[
  {
    "instruction": "Consider the following framework: MITRE ATT&CK framework. What is a possible CAPEC attack pattern that can be related to the following: 'Masquerading: Double File Extension (MITRE ATT&CK ID: 1036.007) in MITRE ATT&CK' in the MITRE ATT&CK framework framework.",
    "context": "",
    "output": "'Masquerading: Double File Extension (MITRE ATT&CK ID: 1036.007) in MITRE ATT&CK' can be mapped to Alternative Execution Due to Deceptive Filenames (CAPEC ID: 635) in CAPEC.",
    "category": "CAPECFlan",
    "instruction_type": "reverse_capec_taxonomy_mapping",
    "parsed_raw_data": {
      "taxonomy": "Masquerading: Double File Extension (MITRE ATT&CK ID: 1036.007) in MITRE ATT&CK",
      "taxonomy_types": "MITRE ATT&CK framework",
      "@Name_reverse": "Alternative Execution Due to Deceptive Filenames (CAPEC ID: 635)",
      "attack_ptrn": {
        "@ID": "635",
        "@Name": "Alternative Execution Due to Deceptive Filenames",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "The extension of a file name is often used in various contexts to determine the application that is used to open and use it. If an attacker can cause an alternative application to be used, it may be able to execute malicious code, cause a denial of service or expose sensitive information.",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "165"
          }
        },
        "Prerequisites": {
          "Prerequisite": "The use of the file must be controlled by the file extension."
        },
        "Mitigations": {
          "Mitigation": "Applications should insure that the content of the file is consistent with format it is expecting, and not depend solely on the file extension."
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "162"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1036.007",
            "Entry_Name": "Masquerading: Double File Extension"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2018-05-31"
          },
          "Modification": {
            "Modification_Name": "CAPEC Content Team",
            "Modification_Organization": "The MITRE Corporation",
            "Modification_Date": "2022-09-29",
            "Modification_Comment": "Updated Taxonomy_Mappings"
          }
        }
      }
    }
  },
  {
    "instruction": "Provide a related CAPEC attack pattern to the following 'Mail Command Injection (WASC ID: 30) in WASC' in the WASC framework framework.",
    "context": "",
    "output": "'Mail Command Injection (WASC ID: 30) in WASC' in the WASC framework framework has the following equivalent in CAPEC: Email Injection (CAPEC ID: 134)",
    "category": "CAPECFlan",
    "instruction_type": "reverse_capec_taxonomy_mapping",
    "parsed_raw_data": {
      "taxonomy": "Mail Command Injection (WASC ID: 30) in WASC",
      "taxonomy_types": "WASC framework",
      "@Name_reverse": "Email Injection (CAPEC ID: 134)",
      "attack_ptrn": {
        "@ID": "134",
        "@Name": "Email Injection",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "An adversary manipulates the headers and content of an email message by injecting data via the use of delimiter characters native to the protocol.",
        "Extended_Description": {
          "xhtml:p": "Many applications allow users to send email messages by filling in fields. For example, a web site may have a link to \"share this site with a friend\" where the user provides the recipient's email address and the web application fills out all the other fields, such as the subject and body. In this pattern, an adversary adds header and body information to an email message by injecting additional content in an input field used to construct a header of the mail message. This attack takes advantage of the fact that RFC 822 requires that headers in a mail message be separated by a carriage return. As a result, an adversary can inject new headers or content simply by adding a delimiting carriage return and then supplying the new heading and body information. This attack will not work if the user can only supply the message body since a carriage return in the body is treated as a normal character."
        },
        "Typical_Severity": "Medium",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "137",
            "Exclude_Related": {
              "@Exclude_ID": "403"
            }
          }
        },
        "Prerequisites": {
          "Prerequisite": [
            "The target application must allow the user to send email to some recipient, to specify the content at least one header field in the message, and must fail to sanitize against the injection of command separators.",
            "The adversary must have the ability to access the target mail application."
          ]
        },
        "Resources_Required": {
          "Resource": "None: No specialized resources are required to execute this type of attack."
