Identifying Adversary Tactics and Techniques in Malware Binaries with an LLM Agent

TL;DR

This paper introduces TTPDetect, an LLM-based system that accurately identifies Tactics, Techniques, and Procedures in stripped malware binaries, improving detection precision and uncovering previously unreported malicious behaviors.

Contribution

The paper presents TTPDetect, the first LLM agent for recognizing TTPs in malware, combining retrieval and reasoning techniques, along with a new dataset for training and evaluation.

Findings

Achieves over 93% precision and recall in function-level TTP recognition.

Outperforms baseline methods by over 10% in accuracy.

Recovers 85.7% of documented TTPs and discovers new TTPs in real malware samples.

Abstract

Understanding TTPs (Tactics, Techniques, and Procedures) in malware binaries is essential for security analysis and threat intelligence, yet remains challenging in practice. Real-world malware binaries are typically stripped of symbols, contain large numbers of functions, and distribute malicious behavior across multiple code regions, making TTP attribution difficult. Recent large language models (LLMs) offer strong code understanding capabilities, but applying them directly to this task faces challenges in identifying analysis entry points, reasoning under partial observability, and misalignment with TTP-specific decision logic. We present TTPDetect, the first LLM agent for recognizing TTPs in stripped malware binaries. TTPDetect combines dense retrieval with LLM-based neural retrieval to narrow the space of analysis entry points. TTPDetect further employs a function-level analyzing agent consisting of a Context Explorer that performs on-demand, incremental context retrieval and a TTP-Specific Reasoning Guideline that achieves inference-time alignment. We build a new dataset that labels decompiled functions with TTPs across diverse malware families and platforms. TTPDetect achieves 93.25% precision and 93.81% recall on function-level TTP recognition, outperforming baselines by 10.38% and 18.78%, respectively. When evaluated on real world malware samples, TTPDetect recognizes TTPs with a precision of 87.37%. For malware with expert-written reports, TTPDetect recovers 85.7% of the documented TTPs and further discovers, on average, 10.5 previously unreported TTPs per malware.