[
  {
    "instruction": "Which procedure stands out in its technique association among the following options:\n[EKANS] removes backups of Volume Shadow Copies to disable any restoration capabilities., [Pysa] has the functionality to delete shadow copies., [Meteor] can use `bcdedit` to delete different boot identifiers on a compromised host; it can also use `vssadmin.exe delete shadows /all /quiet` and `C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe shadowcopy delete`., [NOKKI] has used FTP for C2 communications.",
    "context": "",
    "output": "Among the following procedures above, the uniqueness lies in the association with techniques. Specifically, the procedure NOKKI has used FTP for C2 communications. is linked with technique Application Layer Protocol: File Transfer Protocols, distinguishing it from the other procedures, which are associated with technique Inhibit System Recovery.",
    "category": "MitreFlan",
    "instruction_type": "loo_technique_procedure_LoO",
    "parsed_raw_data": {
      "question": "Which procedure stands out in its technique association among the following options:\n[EKANS] removes backups of Volume Shadow Copies to disable any restoration capabilities., [Pysa] has the functionality to delete shadow copies., [Meteor] can use `bcdedit` to delete different boot identifiers on a compromised host; it can also use `vssadmin.exe delete shadows /all /quiet` and `C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe shadowcopy delete`., [NOKKI] has used FTP for C2 communications.",
      "answer": "Among the following procedures above, the uniqueness lies in the association with techniques. Specifically, the procedure NOKKI has used FTP for C2 communications. is linked with technique Application Layer Protocol: File Transfer Protocols, distinguishing it from the other procedures, which are associated with technique Inhibit System Recovery.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "loo_technique_procedure_LoO"
    }
  },
  {
    "instruction": "Which of the following procedures is unique in terms of technique association:\n[Avaddon] modifies several registry keys for persistence and UAC bypass.; [MuddyWater] has attempted to get users to open malicious PDF attachment and to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.; [Uroburos] can store configuration information in the Registry including the initialization vector and AES key needed to find and decrypt other [Uroburos] components.; During [Operation Honeybee], the threat actors used batch files that modified registry keys.",
    "context": "",
    "output": "Among the listed procedures, only MuddyWater has attempted to get users to open malicious PDF attachment and to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails. is uniquely associated with technique User Execution: Malicious File, while the rest are linked to technique Modify Registry. Therefore, MuddyWater has attempted to get users to open malicious PDF attachment and to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails. stands out as distinct.",
    "category": "MitreFlan",
    "instruction_type": "loo_technique_procedure_LoO",
    "parsed_raw_data": {
      "question": "Which of the following procedures is unique in terms of technique association:\n[Avaddon] modifies several registry keys for persistence and UAC bypass.; [MuddyWater] has attempted to get users to open malicious PDF attachment and to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.; [Uroburos] can store configuration information in the Registry including the initialization vector and AES key needed to find and decrypt other [Uroburos] components.; During [Operation Honeybee], the threat actors used batch files that modified registry keys.",
      "answer": "Among the listed procedures, only MuddyWater has attempted to get users to open malicious PDF attachment and to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails. is uniquely associated with technique User Execution: Malicious File, while the rest are linked to technique Modify Registry. Therefore, MuddyWater has attempted to get users to open malicious PDF attachment and to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails. stands out as distinct.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "loo_technique_procedure_LoO"
    }
  },
  {
    "instruction": "Which of the following procedures is unique in terms of technique association:\n1. [TYPEFRAME] can install and store encrypted configuration data under the Registry key <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll</code> and <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs</code>.;\n2. [TrickBot] can identify the groups the user on a compromised host belongs to.;\n3. During the [SolarWinds Compromise], [APT29] used the `Get-ManagementRoleAssignment` PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.;\n4. [ShimRatReporter] gathered the local privileges for the infected host.",
    "context": "",