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "150"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "WASC",
            "Entry_ID": "30",
            "Entry_Name": "Mail Command Injection"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Attack_Prerequisites, Related_Attack_Patterns, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-09-30",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Help me map 'Gather Victim Identity Information (MITRE ATT&CK ID: 1589) in MITRE ATT&CK' from the MITRE ATT&CK framework framework to the CAPEC framework.",
    "context": "",
    "output": "No problem\n'Gather Victim Identity Information (MITRE ATT&CK ID: 1589) in MITRE ATT&CK' can be mapped to the following CAPEC attack pattern: Pretexting (CAPEC ID: 407)",
    "category": "CAPECFlan",
    "instruction_type": "reverse_capec_taxonomy_mapping",
    "parsed_raw_data": {
      "taxonomy": "Gather Victim Identity Information (MITRE ATT&CK ID: 1589) in MITRE ATT&CK",
      "taxonomy_types": "MITRE ATT&CK framework",
      "@Name_reverse": "Pretexting (CAPEC ID: 407)",
      "attack_ptrn": {
        "@ID": "407",
        "@Name": "Pretexting",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "An adversary engages in pretexting behavior to solicit information from target persons, or manipulate the target into performing some action that serves the adversary's interests. During a pretexting attack, the adversary creates an invented scenario, assuming an identity or role to persuade a targeted victim to release information or perform some action. It is more than just creating a lie; in some cases it can be creating a whole new identity and then using that identity to manipulate the receipt of information.",
        "Extended_Description": {
          "xhtml:p": "Pretexting can also be used to impersonate people in certain jobs and roles that they never themselves have done. In simple form, these attacks can be leveraged to learn information about a target. More complicated iterations may seek to solicit a target to perform some action that assists the adversary in exploiting organizational weaknesses or obtaining access to secure facilities or systems. Pretexting is not a one-size fits all solution. Good information gathering techniques can make or break a good pretext. A solid pretext is an essential part of building trust. If an adversary\u2019s alias, story, or identity has holes or lacks credibility or even the perception of credibility the target will most likely catch on."
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "Low",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "416"
            },
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "410"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "163"
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "The adversary must have the means and knowledge of how to communicate with the target in some manner.The adversary must have knowledge of the pretext that would influence the actions of the specific target."
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "The adversary requires strong inter-personal and communication skills."
          }
        },
        "Consequences": {
          "Consequence": {
            "Scope": "Confidentiality",
            "Impact": "Other",
            "Note": "Depending on the adversary's intentions and the specific nature their actions/requests, a successful pretexting attack can result in the compromise to the confidentiality of sensitive information in a variety of contexts."
          }
        },
        "Mitigations": {
          "Mitigation": "An organization should provide regular, robust cybersecurity training to its employees to prevent successful social engineering attacks."
        },
        "Example_Instances": {
          "Example": "The adversary dresses up like a jogger and runs in place by the entrance of a building, pretending to look for their access card. Because the hood obscures their face, it may be possible to solicit someone inside the building to let them inside."
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1589",
            "Entry_Name": "Gather Victim Identity Information"
          }
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-348"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Examples-Instances, Methods_of_Attack, Related_Attack_Patterns, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            }
          ],
          "Previous_Entry_Name": {
            "@Date": "2017-08-04",
            "#text": "Social Information Gathering via Pretexting"
          }
        }
      }
    }
  },
  {
    "instruction": "Help me map 'Supply Chain Compromise: Compromise Software Supply Chain (MITRE ATT&CK ID: 1195.002) in MITRE ATT&CK' from the MITRE ATT&CK framework framework to the CAPEC framework.",
    "context": "",
    "output": "No problem\n'Supply Chain Compromise: Compromise Software Supply Chain (MITRE ATT&CK ID: 1195.002) in MITRE ATT&CK' can be mapped to the following CAPEC attack pattern: Developer Signing Maliciously Altered Software (CAPEC ID: 673)",
    "category": "CAPECFlan",
    "instruction_type": "reverse_capec_taxonomy_mapping",
    "parsed_raw_data": {
      "taxonomy": "Supply Chain Compromise: Compromise Software Supply Chain (MITRE ATT&CK ID: 1195.002) in MITRE ATT&CK",
      "taxonomy_types": "MITRE ATT&CK framework",
      "@Name_reverse": "Developer Signing Maliciously Altered Software (CAPEC ID: 673)",
      "attack_ptrn": {
        "@ID": "673",
        "@Name": "Developer Signing Maliciously Altered Software",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": {
          "xhtml:p": [
            "Software produced by a reputable developer is clandestinely infected with malicious code and then digitally signed by the unsuspecting developer, where the software has been altered via a compromised software development or build process prior to being signed. The receiver or user of the software has no reason to believe that it is anything but legitimate and proceeds to deploy it to organizational systems.",
            "This attack differs from CAPEC-206, since the developer is inadvertently signing malicious code they believe to be legitimate and which they are unware of any malicious modifications."
