2553, "issues": [ "HTML tags" ], "text_preview": "is-arrayish checks if an object can be used like an Array. On 8 September 2025, an npm publishing account for is-arrayis" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2565, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appleir: Fix potential NULL dereference at raw" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2571, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/hfi1: Fix sdma.h tx->num_descs off-by-one error\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2595, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: skb_partial_csum_set() fix against transport h" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2598, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/mlx5: Fix UMR pd cleanup on error flow of driver" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2604, "issues": [ "HTML tags" ], "text_preview": "When DNS filtering is enabled on Juniper Networks Junos MX Series with one of the following cards MS-PIC, MS-MIC or MS-M" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2608, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: fix ktls panic with sockmap\n\n[ 2172.936997] --" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2611, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncachefiles: fix memory leak in cachefiles_add_cache" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2613, "issues": [ "HTML tags" ], "text_preview": "

A cross-site-scripting (XSS) vulnerability exists when Microsoft SharePoint Server does not properly sanitize a speci" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2616, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu/kvfree: Fix data-race in __mod_timer / kvfree_c" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2619, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ni40e: fix IRQ freeing in i40e_vsi_request_irq_msix " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2623, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/mlx5: Return the firmware result upon destroyi" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2629, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: fq_pie: prevent dismantle issue\n\nFor som" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2633, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix WARN_ON in iommu probe path\n\nCommit" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2649, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrash: fix crashkernel resource shrink\n\nWhen crashk" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2663, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: nexthop: allocate skb dynamically in rtm_get_" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2667, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nlib/group_cpus: fix NULL pointer dereference from g" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2671, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: USB: Fix wrong-direction WARNING in plusb.c\n\nT" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2682, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: 8852a: rfk: fix div 0 exception\n\nThe D" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2684, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Protect ->defer_qs_iw_pending from data race\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2687, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nIB/ipoib: Fix mcast list locking\n\nReleasing the `pr" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2689, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: Reset connection when trying to use SMCRv2" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2692, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, lockdown, audit: Fix buggy SELinux lockdown pe" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2699, "issues": [ "HTML tags" ], "text_preview": "

An elevation of privilege vulnerability exists in the way that the Wininit.dll handles objects in memory. An attacker" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2701, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nveth: Ensure eth header is in skb's linear part\n\nAf" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2703, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/hugetlb: fix PTE marker handling in hugetlb_chan" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2704, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: macvlan: fix memory leaks of macvlan_common_ne" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2705, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/vc4: drop all currently held locks if deadlock " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2708, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid panic in f2fs_evict_inode\n\nAs sy" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2709, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm: fix use-after-free in dm_cleanup_zoned_dev()\n\nd" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2715, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix kernel panic caused by race of smc_soc" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2718, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nsit: do not call ipip6_dev_free() from sit_init_net" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2719, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nserial: core: check uartclk for zero to avoid divid" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2725, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dp: populate connector of struct dp_panel\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2739, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nksm: use range-walk function to jump over holes in " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2740, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtw89: avoid to add interface to list twice w" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2744, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nethtool: cmis_cdb: use correct rpl size in ethtool_" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2746, "issues": [ "HTML tags" ], "text_preview": "WeGIA is a web manager for charitable institutions. Versions 3.6.6 and below have a Reflected Cross-Site Scripting (XSS)" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2747, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: directly free partially initialized fs_info " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2749, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ni2c: i801: Revert \"i2c: i801: replace acpi_lock wit" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2751, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: comedi_8255: Correct error in subdevice ini" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2754, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/fixmap: Fix VM debug warning on unmap\n\nUnma" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2756, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/code-patching: Disable KASAN report during " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2761, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbfq: Avoid merging queues with different parents\n\nI" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2763, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: fix a job->pasid access race in gpu rec" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2771, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: Add netif_device_attach/detach into PF reset f" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2775, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: fix DFS traversal oops without CONFIG_CIFS_DF" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2778, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: wwan: fix global oob in wwan_rtnl_policy\n\nThe " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2780, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix cleanup null-ptr deref on encap lock" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2782, "issues": [ "HTML tags" ], "text_preview": "color is a Javascript color conversion and manipulation library. On 8 September 2025, the npm publishing account for col" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2785, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: track AF_XDP ZC enabled queues in bitmap\n\nComm" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2786, "issues": [ "HTML tags" ], "text_preview": "TensorFlow is an end-to-end open source platform for machine learning. An attacker can cause a denial of service by cont" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2795, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: flow_dissector: use DEBUG_NET_WARN_ON_ONCE\n\nTh" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2797, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: prevent use-after-free due to open_cached_dir " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2799, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nteam: fix check for port enabled in team_queue_over" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2804, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracing: Build event generation tests only as modul" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2811, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nvdpa_sim: avoid putting an uninitialized iova_domai" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2814, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix use-after-free in inet6_addr_del().\n\nsyzb" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2817, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: appletb-kbd: fix memory corruption of input_ha" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2818, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/gup: fix gup_pud_range() for dax\n\nFor dax pud, p" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2821, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\namd/amdkfd: enhance kfd process check in switch par" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2825, "issues": [ "HTML tags" ], "text_preview": "Emissary is a P2P based data-driven workflow engine. Affected versions of Emissary are vulnerable to post-authentication" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2826, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: prime: fix ttm_bo_delayed_delete oops\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2830, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ncomedi: check device's attached status in compat io" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2838, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nsctp: fix possible UAF in sctp_v6_available()\n\nA lo" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2839, "issues": [ "HTML tags" ], "text_preview": "The Formidable Form Builder WordPress plugin before 4.09.05 allows to inject certain HTML Tags like

A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnera" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2939, "issues": [ "HTML tags" ], "text_preview": "Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documen" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2941, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\naf_unix: fix use-after-free in unix_stream_read_act" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2942, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix ECMP sibling count mismatch when clearing" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2943, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: reject new transactions if the fs is fully r" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2944, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: core: Fix refcount error in del_mtd_device()\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2949, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe/userptr: fix EFAULT handling\n\nCurrently we t" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2954, "issues": [ "HTML tags" ], "text_preview": "Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered th" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2956, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: make cow_file_range_inline() honor locked_pa" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2958, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: VMAP_STACK overflow detection thread-safe\n\nc" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2960, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Convert spinlock to mutex to lock " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2961, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: appletalk: Fix use-after-free in AARP proxy pr" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2962, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: Fix infinite recursion in fib6_dump_done().\n\n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2964, "issues": [ "HTML tags" ], "text_preview": "Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a Stored" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2965, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nxfrm: Fix input error path memory access\n\nWhen ther" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2967, "issues": [ "HTML tags" ], "text_preview": "ImageMagick is free software delivered as a ready-to-run binary distribution or as source code that you may use, copy, m" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2971, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix route with nexthop object delete war" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2974, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: honor table dormant flag from" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2978, "issues": [ "HTML tags" ], "text_preview": "WWBN AVideo is an open source video platform. In versions 29.0 and prior, `objects/configurationUpdate.json.php` (also r" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2979, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nInput: gpio-keys - cancel delayed work only in case" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2983, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_reject_ipv6: fix potential crash in n" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2986, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: Initialise rcv_mss before calling tcp_send_a" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2998, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/sched: act_ct: fix skb leak and crash on ooo fr" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2999, "issues": [ "HTML tags" ], "text_preview": "In the Linux kernel, the following vulnerability has been resolved:\n\nrcu: Fix __this_cpu_read() lockdep warning in rcu_f" } ], "repetitive_entities": [ { "entity": "SYSTEM: Linux kernel", "count": 1262 }, { "entity": "SYSTEM: Windows", "count": 1011 }, { "entity": "TOOL: at", "count": 495 }, { "entity": "SYSTEM: Linux", "count": 465 }, { "entity": "VULNERABILITY: SQL Injection", "count": 447 }, { "entity": "ORGANIZATION: Microsoft", "count": 431 }, { "entity": "VULNERABILITY: Remote Code Execution", "count": 337 }, { "entity": "ORGANIZATION: Google", "count": 297 }, { "entity": "SYSTEM: macOS", "count": 287 }, { "entity": "VULNERABILITY: Remote Code Execution (RCE)", "count": 286 }, { "entity": "SYSTEM: Android", "count": 276 }, { "entity": "VULNERABILITY: phishing", "count": 240 }, { "entity": "VULNERABILITY: Unquoted Service Path", "count": 230 }, { "entity": "TOOL: PowerShell", "count": 229 }, { "entity": "SYSTEM: .NET", "count": 225 }, { "entity": "VULNERABILITY: XSS", "count": 199 }, { "entity": "SYSTEM: QEMU", "count": 196 }, { "entity": "ORGANIZATION: Oracle", "count": 191 }, { "entity": "VULNERABILITY: Authentication Bypass", "count": 182 }, { "entity": "VULNERABILITY: denial of service", "count": 180 }, { "entity": "SYSTEM: Python", "count": 177 }, { "entity": "TOOL: Metasploit", "count": 171 }, { "entity": "VULNERABILITY: NULL pointer dereference", "count": 169 }, { "entity": "VULNERABILITY: use-after-free", "count": 167 }, { "entity": "FILEPATH: /01/2014", "count": 155 }, { "entity": "VULNERABILITY: Persistent Cross-Site Scripting", "count": 152 }, { "entity": "THREAT_ACTOR: APT29", "count": 149 }, { "entity": "VULNERABILITY: Stored Cross-Site Scripting (XSS)", "count": 145 }, { "entity": "VULNERABILITY: Denial of Service", "count": 143 }, { "entity": "VULNERABILITY: Denial of Service (PoC)", "count": 131 }, { "entity": "VULNERABILITY: buffer overflow", "count": 126 }, { "entity": "THREAT_ACTOR: Lazarus Group", "count": 122 }, { "entity": "SYSTEM: Active Directory", "count": 118 }, { "entity": "VULNERABILITY: Buffer Overflow", "count": 118 }, { "entity": "SYSTEM: AWS", "count": 117 }, { "entity": "SYSTEM: API", "count": 117 }, { "entity": "VULNERABILITY: remote code execution", "count": 114 }, { "entity": "FILEPATH: /x86/entry/common.c", "count": 114 }, { "entity": "VULNERABILITY: privilege escalation", "count": 113 }, { "entity": "VULNERABILITY: SQL injection", "count": 112 }, { "entity": "SYSTEM: GitHub", "count": 111 }, { "entity": "ORGANIZATION: Mandiant", "count": 109 }, { "entity": "TOOL: Mimikatz", "count": 105 }, { "entity": "SYSTEM: Java", "count": 102 }, { "entity": "THREAT_ACTOR: APT28", "count": 101 }, { "entity": "THREAT_ACTOR: Turla", "count": 100 }, { "entity": "VULNERABILITY: code execution", "count": 93 }, { "entity": "SYSTEM: WordPress", "count": 93 }, { "entity": "MALWARE: Conti", "count": 90 }, { "entity": "VULNERABILITY: Privilege Escalation", "count": 90 }, { "entity": "ORGANIZATION: Juniper", "count": 90 }, { "entity": "MALWARE: PlugX", "count": 88 }, { "entity": "TOOL: PsExec", "count": 86 }, { "entity": "MALWARE: IcedID", "count": 86 }, { "entity": "ORGANIZATION: FireEye", "count": 85 }, { "entity": "MALWARE: TrickBot", "count": 84 }, { "entity": "ORGANIZATION: Proofpoint", "count": 84 }, { "entity": "ORGANIZATION: CrowdStrike", "count": 84 }, { "entity": "THREAT_ACTOR: Mustang Panda", "count": 84 }, { "entity": "MALWARE: BlackCat", "count": 83 }, { "entity": "MALWARE: Latrodectus", "count": 83 }, { "entity": "FILEPATH: socket.c", "count": 83 }, { "entity": "SYSTEM: Access", "count": 82 }, { "entity": "VULNERABILITY: RCE", "count": 81 }, { "entity": "SYSTEM: Kubernetes", "count": 81 }, { "entity": "VULNERABILITY: DDoS", "count": 80 }, { "entity": "MALWARE: REvil", "count": 79 }, { "entity": "ORGANIZATION: Cisco Talos", "count": 78 }, { "entity": "MALWARE: Play", "count": 77 }, { "entity": "THREAT_ACTOR: OilRig", "count": 77 }, { "entity": "FILEPATH: dump_stack.c", "count": 77 }, { "entity": "SYSTEM: SMB", "count": 76 }, { "entity": "VULNERABILITY: SQLi", "count": 76 }, { "entity": "SYSTEM: iOS", "count": 75 }, { "entity": "SYSTEM: Azure", "count": 75 }, { "entity": "MALWARE: Ryuk", "count": 75 }, { "entity": "VULNERABILITY: Command Injection", "count": 75 }, { "entity": "ORGANIZATION: CISA", "count": 74 }, { "entity": "VULNERABILITY: cross-site scripting", "count": 74 }, { "entity": "VULNERABILITY: memory leak", "count": 73 }, { "entity": "TOOL: Cobalt Strike", "count": 72 }, { "entity": "VULNERABILITY: Cross-Site Request Forgery", "count": 72 }, { "entity": "VULNERABILITY: race condition", "count": 72 }, { "entity": "VULNERABILITY: Arbitrary File Upload", "count": 71 }, { "entity": "THREAT_ACTOR: Cobalt", "count": 70 }, { "entity": "MALWARE: Emotet", "count": 70 }, { "entity": "SYSTEM: PHP", "count": 70 }, { "entity": "VULNERABILITY: Cross Site Scripting", "count": 