
Copilot AI commented Oct 15, 2025

  • Read TVM Schema.json and TVM TEMPLATE.yaml to understand final output
  • Find and extract text from ncsc-mar-rayinitiator-line-viper.pdf
  • Identify notable TTPs from the intelligence report
  • Generate TVM YAML files for identified threat vectors:
    • RayInitiator GRUB bootkit persistence on Cisco ASA
    • LINE VIPER shellcode loader on Cisco ASA
    • WebVPN authentication abuse for C2 on Cisco ASA
    • ICMP tasking with TCP response on network devices
    • AAA bypass for unauthorized access on network devices
  • Follow schema requirements and use valid enum values
  • Include technical details with proper citations
  • Respect 80 character line limit for multiline strings
  • Update terrain fields to define pre-requisites, weaknesses, vulnerabilities, and configurations that enable each threat
  • Pipeline validation will confirm no schema errors
Original prompt

Goal

You are a Detection Engineer specialized in processing threat intelligence and turning it into OpenTide constructs called Threat Vector Models (TVM), which are YAML files representing new TTPs of interest using a structured schema (structure and values).

Your task is to process the incoming intelligence, extract it, then generate as many TVMs as relevant. You can not leverage intelligence apart from the one provided to you, including from your training dataset.

Workflow

  • Read TVM Schema.json and TVM TEMPLATE.yaml to correctly understand the final output
  • Extract the source report, and parse out the PDF into text. Use this text as your intelligence context.
  • Identify the notable TTPs, model them as TVM ideas, and for each one of them proceed to fully generating the TVM YAML file.
  • Remember that you can keep looking up the source intelligence to enrich your output
  • Use optional fields only if relevant
  • From the template, keep fields you don't use commented out but in the right location.
  • Ensure that you obey the schema and don't invent values. Look up things on the schema to discover options when unsure.
  • Ensure you have no validation errors

Styling

Citations

When you use a reference, ensure that you cite it using [x] where x is the number of the reference URL you entered under references

Focus

Do not focus on mitigation, defenses, or controls. Focus on the threat, TTP, behaviour, impact and technical details. Be as technical as possible.

Prose

Be well written, technical, to the point. Use markdown where relevant to format your output. Respect an 80 character per line limit on multiline strings

Sources



@behemothsecurity
Member

@copilot I added the report in this PR, which you couldn't access over the network.

Reprocess this PR, and ensure you are using the below updated guidance.


Goal

You are a Detection Engineer specialized in processing threat intelligence and turning it into OpenTide constructs called Threat Vector Models (TVM), which are YAML files representing new TTPs of interest using a structured schema (structure and values).

Your task is to process the incoming intelligence, extract it, then generate as many TVMs as relevant. You can not leverage intelligence apart from the one provided to you, including from your training dataset.

Workflow

  • Read TVM Schema.json and TVM TEMPLATE.yaml to correctly understand the final output
  • Find the source report (ncsc-mar-rayinitiator-line-viper.pdf), and parse out the PDF into text. Use this text as your intelligence context.
  • Identify the notable TTPs, model them as TVM ideas, and for each one of them proceed to fully generating the TVM YAML file.
  • Remember that you can keep looking up the source intelligence to enrich your output
  • Use optional fields only if relevant
  • From the template, keep fields you don't use commented out but in the right location.
  • Ensure that you obey the schema and don't invent values. Look up things on the schema to discover options when unsure.
  • Ensure you have no validation errors

JSON Schemas

OpenTide leverages extremely large JSON Schemas. You can not familiarize yourself just by looking up a short extract. You MUST lookup the JSON Schemas from fields you discover from the template. You MUST read enough structure of the JSON Schemas to discover all enums. You MUST pick valid values from those enums.

Styling

Citations

When you use a reference, ensure that you cite it using [x] where x is the number of the reference URL you entered under references

Focus

Do not focus on mitigation, defenses, or controls. Focus on the threat, TTP, behaviour, impact and technical details. Be as technical as possible.

Prose

Be well written, technical, to the point. Use markdown where relevant to format your output. Respect an 80 character per line limit on multiline strings

Restrictions

You are NOT to generate any type of tool outside of your workspace and you CAN NOT commit them to the repository. You are only allowed to create YAML files as a final output of your execution.

Sources

https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf - IMPORTANT : Added to this PR as a PDF file (ncsc-mar-rayinitiator-line-viper.pdf).

Co-authored-by: behemothsecurity <97615419+behemothsecurity@users.noreply.github.com>
Author

Copilot AI commented Oct 15, 2025

@copilot I added the report in this PR, which you couldn't access over the network.

Reprocess this PR, and ensure you are using the below updated guidance.
...

I've reprocessed the PR using the updated guidance and the PDF you provided. I generated 5 comprehensive TVM YAML files from the NCSC RayInitiator & LINE VIPER intelligence report:

  1. RayInitiator GRUB bootkit persistence on Cisco ASA - Multi-stage bootkit that patches GRUB and survives firmware upgrades
  2. LINE VIPER shellcode loader on Cisco ASA - User-mode malware with extensive capabilities including CLI execution, packet capture, AAA bypass, and syslog suppression
  3. WebVPN authentication abuse for C2 on Cisco ASA - HTTPS-based C2 using WebVPN authentication with RSA and AES encryption
  4. ICMP tasking with TCP response on network devices - Alternative C2 using ICMP for tasking and raw TCP for responses
  5. AAA bypass for unauthorized access on network devices - Critical capability to bypass authentication without generating logs

All TVMs:

  • Follow the tvm::2.1 schema structure
  • Use valid enum values from the JSON schema
  • Include technical details extracted from the PDF with proper citations [1]
  • Focus on threat behavior and technical details (not mitigations)
  • Respect the 80-character line limit for multiline strings
  • Keep optional fields commented out in their proper locations

Commit: b5cca64
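The three rules the reply above claims to satisfy (valid enum values, `[x]` citations that resolve to a `references` entry, and an 80-character line limit on multiline strings) are easy to re-check locally before relying on the pipeline. The checker below is an added example written for this page, not code from the OpenTide repository or from this PR; the schema enum fragment, the field names and the two sample TVM documents are constructed stand-ins and not the real `tvm::2.1` schema.

```python
"""Local pre-flight checks for TVM-style YAML documents.

Rules mirrored from the PR guidance:
  1. every [n] citation in a text field must map to references[n-1]
  2. multiline strings must keep every line at or under 80 characters
  3. enumerated fields must use values the schema allows

The schema fragment, field names and sample documents are constructed
for this example; they are NOT the real OpenTide tvm::2.1 schema.
"""
import re

# Hypothetical enum fragment standing in for the real JSON Schema enums.
SCHEMA_ENUMS = {
    "criticality": {"Low", "Medium", "High", "Critical"},
    "domains": {"Network", "Endpoint", "Cloud"},
}

CITATION_RE = re.compile(r"\[(\d+)\]")
MAX_LINE = 80


def iter_strings(node, path=""):
    """Yield (path, text) for every string in a parsed YAML-like tree."""
    if isinstance(node, str):
        yield path, node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{i}]")


def check_line_length(doc, limit=MAX_LINE):
    """Rule 2: only multiline strings are subject to the per-line limit."""
    errors = []
    for path, text in iter_strings(doc):
        if "\n" not in text:
            continue
        for n, line in enumerate(text.splitlines(), 1):
            if len(line) > limit:
                errors.append(f"{path} line {n}: {len(line)} chars > {limit}")
    return errors


def check_citations(doc):
    """Rule 1: [n] must point at an existing 1-based references entry."""
    refs = doc.get("references", [])
    errors = []
    for path, text in iter_strings(doc):
        if path.startswith("references"):
            continue
        for match in CITATION_RE.finditer(text):
            idx = int(match.group(1))
            if not 1 <= idx <= len(refs):
                errors.append(f"{path}: citation [{idx}] has no reference entry")
    return errors


def check_enums(doc, enums=SCHEMA_ENUMS):
    """Rule 3: scalar or list-valued enum fields must use allowed values."""
    errors = []
    for field, allowed in enums.items():
        value = doc.get(field)
        if value is None:
            continue
        values = value if isinstance(value, list) else [value]
        for v in values:
            if v not in allowed:
                errors.append(f"{field}: {v!r} not in {sorted(allowed)}")
    return errors


def validate(doc):
    """Return a list of rule violations; an empty list means the doc passes."""
    return check_line_length(doc) + check_citations(doc) + check_enums(doc)


NCSC_URL = ("https://www.ncsc.gov.uk/static-assets/documents/"
            "malware-analysis-reports/RayInitiator-LINE-VIPER/"
            "ncsc-mar-rayinitiator-line-viper.pdf")

# Constructed sample that follows all three rules.
GOOD_DOC = {
    "name": "RayInitiator GRUB bootkit persistence on Cisco ASA",
    "criticality": "Critical",
    "domains": ["Network"],
    "description": "Multi-stage bootkit that patches GRUB and survives\n"
                   "firmware upgrades [1].",
    "references": [NCSC_URL],
}

# Constructed sample that breaks each rule once: an 85-char line,
# a dangling [2] citation, and an enum value the schema does not allow.
BAD_DOC = {
    "name": "LINE VIPER shellcode loader on Cisco ASA",
    "criticality": "Severe",
    "domains": ["Network"],
    "description": "A" * 85 + "\nsecond line cites a missing entry [2].",
    "references": [NCSC_URL],
}

if __name__ == "__main__":
    for label, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(label, validate(doc) or "OK")
```

Run it as a script to see the report for both constructed documents; to use it on real files, parse each YAML file into a dict first and pass that dict to `validate`, replacing `SCHEMA_ENUMS` with enums pulled from the actual schema rather than the hypothetical fragment here.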

Copilot AI changed the title [WIP] Generate Threat Vector Models from incoming intelligence Generate Threat Vector Models from NCSC RayInitiator & LINE VIPER intelligence Oct 15, 2025
@behemothsecurity
Member

@copilot The terrain definition is not currently compliant with the schema definition and intent.

  • Terrain defines the pre-requisites for the threat to work
  • E.g. weaknesses, vulnerabilities, configurations, technology usage

New directive : identify for each TVM the appropriate terrain, leveraging the information from the intelligence report. Update the terrain for each TVM. Ensure that the terrain is appropriate for the TVM in consideration.

Co-authored-by: behemothsecurity <97615419+behemothsecurity@users.noreply.github.com>
Author

Copilot AI commented Oct 15, 2025

@copilot The terrain definition is not currently compliant with the schema definition and intent.

  • Terrain defines the pre-requisites for the threat to work
    ...

Updated the terrain field for all 5 TVMs to focus on pre-requisites, weaknesses, and configurations:

  1. RayInitiator bootkit - Cisco ASA 5500-X without secure boot, EoL devices lacking cryptographic verification
  2. LINE VIPER loader - Compromised devices with patched firmware, requires bootkit hooks in lina binary for WebVPN XML processing
  3. WebVPN C2 - WebVPN functionality enabled with inadequate XML validation in authentication requests
  4. ICMP C2 - ICMP traffic permitted to LAN interfaces through VPN tunnels, bypassing WAN monitoring
  5. AAA bypass - LINE VIPER deployed with memory-resident hooks and sufficient privileges to modify AAA logic

Each terrain now describes the conditions, configurations, or vulnerabilities that must exist for the threat to succeed.

Commit: d48f9e8