    "output": "Among the listed procedures, only TYPEFRAME can install and store encrypted configuration data under the Registry key <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll</code> and <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs</code>. is uniquely associated with technique Obfuscated Files or Information: Fileless Storage, while the rest are linked to technique Permission Groups Discovery. Therefore, TYPEFRAME can install and store encrypted configuration data under the Registry key <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll</code> and <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs</code>. stands out as distinct.",
    "category": "MitreFlan",
    "instruction_type": "loo_technique_procedure_LoO",
    "parsed_raw_data": {
      "question": "Which of the following procedures is unique in terms of technique association:\n1. [TYPEFRAME] can install and store encrypted configuration data under the Registry key <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll</code> and <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs</code>.;\n2. [TrickBot] can identify the groups the user on a compromised host belongs to.;\n3. During the [SolarWinds Compromise], [APT29] used the `Get-ManagementRoleAssignment` PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.;\n4. [ShimRatReporter] gathered the local privileges for the infected host.",
      "answer": "Among the listed procedures, only TYPEFRAME can install and store encrypted configuration data under the Registry key <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll</code> and <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs</code>. is uniquely associated with technique Obfuscated Files or Information: Fileless Storage, while the rest are linked to technique Permission Groups Discovery. Therefore, TYPEFRAME can install and store encrypted configuration data under the Registry key <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll</code> and <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs</code>. stands out as distinct.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "loo_technique_procedure_LoO"
    }
  },
  {
    "instruction": "Which of the following procedures is unique in terms of technique association:\n[WastedLocker] has a command to take ownership of a file and reset the ACL permissions using the <code>takeown.exe /F filepath</code> command.;\n[BlackCat] can use Windows commands such as `fsutil behavior set SymLinkEvaluation R2L:1` to redirect file system access to a different location after gaining access into compromised networks.;\n[JPIN] can use the command-line utility cacls.exe to change file permissions.;\n[Sandworm Team] has used Base64 encoding within malware variants.",
    "context": "",
    "output": "Among the listed procedures, only Sandworm Team has used Base64 encoding within malware variants. is uniquely associated with technique Obfuscated Files or Information, while the rest are linked to technique File and Directory Permissions Modification: Windows File and Directory Permissions Modification. Therefore, Sandworm Team has used Base64 encoding within malware variants. stands out as distinct.",
    "category": "MitreFlan",
    "instruction_type": "loo_technique_procedure_LoO",
    "parsed_raw_data": {
      "question": "Which of the following procedures is unique in terms of technique association:\n[WastedLocker] has a command to take ownership of a file and reset the ACL permissions using the <code>takeown.exe /F filepath</code> command.;\n[BlackCat] can use Windows commands such as `fsutil behavior set SymLinkEvaluation R2L:1` to redirect file system access to a different location after gaining access into compromised networks.;\n[JPIN] can use the command-line utility cacls.exe to change file permissions.;\n[Sandworm Team] has used Base64 encoding within malware variants.",
      "answer": "Among the listed procedures, only Sandworm Team has used Base64 encoding within malware variants. is uniquely associated with technique Obfuscated Files or Information, while the rest are linked to technique File and Directory Permissions Modification: Windows File and Directory Permissions Modification. Therefore, Sandworm Team has used Base64 encoding within malware variants. stands out as distinct.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "loo_technique_procedure_LoO"
    }
  },
  {
    "instruction": "Which procedure stands out in its technique association among the following options:\n1. [APT32] has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.,\n2. [Maze] has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. [Maze] has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.,\n3. [FIN6] has used Pastebin and Google Storage to host content for their operations.,\n4. [Gamaredon Group] has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system.?",
    "context": "",
    "output": "Among the following procedures above, the uniqueness lies in the association with techniques. Specifically, the procedure Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files. is linked with technique Data Encrypted for Impact, distinguishing it from the other procedures, which are associated with technique Web Service.",