70 }, { "entity": "VULNERABILITY: CSRF", "count": 70 }, { "entity": "MALWARE: QakBot", "count": 69 }, { "entity": "ORGANIZATION: PCrisk", "count": 68 }, { "entity": "TOOL: BloodHound", "count": 68 }, { "entity": "MALWARE: ShadowPad", "count": 67 }, { "entity": "MALWARE: Dridex", "count": 67 }, { "entity": "TOOL: Hashcat", "count": 67 }, { "entity": "SYSTEM: Go", "count": 66 }, { "entity": "VULNERABILITY: command injection", "count": 66 }, { "entity": "VULNERABILITY: Directory Traversal", "count": 66 }, { "entity": "MALWARE: Qbot", "count": 65 }, { "entity": "SYSTEM: Telegram", "count": 64 } ], "empty_spans": [ { "file": "llm_annotated_apt.jsonl", "line": 10, "text_preview": "According to Lukas Stefanko, this is an open-source crypto-ransomware found on G" }, { "file": "llm_annotated_apt.jsonl", "line": 26, "text_preview": "Poses as an app that can offer a \"corona safety mask\" but phone's address book a" }, { "file": "llm_annotated_apt.jsonl", "line": 55, "text_preview": "RAT, which can be used to extract sensitive information, e.g. contact lists, txt" }, { "file": "llm_annotated_apt.jsonl", "line": 88, "text_preview": "A sophisticated mobile surveillance implant operating as a Remote Control System" }, { "file": "llm_annotated_apt.jsonl", "line": 102, "text_preview": "Information stealer posing as a fake banking app, targeting Korean users." }, { "file": "llm_annotated_apt.jsonl", "line": 106, "text_preview": "Related to the micropsia windows malware and also sometimes named micropsia." }, { "file": "llm_annotated_apt.jsonl", "line": 109, "text_preview": "According to Avira, this is a banking trojan targeting Japan." }, { "file": "llm_annotated_apt.jsonl", "line": 114, "text_preview": "WebShell." }, { "file": "llm_annotated_apt.jsonl", "line": 115, "text_preview": "WebShell." }, { "file": "llm_annotated_apt.jsonl", "line": 120, "text_preview": "A MIPS ELF binary with wiper functionality used against Viasat KA-SAT modems." }, { "file": "llm_annotated_apt.jsonl", "line": 124, "text_preview": "Ransomware" }, { "file": "llm_annotated_apt.jsonl", "line": 147, "text_preview": "Pangu Lab discovered this backdoor during a forensic investigation in 2013. They" }, { "file": "llm_annotated_apt.jsonl", "line": 151, "text_preview": "A backdoor for UNIX operating systems that implements knocking as authentication" }, { "file": "llm_annotated_apt.jsonl", "line": 152, "text_preview": "This is in the same family as eBury, Calfbot, and is also likely related to Dark" }, { "file": "llm_annotated_apt.jsonl", "line": 159, "text_preview": "Ransomware" }, { "file": "llm_annotated_apt.jsonl", "line": 160, "text_preview": "This was observed to be pushed by IoT malware, abusing devices for LiteCoin and " }, { "file": "llm_annotated_apt.jsonl", "line": 189, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 195, "text_preview": "RAT. Functionality like ExecShell, GetFileList/SendFile/DownloadFile, Socks5, Po" }, { "file": "llm_annotated_apt.jsonl", "line": 210, "text_preview": "Loader and Cleaner components used in attacks against high-performance computing" }, { "file": "llm_annotated_apt.jsonl", "line": 216, "text_preview": "A x64 ELF file infector with non-destructive payload." }, { "file": "llm_annotated_apt.jsonl", "line": 224, "text_preview": "Golang-based RAT that offers execution of shell commands and download+run capabi" }, { "file": "llm_annotated_apt.jsonl", "line": 233, "text_preview": "A botnet with P2P and centralized C&C capabilities." }, { "file": "llm_annotated_apt.jsonl", "line": 277, "text_preview": "Cryptojacking botnet" }, { "file": "llm_annotated_apt.jsonl", "line": 282, "text_preview": "Enables remote execution of scripts on a host, communicates via Tox." }, { "file": "llm_annotated_apt.jsonl", "line": 291, "text_preview": "Small downloader composed as a Fast-AutoLoad LISP (FAS) module for AutoCAD." }, { "file": "llm_annotated_apt.jsonl", "line": 294, "text_preview": "Commercial spyware by Intellexa." }, { "file": "llm_annotated_apt.jsonl", "line": 322, "text_preview": "WebAssembly-based crpyto miner." }, { "file": "llm_annotated_apt.jsonl", "line": 345, "text_preview": "According to the author, this is a project that will give understanding of bypas" }, { "file": "llm_annotated_apt.jsonl", "line": 354, "text_preview": "According to StepSecurity, this is a stealer deployed through a compromised Nx p" }, { "file": "llm_annotated_apt.jsonl", "line": 364, "text_preview": "A simple loader written in JavaScript found by Marco Ramilli." }, { "file": "llm_annotated_apt.jsonl", "line": 365, "text_preview": "A script able to list folders and emails in the current Roundcube account, and t" }, { "file": "llm_annotated_apt.jsonl", "line": 370, "text_preview": "webshell" }, { "file": "llm_annotated_apt.jsonl", "line": 385, "text_preview": "RAT. Functionality like ExecShell, GetFileList/SendFile/DownloadFile, Socks5, Po" }, { "file": "llm_annotated_apt.jsonl", "line": 392, "text_preview": "Backdoor as a fork of OpenSSH_6.0 with no logging, and \u201c-P\u201d and \u201c-z\u201d hidden comm" }, { "file": "llm_annotated_apt.jsonl", "line": 402, "text_preview": "General purpose backdoor" }, { "file": "llm_annotated_apt.jsonl", "line": 409, "text_preview": "A webshell for multiple web languages (asp/aspx, jsp/jspx, php), openly distribu" }, { "file": "llm_annotated_apt.jsonl", "line": 415, "text_preview": "Backdoor written in php" }, { "file": "llm_annotated_apt.jsonl", "line": 418, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 421, "text_preview": "A loader written in Powershell, usually delivered packaged in MSI/MSIX files." }, { "file": "llm_annotated_apt.jsonl", "line": 475, "text_preview": "A basic info stealer w/ some capability to inject code into legit applications." }, { "file": "llm_annotated_apt.jsonl", "line": 485, "text_preview": "Downloads NodeJS when deployed." }, { "file": "llm_annotated_apt.jsonl", "line": 489, "text_preview": "Unnamed malware. Delivered as remote template that drops a VBS file, which uses " }, { "file": "llm_annotated_apt.jsonl", "line": 492, "text_preview": "Information stealer, based on strings it seems to target crypto currencies, inst" }, { "file": "llm_annotated_apt.jsonl", "line": 495, "text_preview": "Downloader used in suspected APT attack against Vietnam." }, { "file": "llm_annotated_apt.jsonl", "line": 501, "text_preview": "MajorGeeks describes this malware as trying to locate credit card data by readin" }, { "file": "llm_annotated_apt.jsonl", "line": 521, "text_preview": "Allcome is classified as a clipper malware. Clippers are threats designed to acc" }, { "file": "llm_annotated_apt.jsonl", "line": 529, "text_preview": "Anatova is a ransomware family with the goal of ciphering all the files that it " }, { "file": "llm_annotated_apt.jsonl", "line": 531, "text_preview": "Recon/Loader malware attributed to Lazarus, disguised as Notepad++ shell extensi" }, { "file": "llm_annotated_apt.jsonl", "line": 533, "text_preview": "Ransomware that demands payment in Bitcoin." }, { "file": "llm_annotated_apt.jsonl", "line": 540, "text_preview": "A banking trojan, derived from the source code of win.kronos. In August 2022 it " }, { "file": "llm_annotated_apt.jsonl", "line": 544, "text_preview": "Helper malware associated with AridGopher, which will provide an alternative per" }, { "file": "llm_annotated_apt.jsonl", "line": 546, "text_preview": "It is available as a service, purchasable by anyone to use in their own campaign" }, { "file": "llm_annotated_apt.jsonl", "line": 559, "text_preview": "Ransomware" }, { "file": "llm_annotated_apt.jsonl", "line": 564, "text_preview": "Information stealer which uses AutoIT for wrapping." }, { "file": "llm_annotated_apt.jsonl", "line": 566, "text_preview": "Was previously wrongly tagged as PoweliksDropper, now looking for additional con" }, { "file": "llm_annotated_apt.jsonl", "line": 567, "text_preview": "Keylogger." }, { "file": "llm_annotated_apt.jsonl", "line": 569, "text_preview": "According to Checkpoint, this malware is a wiper instead of ransomware as self-a" }, { "file": "llm_annotated_apt.jsonl", "line": 570, "text_preview": "According to Porthas, this is a ransomware written in Golang, using a time-based" }, { "file": "llm_annotated_apt.jsonl", "line": 583, "text_preview": "According to Expel, the developers behind the recent AppSuite-PDF and PDF Editor" }, { "file": "llm_annotated_apt.jsonl", "line": 586, "text_preview": "A rewrite of Bazarloader in the Nim programming language." }, { "file": "llm_annotated_apt.jsonl", "line": 618, "text_preview": "Ransomware" }, { "file": "llm_annotated_apt.jsonl", "line": 622, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 626, "text_preview": "According to Cyderes, this is a tool to clear kernel callbacks registered by a r" }, { "file": "llm_annotated_apt.jsonl", "line": 634, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 641, "text_preview": "BookCodesRAT is a remote access trojan that uses HTTP(S) for communication. It s" }, { "file": "llm_annotated_apt.jsonl", "line": 663, "text_preview": "PWC describes this malware as a backdoor, capable of file management, upload and" }, { "file": "llm_annotated_apt.jsonl", "line": 678, "text_preview": "According to Secui, this ransomware was used in attacks observed against Middle " }, { "file": "llm_annotated_apt.jsonl", "line": 684, "text_preview": "Adware that shows advertisements using plugin techniques for popular browsers" }, { "file": "llm_annotated_apt.jsonl", "line": 685, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 702, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 716, "text_preview": "Destructive \"joke\" malware that ultimately deploys a wiper for the MBR." }, { "file": "llm_annotated_apt.jsonl", "line": 725, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 728, "text_preview": "A typical infostealer, capable of obtaining credentials for browsers, crypto cur" }, { "file": "llm_annotated_apt.jsonl", "line": 736, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 737, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 738, "text_preview": "Potential Lazarus sample." }, { "file": "llm_annotated_apt.jsonl", "line": 739, "text_preview": "Profero describes this as a ransomware family using CryptoPP as library to enabl" }, { "file": "llm_annotated_apt.jsonl", "line": 740, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 750, "text_preview": "Stealer is written in Visual Basic." }, { "file": "llm_annotated_apt.jsonl", "line": 764, "text_preview": "This malware uses DropBox as C&C channel." }, { "file": "llm_annotated_apt.jsonl", "line": 794, "text_preview": "Downloader." }, { "file": "llm_annotated_apt.jsonl", "line": 795, "text_preview": "Downloader." }, { "file": "llm_annotated_apt.jsonl", "line": 797, "text_preview": "DneSpy collects information, takes screenshots, and downloads and executes the l" }, { "file": "llm_annotated_apt.jsonl", "line": 811, "text_preview": "Cyber Defense Institute stated that this shellcode PE loader was observed stagin" }, { "file": "llm_annotated_apt.jsonl", "line": 812, "text_preview": "According to Idan Malihi, this ransomware is based on the LockBit builder from 2" }, { "file": "llm_annotated_apt.jsonl", "line": 837, "text_preview": "The application is a command-line utility and its primary purpose is to tunnel t" }, { "file": "llm_annotated_apt.jsonl", "line": 839, "text_preview": "This dropper masquerades itself as Adobe software, titled as Adobe.msi. It is us" }, { "file": "llm_annotated_apt.jsonl", "line": 841, "text_preview": "Infostealer" }, { "file": "llm_annotated_apt.jsonl", "line": 844, "text_preview": "Supposedly a worm that was active around 2012-2013." }, { "file": "llm_annotated_apt.jsonl", "line": 851, "text_preview": "Rough collection EQGRP samples, to be sorted" }, { "file": "llm_annotated_apt.jsonl", "line": 854, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 856, "text_preview": "This malware is part of the Eternity Malware \"Framework\"." }, { "file": "llm_annotated_apt.jsonl", "line": 857, "text_preview": "Eternity Framework Ransomware Payload" }, { "file": "llm_annotated_apt.jsonl", "line": 858, "text_preview": "This Stealer is part of the eternity malware project." }, { "file": "llm_annotated_apt.jsonl", "line": 859, "text_preview": "This malware is part of the Eternity Malware \"Framework\"." }, { "file": "llm_annotated_apt.jsonl", "line": 864, "text_preview": "ExileRAT is a simple RAT platform capable of getting information on the system (" }, { "file": "llm_annotated_apt.jsonl", "line": 877, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 921, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 933, "text_preview": "Gold Max is a Golang written command and control backdoor used by the NOBELIUM t" }, { "file": "llm_annotated_apt.jsonl", "line": 935, "text_preview": "Gomorrah is a stealer with no or little obfuscation that appeared around March 2" }, { "file": "llm_annotated_apt.jsonl", "line": 945, "text_preview": "This loader abuses the benign service Notion for data exchange." }, { "file": "llm_annotated_apt.jsonl", "line": 947, "text_preview": "Downloader / information stealer used by UAC-0056, observed since at least Octob" }, { "file": "llm_annotated_apt.jsonl", "line": 954, "text_preview": "This is a proxy-aware HTTP backdoor that is implemented as a service and uses th" }, { "file": "llm_annotated_apt.jsonl", "line": 958, "text_preview": "A malware family with a DGA." }, { "file": "llm_annotated_apt.jsonl", "line": 960, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 962, "text_preview": "Py2Exe based tool as found on github." }, { "file": "llm_annotated_apt.jsonl", "line": 965, "text_preview": "Ransomware written in C#." }, { "file": "llm_annotated_apt.jsonl", "line": 984, "text_preview": "Adware, tied to eGobbler and Nephos7 campaigns," }, { "file": "llm_annotated_apt.jsonl", "line": 988, "text_preview": "Remote Acess Tool Written in VB.NET." }, { "file": "llm_annotated_apt.jsonl", "line": 994, "text_preview": "A loader that has been used by multiple threat actor groups since 2015." }, { "file": "llm_annotated_apt.jsonl", "line": 997, "text_preview": "Sideloader used by EmissaryPanda" }, { "file": "llm_annotated_apt.jsonl", "line": 1003, "text_preview": "According to nao_sec, this malware is a simple passive-mode backdoor that is ins" }, { "file": "llm_annotated_apt.jsonl", "line": 1010, "text_preview": "Keylogger written in Visual Basic dating back to at least 2012." }, { "file": "llm_annotated_apt.jsonl", "line": 1011, "text_preview": "A ransomware that emerged in April 2022." }, { "file": "llm_annotated_apt.jsonl", "line": 1014, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1021, "text_preview": "A maliciously abused open source tool for port forwarding & intranet proxy." }, { "file": "llm_annotated_apt.jsonl", "line": 1031, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1043, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1045, "text_preview": "According to Karsten Hahn, a straightforward loader that runs assemblies from im" }, { "file": "llm_annotated_apt.jsonl", "line": 1046, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1061, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1069, "text_preview": "A ransomware that was active in 2018." }, { "file": "llm_annotated_apt.jsonl", "line": 1081, "text_preview": "Clipboard stealer." }, { "file": "llm_annotated_apt.jsonl", "line": 1082, "text_preview": "According to Seqrite, this is a TLS-based reverse shell." }, { "file": "llm_annotated_apt.jsonl", "line": 1086, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1101, "text_preview": "A ransomware first observed in July 2021." }, { "file": "llm_annotated_apt.jsonl", "line": 1103, "text_preview": "For the lack of a better name, this is a VBS-based loader that was used in begin" }, { "file": "llm_annotated_apt.jsonl", "line": 1122, "text_preview": "An uploader that can exfiltrate files to Dropbox." }, { "file": "llm_annotated_apt.jsonl", "line": 1124, "text_preview": "This .Net written malware is used as backdoor using the http protocol by a state" }, { "file": "llm_annotated_apt.jsonl", "line": 1130, "text_preview": "According to DCSO, this malware is written as a Extended Stored Procedure for a " }, { "file": "llm_annotated_apt.jsonl", "line": 1141, "text_preview": "Ransomware written in Delphi." }, { "file": "llm_annotated_apt.jsonl", "line": 1148, "text_preview": "Banking trojan written in Delphi, targeting customers of European and South Amer" }, { "file": "llm_annotated_apt.jsonl", "line": 1160, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1162, "text_preview": "On March 7, 2022, KELA observed a threat actor named _META_ announcing the launc" }, { "file": "llm_annotated_apt.jsonl", "line": 1163, "text_preview": "A wiper used in an attack against the Iranian train system." }, { "file": "llm_annotated_apt.jsonl", "line": 1171, "text_preview": "Ransomware, potential rebranding of win.sfile." }, { "file": "llm_annotated_apt.jsonl", "line": 1184, "text_preview": "LNK files used to lure and orchestrate execution of various scripts, interacting" }, { "file": "llm_annotated_apt.jsonl", "line": 1194, "text_preview": "This tool is a passive backdoor which allows attackers to inspect all incoming t" }, { "file": "llm_annotated_apt.jsonl", "line": 1199, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1200, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1201, "text_preview": "a command-line reconnaissance tool. It can be used to execute files as a differe" }, { "file": "llm_annotated_apt.jsonl", "line": 1206, "text_preview": "Botnet with focus on banks in Latin America and South America.\r\nRelies on DLL Si" }, { "file": "llm_annotated_apt.jsonl", "line": 1218, "text_preview": "Freely available network reconnaissance tool." }, { "file": "llm_annotated_apt.jsonl", "line": 1223, "text_preview": "C2 framework." }, { "file": "llm_annotated_apt.jsonl", "line": 1231, "text_preview": "Backdoor written in Nim." }, { "file": "llm_annotated_apt.jsonl", "line": 1235, "text_preview": "This ransomware has much in common with the LukaLocker ransomware. 