          ]
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "444",
            "Exclude_Related": {
              "@Exclude_ID": "515"
            }
          }
        },
        "Prerequisites": {
          "Prerequisite": "An adversary would need to have access to a targeted developer\u2019s software development environment, including to their software build processes, where the adversary could ensure code maliciously tainted prior to a build process is included in software packages built."
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "High",
            "#text": "The adversary must have the skills to infiltrate a developer\u2019s software development/build environment and to implant malicious code in developmental software code, a build server, or a software repository containing dependency code, which would be referenced to be included during the software build process."
          }
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": [
                "Integrity",
                "Confidentiality"
              ],
              "Impact": [
                "Read Data",
                "Modify Data"
              ]
            },
            {
              "Scope": [
                "Access Control",
                "Authorization"
              ],
              "Impact": [
                "Gain Privileges",
                "Execute Unauthorized Commands"
              ]
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Have a security concept of operations (CONOPS) for the IDE that includes: Protecting the IDE via logical isolation using firewall and DMZ technologies/architectures; Maintaining strict security administration and configuration management of configuration management tools, developmental software and dependency code repositories, compilers, and system build tools.",
            "Employ intrusion detection and malware detection capabilities on IDE systems where feasible."
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": "An adversary who has infiltrated an organization\u2019s build environment maliciously alters code intended to be included in a product\u2019s software build via software dependency inclusion, part of the software build process. When the software product has been built, the developer electronically signs the finished product using their signing key. The recipient of the software product, an end user/customer, believes the software to reflect the developer\u2019s intent with respect to functionality unaware of the adversary\u2019s malicious intent harbored within."
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1195.002",
            "Entry_Name": "Supply Chain Compromise: Compromise Software Supply Chain"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-658"
            },
            {
              "@External_Reference_ID": "REF-659"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2021-06-24"
          },
          "Modification": {
            "Modification_Name": "CAPEC Content Team",
            "Modification_Organization": "The MITRE Corporation",
            "Modification_Date": "2022-09-29",
            "Modification_Comment": "Updated Taxonomy_Mappings"
          }
        }
      }
    }
  },
  {
    "instruction": "Provide a related CAPEC attack pattern to the following 'Abuse Elevation Control Mechanism (MITRE ATT&CK ID: 1548) in MITRE ATT&CK' in the MITRE ATT&CK framework framework.",
    "context": "",
    "output": "'Abuse Elevation Control Mechanism (MITRE ATT&CK ID: 1548) in MITRE ATT&CK' in the MITRE ATT&CK framework framework has the following equivalent in CAPEC: Privilege Escalation (CAPEC ID: 233)",
    "category": "CAPECFlan",
    "instruction_type": "reverse_capec_taxonomy_mapping",
    "parsed_raw_data": {
      "taxonomy": "Abuse Elevation Control Mechanism (MITRE ATT&CK ID: 1548) in MITRE ATT&CK",
      "taxonomy_types": "MITRE ATT&CK framework",
      "@Name_reverse": "Privilege Escalation (CAPEC ID: 233)",
      "attack_ptrn": {
        "@ID": "233",
        "@Name": "Privilege Escalation",
        "@Abstraction": "Meta",
        "@Status": "Draft",
        "Description": "An adversary exploits a weakness enabling them to elevate their privilege and perform an action that they are not supposed to be authorized to perform.",
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "269"
            },
            {
              "@CWE_ID": "1264"
            },
            {
              "@CWE_ID": "1311"
            }
          ]
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1548",
            "Entry_Name": "Abuse Elevation Control Mechanism"
          }
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-600",
            "@Section": "Testing for Privelege Escalation"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-12-07",
              "Modification_Comment": "Updated Description, Description Summary, Relationships, Type (Category -> Attack_Pattern)"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Related_Weaknesses, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated References, Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated @Abstraction"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-10-21",
              "Modification_Comment": "Updated @Abstraction"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Consider the following framework: MITRE ATT&CK framework. Provide a related CAPEC attack pattern to 'Steal or Forge Kerberos Tickets (MITRE ATT&CK ID: 1558) in MITRE ATT&CK'",
    "context": "",