    "category": "MitreFlan",
    "instruction_type": "loo_technique_procedure_LoO",
    "parsed_raw_data": {
      "question": "Which procedure stands out in its technique association among the following options:\n1. [APT32] has used Dropbox, Amazon S3, and Google Drive to host malicious downloads.,\n2. [Maze] has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. [Maze] has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files.,\n3. [FIN6] has used Pastebin and Google Storage to host content for their operations.,\n4. [Gamaredon Group] has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system.",
      "answer": "Among the following procedures above, the uniqueness lies in the association with techniques. Specifically, the procedure Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files. is linked with technique Data Encrypted for Impact, distinguishing it from the other procedures, which are associated with technique Web Service.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "loo_technique_procedure_LoO"
    }
  },
  {
    "instruction": "Which procedure stands out in its technique association among the following options:\n1. [Pupy] can use PowerView to execute \u201cnet user\u201d commands and create local system accounts.,\n2. [EvilGrab] has the capability to capture keystrokes.,\n3. [APT39] has created accounts on multiple compromised hosts to perform actions within the network.,\n4. [Empire] has a module for creating a local user if permissions allow.?",
    "context": "",
    "output": "Among the following procedures above, the uniqueness lies in the association with techniques. Specifically, the procedure EvilGrab has the capability to capture keystrokes. is linked with technique Input Capture: Keylogging, distinguishing it from the other procedures, which are associated with technique Create Account: Local Account.",
    "category": "MitreFlan",
    "instruction_type": "loo_technique_procedure_LoO",
    "parsed_raw_data": {
      "question": "Which procedure stands out in its technique association among the following options:\n1. [Pupy] can use PowerView to execute \u201cnet user\u201d commands and create local system accounts.,\n2. [EvilGrab] has the capability to capture keystrokes.,\n3. [APT39] has created accounts on multiple compromised hosts to perform actions within the network.,\n4. [Empire] has a module for creating a local user if permissions allow.",
      "answer": "Among the following procedures above, the uniqueness lies in the association with techniques. Specifically, the procedure EvilGrab has the capability to capture keystrokes. is linked with technique Input Capture: Keylogging, distinguishing it from the other procedures, which are associated with technique Create Account: Local Account.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "loo_technique_procedure_LoO"
    }
  },
  {
    "instruction": "Which procedure stands out in its technique association among the following options:\n1. [Cannon] adds the Registry key <code>HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon</code> to establish persistence.\n2. [REvil] can launch an instance of itself with administrative rights using runas.\n3. [Bankshot] grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user.\n4. [KONNI] has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.",
    "context": "",
    "output": "Among the following procedures above, the uniqueness lies in the association with techniques. Specifically, the procedure Cannon adds the Registry key <code>HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon</code> to establish persistence. is linked with technique Boot or Logon Autostart Execution: Winlogon Helper DLL, distinguishing it from the other procedures, which are associated with technique Access Token Manipulation: Create Process with Token.",
    "category": "MitreFlan",
    "instruction_type": "loo_technique_procedure_LoO",
    "parsed_raw_data": {
      "question": "Which procedure stands out in its technique association among the following options:\n1. [Cannon] adds the Registry key <code>HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon</code> to establish persistence.\n2. [REvil] can launch an instance of itself with administrative rights using runas.\n3. [Bankshot] grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user.\n4. [KONNI] has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.",
      "answer": "Among the following procedures above, the uniqueness lies in the association with techniques. Specifically, the procedure Cannon adds the Registry key <code>HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon</code> to establish persistence. is linked with technique Boot or Logon Autostart Execution: Winlogon Helper DLL, distinguishing it from the other procedures, which are associated with technique Access Token Manipulation: Create Process with Token.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "loo_technique_procedure_LoO"