1 Analysis o" }, { "file": "llm_annotated_apt.jsonl", "line": 1236, "text_preview": "A Turkish cryptominer campaign." }, { "file": "llm_annotated_apt.jsonl", "line": 1240, "text_preview": "A wiper that overwrites target files with itself, thus spreading in virus-fashio" }, { "file": "llm_annotated_apt.jsonl", "line": 1241, "text_preview": "Ransomware" }, { "file": "llm_annotated_apt.jsonl", "line": 1242, "text_preview": "An open source C2 framework intended for pentest and red teaming activities." }, { "file": "llm_annotated_apt.jsonl", "line": 1254, "text_preview": "Spam bot that was active around 2007 and after, one of the first malware familie" }, { "file": "llm_annotated_apt.jsonl", "line": 1257, "text_preview": "Malware which seems to have no function other than to disrupt computer systems r" }, { "file": "llm_annotated_apt.jsonl", "line": 1259, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1265, "text_preview": "A malware generating DGA domains seeded by the Bitcoin Genesis Block. This famil" }, { "file": "llm_annotated_apt.jsonl", "line": 1269, "text_preview": "Oski is a stealer written in C++ that appeared around November 2019 and is being" }, { "file": "llm_annotated_apt.jsonl", "line": 1270, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1278, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1279, "text_preview": "Parallax is a Remote Access Trojan used by attackers to gain access to a victim'" }, { "file": "llm_annotated_apt.jsonl", "line": 1282, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1289, "text_preview": "Information gathering and downloading tool used to deliver second stage malware " }, { "file": "llm_annotated_apt.jsonl", "line": 1294, "text_preview": "Keylogger, information stealer." }, { "file": "llm_annotated_apt.jsonl", "line": 1306, "text_preview": "Infostealer" }, { "file": "llm_annotated_apt.jsonl", "line": 1313, "text_preview": "uses POCO C++ cross-platform library, Xor-based string obfuscation, SSL library " }, { "file": "llm_annotated_apt.jsonl", "line": 1326, "text_preview": "Malware that abuses the Common Log File System (CLFS) to store/hide a second sta" }, { "file": "llm_annotated_apt.jsonl", "line": 1331, "text_preview": "According to Matthew Mesa, this is a modular bot. The name stems from the string" }, { "file": "llm_annotated_apt.jsonl", "line": 1337, "text_preview": "ransomware" }, { "file": "llm_annotated_apt.jsonl", "line": 1338, "text_preview": "PureLogs, also known as PureLog Stealer, is an infostealer malware from the Pure" }, { "file": "llm_annotated_apt.jsonl", "line": 1339, "text_preview": "According to Morphisec, this RAT combines advanced in-memory execution, API and " }, { "file": "llm_annotated_apt.jsonl", "line": 1367, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1371, "text_preview": "InfinityGroup notes that Rapid Ransomware, unlike regular Ransomware, stays acti" }, { "file": "llm_annotated_apt.jsonl", "line": 1372, "text_preview": "A spy trojan is a type of malware that has the capability to gather information " }, { "file": "llm_annotated_apt.jsonl", "line": 1373, "text_preview": "This ransomware encrypts all user\u2019s data on the PC (photos, documents, excel tab" }, { "file": "llm_annotated_apt.jsonl", "line": 1385, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1391, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1400, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1403, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1416, "text_preview": "Ransomware that was discovered over the last months of 2016 and likely based on " }, { "file": "llm_annotated_apt.jsonl", "line": 1420, "text_preview": "Ransomware" }, { "file": "llm_annotated_apt.jsonl", "line": 1431, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1434, "text_preview": "This in .Net witten backdoor abuses the DNS protocoll for its C2 communication. " }, { "file": "llm_annotated_apt.jsonl", "line": 1442, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1459, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1463, "text_preview": "Ransomware" }, { "file": "llm_annotated_apt.jsonl", "line": 1478, "text_preview": "Ransomware used by threat actor group DEV-0530, attributed by MSTIC to North Kor" }, { "file": "llm_annotated_apt.jsonl", "line": 1479, "text_preview": "Ransomware used by threat actor group DEV-0530, attributed by MSTIC to North Kor" }, { "file": "llm_annotated_apt.jsonl", "line": 1484, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1495, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1501, "text_preview": "A downloader trojan with some infostealer capabilities focused on the browser. P" }, { "file": "llm_annotated_apt.jsonl", "line": 1521, "text_preview": "A backdoor, capable of providing shell access, loading additional payloads, inte" }, { "file": "llm_annotated_apt.jsonl", "line": 1528, "text_preview": "Malware that abuses the Common Log File System (CLFS) to store/hide a second sta" }, { "file": "llm_annotated_apt.jsonl", "line": 1534, "text_preview": "According to PTSecurity, this stealer harvests system information which is then " }, { "file": "llm_annotated_apt.jsonl", "line": 1544, "text_preview": "Ransomware, written in Delphi." }, { "file": "llm_annotated_apt.jsonl", "line": 1563, "text_preview": "This ransomware uses a combination of different crypto algorithms (ChaCha20, AES" }, { "file": "llm_annotated_apt.jsonl", "line": 1565, "text_preview": "Steve Miller pointed out that it is proxy-aware (Tencent) for C&C communication " }, { "file": "llm_annotated_apt.jsonl", "line": 1573, "text_preview": "According to Cyble, this is a stealer targeting several crypto currency wallets " }, { "file": "llm_annotated_apt.jsonl", "line": 1582, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1585, "text_preview": "Standalone implant. Potentially tied to a framework called PATROLWAGON." }, { "file": "llm_annotated_apt.jsonl", "line": 1597, "text_preview": "Downloader, delivered via a lure with fake exploits published on Github." }, { "file": "llm_annotated_apt.jsonl", "line": 1604, "text_preview": "Malware attacking commonly used in Industrial Control Systems (ICS) Triconex Saf" }, { "file": "llm_annotated_apt.jsonl", "line": 1615, "text_preview": "Information stealer." }, { "file": "llm_annotated_apt.jsonl", "line": 1617, "text_preview": "Unnamed ransomware that camouflages as a program performing system cleanup calle" }, { "file": "llm_annotated_apt.jsonl", "line": 1619, "text_preview": "Unnamed portscanner as used in the Australian Parliament Hack (Feb 2019)." }, { "file": "llm_annotated_apt.jsonl", "line": 1620, "text_preview": "Was previously wrongly tagged as PoweliksDropper, now looking for additional con" }, { "file": "llm_annotated_apt.jsonl", "line": 1624, "text_preview": "MSI-based loader that has been observed as a stager for win.metamorfo." }, { "file": "llm_annotated_apt.jsonl", "line": 1625, "text_preview": "Unpacked http_dll.dat from the blog post." }, { "file": "llm_annotated_apt.jsonl", "line": 1630, "text_preview": "Ransomware written in Nim." }, { "file": "llm_annotated_apt.jsonl", "line": 1631, "text_preview": "Downloader used in suspected APT attack against Vietnam." }, { "file": "llm_annotated_apt.jsonl", "line": 1632, "text_preview": "Recon/Loader malware attributed to Lazarus, disguised as Notepad++ shell extensi" }, { "file": "llm_annotated_apt.jsonl", "line": 1637, "text_preview": "Keylogger." }, { "file": "llm_annotated_apt.jsonl", "line": 1639, "text_preview": "Potential Lazarus sample." }, { "file": "llm_annotated_apt.jsonl", "line": 1640, "text_preview": "Donot malware is a sophisticated, high-level malware toolkit designed to collect" }, { "file": "llm_annotated_apt.jsonl", "line": 1648, "text_preview": "According to Walmart, this is a loader written in Nim that contains an AmsiScanB" }, { "file": "llm_annotated_apt.jsonl", "line": 1649, "text_preview": "This malware family delivers its artifacts packed with free and generic packers." }, { "file": "llm_annotated_apt.jsonl", "line": 1650, "text_preview": "According to Deutsche Telekom CERT, this malware unpacks an obfuscated, multi-st" }, { "file": "llm_annotated_apt.jsonl", "line": 1663, "text_preview": "Delphi-based ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1666, "text_preview": "Ransomware, which appears to be a rebranding of win.cuba." }, { "file": "llm_annotated_apt.jsonl", "line": 1674, "text_preview": "Polymorphic parasitic file infecting virus which transforms files into copies of" }, { "file": "llm_annotated_apt.jsonl", "line": 1676, "text_preview": "Malware of this family searches for computers on a network and creates copies of" }, { "file": "llm_annotated_apt.jsonl", "line": 1677, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1679, "text_preview": "Ransomware written in D." }, { "file": "llm_annotated_apt.jsonl", "line": 1681, "text_preview": "Information stealer." }, { "file": "llm_annotated_apt.jsonl", "line": 1683, "text_preview": "Wabot is an IRC worm that is written in Delphi." }, { "file": "llm_annotated_apt.jsonl", "line": 1687, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1698, "text_preview": "Destructive malware deployed against targets in Ukraine in January 2022." }, { "file": "llm_annotated_apt.jsonl", "line": 1701, "text_preview": "Information stealer used by threat actor LuoYu." }, { "file": "llm_annotated_apt.jsonl", "line": 1706, "text_preview": "Information Stealer." }, { "file": "llm_annotated_apt.jsonl", "line": 1713, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1716, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1721, "text_preview": "Simple Loader used to download and install stealers, clippers and other malwares" }, { "file": "llm_annotated_apt.jsonl", "line": 1725, "text_preview": "Malware with wide range of capabilities ranging from RAT to ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1727, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 1729, "text_preview": "According to PTSecurity, this RAT uses Yandex Disk as a C2." }, { "file": "llm_annotated_apt.jsonl", "line": 1737, "text_preview": "Ransomware." }, { "file": "llm_annotated_apt.jsonl", "line": 2136, "text_preview": "This piece of malware steals the content of the user's keychain while maintainin" }, { "file": "llm_annotated_apt.jsonl", "line": 2728, "text_preview": "If a malicious tool is detected and quarantined or otherwise curtailed, an adver" }, { "file": "llm_annotated_apt.jsonl", "line": 2733, "text_preview": "Adversaries may attempt to take screen captures of the desktop to gather informa" }, { "file": "llm_annotated_apt.jsonl", "line": 2736, "text_preview": "Adversaries may use scripts automatically executed at boot or logon initializati" }, { "file": "llm_annotated_apt.jsonl", "line": 2737, "text_preview": "Adversaries may attempt to position themselves between two or more networked dev" }, { "file": "llm_annotated_apt.jsonl", "line": 2739, "text_preview": "Adversaries may buy, lease, rent, or obtain infrastructure that can be used duri" }, { "file": "llm_annotated_apt.jsonl", "line": 2745, "text_preview": "Adversaries may encode data with a standard data encoding system to make the con" }, { "file": "llm_annotated_apt.jsonl", "line": 2746, "text_preview": "Adversaries may embed payloads within other files to conceal malicious content f" }, { "file": "llm_annotated_apt.jsonl", "line": 2749, "text_preview": "An adversary may revert changes made to a cloud instance after they have perform" }, { "file": "llm_annotated_apt.jsonl", "line": 2751, "text_preview": "Adversaries may gather information about the victim's hosts that can be used dur" }, { "file": "llm_annotated_apt.jsonl", "line": 2752, "text_preview": "Adversaries may search public digital certificate data for information about vic" }, { "file": "llm_annotated_apt.jsonl", "line": 2754, "text_preview": "Adversaries may attempt to hide their file-based artifacts by writing them to sp" }, { "file": "llm_annotated_apt.jsonl", "line": 2758, "text_preview": "Adversaries may purchase technical information about victims that can be used du" }, { "file": "llm_annotated_apt.jsonl", "line": 2759, "text_preview": "Adversaries may attempt to dump credentials to obtain account login and credenti" }, { "file": "llm_annotated_apt.jsonl", "line": 2761, "text_preview": "Adversaries may collect data related to managed devices from configuration repos" }, { "file": "llm_annotated_apt.jsonl", "line": 2764, "text_preview": "Adversaries may insert, delete, or manipulate data at rest in order to manipulat" }, { "file": "llm_annotated_apt.jsonl", "line": 2769, "text_preview": "Adversaries may obtain access to generative artificial intelligence tools, such " }, { "file": "llm_annotated_apt.jsonl", "line": 2772, "text_preview": "An adversary may deface systems external to an organization in an attempt to del" }, { "file": "llm_annotated_apt.jsonl", "line": 2773, "text_preview": "Adversaries may encrypt or encode files to obfuscate strings, bytes, and other s" }, { "file": "llm_annotated_apt.jsonl", "line": 2775, "text_preview": "Adversaries may gather the victim's IP addresses that can be used during targeti" }, { "file": "llm_annotated_apt.jsonl", "line": 2784, "text_preview": "An adversary can leverage a computer's peripheral devices (e.g., microphones and" }, { "file": "llm_annotated_apt.jsonl", "line": 2792, "text_preview": "Adversaries may abuse a double extension in the filename as a means of masquerad" }, { "file": "llm_annotated_apt.jsonl", "line": 2794, "text_preview": "Adversaries may take actions to hide the deployment of new, or modification of e" }, { "file": "llm_annotated_apt.jsonl", "line": 2798, "text_preview": "An adversary may compress or encrypt data that is collected prior to exfiltratio" }, { "file": "llm_annotated_apt.jsonl", "line": 2799, "text_preview": "An adversary may attempt to modify a cloud account's compute service infrastruct" }, { "file": "llm_annotated_apt.jsonl", "line": 2800, "text_preview": "Adversaries may compromise third-party network devices that can be used during t" }, { "file": "llm_annotated_apt.jsonl", "line": 2802, "text_preview": "Adversaries may attempt to discover group and permission settings. This informat" }, { "file": "llm_annotated_apt.jsonl", "line": 2803, "text_preview": "Adversaries may target user email to collect sensitive information. Emails may c" }, { "file": "llm_annotated_apt.jsonl", "line": 2805, "text_preview": "Adversaries may search public WHOIS data for information about victims that can " }, { "file": "llm_annotated_apt.jsonl", "line": 2807, "text_preview": "Adversaries may search websites owned by the victim for information that can be " }, { "file": "llm_annotated_apt.jsonl", "line": 2810, "text_preview": "Adversaries may search DNS data for information about victims that can be used d" }, { "file": "llm_annotated_apt.jsonl", "line": 2814, "text_preview": "Adversaries may buy and/or steal SSL/TLS certificates that can be used during ta" }, { "file": "llm_annotated_apt.jsonl", "line": 2815, "text_preview": "Adversaries may set up their own Domain Name System (DNS) servers that can be us" }, { "file": "llm_annotated_apt.jsonl", "line": 2817, "text_preview": "Adversaries may communicate using the Domain Name System (DNS) application layer" }, { "file": "llm_annotated_apt.jsonl", "line": 2826, "text_preview": "Process hollowing occurs when a process is created in a suspended state then its" }, { "file": "llm_annotated_apt.jsonl", "line": 2830, "text_preview": "Adversaries may create self-signed SSL/TLS certificates that can be used during " }, { "file": "llm_annotated_apt.jsonl", "line": 2831, "text_preview": "Adversaries may insert, delete, or manipulate data at rest in order to influence" }, { "file": "llm_annotated_apt.jsonl", "line": 2832, "text_preview": "Adversaries may use password cracking to attempt to recover usable credentials, " }, { "file": "llm_annotated_apt.jsonl", "line": 2839, "text_preview": "Adversaries may compromise a network device\u2019s encryption capability in order to " }, { "file": "llm_annotated_apt.jsonl", "line": 2844, "text_preview": "Adversaries may develop malware and malware components that can be used during t" }, { "file": "llm_annotated_apt.jsonl", "line": 2850, "text_preview": "Adversaries may attempt to hide artifacts associated with their behaviors to eva" }, { "file": "llm_annotated_apt.jsonl", "line": 2853, "text_preview": "Adversaries may gather information about the victim's business tempo that can be" }, { "file": "llm_annotated_apt.jsonl", "line": 2855, "text_preview": "Adversaries may communicate using publish/subscribe (pub/sub) application layer " }, { "file": "llm_annotated_apt.jsonl", "line": 2856, "text_preview": "Adversaries may gather information about the victim's host hardware that can be " }, { "file": "llm_annotated_apt.jsonl", "line": 2857, "text_preview": "Adversaries may deliver payloads to remote systems by adding content to shared s" }, { "file": "llm_annotated_apt.jsonl", "line": 2860, "text_preview": "Adversaries may employ a known symmetric encryption algorithm to conceal command" }, { "file": "llm_annotated_apt.jsonl", "line": 2865, "text_preview": "Adversaries may use application access tokens to bypass the typical authenticati" }, { "file": "llm_annotated_apt.jsonl", "line": 2868, "text_preview": "Adversaries may abuse netbooting to load an unauthorized network device operatin" }, { "file": "llm_annotated_apt.jsonl", "line": 2870, "text_preview": "Adversaries may use Fast Flux DNS to hide a command and control channel behind a" }, { "file": "llm_annotated_apt.jsonl", "line": 2874, "text_preview": "Adversaries may acquire information about vulnerabilities that can be used durin" }, { "file": "llm_annotated_apt.jsonl", "line": 2885, "text_preview": "Adversaries may disable security tools to avoid possible detection of their tool" }, { "file": "llm_annotated_apt.jsonl", "line": 2889, "text_preview": "Adversaries may attempt to make a payload difficult to analyze by removing symbo" }, { "file": "llm_annotated_apt.jsonl", "line": 2892, "text_preview": "Once established within a system or network, an adversary may use automated tech" }, { "file": "llm_annotated_apt.jsonl", "line": 2896, "text_preview": "Adversaries may acquire user credentials from third-party password managers. Pas" }, { "file": "llm_annotated_apt.jsonl", "line": 2906, "text_preview": "Adversaries may modify systems in order to manipulate the data as it is accessed" }, { "file": "llm_annotated_apt.jsonl", "line": 2909, "text_preview": "Adversaries may attempt to gather information about attached peripheral devices " }, { "file": "llm_annotated_apt.jsonl", "line": 2911, "text_preview": "Adversaries may gather information about the victim's network topology that can " }, { "file": "llm_annotated_apt.jsonl", "line": 2912, "text_preview": "Adversaries may create self-signed code signing certificates that can be used du" }, { "file": "llm_annotated_apt.jsonl", "line": 2923, "text_preview": "MacOS provides the option to list specific applications to run when a user logs " }, { "file": "llm_annotated_apt.jsonl", "line": 2924, "text_preview": "Adversaries may gather information about the victim's network trust dependencies" }, { "file": "llm_annotated_apt.jsonl", "line": 2929, "text_preview": "Adversaries may abuse software extensions to establish persistent access to vict" }, { "file": "llm_annotated_apt.jsonl", "line": 2931, "text_preview": "Adversaries may manipulate hardware components in products prior to receipt by a" }, { "file": "llm_annotated_apt.jsonl", "line": 2937, "text_preview": "Adversaries may compromise third-party Virtual Private Servers (VPSs) that can b" }, { "file": "llm_annotated_apt.jsonl", "line": 2939, "text_preview": "Adversaries may reduce the level of effort required to decrypt data transmitted " }, { "file": "llm_annotated_apt.jsonl", "line": 2942, "text_preview": "Adversaries may use a custom cryptographic protocol or algorithm to hide command" }, { "file": "llm_annotated_apt.jsonl", "line": 2943, "text_preview": "An adversary may revert changes made to a cloud instance after they have perform" }, { "file": "llm_annotated_apt.jsonl", "line": 2948, "text_preview": "Adversaries may maliciously modify components of a victim environment in order t" }, { "file": "llm_annotated_apt.jsonl", "line": 2950, "text_preview": "Adversaries may compromise email accounts that can be used during targeting. Adv" }, { "file": "llm_annotated_apt.jsonl", "line": 2956, "text_preview": "Adversaries may search for common password storage locations to obtain user cred" }, { "file": "llm_annotated_apt.jsonl", "line": 2957, "text_preview": "Adversaries may use an existing, legitimate external Web service to exfiltrate d" }, { "file": "llm_annotated_apt.jsonl", "line": 2962, "text_preview": "An adversary performs C2 communications using multiple layers of encryption, typ" }, { "file": "llm_annotated_apt.jsonl", "line": 2963, "text_preview": "Adversaries may attempt to manipulate features of their artifacts to make them a" }, { "file": "llm_annotated_apt.jsonl", "line": 2965, "text_preview": "Adversaries may search compromised systems to find and obtain insecurely stored " }, { "file": "llm_annotated_apt.jsonl", "line": 2969, "text_preview": "Adversaries may gain access and continuously communicate with victims by injecti" }, { "file": "llm_annotated_apt.jsonl", "line": 2972, "text_preview": "Bash keeps track of the commands users type on the command-line with the \"histor" }, { "file": "llm_annotated_apt.jsonl", "line": 2973, "text_preview": "Adversaries may use traffic signaling to hide open ports or other malicious func" }, { "file": "llm_annotated_apt.jsonl", "line": 2977, "text_preview": "**This technique has been deprecated and should no longer be used.