    "output": "Sure, a possible mapping from 'Steal or Forge Kerberos Tickets (MITRE ATT&CK ID: 1558) in MITRE ATT&CK', in the MITRE ATT&CK framework framework, to CAPEC can be via the following attack pattern: Use of Known Kerberos Credentials (CAPEC ID: 652)",
    "category": "CAPECFlan",
    "instruction_type": "reverse_capec_taxonomy_mapping",
    "parsed_raw_data": {
      "taxonomy": "Steal or Forge Kerberos Tickets (MITRE ATT&CK ID: 1558) in MITRE ATT&CK",
      "taxonomy_types": "MITRE ATT&CK framework",
      "@Name_reverse": "Use of Known Kerberos Credentials (CAPEC ID: 652)",
      "attack_ptrn": {
        "@ID": "652",
        "@Name": "Use of Known Kerberos Credentials",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.",
        "Extended_Description": {
          "xhtml:p": "Kerberos is the default authentication method for Windows domains and is also used across many operating systems. Attacks leveraging trusted Kerberos credentials can result in numerous consequences, depending on what Kerberos credential is stolen. For example, Kerberos service accounts are typically used to run services or scheduled tasks pertaining to authentication. However, these credentials are often weak and never expire, in addition to possessing local or domain administrator privileges. If an adversary is able to acquire these credentials, it could result in lateral movement within the domain or access to any resources the service account is privileged to access, among other things. Ultimately, successful spoofing and impersonation of trusted Kerberos credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application."
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "560",
              "Exclude_Related": {
                "@Exclude_ID": "515"
              }
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "151"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Acquire known Kerberos credentials] The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain.",
              "Technique": [
                "An adversary purchases breached Kerberos service account username/password combinations or leaked hashed passwords from the dark web.",
                "An adversary guesses the credentials to a weak Kerberos service account.",
                "An adversary conducts a sniffing attack to steal Kerberos tickets as they are transmitted.",
                "An adversary conducts a Kerberoasting attack."
              ]
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Attempt Kerberos authentication] Try each Kerberos credential against various resources within the domain until the target grants access.",
              "Technique": [
                "Manually or automatically enter each Kerberos service account credential through the target's interface.",
                "Attempt a Pass the Ticket attack."
              ]
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain"
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks."
            },
            {
              "Step": "5",
              "Phase": "Exploit",
              "Description": "[Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "The system/application leverages Kerberos authentication.",
            "The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication for Kerberos service accounts.",
            "The system/application does not have a sound password policy that is being enforced for Kerberos service accounts.",
            "The system/application does not implement an effective password throttling mechanism for authenticating to Kerberos service accounts.",
            "The targeted network allows for network sniffing attacks to succeed."
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "Once an adversary obtains a known Kerberos credential, leveraging it is trivial."
          }
        },
        "Resources_Required": {
          "Resource": "A valid Kerberos ticket or a known Kerberos service account credential."
        },
        "Indicators": {
          "Indicator": [
            "Authentication attempts use expired or invalid credentials.",
            "Authentication attempts are originating from IP addresses or locations that are inconsistent with an account's normal IP addresses or locations.",
            "Data is being transferred and/or removed from systems/applications within the network.",
            "Suspicious or Malicious software is downloaded/installed on systems within the domain.",
            "Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior."
          ]
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authentication"
              ],
              "Impact": "Gain Privileges"
            },
            {
              "Scope": [
                "Confidentiality",
                "Authorization"
              ],
              "Impact": "Read Data"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Create a strong password policy and ensure that your system enforces this policy for Kerberos service accounts.",
            "Ensure Kerberos service accounts are not reusing username/password combinations for multiple systems, applications, or services.",
            "Do not reuse Kerberos service account credentials across systems.",
            "Deny remote use of Kerberos service account credentials to log into domain systems.",
            "Do not allow Kerberos service accounts to be a local administrator on more than one system.",
            "Enable at least AES Kerberos encryption for tickets.",
            "Monitor system and domain logs for abnormal credential access."
