[
  {
    "instruction": "Q: Answer which mitre technique is related to the description: Adversaries disable a network device\u2019s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.\n\nMany network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of Modify System Image, forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., Reduce Key Space).\n\nOptions:\nA. Brute Force: Password Guessing, B. Hijack Execution Flow: Path Interception by Search Order Hijacking, C. Weaken Encryption: Disable Crypto Hardware, D. System Binary Proxy Execution: MMC",
    "context": "",
    "output": "C. Weaken Encryption: Disable Crypto Hardware",
    "category": "MitreFlan",
    "instruction_type": "mitre_options_technique",
    "parsed_raw_data": {
      "question": "Answer which mitre technique is related to the description: Adversaries disable a network device\u2019s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.\n\nMany network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of Modify System Image, forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., Reduce Key Space).",
      "options": "A. Brute Force: Password Guessing, B. Hijack Execution Flow: Path Interception by Search Order Hijacking, C. Weaken Encryption: Disable Crypto Hardware, D. System Binary Proxy Execution: MMC",
      "choice": "C. Weaken Encryption: Disable Crypto Hardware",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_options_technique"
    }
  },
  {
    "instruction": "Q: Tell me which MITRE technique is referred to in the following description:\n\nAdversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets. Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion or Exploitation for Client Execution.\n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.\n\nA. Gather Victim Org Information: Identify Business Tempo, B. Exploit Public-Facing Application, C. Boot or Logon Autostart Execution: Kernel Modules and Extensions, D. Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay\nA:",
    "context": "",
    "output": "B. Exploit Public-Facing Application",
    "category": "MitreFlan",
    "instruction_type": "mitre_options_technique",
    "parsed_raw_data": {
      "question": "Tell me which MITRE technique is referred to in the following description:\n\nAdversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.\n\nExploited applications are often websites/web servers, but can also include databases (like SQL), standard services (like SMB or SSH), network device administration and management protocols (like SNMP and Smart Install), and any other system with Internet accessible open sockets. Depending on the flaw being exploited this may also involve Exploitation for Defense Evasion or Exploitation for Client Execution.\n\nIf an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via Escape to Host, or take advantage of weak identity and access management policies.\n\nAdversaries may also exploit edge network infrastructure and related appliances, specifically targeting devices that do not support robust host-based defenses.\n\nFor websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.",
      "options": "A. Gather Victim Org Information: Identify Business Tempo, B. Exploit Public-Facing Application, C. Boot or Logon Autostart Execution: Kernel Modules and Extensions, D. Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay",
      "choice": "B. Exploit Public-Facing Application",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_options_technique"
    }
  },
  {
    "instruction": "Q: Tell me which MITRE technique is referred to in the following description:\n\nAdversaries may compromise a network device\u2019s encryption capability in order to bypass encryption that would otherwise protect data communications.\n\nEncryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.\n\nAdversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as Modify System Image, Reduce Key Space, and Disable Crypto Hardware, an adversary can negatively affect and/or eliminate a device\u2019s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts.\n\nOptions:\nA. Exfiltration Over Alternative Protocol, B. Active Scanning: Scanning IP Blocks, C. Modify Cloud Compute Infrastructure: Create Cloud Instance, D. Weaken Encryption",
    "context": "",
    "output": "D. Weaken Encryption",
    "category": "MitreFlan",
    "instruction_type": "mitre_options_technique",
    "parsed_raw_data": {
      "question": "Tell me which MITRE technique is referred to in the following description:\n\nAdversaries may compromise a network device\u2019s encryption capability in order to bypass encryption that would otherwise protect data communications.\n\nEncryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.\n\nAdversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as Modify System Image, Reduce Key Space, and Disable Crypto Hardware, an adversary can negatively affect and/or eliminate a device\u2019s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts.",
      "options": "A. Exfiltration Over Alternative Protocol, B. Active Scanning: Scanning IP Blocks, C. Modify Cloud Compute Infrastructure: Create Cloud Instance, D. Weaken Encryption",
      "choice": "D. Weaken Encryption",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_options_technique"
    }
  },
  {
    "instruction": "Which MITRE ATT&CK technique is described in the following:\nAdversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.\n\nCloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS and List Blobs in Azure.\nA. Inter-Process Communication, B. Cloud Storage Object Discovery, C. System Binary Proxy Execution: Mavinject, D. Forge Web Credentials: SAML Tokens",