**\n\nThe " }, { "file": "llm_annotated_apt.jsonl", "line": 2981, "text_preview": "Adversaries may host seemingly genuine Wi-Fi access points to deceive users into" }, { "file": "llm_annotated_apt.jsonl", "line": 2989, "text_preview": "Adversaries may attempt to get a listing of open application windows. Window lis" }, { "file": "llm_annotated_apt.jsonl", "line": 2991, "text_preview": "Adversaries may explicitly employ a known encryption algorithm to conceal comman" }, { "file": "llm_annotated_apt.jsonl", "line": 2993, "text_preview": "**This technique has been deprecated and should no longer be used.**\n\nA type-1 h" }, { "file": "llm_annotated_apt.jsonl", "line": 2994, "text_preview": "Adversaries may employ various time-based methods to detect virtualization and a" }, { "file": "llm_annotated_apt.jsonl", "line": 2999, "text_preview": "Adversaries may schedule data exfiltration to be performed only at certain times" }, { "file": "llm_annotated_apt.jsonl", "line": 3004, "text_preview": "Adversaries may bridge network boundaries by modifying a network device\u2019s Networ" }, { "file": "llm_annotated_apt.jsonl", "line": 3012, "text_preview": "Adversaries may search private data from threat intelligence vendors for informa" }, { "file": "llm_annotated_apt.jsonl", "line": 3013, "text_preview": "Adversaries may attempt to exfiltrate data over a different network medium than " }, { "file": "llm_annotated_apt.jsonl", "line": 3014, "text_preview": "Adversaries may access network configuration files to collect sensitive data abo" }, { "file": "llm_annotated_apt.jsonl", "line": 3015, "text_preview": "Adversaries may gather information about the victim's identity that can be used " }, { "file": "llm_annotated_apt.jsonl", "line": 3019, "text_preview": "An adversary may compress and/or encrypt data that is collected prior to exfiltr" }, { "file": "llm_annotated_apt.jsonl", "line": 3025, "text_preview": "Adversaries may communicate using application layer protocols associated with el" }, { "file": "llm_annotated_apt.jsonl", "line": 3027, "text_preview": "Adversaries may scan victims for vulnerabilities that can be used during targeti" }, { "file": "llm_annotated_apt.jsonl", "line": 3029, "text_preview": "Adversaries may search freely available technical databases for information abou" }, { "file": "llm_annotated_apt.jsonl", "line": 3042, "text_preview": "Adversaries may modify visual content available internally or externally to an e" }, { "file": "llm_annotated_apt.jsonl", "line": 3055, "text_preview": "Adversaries may attempt to exfiltrate data over Bluetooth rather than the comman" }, { "file": "llm_annotated_apt.jsonl", "line": 3061, "text_preview": "Adversaries may establish persistence by executing malicious content triggered b" }, { "file": "llm_annotated_apt.jsonl", "line": 3066, "text_preview": "Adversaries can perform command and control between compromised hosts on potenti" }, { "file": "llm_annotated_apt.jsonl", "line": 3068, "text_preview": "Adversaries may create email accounts that can be used during targeting. Adversa" }, { "file": "llm_annotated_apt.jsonl", "line": 3075, "text_preview": "Adversaries may execute active reconnaissance scans to gather information that c" }, { "file": "llm_annotated_apt.jsonl", "line": 3076, "text_preview": "Adversaries may use junk code / dead code to obfuscate a malware\u2019s functionality" }, { "file": "llm_annotated_apt.jsonl", "line": 3078, "text_preview": "Adversaries may circumvent mechanisms designed to control elevate privileges to " }, { "file": "llm_annotated_apt.jsonl", "line": 3079, "text_preview": "Adversaries may create a new process with an existing token to escalate privileg" }, { "file": "llm_annotated_apt.jsonl", "line": 3093, "text_preview": "**This technique has been deprecated. Please use Create Account, Web Shell, and " }, { "file": "llm_annotated_apt.jsonl", "line": 3100, "text_preview": "Adversaries may gather information about the victim's network security appliance" }, { "file": "llm_annotated_apt.jsonl", "line": 3103, "text_preview": "Adversaries may use search engines to collect information about victims that can" }, { "file": "llm_annotated_apt.jsonl", "line": 3105, "text_preview": "Adversaries may gather information about the victim's business relationships tha" }, { "file": "llm_annotated_apt.jsonl", "line": 3112, "text_preview": "An adversary may delete a cloud instance after they have performed malicious act" }, { "file": "llm_annotated_apt.jsonl", "line": 3116, "text_preview": "Adversaries may leverage the network bandwidth resources of co-opted systems to " }, { "file": "llm_annotated_apt.jsonl", "line": 3126, "text_preview": "Adversaries may gather employee names that can be used during targeting. Employe" }, { "file": "llm_annotated_apt.jsonl", "line": 3131, "text_preview": "Adversaries may exfiltrate data, such as sensitive documents, through the use of" }, { "file": "llm_annotated_apt.jsonl", "line": 3132, "text_preview": "Adversaries may gather information about the victim's client configurations that" }, { "file": "llm_annotated_apt.jsonl", "line": 3133, "text_preview": "Adversaries may disable or modify a firewall within a cloud environment to bypas" }, { "file": "llm_annotated_apt.jsonl", "line": 3136, "text_preview": "Adversaries may buy, steal, or download malware that can be used during targetin" }, { "file": "llm_annotated_apt.jsonl", "line": 3137, "text_preview": "Adversaries may smuggle data and files past content filters by hiding malicious " }, { "file": "llm_annotated_apt.jsonl", "line": 3139, "text_preview": "Adversaries may delete or modify artifacts generated within systems to remove ev" }, { "file": "llm_annotated_apt.jsonl", "line": 3140, "text_preview": "Adversaries may steal data by exfiltrating it over a symmetrically encrypted net" }, { "file": "llm_annotated_apt.jsonl", "line": 3142, "text_preview": "Adversaries may rent Virtual Private Servers (VPSs)\u00a0that can be used during targ" }, { "file": "llm_annotated_apt.jsonl", "line": 3146, "text_preview": "Adversaries may enumerate files and directories or may search in specific locati" }, { "file": "llm_annotated_apt.jsonl", "line": 3147, "text_preview": "Adversaries may dynamically establish connections to command and control infrast" }, { "file": "llm_annotated_apt.jsonl", "line": 3153, "text_preview": "Adversaries may use `JamPlus` to proxy the execution of a malicious script. `Jam" }, { "file": "llm_annotated_apt.jsonl", "line": 3154, "text_preview": "Adversaries may establish persistence and/or elevate privileges by executing mal" }, { "file": "llm_annotated_apt.jsonl", "line": 3156, "text_preview": "To disguise the source of malicious traffic, adversaries may chain together mult" }, { "file": "llm_annotated_apt.jsonl", "line": 3162, "text_preview": "Adversaries may compromise third-party infrastructure that can be used during ta" }, { "file": "llm_annotated_apt.jsonl", "line": 3164, "text_preview": "Adversaries disable a network device\u2019s dedicated hardware encryption, which may " }, { "file": "llm_annotated_apt.jsonl", "line": 3181, "text_preview": "Adversaries may perform calculations on addresses returned in DNS results to det" }, { "file": "llm_annotated_apt.jsonl", "line": 3186, "text_preview": "Adversaries may create multiple stages for command and control that are employed" }, { "file": "llm_annotated_apt.jsonl", "line": 3187, "text_preview": "Adversaries may steal monetary resources from targets through extortion, social " }, { "file": "llm_annotated_apt.jsonl", "line": 3190, "text_preview": "Adversaries may forge web cookies that can be used to gain access to web applica" }, { "file": "llm_annotated_apt.jsonl", "line": 3192, "text_preview": "Adversaries may duplicate then impersonate another user's existing token to esca" }, { "file": "llm_annotated_apt.jsonl", "line": 3195, "text_preview": "Adversaries may use port knocking to hide open ports used for persistence or com" }, { "file": "llm_annotated_apt.jsonl", "line": 3201, "text_preview": "An adversary may rely upon specific actions by a user in order to gain execution" }, { "file": "llm_annotated_apt.jsonl", "line": 3202, "text_preview": "An adversary may deface systems internal to an organization in an attempt to int" }, { "file": "llm_annotated_apt.jsonl", "line": 3204, "text_preview": "Adversaries may make new tokens and impersonate users to escalate privileges and" }, { "file": "llm_annotated_apt.jsonl", "line": 3207, "text_preview": "Adversaries may steal data by exfiltrating it over an asymmetrically encrypted n" }, { "file": "llm_annotated_apt.jsonl", "line": 3214, "text_preview": "Adversaries may search content delivery network (CDN) data about victims that ca" }, { "file": "llm_annotated_apt.jsonl", "line": 3215, "text_preview": "Adversaries may employ various user activity checks to detect and avoid virtuali" }, { "file": "llm_annotated_apt.jsonl", "line": 3220, "text_preview": "Adversaries may steal data by exfiltrating it over an existing command and contr" }, { "file": "llm_annotated_apt.jsonl", "line": 3222, "text_preview": "Adversaries may gather information about the victim's organization that can be u" }, { "file": "llm_annotated_apt.jsonl", "line": 3231, "text_preview": "Adversaries may inject malicious code into processes via VDSO hijacking in order" }, { "file": "llm_annotated_apt.jsonl", "line": 3232, "text_preview": "**This technique has been deprecated and should no longer be used.**\n\nSome adver" }, { "file": "llm_annotated_apt.jsonl", "line": 3234, "text_preview": "Adversaries may intentionally exclude certain files, folders, directories, file " }, { "file": "llm_annotated_apt.jsonl", "line": 3240, "text_preview": "Adversaries may gather information about the victim's networks that can be used " }, { "file": "llm_annotated_apt.jsonl", "line": 3251, "text_preview": "**This technique has been deprecated and should no longer be used.**\n\nAs of OS X" }, { "file": "llm_annotated_apt.jsonl", "line": 3252, "text_preview": "Adversaries may search freely available websites and/or domains for information " }, { "file": "llm_annotated_apt.jsonl", "line": 3253, "text_preview": "Adversaries may disable network device-based firewall mechanisms entirely or add" }, { "file": "llm_annotated_apt.jsonl", "line": 3258, "text_preview": "Adversaries may employ various time-based methods to evade detection and analysi" }, { "file": "llm_annotated_apt.jsonl", "line": 3262, "text_preview": "Adversaries may attempt to exfiltrate data over a USB connected physical device." }, { "file": "llm_annotated_apt.jsonl", "line": 3264, "text_preview": "Adversaries may search and gather information about victims from closed (e.g., p" }, { "file": "llm_annotated_apt.jsonl", "line": 3270, "text_preview": "Adversaries may leverage the compute resources of co-opted systems to complete r" }, { "file": "llm_annotated_apt.jsonl", "line": 3276, "text_preview": "An adversary may use legitimate remote access hardware to establish an interacti" }, { "file": "llm_annotated_apt.jsonl", "line": 3279, "text_preview": "Adversaries may insert, delete, or manipulate data in order to influence externa" }, { "file": "llm_annotated_apt.jsonl", "line": 3281, "text_preview": "Adversaries may obfuscate command and control traffic to make it more difficult " }, { "file": "llm_annotated_apt.jsonl", "line": 3284, "text_preview": "Adversaries may make changes to the operating system of embedded network devices" }, { "file": "llm_annotated_apt.jsonl", "line": 3286, "text_preview": "Adversaries may attempt to blend in with legitimate traffic by spoofing browser " }, { "file": "llm_annotated_apt.jsonl", "line": 3288, "text_preview": "Adversaries may remove indicators from tools if they believe their malicious too" }, { "file": "llm_annotated_apt.jsonl", "line": 3292, "text_preview": "Adversaries may communicate using a protocol and port pairing that are typically" }, { "file": "llm_annotated_apt.jsonl", "line": 3297, "text_preview": "Adversaries may abuse resource forks to hide malicious code or executables to ev" }, { "file": "llm_annotated_apt.jsonl", "line": 3301, "text_preview": "Adversaries may attempt to make an executable or file difficult to discover or a" }, { "file": "llm_annotated_apt.jsonl", "line": 3305, "text_preview": "Adversaries may attempt to mimic features of valid code signatures to increase t" }, { "file": "llm_annotated_apt.jsonl", "line": 3307, "text_preview": "The trap command allows programs and shells to specify commands tha" }, { "file": "llm_annotated_apt.jsonl", "line": 3310, "text_preview": "Adversaries may establish persistence and/or elevate privileges using system mec" }, { "file": "llm_annotated_apt.jsonl", "line": 3314, "text_preview": "Adversaries may bridge network boundaries by compromising perimeter network devi" }, { "file": "llm_annotated_apt.jsonl", "line": 3317, "text_preview": "Adversaries may undermine security controls that will either warn users of untru" }, { "file": "llm_annotated_apt.jsonl", "line": 3319, "text_preview": "Adversaries may gather information about the victim's host firmware that can be " }, { "file": "llm_annotated_apt.jsonl", "line": 3320, "text_preview": "Adversaries may employ an encryption algorithm to conceal command and control tr" }, { "file": "llm_annotated_apt.jsonl", "line": 3325, "text_preview": "Adversaries may exfiltrate data to text storage sites instead of their primary c" }, { "file": "llm_annotated_apt.jsonl", "line": 3327, "text_preview": "Adversaries may gather information about the victim's host software that can be " }, { "file": "llm_annotated_apt.jsonl", "line": 3329, "text_preview": "Adversaries may use methods of capturing user input to obtain credentials or col" }, { "file": "llm_annotated_apt.jsonl", "line": 3331, "text_preview": "Adversaries may develop exploits that can be used during targeting. An exploit t" }, { "file": "llm_annotated_apt.jsonl", "line": 3332, "text_preview": "Adversaries may search social media for information about victims that can be us" }, { "file": "llm_annotated_apt.jsonl", "line": 3336, "text_preview": "Adversaries may manipulate application software prior to receipt by a final cons" }, { "file": "llm_annotated_apt.jsonl", "line": 3341, "text_preview": "Adversaries may flood targeted email addresses with an overwhelming volume of me" }, { "file": "llm_annotated_apt.jsonl", "line": 3348, "text_preview": "Adversaries may install SSL/TLS certificates that can be used during targeting. " }, { "file": "llm_annotated_apt.jsonl", "line": 3360, "text_preview": "Adversaries may compromise third-party DNS servers that can be used during targe" }, { "file": "llm_annotated_apt.jsonl", "line": 3364, "text_preview": "An adversary may exfiltrate data in fixed size chunks instead of whole files or " }, { "file": "llm_annotated_apt.jsonl", "line": 3366, "text_preview": "Adversaries can use stolen session cookies to authenticate to web applications a" }, { "file": "llm_annotated_apt.jsonl", "line": 3371, "text_preview": "Adversaries can use stolen session cookies to authenticate to web applications a" }, { "file": "llm_annotated_apt.jsonl", "line": 3376, "text_preview": "Adversaries may conduct C2 communications over a non-standard port to bypass pro" }, { "file": "llm_annotated_apt.jsonl", "line": 3378, "text_preview": "Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embe" }, { "file": "llm_annotated_apt.jsonl", "line": 3381, "text_preview": "Adversaries may impersonate a trusted person or organization in order to persuad" }, { "file": "llm_annotated_apt.jsonl", "line": 3382, "text_preview": "Adversaries may modify settings that directly affect the size, locations, and re" }, { "file": "llm_annotated_apt.jsonl", "line": 3384, "text_preview": "Adversaries may modify systems in order to manipulate the data as it is accessed" }, { "file": "llm_annotated_apt.jsonl", "line": 3386, "text_preview": "Adversaries may poison Address Resolution Protocol (ARP) caches to position them" }, { "file": "llm_annotated_apt.jsonl", "line": 3393, "text_preview": "Once a payload is delivered, adversaries may reproduce copies of the same malwar" }, { "file": "llm_annotated_apt.jsonl", "line": 3394, "text_preview": "Adversaries may gather information about identities and roles within the victim " }, { "file": "llm_annotated_apt.jsonl", "line": 3395, "text_preview": "Adversaries may encode data to make the content of command and control traffic m" }, { "file": "llm_annotated_apt.jsonl", "line": 3398, "text_preview": "Adversaries may leverage the resources of co-opted systems to complete resource-" }, { "file": "llm_annotated_apt.jsonl", "line": 3400, "text_preview": "Adversaries may buy and/or steal capabilities that can be used during targeting." }, { "file": "llm_annotated_apt.jsonl", "line": 3404, "text_preview": "An adversary may create a new instance or virtual machine (VM) within the comput" }, { "file": "llm_annotated_apt.jsonl", "line": 3410, "text_preview": "Adversaries may create or modify launch agents to repeatedly execute malicious p" }, { "file": "llm_annotated_apt.jsonl", "line": 3411, "text_preview": "Adversaries may abuse system services or daemons to execute commands or programs" }, { "file": "llm_annotated_apt.jsonl", "line": 3416, "text_preview": "Adversaries may modify the operating system of a network device to introduce new" }, { "file": "llm_annotated_apt.jsonl", "line": 3419, "text_preview": "Adversaries may clear artifacts associated with previously established persisten" }, { "file": "llm_annotated_apt.jsonl", "line": 3423, "text_preview": "Adversaries may match or approximate the names of legitimate accounts to make ne" }, { "file": "llm_annotated_apt.jsonl", "line": 3426, "text_preview": "Adversaries may physically introduce computer accessories, networking hardware, " }, { "file": "llm_annotated_apt.jsonl", "line": 3428, "text_preview": "Adversaries may abuse legitimate extensible development features of servers to e" }, { "file": "llm_annotated_apt.jsonl", "line": 3430, "text_preview": "Adversaries may encode data with a non-standard data encoding system to make the" }, { "file": "llm_annotated_apt.jsonl", "line": 3433, "text_preview": "Adversaries may smuggle data and files past content filters by hiding malicious " }, { "file": "llm_annotated_apt.jsonl", "line": 3443, "text_preview": "Adversaries may scan victim IP blocks to gather information that can be used dur" }, { "file": "llm_annotated_apt.jsonl", "line": 3453, "text_preview": "Adversaries may communicate using application layer protocols associated with we" }, { "file": "llm_annotated_apt.jsonl", "line": 3455, "text_preview": "Adversaries may use a hidden file system to conceal malicious activity from user" }, { "file": "llm_annotated_apt.jsonl", "line": 3457, "text_preview": "Adversaries who successfully compromise a system may attempt to maintain persist" }, { "file": "llm_annotated_apt.jsonl", "line": 3459, "text_preview": "Adversaries may create an account