          ]
        },
        "Example_Instances": {
          "Example": [
            "Bronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]",
            "PowerSploit's Invoke-Kerberoast module can be leveraged to request Ticket Granting Service (TGS) tickets and return crackable ticket hashes. [REF-585] [REF-586]"
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "522"
            },
            {
              "@CWE_ID": "307"
            },
            {
              "@CWE_ID": "308"
            },
            {
              "@CWE_ID": "309"
            },
            {
              "@CWE_ID": "262"
            },
            {
              "@CWE_ID": "263"
            },
            {
              "@CWE_ID": "654"
            },
            {
              "@CWE_ID": "294"
            },
            {
              "@CWE_ID": "836"
            }
          ]
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1558",
            "Entry_Name": "Steal or Forge Kerberos Tickets"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-584"
            },
            {
              "@External_Reference_ID": "REF-585"
            },
            {
              "@External_Reference_ID": "REF-586"
            }
          ]
        },
        "Notes": {
          "Note": {
            "@Type": "Other",
            "#text": "Kerberos centers around a ticketing system that is used to request/grant access to resources and to then access the requested resources. If one of these tickets is acquired, an adversary could gain access to a specific resource; access any resource a user has privileges to access; gain access to services that use Kerberos as an authentication mechanism and generate tickets to access a particular resource and the system that hosts the resource; or generate Ticket Granting Tickets (TGTs) for any domain account within Active Directory."
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2020-07-30"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Description, Notes, Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Extended_Description, Prerequisites"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Consider the following framework: OWASP Attacks framework. What is a possible CAPEC attack pattern that can be related to the following: 'Resource Injection in OWASP Attacks' in the OWASP Attacks framework framework.",
    "context": "",
    "output": "'Resource Injection in OWASP Attacks' can be mapped to Resource Injection (CAPEC ID: 240) in CAPEC.",
    "category": "CAPECFlan",
    "instruction_type": "reverse_capec_taxonomy_mapping",
    "parsed_raw_data": {
      "taxonomy": "Resource Injection in OWASP Attacks",
      "taxonomy_types": "OWASP Attacks framework",
      "@Name_reverse": "Resource Injection (CAPEC ID: 240)",
      "attack_ptrn": {
        "@ID": "240",
        "@Name": "Resource Injection",
        "@Abstraction": "Meta",
        "@Status": "Stable",
        "Description": "An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.",
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "High",
        "Prerequisites": {
          "Prerequisite": "The target application allows the user to both specify the identifier used to access a system resource. Through this permission, the user gains the capability to perform actions on that resource (e.g., overwrite the file)"
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Ensure all input content that is delivered to client is sanitized against an acceptable content specification.",
            "Perform input validation for all content.",
            "Enforce regular patching of software."
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "99"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "OWASP Attacks",
            "Entry_Name": "Resource Injection"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-12-07",
              "Modification_Comment": "Updated Description, Description Summary"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-05-01",
              "Modification_Comment": "Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Consider the following framework: MITRE ATT&CK framework. Provide a related CAPEC attack pattern to 'Compromise Infrastructure: DNS Server (MITRE ATT&CK ID: 1584.002) in MITRE ATT&CK'",
    "context": "",
    "output": "Sure, a possible mapping from 'Compromise Infrastructure: DNS Server (MITRE ATT&CK ID: 1584.002) in MITRE ATT&CK', in the MITRE ATT&CK framework framework, to CAPEC can be via the following attack pattern: DNS Cache Poisoning (CAPEC ID: 142)",
    "category": "CAPECFlan",
    "instruction_type": "reverse_capec_taxonomy_mapping",
    "parsed_raw_data": {
      "taxonomy": "Compromise Infrastructure: DNS Server (MITRE ATT&CK ID: 1584.002) in MITRE ATT&CK",
      "taxonomy_types": "MITRE ATT&CK framework",
      "@Name_reverse": "DNS Cache Poisoning (CAPEC ID: 142)",
      "attack_ptrn": {
        "@ID": "142",
        "@Name": "DNS Cache Poisoning",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "A domain name server translates a domain name (such as www.example.com) into an IP address that Internet hosts use to contact Internet resources. An adversary modifies a public DNS cache to cause certain names to resolve to incorrect addresses that the adversary specifies. The result is that client applications that rely upon the targeted cache for domain name resolution will be directed not to the actual address of the specified domain name but to some other address. Adversaries can use this to herd clients to sites that install malware on the victim's computer or to masquerade as part of a Pharming attack.",
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "141"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "89"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Explore resolver caches] Check DNS caches on local DNS server and client's browser with DNS cache enabled.",
              "Technique": [
                "Run tools that check the resolver cache in the memory to see if it contains a target DNS entry.",
                "Figure out if the client's browser has DNS cache enabled."