    }
  },
  {
    "instruction": "Which of the following techniques is unique in terms of platforms association:\nData from Information Repositories: Sharepoint,\n-Modify System Image: Downgrade System Image,\n-Office Application Startup,\n-Office Application Startup: Add-ins?",
    "context": "",
    "output": "Among the listed techniques, only Modify System Image: Downgrade System Image is uniquely associated with platforms Network, while the rest are linked to platforms Windows, Office 365. Therefore, Modify System Image: Downgrade System Image stands out as distinct.",
    "category": "MitreFlan",
    "instruction_type": "loo_technique_procedure_LoO",
    "parsed_raw_data": {
      "question": "Which of the following techniques is unique in terms of platforms association:\nData from Information Repositories: Sharepoint,\n-Modify System Image: Downgrade System Image,\n-Office Application Startup,\n-Office Application Startup: Add-ins",
      "answer": "Among the listed techniques, only Modify System Image: Downgrade System Image is uniquely associated with platforms Network, while the rest are linked to platforms Windows, Office 365. Therefore, Modify System Image: Downgrade System Image stands out as distinct.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "loo_technique_procedure_LoO"
    }
  },
  {
    "instruction": "Which of the following procedures is unique in terms of technique association:\n[Ursnif] has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers.,\n*[BRONZE BUTLER] has obtained and used open-source tools such as [Mimikatz], [gsecdump], and [Windows Credential Editor].,\n*[Carberp] has hooked several Windows API functions to steal credentials.,\n*[FinFisher] hooks processes by modifying IAT pointers to CreateWindowEx.",
    "context": "",
    "output": "Among the listed procedures, only BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor. is uniquely associated with technique Obtain Capabilities: Tool, while the rest are linked to technique Input Capture: Credential API Hooking. Therefore, BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor. stands out as distinct.",
    "category": "MitreFlan",
    "instruction_type": "loo_technique_procedure_LoO",
    "parsed_raw_data": {
      "question": "Which of the following procedures is unique in terms of technique association:\n[Ursnif] has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers.,\n*[BRONZE BUTLER] has obtained and used open-source tools such as [Mimikatz], [gsecdump], and [Windows Credential Editor].,\n*[Carberp] has hooked several Windows API functions to steal credentials.,\n*[FinFisher] hooks processes by modifying IAT pointers to CreateWindowEx.",
      "answer": "Among the listed procedures, only BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor. is uniquely associated with technique Obtain Capabilities: Tool, while the rest are linked to technique Input Capture: Credential API Hooking. Therefore, BRONZE BUTLER has obtained and used open-source tools such as Mimikatz, gsecdump, and Windows Credential Editor. stands out as distinct.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "loo_technique_procedure_LoO"
    }
  },
  {
    "instruction": "Which of the following procedures is unique in terms of technique association:\n[Gelsemium] has the ability to use TCP and UDP in C2 communications.,\n*[APT39] has created accounts on multiple compromised hosts to perform actions within the network.,\n*[Pupy] can use PowerView to execute \u201cnet user\u201d commands and create local system accounts.,\n*[Empire] has a module for creating a local user if permissions allow.",
    "context": "",
    "output": "Among the listed procedures, only Gelsemium has the ability to use TCP and UDP in C2 communications. is uniquely associated with technique Non-Application Layer Protocol, while the rest are linked to technique Create Account: Local Account. Therefore, Gelsemium has the ability to use TCP and UDP in C2 communications. stands out as distinct.",
    "category": "MitreFlan",
    "instruction_type": "loo_technique_procedure_LoO",
    "parsed_raw_data": {
      "question": "Which of the following procedures is unique in terms of technique association:\n[Gelsemium] has the ability to use TCP and UDP in C2 communications.,\n*[APT39] has created accounts on multiple compromised hosts to perform actions within the network.,\n*[Pupy] can use PowerView to execute \u201cnet user\u201d commands and create local system accounts.,\n*[Empire] has a module for creating a local user if permissions allow.",
      "answer": "Among the listed procedures, only Gelsemium has the ability to use TCP and UDP in C2 communications. is uniquely associated with technique Non-Application Layer Protocol, while the rest are linked to technique Create Account: Local Account. Therefore, Gelsemium has the ability to use TCP and UDP in C2 communications. stands out as distinct.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "loo_technique_procedure_LoO"
    }
  }
]