to maintain access to victim systems. With a s" }, { "file": "llm_annotated_apt.jsonl", "line": 3465, "text_preview": "Adversaries can hide a program's true filetype by changing the extension of a fi" }, { "file": "llm_annotated_apt.jsonl", "line": 3469, "text_preview": "Adversaries may attempt to get a listing of software and software versions that " }, { "file": "llm_annotated_apt.jsonl", "line": 3471, "text_preview": "Adversaries may inject malicious code into processes via thread local storage (T" }, { "file": "llm_annotated_apt.jsonl", "line": 3473, "text_preview": "Adversaries can hide a program's true filetype by changing the extension of a fi" }, { "file": "llm_annotated_apt.jsonl", "line": 3477, "text_preview": "Adversaries may attempt to exfiltrate data via a physical medium, such as a remo" }, { "file": "llm_annotated_apt.jsonl", "line": 3478, "text_preview": "Adversaries may execute their own malicious payloads by side-loading DLLs. Simil" }, { "file": "llm_annotated_apt.jsonl", "line": 3482, "text_preview": "Adversaries may buy and/or steal code signing certificates that can be used duri" }, { "file": "llm_annotated_apt.jsonl", "line": 3488, "text_preview": "Adversaries may inject malicious code into processes via ptrace (process trace) " }, { "file": "llm_annotated_apt.jsonl", "line": 3490, "text_preview": "Adversaries may obfuscate then dynamically resolve API functions called by their" }, { "file": "llm_annotated_apt.jsonl", "line": 3494, "text_preview": "Adversaries may manipulate network traffic in order to hide and evade detection " }, { "file": "llm_annotated_apt.jsonl", "line": 3497, "text_preview": "Adversaries may search within public scan databases for information about victim" }, { "file": "llm_annotated_apt.jsonl", "line": 3500, "text_preview": "Adversaries may gather the victim's physical location(s) that can be used during" }, { "file": "llm_annotated_apt.jsonl", "line": 3502, "text_preview": "Adversaries may build capabilities that can be used during targeting. Rather tha" }, { "file": "llm_annotated_apt.jsonl", "line": 3505, "text_preview": "Adversaries may target the Management Information Base (MIB) to collect and/or m" }, { "file": "llm_annotated_apt.jsonl", "line": 3506, "text_preview": "Adversaries may use steganographic techniques to hide command and control traffi" }, { "file": "llm_annotated_apt.jsonl", "line": 3512, "text_preview": "Adversaries may environmentally key payloads or other features of malware to eva" }, { "file": "llm_annotated_apt.jsonl", "line": 3513, "text_preview": "Adversaries may use fallback or alternate communication channels if the primary " }, { "file": "llm_annotated_apt.jsonl", "line": 3515, "text_preview": "Adversaries may use NTFS file attributes to hide their malicious data in order t" }, { "file": "llm_annotated_apt.jsonl", "line": 3517, "text_preview": "Every New Technology File System (NTFS) formatted partition contains a Master Fi" }, { "file": "llm_annotated_apt.jsonl", "line": 3524, "text_preview": "Adversaries may buy, steal, or download exploits that can be used during targeti" }, { "file": "llm_annotated_apt.jsonl", "line": 3534, "text_preview": "Adversaries may communicate using a custom command and control protocol instead " }, { "file": "llm_annotated_apt.jsonl", "line": 3537, "text_preview": "Adversaries may add junk data to protocols used for command and control to make " }, { "file": "llm_annotated_apt.jsonl", "line": 3544, "text_preview": "Adversaries may use Patch System Image to hard code a password in the operating " }, { "file": "llm_annotated_apt.jsonl", "line": 3547, "text_preview": "Adversaries may steal data by exfiltrating it over an un-encrypted network proto" }, { "file": "llm_annotated_apt.jsonl", "line": 3550, "text_preview": "Adversaries may install an older version of the operating system of a network de" }, { "file": "llm_annotated_apt.jsonl", "line": 3551, "text_preview": "Adversaries may obtain and abuse credentials of a local account as a means of ga" }, { "file": "llm_annotated_apt.jsonl", "line": 3552, "text_preview": "Adversaries may gain initial access to target systems by connecting to wireless " }, { "file": "llm_annotated_apt.jsonl", "line": 3553, "text_preview": "Adversaries may exploit a system or application vulnerability to bypass security" }, { "file": "llm_annotated_apt.jsonl", "line": 3612, "text_preview": "* Print Friendly & PDF" }, { "file": "llm_annotated_apt.jsonl", "line": 3647, "text_preview": "Anonymous 64 is a group accused by China's national security ministry of attempt" }, { "file": "llm_annotated_apt.jsonl", "line": 3654, "text_preview": "According to 360 TIC the actor has carried out continuous cyber espionage activi" }, { "file": "llm_annotated_apt.jsonl", "line": 3656, "text_preview": "As reported by ZDNet, Chinese cyber-security vendor Qihoo 360 published a report" }, { "file": "llm_annotated_apt.jsonl", "line": 3658, "text_preview": "PLA Unit 61398 (Chinese: 61398\u90e8\u961f, Pinyin: 61398 b\u00f9du\u00ec) is the Military Unit Cove" }, { "file": "llm_annotated_apt.jsonl", "line": 3666, "text_preview": "Adversary group targeting financial, technology, non-profit organisations." }, { "file": "llm_annotated_apt.jsonl", "line": 3671, "text_preview": "The Pitty Tiger group has been active since at least 2011. They have been seen u" }, { "file": "llm_annotated_apt.jsonl", "line": 3672, "text_preview": "A China-based actor that targets foreign embassies to collect data on government" }, { "file": "llm_annotated_apt.jsonl", "line": 3685, "text_preview": "Iranian state-sponsored cyber espionage group tasked with conducting information" }, { "file": "llm_annotated_apt.jsonl", "line": 3698, "text_preview": "Adversary group targeting diplomatic missions and governmental organisations." }, { "file": "llm_annotated_apt.jsonl", "line": 3699, "text_preview": "The group\u2019s existence came to light during Context\u2019s investigation of a number o" }, { "file": "llm_annotated_apt.jsonl", "line": 3734, "text_preview": "First observed activity in December 2013." }, { "file": "llm_annotated_apt.jsonl", "line": 3771, "text_preview": "A group of cyber actors utilizing infrastructure located in Iran have been condu" }, { "file": "llm_annotated_apt.jsonl", "line": 3799, "text_preview": "Cyber Anarchy Squad is a pro-Ukrainian hacktivist group known for targeting Russ" }, { "file": "llm_annotated_apt.jsonl", "line": 3807, "text_preview": "Operate since at least 2011, from several locations in China, with members in K" }, { "file": "llm_annotated_apt.jsonl", "line": 3824, "text_preview": "Desorden (Disorder in Spanish, previously known as ChaosCC), is a financially mo" }, { "file": "llm_annotated_apt.jsonl", "line": 3866, "text_preview": "A Russian group that collects intelligence on the energy industry." }, { "file": "llm_annotated_apt.jsonl", "line": 3885, "text_preview": "FIN is a group targeting financial assets including assets able to do financial " }, { "file": "llm_annotated_apt.jsonl", "line": 3886, "text_preview": "Groups targeting financial organizations or people with significant financial as" }, { "file": "llm_annotated_apt.jsonl", "line": 3893, "text_preview": "Activity: defense and aerospace sectors, also interested in targeting entities i" }, { "file": "llm_annotated_apt.jsonl", "line": 3894, "text_preview": "Adversary group targeting telecommunication and technology organizations." }, { "file": "llm_annotated_apt.jsonl", "line": 3905, "text_preview": "From November 2017 to October 2018, we attributed 14 campaigns to the GC threat " }, { "file": "llm_annotated_apt.jsonl", "line": 3906, "text_preview": "From November 2017 to October 2018, we attributed 14 campaigns to the GC threat " }, { "file": "llm_annotated_apt.jsonl", "line": 3910, "text_preview": "Cyber espionage is an issue whose time has come. In this second report from the " }, { "file": "llm_annotated_apt.jsonl", "line": 3965, "text_preview": "This threat actor targets Uighurs\u2014a minority ethnic group located primarily in n" }, { "file": "llm_annotated_apt.jsonl", "line": 3968, "text_preview": "The organization often uses important North Korean time nodes such as holidays a" }, { "file": "llm_annotated_apt.jsonl", "line": 3991, "text_preview": "Adversary group targeting diplomatic missions, governmental and military organis" }, { "file": "llm_annotated_apt.jsonl", "line": 4011, "text_preview": "A group targeting various countries using Denial of Services attacked." }, { "file": "llm_annotated_apt.jsonl", "line": 4012, "text_preview": "This threat actor targets South Korean think tanks, industry, nuclear power oper" }, { "file": "llm_annotated_apt.jsonl", "line": 4019, "text_preview": "An actor group conducting large-scale social engineering and extortion campaign " }, { "file": "llm_annotated_apt.jsonl", "line": 4032, "text_preview": "Linkc is a newly emerged ransomware group that operates an onion-based data leak" }, { "file": "llm_annotated_apt.jsonl", "line": 4045, "text_preview": "Earliest activity back to November 2008. An established group of cyber attackers" }, { "file": "llm_annotated_apt.jsonl", "line": 4079, "text_preview": "Network Battalion 65 is an hactivist group with ties to Anonymous, known for att" }, { "file": "llm_annotated_apt.jsonl", "line": 4094, "text_preview": "This threat actor targets the South Korean government, transportation, and energ" }, { "file": "llm_annotated_apt.jsonl", "line": 4096, "text_preview": "This threat actor targets critical infrastructure entities in the oil and gas se" }, { "file": "llm_annotated_apt.jsonl", "line": 4097, "text_preview": "Group targeting Indian Army or related assets in India, as well as activists and" }, { "file": "llm_annotated_apt.jsonl", "line": 4129, "text_preview": "Agonizing Serpens is an Iranian-linked APT group that has been active since 2020" }, { "file": "llm_annotated_apt.jsonl", "line": 4137, "text_preview": "A self-proclaimed hacktivist group that carried out attacks against Iranian rail" }, { "file": "llm_annotated_apt.jsonl", "line": 4182, "text_preview": "Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassie" }, { "file": "llm_annotated_apt.jsonl", "line": 4207, "text_preview": "This blog post discusses the technical details of a state-sponsored attack manip" }, { "file": "llm_annotated_apt.jsonl", "line": 4217, "text_preview": "This group's activity was first observed in November 2013. It leverages a bankin" }, { "file": "llm_annotated_apt.jsonl", "line": 4257, "text_preview": "This threat actor targets civil society groups and Emirati journalists, activist" }, { "file": "llm_annotated_apt.jsonl", "line": 4286, "text_preview": "CopyCop is a Russian covert influence network that has established over 300 fict" }, { "file": "llm_annotated_apt.jsonl", "line": 4308, "text_preview": "Persistent cybercrime threat actor targeting aviation, aerospace, transportation" }, { "file": "llm_annotated_apt.jsonl", "line": 4356, "text_preview": "This threat actor targets organizations in the finance, defense, aerospace, tech" }, { "file": "llm_annotated_apt.jsonl", "line": 4362, "text_preview": "While it is not clear exactly what the attacker is looking for, what is clear is" }, { "file": "llm_annotated_apt.jsonl", "line": 4368, "text_preview": "This threat actor targets organizations in the satellite communications, telecom" }, { "file": "llm_annotated_apt.jsonl", "line": 4377, "text_preview": "A group targeting dissident groups in China and at the boundaries." }, { "file": "llm_annotated_apt.jsonl", "line": 4389, "text_preview": "Vermin is a threat actor group linked to the Luhansk People\u2019s Republic and belie" }, { "file": "llm_annotated_apt.jsonl", "line": 4462, "text_preview": "suspected Russian espionage group." }, { "file": "llm_annotated_apt.jsonl", "line": 4469, "text_preview": "financially motivated threat actor operating from China" }, { "file": "llm_annotated_apt.jsonl", "line": 4473, "text_preview": "Adversary targeting manufacturing and industrial organizations." }, { "file": "llm_annotated_apt.jsonl", "line": 4479, "text_preview": "This threat actor compromises civil society groups the Chinese Communist Party v" }, { "file": "llm_annotated_apt.jsonl", "line": 4554, "text_preview": "This threat actor targets organizations in the satellite communications, telecom" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 195, "text_preview": "FruitFly is designed to spy on mac users ." }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 197, "text_preview": "This piece of malware steals the content of the user's keychain while maintainin" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 800, "text_preview": "Adversaries may encode data with a standard data encoding system to make the con" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 801, "text_preview": "Adversaries may embed payloads within other files to conceal malicious content f" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 803, "text_preview": "An adversary may revert changes made to a cloud instance after they have perform" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 807, "text_preview": "Adversaries may attempt to hide their file-based artifacts by writing them to sp" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 811, "text_preview": "Adversaries may purchase technical information about victims that can be used du" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 812, "text_preview": "Adversaries may attempt to dump credentials to obtain account login and credenti" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 814, "text_preview": "Adversaries may collect data related to managed devices from configuration repos" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 816, "text_preview": "Adversaries may attempt to cause a denial of service (DoS) by directly sending a" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 820, "text_preview": "Adversaries may obtain access to generative artificial intelligence tools, such " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 823, "text_preview": "An adversary may deface systems external to an organization in an attempt to del" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 825, "text_preview": "Adversaries may gather the victim's IP addresses that can be used during targeti" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 826, "text_preview": "Adversaries may launch a denial of service (DoS) attack targeting an endpoint's " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 844, "text_preview": "An adversary may compress or encrypt data that is collected prior to exfiltratio" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 845, "text_preview": "An adversary may attempt to modify a cloud account's compute service infrastruct" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 848, "text_preview": "Adversaries may attempt to discover group and permission settings. This informat" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 849, "text_preview": "Adversaries may target user email to collect sensitive information. Emails may c" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 853, "text_preview": "Adversaries may search websites owned by the victim for information that can be " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 857, "text_preview": "Adversaries may target resource intensive features of applications to cause a de" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 873, "text_preview": "Adversaries may use password cracking to attempt to recover usable credentials, " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 882, "text_preview": "Adversaries may develop malware and malware components that can be used during t" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 886, "text_preview": "Adversaries may attempt to hide artifacts associated with their behaviors to eva" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 889, "text_preview": "Adversaries may gather information about the victim's business tempo that can be" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 890, "text_preview": "Adversaries may communicate using publish/subscribe (pub/sub) application layer " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 891, "text_preview": "Adversaries may gather information about the victim's host hardware that can be " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 892, "text_preview": "Adversaries may deliver payloads to remote systems by adding content to shared s" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 895, "text_preview": "Adversaries may employ a known symmetric encryption algorithm to conceal command" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 900, "text_preview": "Adversaries may abuse netbooting to load an unauthorized network device operatin" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 906, "text_preview": "Adversaries may acquire information about vulnerabilities that can be used durin" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 909, "text_preview": "Adversaries may exploit software vulnerabilities that can cause an application o" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 917, "text_preview": "Adversaries may attempt to make a payload difficult to analyze by removing symbo" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 932, "text_preview": "Adversaries may modify systems in order to manipulate the data as it is accessed" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 935, "text_preview": "Adversaries may attempt to gather information about attached peripheral devices " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 937, "text_preview": "Adversaries may gather information about the victim's network topology that can " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 938, "text_preview": "Adversaries may create self-signed code signing certificates that can be used du" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 949, "text_preview": "Adversaries may gather information about the victim's network trust dependencies" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 954, "text_preview": "Adversaries may abuse software extensions to establish persistent access to vict" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 956, "text_preview": "Adversaries may manipulate hardware components in products prior to receipt by a" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 961, "text_preview": "Adversaries may compromise third-party Virtual Private Servers (VPSs) that can b" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 963, "text_preview": "Adversaries may reduce the level of effort required to decrypt data transmitted " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 970, "text_preview": "Adversaries may maliciously modify components of a victim environment in order t" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 972, "text_preview": "Adversaries may compromise email accounts that can be used during targeting. Adv" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 978, "text_preview": "Adversaries may search for common password storage locations to obtain user cred" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 984, "text_preview": "Adversaries may attempt to manipulate features of their artifacts to make them a" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 991, "text_preview": "Adversaries may inject code into processes in order to evade process-based defen" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 993, "text_preview": "Adversaries may use traffic signaling to hide open ports or other malicious func" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1004, "text_preview": "Adversaries may create or modify shortcuts that can execute a program during sys" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1008, "text_preview": "Adversaries may employ various time-based methods to detect virtualization and a" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1017, "text_preview": "Adversaries may bridge network boundaries by modifying a network device\u2019s Networ" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1022, "text_preview": "Adversaries may search private data from threat intelligence vendors for informa" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1023, "text_preview": "Adversaries may attempt to exfiltrate data over a different network medium than " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1025, "text_preview": "Adversaries may gather information about the victim's identity that can be used " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1027, "text_preview": "An adversary may compress and/or encrypt data that is collected prior to exfiltr" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1031, "text_preview": "Adversaries may communicate using application layer protocols associated with el" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1033, "text_preview": "Adversaries may scan victims for vulnerabilities that can be used during targeti" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1035, "text_preview": "Adversaries may search freely available technical databases for information abou" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1046, "text_preview": "Adversaries may modify visual content available internally or externally to an e" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1051, "text_preview": "Adversaries may use binary padding to add junk data and change the on-disk repre" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1056, "text_preview": "Adversaries may buy, lease, rent, or obtain physical servers\u00a0that can be used du" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1058, "text_preview": "Adversaries may attempt to exfiltrate data over Bluetooth rather than the comman" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1061, "text_preview": "Adversaries may establish persistence by executing malicious content triggered b" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1066, "text_preview": "Adversaries can perform command and control between compromised hosts on potenti" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1068, "text_preview": "Adversaries may create email accounts that can be used during targeting. Adversa" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1073, "text_preview": "Adversaries may execute active reconnaissance scans to gather information that c" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1074, "text_preview": "Adversaries may use junk code / dead code to obfuscate a malware\u2019s functionality" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1075, "text_preview": "Adversaries may circumvent mechanisms designed to control elevate privileges to " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1076, "text_preview": "Adversaries may create a new process with an existing token to escalate privileg" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1082, "text_preview": "Adversaries may install code on externally facing portals, such as a VPN login p" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1084, "text_preview": "Adversaries may use voice communications to elicit sensitive information that ca" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1088, "text_preview": "Adversaries may gather information about the victim's network security appliance" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1091, "text_preview": "Adversaries may use search engines to collect information about victims that can" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1092, "text_preview": "Adversaries may gather information about the victim's business relationships tha" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1097, "text_preview": "An adversary may delete a cloud instance after they have performed malicious act" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1101, "text_preview": "Adversaries may leverage the network bandwidth resources of co-opted systems to " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1109, "text_preview": "Adversaries may gather employee names that can be used during targeting. Employe" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1113, "text_preview": "Adversaries may exfiltrate data, such as sensitive documents, through the use of" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1114, "text_preview": "Adversaries may gather information about the victim's client configurations that" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1115, "text_preview": "Adversaries may disable or modify a firewall within a cloud environment to bypas" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1118, "text_preview": "Adversaries may buy, steal, or download malware that can be used during targetin" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1121, "text_preview": "Adversaries may delete or modify artifacts generated within systems to remove ev" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1124, "text_preview": "Adversaries may rent Virtual Private Servers (VPSs)\u00a0that can be used during targ" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1129, "text_preview": "Adversaries may dynamically establish connections to command and control infrast" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1134, "text_preview": "Adversaries may use `JamPlus` to proxy the execution of a malicious script. `Jam" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1143, "text_preview": "Adversaries disable a network device\u2019s dedicated hardware encryption, which may " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1167, "text_preview": "Adversaries may forge web cookies that can be used to gain access to web applica" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1169, "text_preview": "Adversaries may duplicate then impersonate another user's existing token to esca" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1172, "text_preview": "Adversaries may use port knocking to hide open ports used for persistence or com" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1179, "text_preview": "An adversary may deface systems internal to an organization in an attempt to int" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1181, "text_preview": "Adversaries may make new tokens and impersonate users to escalate privileges and" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1189, "text_preview": "Adversaries may search content delivery network (CDN) data about victims that ca" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1190, "text_preview": "Adversaries may employ various user activity checks to detect and avoid virtuali" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1194, "text_preview": "Adversaries may steal data by exfiltrating it over an existing command and contr" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1196, "text_preview": "Adversaries may gather information about the victim's organization that can be u" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1203, "text_preview": "Adversaries may inject malicious code into processes via VDSO hijacking in order" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1205, "text_preview": "Adversaries may intentionally exclude certain files, folders, directories, file " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1209, "text_preview": "Adversaries may gather information about the victim's networks that can be used " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1217, "text_preview": "Adversaries may search freely available websites and/or domains for information " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1218, "text_preview": "Adversaries may disable network device-based firewall mechanisms entirely or add" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1219, "text_preview": "Adversaries may manipulate accounts to maintain and/or elevate access to victim " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1225, "text_preview": "Adversaries may attempt to exfiltrate data over a USB connected physical device." }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1227, "text_preview": "Adversaries may search and gather information about victims from closed (e.g., p" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1229, "text_preview": "Adversaries may send phishing messages to gain access to victim systems. All for" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1240, "text_preview": "Adversaries may insert, delete, or manipulate data in order to influence externa" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1242, "text_preview": "Adversaries may obfuscate command and control traffic to make it more difficult " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1245, "text_preview": "Adversaries may make changes to the operating system of embedded network devices" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1249, "text_preview": "Adversaries may remove indicators from tools if they believe their malicious too" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1264, "text_preview": "Adversaries may attempt to mimic features of valid code signatures to increase t" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1266, "text_preview": "Adversaries may utilize polymorphic code (also known as metamorphic or mutating " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1268, "text_preview": "Adversaries may establish persistence and/or elevate privileges using system mec" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1272, "text_preview": "Adversaries may bridge network boundaries by compromising perimeter network devi" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1276, "text_preview": "Adversaries may gather information about the victim's host firmware that can be " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1277, "text_preview": "Adversaries may employ an encryption algorithm to conceal command and control tr" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1280, "text_preview": "Adversaries may exfiltrate data to text storage sites instead of their primary c" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1281, "text_preview": "Adversaries may gather information about the victim's host software that can be " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1285, "text_preview": "Adversaries may search social media for information about victims that can be us" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1289, "text_preview": "Adversaries may manipulate application software prior to receipt by a final cons" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1290, "text_preview": "Adversaries may rename legitimate / system utilities to try to evade security me" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1293, "text_preview": "Adversaries may iteratively probe infrastructure using brute-forcing and crawlin" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1311, "text_preview": "An adversary may exfiltrate data in fixed size chunks instead of whole files or " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1312, "text_preview": "Adversaries can use stolen session cookies to authenticate to web applications a" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1324, "text_preview": "Adversaries may impersonate a trusted person or organization in order to persuad" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1325, "text_preview": "Adversaries may modify settings that directly affect the size, locations, and re" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1327, "text_preview": "Adversaries may poison Address Resolution Protocol (ARP) caches to position them" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1334, "text_preview": "Adversaries may gather information about identities and roles within the victim " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1335, "text_preview": "Adversaries may encode data to make the content of command and control traffic m" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1337, "text_preview": "Adversaries may send phishing messages to elicit sensitive information that can " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1352, "text_preview": "Adversaries may purchase or otherwise acquire an existing access to a target sys" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1360, "text_preview": "Adversaries may physically introduce computer accessories, networking hardware, " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1362, "text_preview": "Adversaries may abuse legitimate extensible development features of servers to e" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1375, "text_preview": "Adversaries may scan victim IP blocks to gather information that can be used dur" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1379, "text_preview": "Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smar" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1386, "text_preview": "Adversaries who successfully compromise a system may attempt to maintain persist" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1388, "text_preview": "Adversaries may create an account to maintain access to victim systems. With a s" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1390, "text_preview": "Adversaries may compromise third-party servers that can be used during targeting" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1397, "text_preview": "Adversaries may attempt to get a listing of software and software versions that " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1405, "text_preview": "Adversaries may attempt to exfiltrate data via a physical medium, such as a remo" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1409, "text_preview": "Adversaries may buy and/or steal code signing certificates that can be used duri" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1412, "text_preview": "Adversaries may inject malicious code into processes via ptrace (process trace) " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1418, "text_preview": "Adversaries may manipulate network traffic in order to hide and evade detection " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1421, "text_preview": "Adversaries may search within public scan databases for information about victim" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1424, "text_preview": "Adversaries may gather the victim's physical location(s) that can be used during" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1426, "text_preview": "Adversaries may build capabilities that can be used during targeting. Rather tha" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1429, "text_preview": "Adversaries may use steganographic techniques to hide command and control traffi" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1430, "text_preview": "An adversary may rely upon a user clicking a malicious link in order to gain exe" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1435, "text_preview": "Adversaries may environmentally key payloads or other features of malware to eva" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1436, "text_preview": "Adversaries may use fallback or alternate communication channels if the primary " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1438, "text_preview": "Adversaries may use NTFS file attributes to hide their malicious data in order t" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1455, "text_preview": "Adversaries may add junk data to protocols used for command and control to make " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1461, "text_preview": "Adversaries may use Patch System Image to hard code a password in the operating " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1467, "text_preview": "Adversaries may install an older version of the operating system of a network de" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1470, "text_preview": "Adversaries may exploit a system or application vulnerability to bypass security" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1770, "text_preview": "Adversaries may circumvent mechanisms designed to control elevated privileges to" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1773, "text_preview": "Adversaries may delete, alter, or hide generated artifacts on a device, includin" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1775, "text_preview": "Adversaries may exploit the lack of authentication in signaling system network n" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1776, "text_preview": "Adversaries may match or approximate the name or location of legitimate files or" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1779, "text_preview": "Adversaries may attempt to get a listing of applications that are installed on a" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1782, "text_preview": "Adversaries may attempt to get a listing of security applications and configurat" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1783, "text_preview": "Adversaries may inject malicious code into processes via ptrace (process trace) " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1784, "text_preview": "Adversaries may maliciously modify components of a victim environment in order t" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1789, "text_preview": "Adversaries may attempt to avoid detection by hiding malicious behavior from the" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1790, "text_preview": "Adversaries may employ various means to detect and avoid virtualization and anal" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1795, "text_preview": "Adversaries may dynamically establish connections to command and control infrast" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1796, "text_preview": "Adversaries may attempt to get a listing of services running on remote hosts, in" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1797, "text_preview": "Adversaries may steal data by exfiltrating it over an existing command and contr" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1800, "text_preview": "Adversaries may make, forward, or block phone calls without user authorization. " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1807, "text_preview": "Adversaries may use execution guardrails to constrain execution or actions based" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1809, "text_preview": "Adversaries may modify system software binaries to establish persistent access t" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1810, "text_preview": "Adversaries may perform software packing to conceal their code. Software packing" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1817, "text_preview": "Adversaries may execute their own malicious payloads by hijacking the way operat" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1821, "text_preview": "Adversaries may exploit software vulnerabilities to gain initial access to a mob" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1822, "text_preview": "Adversaries may employ various system checks to detect and avoid virtualization " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1826, "text_preview": "Adversaries may manipulate products or