              ]
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Attempt sending crafted records to DNS cache] A request is sent to the authoritative server for target website and wait for the iterative name resolver. An adversary sends bogus request to the DNS local server, and then floods responses that trick a DNS cache to remember malicious responses, which are wrong answers of DNS query.",
              "Technique": [
                "Adversary must know the transaction ID by intercepting a DNS query, or sending a bogus query with known transaction ID.",
                "If the transaction ID used to identify each query instance is randomized in some new DNS software, the attack must guess the transaction ID. Slow the response of the real DNS server by causing Denial-of-service. This gives adversaries enough time to guess transaction",
                "Adversary crafts DNS response with the same transaction ID as in the request. The adversary sends out DNS responses before the authorized DNS server. This forces DNS local cache stores fake DNS response (wrong answer). The fake DNS responses usually include a malicious website's IP address."
              ]
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Redirect users to malicious website] As the adversary succeeds in exploiting the vulnerability, the victim connects to a malicious site using a good web site's domain name.",
              "Technique": [
                "Redirecting Web traffic to a site that looks enough like the original so as to not raise any suspicion.",
                "Adversary-in-the-Middle (CAPEC-94) intercepts secure communication between two parties."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "A DNS cache must be vulnerable to some attack that allows the adversary to replace addresses in its lookup table.Client applications must trust the corrupted cashed values and utilize them for their domain name resolutions."
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Medium",
            "#text": "To overwrite/modify targeted DNS cache"
          }
        },
        "Resources_Required": {
          "Resource": "The adversary must have the resources to modify the targeted cache. In addition, in most cases the adversary will wish to host the sites to which users will be redirected, although in some cases redirecting to a third party site will accomplish the adversary's goals."
        },
        "Mitigations": {
          "Mitigation": [
            "Configuration: Make sure your DNS servers have been updated to the latest versions",
            "Configuration: UNIX services like rlogin, rsh/rcp, xhost, and nfs are all susceptible to wrong information being held in a cache. Care should be taken with these services so they do not rely upon DNS caches that have been exposed to the Internet.",
            "Configuration: Disable client side DNS caching."
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": [
              "In this example, an adversary sends request to a local DNS server to look up www.example .com. The associated IP address of www.example.com is 1.3.5.7.",
              "Local DNS usually caches IP addresses and do not go to remote DNS every time. Since the local record is not found, DNS server tries to connect to remote DNS for queries. However, before the remote DNS returns the right IP address 1.3.5.7, the adversary floods local DNS with crafted responses with IP address 2.4.6.8. The result is that 2.4.6.8 is stored in DNS cache. Meanwhile, 2.4.6.8 is associated with a malicious website www.maliciousexampsle.com",
              "When users connect to www.example.com, the local DNS will direct it to www.maliciousexample.com, this works as part of a Pharming attack."
