new-prompt.json
3 lines (3 loc) · 2.42 KB
{
"prompt": "Translate natural language sentences into patterns.\n\nALLOWED_PATTERNS: ExistenceEventuallyOther\nALLOWED_SYMBOLS: T1548 (Abuse Elevation Control Mechanism), T1530 (Data From Cloud Storage), T1059 (code execution: Command and Scripting Interpreter), T1586 (Compromise account), T1078 (Valid Accounts), T1055 (Process Injection), T1135 (Network Share Discovery), T1133 (External Remote Service), T1552 (Unsecured Credentials), T1078 (Valid Accounts), T1048 (Exfiltration Over Alternative Protocol), T1610 (Deploy Container), T1566 (Phishing), T1621 (Multi-Factor Authentication Request Generation)\n\nNL: Attackers repeatedly tried to use the user's credentials which caused MFA to spam the user requesting access to the VPN. This leads to: Within the Uber environment, the user had access to a network share\nPATTERN: ExistenceEventuallyOther\nSYMBOLS: T1621, T1135\n\nNL: Attacker attempted to log in to the user's Uber VPN account but were blocked due to multi-factor authentication. This leads to: Attackers repeatedly tried to use the user's credentials which caused MFA to spam the user requesting access to the VPN\nPATTERN: ExistenceEventuallyOther\nSYMBOLS: T1078, T1621\n\nNL: The adversary logs into the Kubernetes console. This leads to: The adversary can view plaintext AWS keys in the Kubernetes console.\nPATTERN: ExistenceEventuallyOther\nSYMBOLS: T1133, T1552\n\nNL: The adversary logs into the Kubernetes console. This leads to: The adversary authenticates to AWS S3 using the discovered credentials.\nPATTERN: ExistenceEventuallyOther\nSYMBOLS: T1133, T1078\n\nNL: The adversary logs into the Kubernetes Console. This leads to: The adversary deploys a new container on the Kubernetes cluster\nPATTERN: ExistenceEventuallyOther\nSYMBOLS: T1133, T1610\n\nNL: Unknown malware was used to compromise the accounts/credentials of an external contractor. This leads to: Attacker attempted to log in to the user's Uber VPN account but were blocked due to multi-factor authentication.\nPATTERN: ExistenceEventuallyOther\nSYMBOLS: T1586, T1078\n\nNL: The adversary authenticates to AWS S3 using the discovered credentials. This leads to: The adversary can access data in private S3 buckets.\nPATTERN: ExistenceEventuallyOther\nSYMBOLS: T1078, T1530\n\nNL: The adversary has the ability to run executables with command-line arguments. This leads to: The adversary injecting DLLs into processes\nPATTERN: ExistenceEventuallyOther\nSYMBOLS: T1059, T1055"
}