product delivery mechanisms prior to rece" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1827, "text_preview": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensit" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1828, "text_preview": "Adversaries may undermine security controls that will either warn users of untru" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1833, "text_preview": "Adversaries may manipulate application software prior to receipt by a final cons" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1838, "text_preview": "Adversaries may destroy data and files on specific devices or in large numbers t" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1840, "text_preview": "Adversaries may gain access to mobile devices through transfers or swaps from vi" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1841, "text_preview": "Adversaries may use methods of capturing user input to obtain credentials or col" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1843, "text_preview": "An adversary could use knowledge of the techniques used by security software to " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1848, "text_preview": "Adversaries may delete, alter, or send SMS messages without user authorization. " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1850, "text_preview": "Adversaries may employ a known symmetric encryption algorithm to conceal command" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1852, "text_preview": "Adversaries may manipulate hardware components in products prior to receipt by a" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1854, "text_preview": "Adversaries may insert, delete, or alter data in order to manipulate external ou" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1858, "text_preview": "Adversaries may search common password storage locations to obtain user credenti" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1859, "text_preview": "Adversaries may utilize hooking to hide the presence of artifacts associated wit" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1863, "text_preview": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or bl" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1865, "text_preview": "Adversaries may establish persistence using system mechanisms that trigger execu" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1869, "text_preview": "An adversary may encrypt files stored on a mobile device to prevent the user fro" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1872, "text_preview": "Adversaries may send malicious content to users in order to gain access to their" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1877, "text_preview": "Adversaries may interrupt availability of system and network resources by inhibi" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1879, "text_preview": "Adversaries may compress and/or encrypt data that is collected prior to exfiltra" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1884, "text_preview": "Adversaries may explicitly employ a known encryption algorithm to conceal comman" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1886, "text_preview": "Adversaries may attempt to manipulate features of their artifacts to make them a" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1887, "text_preview": "Adversaries may use steganography techniques in order to prevent the detection o" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1888, "text_preview": "Adversaries may attempt to hide artifacts associated with their behaviors to eva" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1890, "text_preview": "Adversaries may use Domain Generation Algorithms (DGAs) to procedurally generate" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1900, "text_preview": "Adversaries may block a command message from reaching its intended target to pre" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1901, "text_preview": "Adversaries may stop or disable services on a system to render those services un" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1902, "text_preview": "Adversaries may modify parameters used to instruct industrial control system dev" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1903, "text_preview": "Adversaries may modify the tasking of a controller to allow for the execution of" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1904, "text_preview": "Adversaries may seek to capture radio frequency (RF) communication used for remo" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1905, "text_preview": "Adversaries may cause a sustained or permanent loss of view where the ICS equipm" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1906, "text_preview": "Adversaries may activate firmware update mode on devices to prevent expected res" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1907, "text_preview": "Adversaries may manipulate physical process control within the industrial enviro" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1912, "text_preview": "Adversaries may collect point and tag values to gain a more comprehensive unders" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1913, "text_preview": "Adversaries may forcibly restart or shutdown a device in an ICS environment to d" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1917, "text_preview": "Adversaries may target protection function alarms to prevent them from notifying" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1918, "text_preview": "Adversaries may gather information about a PLCs or controllers current operating" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1919, "text_preview": "Adversaries may compromise protective system functions designed to prevent the e" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1920, "text_preview": "Adversaries may gather information about the physical process state. This inform" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1923, "text_preview": "Adversaries may attempt to upload a program from a PLC to gather information abo" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1924, "text_preview": "Adversaries may leverage weaknesses to exploit internet-facing software for init" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1925, "text_preview": "Adversaries may target and collect data from information repositories. This can " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1926, "text_preview": "Adversaries may target devices that are transient across ICS networks and extern" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1927, "text_preview": "Adversaries may manipulate the I/O image of PLCs through various means to preven" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1931, "text_preview": "Adversaries may block or prevent a reporting message from reaching its intended " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1932, "text_preview": "Adversaries may send unauthorized command messages to instruct control system as" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1934, "text_preview": "Adversaries may attempt to manipulate the information reported back to operators" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1935, "text_preview": "Adversaries may attempt to remove indicators of their presence on a system in an" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1937, "text_preview": "Adversaries may cause a denial of view in attempt to disrupt and prevent operato" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1938, "text_preview": "Adversaries may attempt to leverage Application Program Interfaces (APIs) used f" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1940, "text_preview": "Adversaries may compromise safety system functions designed to maintain safe ope" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1941, "text_preview": "Adversaries may cause loss of productivity and revenue through disruption and ev" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1942, "text_preview": "Adversaries may use a spearphishing attachment, a variant of spearphishing, as a" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1943, "text_preview": "Adversaries may leverage AutoRun functionality or scripts to execute malicious c" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1946, "text_preview": "Adversaries may spoof reporting messages in control system environments for evas" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1947, "text_preview": "Adversaries may exploit a software vulnerability to take advantage of a programm" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1948, "text_preview": "Adversaries may leverage manufacturer or supplier set default credentials on con" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1950, "text_preview": "Adversaries may repetitively or successively change I/O point values to perform " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1951, "text_preview": "Adversaries with privileged network access may seek to modify network traffic in" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1952, "text_preview": "Adversaries may exploit a software vulnerability to take advantage of a programm" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1956, "text_preview": "Adversaries may setup a rogue master to leverage control server functions to com" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1958, "text_preview": "Adversaries may attempt to disrupt essential components or systems to prevent ow" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1959, "text_preview": "Adversaries may steal operational information on a production environment as a d" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1960, "text_preview": "System firmware on modern assets is often designed with an update feature. Older" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1964, "text_preview": "Adversaries may attempt to perform screen capture of devices in the control syst" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1966, "text_preview": "Adversaries may steal the credentials of a specific user or service account usin" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1968, "text_preview": "Adversaries may attempt to get a listing of other systems by IP address, hostnam" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1969, "text_preview": "Adversaries may use a connection proxy to direct network traffic between systems" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1973, "text_preview": "Adversaries may modify alarm settings to prevent alerts that may inform operator" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1976, "text_preview": "Adversaries may perform network connection enumeration to discover information a" }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1980, "text_preview": "Adversaries may target and collect data from local system sources, such as file " }, { "file": "llm_annotated_mitre_v2.jsonl", "line": 1981, "text_preview": "Adversaries may modify software and device credentials to prevent operator and r" }, { "file": "llm_annotated_news.jsonl", "line": 11, "text_preview": "Over 200 organizations and 5,000 consumer devices were affected, with peak activ" }, { "file": "llm_annotated_news.jsonl", "line": 23, "text_preview": "The exfiltration tool supports five simultaneous connections per file for accele" }, { "file": "llm_annotated_news.jsonl", "line": 30, "text_preview": "Security agencies from the US, Australia, Canada, Germany, Japan, Netherlands, N" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 66, "text_preview": "This vulnerability allows local attackers to disclose sensitive information on a" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 78, "text_preview": "XWiki Platform Web Templates are templates for XWiki Platform, a generic wiki pl" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 96, "text_preview": "GraphQL Playground (graphql-playground-html NPM package) before version 1.6.22 h" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 104, "text_preview": "OpenSearch Data Prepper is a component of the OpenSearch project that accepts, f" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 120, "text_preview": "OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Ga" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 128, "text_preview": "A vulnerability has been identified in LOGO! 12/24RCE (6ED1052-1MD08-0BA1) (All " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 137, "text_preview": "A vulnerability has been identified in SIMATIC Reader RF610R CMIIT (6GT2811-6BC1" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 190, "text_preview": "Pterodactyl is a free, open-source game server management panel. Pterodactyl imp" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 200, "text_preview": "n8n is an open source workflow automation platform. Prior to versions 2.4.0 and " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 222, "text_preview": "A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal s" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 226, "text_preview": "This vulnerability allows local attackers to disclose sensitive information on a" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 227, "text_preview": "n8n is an open source workflow automation platform. Prior to version 2.5.0, when" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 234, "text_preview": "Missing Authentication for Critical Function in the Bosch Video Streaming Gatewa" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 238, "text_preview": "A res_pjsip_session crash was discovered in Asterisk Open Source 13.x before 13." }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 257, "text_preview": "Grav Admin Plugin is an HTML user interface that provides a way to configure Gra" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 262, "text_preview": "Statamic is a, Laravel + Git powered CMS designed for building websites. In affe" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 289, "text_preview": "Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to v" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 363, "text_preview": "Piccolo is an ORM and query builder which supports asyncio. In versions 0.120.0 " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 373, "text_preview": "OliveTin gives access to predefined shell commands from a web interface. In vers" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 390, "text_preview": "Electron is a framework for writing cross-platform desktop applications using Ja" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 424, "text_preview": "This vulnerability allows remote attackers to execute arbitrary code on affected" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 445, "text_preview": "Miniflux is a feed reader. Since v2.0.25, Miniflux will automatically proxy imag" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 453, "text_preview": "A vulnerability has been identified in RUGGEDCOM i800, RUGGEDCOM i800NC, RUGGEDC" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 455, "text_preview": "A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM0" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 467, "text_preview": "libspdm is a sample implementation that follows the DMTF SPDM specifications. A " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 515, "text_preview": "In the DES implementation, the affected product versions use a default key for e" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 519, "text_preview": "Decidim is a participatory democracy framework. Starting in version 0.0.1 and pr" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 535, "text_preview": "In ISC DHCP 4.1-ESV-R1 -> 4.1-ESV-R16, ISC DHCP 4.4.0 -> 4.4.2 (Other branches o" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 541, "text_preview": "Issue summary: Applications using RSASVE key encapsulation to establish\na secret" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 564, "text_preview": "Pax Technology PAXSTORE v7.0.8_20200511171508 and lower is affected by a token s" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 566, "text_preview": "This is a concurrency issue that can result in the wrong caller principal being " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 568, "text_preview": "Within the Umbraco CMS, a configuration element named \"UmbracoApplicationUrl\" (o" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 572, "text_preview": "In affected versions of TensorFlow under certain cases, loading a saved model ca" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 627, "text_preview": "Ratpack is a toolkit for creating web applications. In versions prior to 1.9.0, " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 631, "text_preview": "This vulnerability allows local attackers to escalate privileges on affected ins" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 648, "text_preview": "A vulnerability has been identified in SIMATIC Automation Tool (All versions < V" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 683, "text_preview": "OpenZeppelin Contracts is a library for secure smart contract development. Start" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 709, "text_preview": "osquery is a SQL powered operating system instrumentation, monitoring, and analy" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 710, "text_preview": "Mastodon is a free, open-source social network server based on ActivityPub. When" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 718, "text_preview": "Flarum is a forum software for building communities. Flarum's translation system" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 720, "text_preview": "Nuclei is a vulnerability scanner. Prior to version 2.9.9, a security issue in t" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 737, "text_preview": "This vulnerability allows remote attackers to execute arbitrary code on affected" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 763, "text_preview": "OpenProject is an open-source, web-based project management software. In the new" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 799, "text_preview": "This affects all versions of package uvicorn. The request logger provided by the" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 802, "text_preview": "HVM soft-reset crashes toolstack libxl requires all data structures passed acros" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 822, "text_preview": "Expr is an expression language and expression evaluation for Go. Prior to versio" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 863, "text_preview": "Sylius is an Open Source eCommerce Framework on Symfony. CurrencySwitchControlle" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 908, "text_preview": "This vulnerability allows remote attackers to execute arbitrary code on affected" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 911, "text_preview": "Vault Key Sealed With SHA1 PCRs\n\n\n\n\n\n\nThe measured boot solution implemented in " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 913, "text_preview": "Langfuse is an open source large language model engineering platform. Starting i" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 920, "text_preview": "nLight ECLYPSE (nECY) system Controllers running software prior to 1.17.21245.75" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 927, "text_preview": "n8n is an open source workflow automation platform. Prior to version 2.8.0, when" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 