            ]
          }
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "348"
            },
            {
              "@CWE_ID": "345"
            },
            {
              "@CWE_ID": "349"
            },
            {
              "@CWE_ID": "346"
            },
            {
              "@CWE_ID": "350"
            }
          ]
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1584.002",
            "Entry_Name": "Compromise Infrastructure: DNS Server"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-22",
              "@Section": "DNS Cache Poisoning"
            },
            {
              "@External_Reference_ID": "REF-23",
              "@Section": "DNS Threats & Weaknesses of the Domain Name System"
            },
            {
              "@External_Reference_ID": "REF-27"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-01-09",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Attack_Phases, Attack_Prerequisites, Description Summary, Examples-Instances, Payload_Activation_Impact, Related_Vulnerabilities, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Execution_Flow"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Related_Weaknesses, Taxonomy_Mappings"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Help me map 'Gather Victim Host Information: Software (MITRE ATT&CK ID: 1592.002) in MITRE ATT&CK' from the MITRE ATT&CK framework framework to the CAPEC framework.",
    "context": "",
    "output": "No problem\n'Gather Victim Host Information: Software (MITRE ATT&CK ID: 1592.002) in MITRE ATT&CK' can be mapped to the following CAPEC attack pattern: Application Fingerprinting (CAPEC ID: 541)",
    "category": "CAPECFlan",
    "instruction_type": "reverse_capec_taxonomy_mapping",
    "parsed_raw_data": {
      "taxonomy": "Gather Victim Host Information: Software (MITRE ATT&CK ID: 1592.002) in MITRE ATT&CK",
      "taxonomy_types": "MITRE ATT&CK framework",
      "@Name_reverse": "Application Fingerprinting (CAPEC ID: 541)",
      "attack_ptrn": {
        "@ID": "541",
        "@Name": "Application Fingerprinting",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "An adversary engages in fingerprinting activities to determine the type or version of an application installed on a remote target.",
        "Typical_Severity": "Low",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "224"
          }
        },
        "Prerequisites": {
          "Prerequisite": "None"
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "204"
            },
            {
              "@CWE_ID": "205"
            },
            {
              "@CWE_ID": "208"
            }
          ]
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1592.002",
            "Entry_Name": "Gather Victim Host Information: Software"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2023-01-24",
              "Modification_Comment": "Updated Related_Weaknesses"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Consider the following framework: MITRE ATT&CK/WASC/OWASP Attacks frameworks. What is a possible CAPEC attack pattern that can be related to the following: 'Brute Force (MITRE ATT&CK ID: 1110) in MITRE ATT&CK, Brute Force (WASC ID: 11) in WASC, Brute force attack in OWASP Attacks' in the MITRE ATT&CK/WASC/OWASP Attacks frameworks framework.",
    "context": "",
    "output": "'Brute Force (MITRE ATT&CK ID: 1110) in MITRE ATT&CK, Brute Force (WASC ID: 11) in WASC, Brute force attack in OWASP Attacks' can be mapped to Brute Force (CAPEC ID: 112) in CAPEC.",
    "category": "CAPECFlan",
    "instruction_type": "reverse_capec_taxonomy_mapping",
    "parsed_raw_data": {
      "taxonomy": "Brute Force (MITRE ATT&CK ID: 1110) in MITRE ATT&CK, Brute Force (WASC ID: 11) in WASC, Brute force attack in OWASP Attacks",
      "taxonomy_types": "MITRE ATT&CK/WASC/OWASP Attacks frameworks",
      "@Name_reverse": "Brute Force (CAPEC ID: 112)",
      "attack_ptrn": {
        "@ID": "112",
        "@Name": "Brute Force",
        "@Abstraction": "Meta",
        "@Status": "Draft",
        "Description": "In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.",
        "Extended_Description": {
          "xhtml:p": "Examples of secrets can include, but are not limited to, passwords, encryption keys, database lookup keys, and initial values to one-way functions. The key factor in this attack is the attackers' ability to explore the possible secret space rapidly. This, in turn, is a function of the size of the secret space and the computational power the attacker is able to bring to bear on the problem. If the attacker has modest resources and the secret space is large, the challenge facing the attacker is intractable. Assuming a finite secret space, a brute force attack will eventually succeed. The defender must rely on making sure that the time and resources necessary to do so will exceed the value of the information."
        },
        "Typical_Severity": "High",
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Determine secret testing procedure] Determine how a potential guess of the secret may be tested. This may be accomplished by comparing some manipulation of the secret to a known value, use of the secret to manipulate some known set of data and determining if the result displays specific characteristics (for example, turning cryptotext into plaintext), or by submitting the secret to some external authority and having the external authority respond as to whether the value was the correct secret. Ideally, the attacker will want to determine the correctness of their guess independently since involvement of an external authority is usually slower and can provide an indication to the defender that a brute-force attack is being attempted.",
              "Technique": "Determine if there is a way to parallelize the attack. Most brute force attacks can take advantage of parallel techniques by dividing the search space among available resources, thus dividing the average time to success by the number of resources available. If there is a single choke point, such as a need to check answers with an external authority, the attackers' position is significantly degraded."
