Identifying Adversary Tactics and Techniques in Malware Binaries with an LLM Agent

📅 2026-02-06

🤖 AI Summary
Accurately identifying attacker Tactics, Techniques, and Procedures (TTPs) in stripped malware binaries is hard: the binaries contain many functions, a single behaviour is spread across several code regions, and there is no obvious function at which to start the analysis. This work proposes TTPDetect, the first binary-oriented LLM agent for the task. It combines dense retrieval with LLM-based neural retrieval to locate candidate entry-point functions, then performs function-level TTP alignment through incremental, on-demand context exploration and TTP-specific reasoning rules applied at inference time. The contributions are the first LLM agent for binary TTP analysis, the on-demand retrieval and inference-time alignment mechanisms, and the first cross-platform, multi-family, function-level TTP-annotated dataset. Experiments show TTPDetect reaches 93.25% precision and 93.81% recall at the function level (more than 10 percentage points above the baselines) and 87.37% precision on real-world samples, reproducing 85.7% of the TTPs documented in expert reports while surfacing an average of 10.5 previously unreported TTPs per sample.

📝 Abstract
Understanding TTPs (Tactics, Techniques, and Procedures) in malware binaries is essential for security analysis and threat intelligence, yet remains challenging in practice. Real-world malware binaries are typically stripped of symbols, contain large numbers of functions, and distribute malicious behavior across multiple code regions, making TTP attribution difficult. Recent large language models (LLMs) offer strong code understanding capabilities, but applying them directly to this task faces challenges in identifying analysis entry points, reasoning under partial observability, and misalignment with TTP-specific decision logic. We present TTPDetect, the first LLM agent for recognizing TTPs in stripped malware binaries. TTPDetect combines dense retrieval with LLM-based neural retrieval to narrow the space of analysis entry points. TTPDetect further employs a function-level analyzing agent consisting of a Context Explorer that performs on-demand, incremental context retrieval and a TTP-Specific Reasoning Guideline that achieves inference-time alignment. We build a new dataset that labels decompiled functions with TTPs across diverse malware families and platforms. TTPDetect achieves 93.25% precision and 93.81% recall on function-level TTP recognition, outperforming baselines by 10.38% and 18.78%, respectively. When evaluated on real-world malware samples, TTPDetect recognizes TTPs with a precision of 87.37%. For malware with expert-written reports, TTPDetect recovers 85.7% of the documented TTPs and further discovers, on average, 10.5 previously unreported TTPs per malware.
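The abstract describes a three-stage pipeline: retrieve candidate entry-point functions, expand context on demand along the call graph, then align the expanded context to TTPs with technique-specific decision logic. The sketch below is an added example, not TTPDetect's code or dataset. Its stand-ins are assumptions: TF-IDF cosine similarity replaces the paper's dense and LLM-based neural retrieval, a hand-written API rule table replaces the LLM reasoning guideline, the three "decompiled" functions and their call edges are constructed (not real malware), and ATT&CK-style technique labels are used as the label space. What it does show is the point the abstract makes about dispersed behavior: the caller alone matches no technique, and only after the Context Explorer pulls in its callee does the process-injection rule fire.

```python
"""Retrieve-then-explore sketch for function-level TTP recognition.

Added example, not TTPDetect's code. TF-IDF cosine stands in for the paper's
dense/neural retrieval; a rule table stands in for its reasoning guideline.
All functions, addresses and call edges below are constructed sample data.
"""
import math
import re
from collections import Counter, deque

# Constructed sample: three "decompiled" functions from a stripped binary.
# The injection behaviour is deliberately split across a caller and a callee.
FUNCTIONS = {
    "sub_401000": {
        "code": 'int sub_401000(int pid){ HANDLE h = OpenProcess(0x1F0FFF, 0, pid); '
                'void *p = VirtualAllocEx(h, 0, 0x1000, 0x3000, 0x40); '
                'return sub_401200(h, p); }',
        "callees": ["sub_401200"],
    },
    "sub_401200": {
        "code": 'int sub_401200(HANDLE h, void *p){ WriteProcessMemory(h, p, g_buf, 0x1000, 0); '
                'CreateRemoteThread(h, 0, 0, p, 0, 0, 0); return 1; }',
        "callees": [],
    },
    "sub_401400": {
        "code": 'int sub_401400(void){ HKEY k; RegOpenKeyExA(HKEY_CURRENT_USER, '
                '"Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run", 0, KEY_WRITE, &k); '
                'RegSetValueExA(k, "upd", 0, REG_SZ, g_path, 260); return 0; }',
        "callees": [],
    },
}

# Stand-in for the TTP-specific reasoning guideline: a technique is reported
# only when every listed token is present in the explored context.
RULES = {
    "T1055 Process Injection": {"virtualallocex", "writeprocessmemory", "createremotethread"},
    "T1547.001 Registry Run Keys": {"regsetvalueexa", "currentversion", "run"},
}

_TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def tokens(text):
    """Identifier-like tokens, lower-cased; API names survive stripping."""
    return [t.lower() for t in _TOKEN.findall(text)]


def build_index(functions):
    """TF-IDF vector per function (stand-in for an embedding index)."""
    docs = {addr: Counter(tokens(f["code"])) for addr, f in functions.items()}
    n = len(docs)
    df = Counter(t for c in docs.values() for t in c)
    idf = {t: math.log((1 + n) / (1 + d)) + 1.0 for t, d in df.items()}
    return {addr: {t: c[t] * idf[t] for t in c} for addr, c in docs.items()}, idf


def _cosine(a, b):
    dot = sum(a[t] * b.get(t, 0.0) for t in a)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def retrieve(query, index, idf, k=2):
    """Rank functions by similarity to an analyst query; top-k are entry points."""
    q = Counter(tokens(query))
    qv = {t: q[t] * idf.get(t, 1.0) for t in q}
    return sorted(index, key=lambda a: _cosine(qv, index[a]), reverse=True)[:k]


def explore_context(functions, entry, budget=3):
    """Context Explorer stand-in: follow callees breadth-first, on demand,
    until `budget` functions have been read. Returns (visited, joined code)."""
    seen, queue, code = [], deque([entry]), []
    while queue and len(seen) < budget:
        addr = queue.popleft()
        if addr in seen or addr not in functions:
            continue
        seen.append(addr)
        code.append(functions[addr]["code"])
        queue.extend(functions[addr]["callees"])
    return seen, "\n".join(code)


def align(context_code, rules=RULES):
    """Apply the technique rules to the explored context."""
    present = set(tokens(context_code))
    return sorted(t for t, needed in rules.items() if needed <= present)


def detect(query, functions=FUNCTIONS, k=2, budget=3):
    """Full pipeline: retrieve entry points, explore context, align to TTPs."""
    index, idf = build_index(functions)
    results = {}
    for entry in retrieve(query, index, idf, k):
        visited, code = explore_context(functions, entry, budget)
        results[entry] = {"context": visited, "ttps": align(code)}
    return results


if __name__ == "__main__":
    for q in ("VirtualAllocEx WriteProcessMemory CreateRemoteThread",
              "RegSetValueExA Run key persistence"):
        print(q, "->", detect(q))
```

Run stand-alone, the first query retrieves both halves of the injection routine; `sub_401000` on its own satisfies none of the rules, and the technique is only recognised once `explore_context` has appended `sub_401200`. Swapping the TF-IDF scorer for an embedding model and the rule table for a model prompt would not change the control flow, which is the part of the abstract this sketch is meant to illustrate.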
Problem

Research questions and friction points this paper is trying to address.

TTP
malware binaries
adversary tactics
threat intelligence
code analysis
Innovation

Methods, ideas, or system contributions that make the work stand out.

LLM agent
TTP detection
malware binary analysis
neural retrieval
context-aware reasoning