961, "text_preview": "The imgcrypt library provides API exensions for containerd to support encrypted " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 964, "text_preview": "H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 998, "text_preview": "FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformati" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1009, "text_preview": "XWiki Platform is a generic wiki platform offering runtime services for applicat" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1018, "text_preview": "This vulnerability allows remote attackers to disclose sensitive information on " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1022, "text_preview": "Nextcloud is an open-source, self-hosted productivity platform. Prior to version" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1029, "text_preview": "This vulnerability allows local attackers to escalate privileges on affected ins" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1066, "text_preview": "Graylog before 3.3.3 lacks SSL Certificate Validation for LDAP servers. It allow" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1084, "text_preview": "A vulnerability has been identified in Industrial Edge Device Kit - arm64 V1.17 " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1093, "text_preview": "PLANKA 2.0.0 lacks X-Frame-Options and CSP frame-ancestors headers, allowing the" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1101, "text_preview": "Nextcloud Text is an open source plaintext editing application which ships with " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1104, "text_preview": "Mastodon is a free, open-source social network server based on ActivityPub. Prio" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1114, "text_preview": "In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1136, "text_preview": "matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. I" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1156, "text_preview": "Metabase is an open source business analytics engine. To edit SQL Snippets, Meta" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1180, "text_preview": "This vulnerability allows local attackers to escalate privileges on affected ins" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1186, "text_preview": "Soft Serve is a self-hostable Git server for the command line. Prior to version " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1213, "text_preview": "Incorrect Authorization vulnerability in Micro Focus Container Deployment Founda" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1227, "text_preview": "EspoCRM is an open source customer relationship management application. Versions" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1270, "text_preview": "RISC Zero is a zero-knowledge verifiable general computing platform, with Ethere" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1278, "text_preview": "soroban-sdk is a Rust SDK for Soroban contracts. Prior to versions 22.0.10, 23.5" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1292, "text_preview": "A vulnerability has been identified in RUGGEDCOM i800 (All versions < V4.3.8), R" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1303, "text_preview": "A vulnerability has been identified in SCALANCE X200-4P IRT (All versions < V5.5" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1352, "text_preview": "DataHub is an open-source metadata platform. The HMAC signature for DataHub Fron" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1382, "text_preview": "In django-basic-auth-ip-whitelist before 0.3.4, a potential timing attack exists" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1383, "text_preview": "Silverstripe Admin provides a basic management interface for the Silverstripe Fr" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1388, "text_preview": "immich is a high performance self-hosted photo and video management solution. Pr" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1394, "text_preview": "Discourse is an open source discussion platform. Prior to versions 2025.12.2, 20" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1426, "text_preview": "Pydio Cells 2.0.4 web application offers an administrative console named \u201cCells " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1428, "text_preview": "This vulnerability allows remote atackers to execute arbitrary code on affected " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1429, "text_preview": "PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueB" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1450, "text_preview": "Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable t" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1458, "text_preview": "An issue was discovered where there are multiple externally accessible pages tha" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1463, "text_preview": "OpenProject is an open-source, web-based project management software. To enable " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1504, "text_preview": "Decidim is a participatory democracy framework. Starting in version 0.4.rc3 and " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1514, "text_preview": "This vulnerability allows remote attackers to disclose sensitive information on " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1548, "text_preview": "Icinga is a monitoring system which checks the availability of network resources" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1565, "text_preview": "In BookStack before version 0.30.4, a user with permissions to edit a page could" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1569, "text_preview": "Raspberry Pi 3 B+ and 4 B devices through 2021-08-09, in certain specific use ca" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1580, "text_preview": "The Web server component of TIBCO Software Inc.'s TIBCO EBX, TIBCO EBX, TIBCO EB" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1588, "text_preview": "The evm crate is a pure Rust implementation of Ethereum Virtual Machine. In `evm" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1606, "text_preview": "A vulnerability has been identified in Cerberus PRO EN Engineering Tool (All ver" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1621, "text_preview": "This vulnerability allows local attackers to escalate privileges on affected ins" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1627, "text_preview": "Discourse is an open source discussion platform. Discourse groups can be configu" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1693, "text_preview": "TensorFlow is an open source platform for machine learning. In affected versions" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1696, "text_preview": "Hyperledger Fabric is an open source permissioned distributed ledger framework. " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1718, "text_preview": "js-stellar-sdk is a Javascript library for communicating with a Stellar Horizon " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1724, "text_preview": "A vulnerability has been identified in IEC 1Ph 7.4kW Child socket (8EM1310-2EH04" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1753, "text_preview": "This vulnerability allows local attackers to disclose sensitive information on a" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1769, "text_preview": "Puppet Server and PuppetDB provide useful performance and debugging information " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1802, "text_preview": "Synapse is a Matrix reference homeserver written in python (pypi package matrix-" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1803, "text_preview": "django-filter is a generic system for filtering Django QuerySets based on user s" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1812, "text_preview": "FastAPI Api Key provides a backend-agnostic library that provides an API key sys" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1816, "text_preview": "Saml2 Authentication services for ASP.NET (NuGet package Sustainsys.Saml2) great" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1837, "text_preview": "solidus_auth_devise provides authentication services for the Solidus webstore fr" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1841, "text_preview": "A vulnerability has been identified in SCALANCE X302-7 EEC (230V), SCALANCE X302" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1882, "text_preview": "A buffer length validation vulnerability in Asylo versions prior to 0.6.0 allows" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1909, "text_preview": "A vulnerability has been identified in SCALANCE X302-7 EEC (230V), SCALANCE X302" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1924, "text_preview": "In Anchore Engine version 0.7.0, a specially crafted container image manifest, f" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1935, "text_preview": "A flaw in the binding process of Govee\u2019s cloud platform and devices allows a rem" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1954, "text_preview": "A vulnerability has been identified in SINUMERIK Analyse MyCondition (All versio" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1957, "text_preview": "Artifact Hub is a web-based application that enables finding, installing, and pu" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1959, "text_preview": "Parse Server is an open source backend server. In affected versions the Parse Cl" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 1980, "text_preview": "Buffer over-reads were discovered in the CoAP library in Arm Mbed OS 5.15.3. The" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2016, "text_preview": "This vulnerability allows remote attackers to execute arbitrary code on affected" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2026, "text_preview": "BuildKit is a toolkit for converting source code to build artifacts in an effici" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2032, "text_preview": "Spin is an open source developer tool for building and running serverless applic" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2036, "text_preview": "Jetty is a java based web server and servlet engine. In affected versions servle" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2039, "text_preview": "Syft is a a CLI tool and Go library for generating a Software Bill of Materials " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2040, "text_preview": "A vulnerability exists in a SDM600 endpoint.\nAn attacker could exploit this vuln" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2052, "text_preview": "Arduino App Lab is a cross-platform IDE for developing Arduino Apps. Prior to 0." }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2060, "text_preview": "Internet Routing Registry daemon version 4 is an IRR database server, processing" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2063, "text_preview": "This vulnerability allows remote attackers to execute arbitrary code on affected" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2125, "text_preview": "DES cipher, which has inadequate encryption strength, is used Hitachi Energy FOX" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2126, "text_preview": "Matrix JavaScript SDK is the Matrix Client-Server software development kit (SDK)" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2150, "text_preview": "This vulnerability allows remote attackers to execute arbitrary code on affected" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2153, "text_preview": "Wasmtime is a standalone runtime for WebAssembly. In affected versions wasmtime'" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2158, "text_preview": "Envoy is an open source edge and service proxy designed for cloud-native applica" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2160, "text_preview": "OpenTelemetry-Go Contrib is a collection of third-party packages for OpenTelemet" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2170, "text_preview": "@fastify/passport is a port of passport authentication library for the Fastify e" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2204, "text_preview": "The Omron SYSMAC Cx product family PLCs (CS series, CJ series, and CP series) th" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2222, "text_preview": "Matrix Javascript SDK is the Matrix Client-Server SDK for JavaScript. Prior to v" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2241, "text_preview": "Angular is a development platform for building mobile and desktop web applicatio" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2244, "text_preview": "ZITADEL is an open source identity management platform. Starting in version 2.50" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2246, "text_preview": "Insertion of Sensitive Information into Log File vulnerability in Hitachi Virtua" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2258, "text_preview": "A vulnerability has been identified in SCALANCE X302-7 EEC (230V), SCALANCE X302" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2276, "text_preview": "Kirby is an open source CMS. An editor with write access to the Kirby Panel can " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2281, "text_preview": "LogRhythm Platform Manager (PM) 7.4.9 has Incorrect Access Control. Users within" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2306, "text_preview": "The Notary Project is a set of specifications and tools intended to provide a cr" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2319, "text_preview": "GoCD is a continuous delivery server. GoCD helps you automate and streamline the" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2345, "text_preview": "A vulnerability exists in the SDM600 API web services authorization validation i" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2375, "text_preview": "Label Studio is an open source data labeling tool. In all current versions of La" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2379, "text_preview": "A vulnerability has been identified in RUGGEDCOM i800 (All versions), RUGGEDCOM " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2400, "text_preview": "vLLM, an inference and serving engine for large language models (LLMs), has an i" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2413, "text_preview": "Pterodactyl is a free, open-source game server management panel. When a user dis" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2416, "text_preview": "Ash Authentication is an authentication framework for Elixir applications. Appli" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2426, "text_preview": "This vulnerability allows local attackers to escalate privileges on affected ins" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2430, "text_preview": "A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM0" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2444, "text_preview": "Apereo CAS is an open source multilingual single sign-on solution for the web. A" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2514, "text_preview": "A vulnerability has been identified in SCALANCE SC622-2C (6GK5622-2GS00-2AC2) (A" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2527, "text_preview": "OpenSearch is an open source distributed and RESTful search engine. OpenSearch u" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2555, "text_preview": "The Trash Restore CSRF vulnerability in MuraCMS through 10.1.10 allows attackers" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2561, "text_preview": "Pannellum is a lightweight, free, and open source panorama viewer for the web. I" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2566, "text_preview": "anuko/timetracker is an, open source time tracking system. In affected versions " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2586, "text_preview": "TensorFlow is an open source platform for machine learning. In affected versions" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2588, "text_preview": "TensorFlow is an open source platform for machine learning. In affected versions" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2594, "text_preview": "This vulnerability allows remote attackers to execute arbitrary code on affected" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2628, "text_preview": "Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. In versi" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2662, "text_preview": "Kanboard is open source project management software that focuses on the Kanban m" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2665, "text_preview": "Open Neural Network Exchange (ONNX) is an open standard for machine learning int" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2699, "text_preview": "

An elevation of privilege vulnerability exists in the way that the Wininit.dl" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2741, "text_preview": "An issue was discovered in Squid before 4.13 and 5.x before 5.0.4. Due to incorr" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2812, "text_preview": "Use of a Broken or Risky Cryptographic Algorithm vulnerability in Air Conditioni" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2823, "text_preview": "CubeFS is an open-source cloud-native file storage system. A vulnerability was f" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2837, "text_preview": "Preact, a lightweight web development framework, JSON serialization protection t" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2853, "text_preview": "Fleet is open source device management software. In versions prior to 4.80.1, Fl" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2860, "text_preview": "Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operat" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2871, "text_preview": "Tenancy multi-tenant is an open source multi-domain controller for the Laravel w" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2907, "text_preview": "[Calendar01], [Calendar02], [PKOBO-News01], [PKOBO-vote01], [Telop01], [Gallery0" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2914, "text_preview": "A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions), " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2940, "text_preview": "Tremor is an event processing system for unstructured data. A vulnerability exis" }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2981, "text_preview": "The client in Northern.tech Mender 3.2.0, 3.2.1, and 3.2.2 has Incorrect Access " }, { "file": "llm_annotated_nvd_v2.jsonl", "line": 2992, "text_preview": "vyper is a Pythonic Smart Contract Language for the EVM. Multiple evaluation of " }, { "file": "llm_annotated_vendor_blogs.jsonl", "line": 35, "text_preview": "AI-driven localization is eroding language barriers, enabling threat actors to s" }, { "file": "llm_annotated_vendor_blogs.jsonl", "line": 37, "text_preview": "Commercial Surveillance Vendors now account for more zero-day exploits than trad" }, { "file": "llm_annotated_vendor_blogs.jsonl", "line": 45, "text_preview": "The time between initial access and secondary group handoff collapsed from over " } ], "parse_errors": [], "label_distribution": { "SYSTEM": 13085, "ORGANIZATION": 3734, "MALWARE": 7821, "TOOL": 3683, "VULNERABILITY": 7617, "THREAT_ACTOR": 4028, "CVE_ID": 1417, "URL": 3180, "HASH": 3322, "DOMAIN": 2658, "FILEPATH": 8012, "EMAIL": 2106, "IP_ADDRESS": 3994 }, "cross_file_dupes": [] }