            },
            {
              "Step": "2",
              "Phase": "Explore",
              "Description": "[Reduce search space] Find ways to reduce the secret space. The smaller the attacker can make the space they need to search for the secret value, the greater their chances for success. There are a great many ways in which the search space may be reduced.",
              "Technique": [
                "If possible, determine how the secret was selected. If the secret was determined algorithmically (such as by a random number generator) the algorithm may have patterns or dependencies that reduce the size of the secret space. If the secret was created by a human, behavioral factors may, if not completely reduce the space, make some types of secrets more likely than others. (For example, humans may use the same secrets in multiple places or use secrets that look or sound familiar for ease of recall.)",
                "If the secret was chosen algorithmically, cryptanalysis can be applied to the algorithm to discover patterns in this algorithm. (This is true even if the secret is not used in cryptography.) Periodicity, the need for seed values, or weaknesses in the generator all can result in a significantly smaller secret space.",
                "If the secret was chosen by a person, social engineering and simple espionage can indicate patterns in their secret selection. If old secrets can be learned (and a target may feel they have little need to protect a secret that has been replaced) hints as to their selection preferences can be gleaned. These can include character substitutions a target employs, patterns in sources (dates, famous phrases, music lyrics, family members, etc.). Once these patterns have been determined, the initial efforts of a brute-force attack can focus on these areas.",
                "Some algorithmic techniques for secret selection may leave indicators that can be tested for relatively easily and which could then be used to eliminate large areas of the search space for consideration. For example, it may be possible to determine that a secret does or does not start with a given character after a relatively small number of tests. Alternatively, it might be possible to discover the length of the secret relatively easily. These discoveries would significantly reduce the search space, thus increasing speed with which the attacker discovers the secret."
              ]
            },
            {
              "Step": "3",
              "Phase": "Explore",
              "Description": "[Expand victory conditions] It is sometimes possible to expand victory conditions. For example, the attacker might not need to know the exact secret but simply needs a value that produces the same result using a one-way function. While doing this does not reduce the size of the search space, the presence of multiple victory conditions does reduce the likely amount of time that the attacker will need to explore the space before finding a workable value."
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Gather information so attack can be performed independently.] If possible, gather the necessary information so a successful search can be determined without consultation of an external authority. This can be accomplished by capturing cryptotext (if the goal is decoding the text) or the encrypted password dictionary (if the goal is learning passwords)."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "The attacker must be able to determine when they have successfully guessed the secret. As such, one-time pads are immune to this type of attack since there is no way to determine when a guess is correct."
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "The attack simply requires basic scripting ability to automate the exploration of the search space. More sophisticated attackers may be able to use more advanced methods to reduce the search space and increase the speed with which the secret is located."
          }
        },
        "Resources_Required": {
          "Resource": "None: No specialized resources are required to execute this type of attack. Ultimately, the speed with which an attacker discovers a secret is directly proportional to the computational resources the attacker has at their disposal. This attack method is resource expensive: having large amounts of computational power do not guarantee timely success, but having only minimal resources makes the problem intractable against all but the weakest secret selection procedures."
        },
        "Indicators": {
          "Indicator": [
            "Repeated submissions of incorrect secret values may indicate a brute force attack. For example, repeated bad passwords when accessing user accounts or repeated queries to databases using non-existent keys.",
            "Attempts to download files protected by secrets (usually using encryption) may be a precursor to an offline attack to break the file's encryption and read its contents. This is especially significant if the file itself contains other secret values, such as password files.",
            "If the attacker is able to perform the checking offline then there will likely be no indication that an attack is ongoing."
          ]
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Select a provably large secret space for selection of the secret. Provably large means that the procedure by which the secret is selected does not have artifacts that significantly reduce the size of the total secret space.",
            "Use a secret space that is well known and with no known patterns that may reduce functional size.",
            "Do not provide the means for an attacker to determine success independently. This forces the attacker to check their guesses against an external authority, which can slow the attack and warn the defender. This mitigation may not be possible if testing material must appear externally, such as with a transmitted cryptotext."
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "330"
            },
            {
              "@CWE_ID": "326"
            },
            {
              "@CWE_ID": "521"
            }
          ]
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": [
            {
              "@Taxonomy_Name": "ATTACK",
              "Entry_ID": "1110",
              "Entry_Name": "Brute Force"
            },
            {
              "@Taxonomy_Name": "WASC",
              "Entry_ID": "11",
              "Entry_Name": "Brute Force"
            },
            {
              "@Taxonomy_Name": "OWASP Attacks",
              "Entry_Name": "Brute force attack"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Related_Attack_Patterns, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Description, Mitigations, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            }
          ]
        }
      }
    }
  }
]