    "context": "",
    "output": "B. Cloud Storage Object Discovery",
    "category": "MitreFlan",
    "instruction_type": "mitre_options_technique",
    "parsed_raw_data": {
      "question": "Which MITRE ATT&CK technique is described in the following:\nAdversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to File and Directory Discovery on a local host, after identifying available storage services (i.e. Cloud Infrastructure Discovery) adversaries may access the contents/objects stored in cloud infrastructure.\n\nCloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS and List Blobs in Azure.",
      "options": "A. Inter-Process Communication, B. Cloud Storage Object Discovery, C. System Binary Proxy Execution: Mavinject, D. Forge Web Credentials: SAML Tokens",
      "choice": "B. Cloud Storage Object Discovery",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_options_technique"
    }
  },
  {
    "instruction": "Tell me which MITRE technique is referred to in the following description:\n\nAdversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.\n\nAdversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Trusted Relationship).\n\nA. Exfiltration Over Web Service: Exfiltration to Text Storage Sites, B. Steal or Forge Authentication Certificates, C. Gather Victim Network Information: Network Trust Dependencies, D. Obfuscated Files or Information: Encrypted/Encoded File\nAnswer:",
    "context": "",
    "output": "C. Gather Victim Network Information: Network Trust Dependencies",
    "category": "MitreFlan",
    "instruction_type": "mitre_options_technique",
    "parsed_raw_data": {
      "question": "Tell me which MITRE technique is referred to in the following description:\n\nAdversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.\n\nAdversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Trusted Relationship).",
      "options": "A. Exfiltration Over Web Service: Exfiltration to Text Storage Sites, B. Steal or Forge Authentication Certificates, C. Gather Victim Network Information: Network Trust Dependencies, D. Obfuscated Files or Information: Encrypted/Encoded File",
      "choice": "C. Gather Victim Network Information: Network Trust Dependencies",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_options_technique"
    }
  },
  {
    "instruction": "Give the MITRE ATT&CK technique relevant to the following:\nAdversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.\n\nPossible answers:\nA. System Script Proxy Execution: SyncAppvPublishingServer, B. Data Manipulation: Stored Data Manipulation, C. Office Application Startup, D. Account Manipulation: Additional Cloud Credentials",
    "context": "",
    "output": "B. Data Manipulation: Stored Data Manipulation",
    "category": "MitreFlan",
    "instruction_type": "mitre_options_technique",
    "parsed_raw_data": {
      "question": "Give the MITRE ATT&CK technique relevant to the following:\nAdversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
      "options": "A. System Script Proxy Execution: SyncAppvPublishingServer, B. Data Manipulation: Stored Data Manipulation, C. Office Application Startup, D. Account Manipulation: Additional Cloud Credentials",
      "choice": "B. Data Manipulation: Stored Data Manipulation",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_options_technique"
    }
  },
  {
    "instruction": "Answer which mitre technique is related to the description: Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them. \n\nOnce compromised, the serverless runtime environment can be leveraged to either respond directly to infected machines or to Proxy traffic to an adversary-owned command and control server. As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.\n\nPossible answers:\nA. Resource Hijacking, B. Inhibit System Recovery, C. Remote Service Session Hijacking: SSH Hijacking, D. Compromise Infrastructure: Serverless",
    "context": "",
    "output": "D. Compromise Infrastructure: Serverless",
    "category": "MitreFlan",
    "instruction_type": "mitre_options_technique",
    "parsed_raw_data": {
      "question": "Answer which mitre technique is related to the description: Adversaries may compromise serverless cloud infrastructure, such as Cloudflare Workers or AWS Lambda functions, that can be used during targeting. By utilizing serverless infrastructure, adversaries can make it more difficult to attribute infrastructure used during operations back to them. \n\nOnce compromised, the serverless runtime environment can be leveraged to either respond directly to infected machines or to Proxy traffic to an adversary-owned command and control server. As traffic generated by these functions will appear to come from subdomains of common cloud providers, it may be difficult to distinguish from ordinary traffic to these providers.",
      "options": "A. Resource Hijacking, B. Inhibit System Recovery, C. Remote Service Session Hijacking: SSH Hijacking, D. Compromise Infrastructure: Serverless",
      "choice": "D. Compromise Infrastructure: Serverless",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_options_technique"
    }
  },
  {
    "instruction": "Question: Which MITRE ATT&CK technique is described in the following:\nAdversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.\n\nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe\n* gsecdump\n* Mimikatz\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with Reg:\n\n* <code>reg save HKLM\\sam sam</code>\n* <code>reg save HKLM\\system system</code>\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes.\n\nNotes: \n\n* RID 500 account is the local, built-in administrator.\n* RID 501 is the guest account.\n* User accounts start with a RID of 1,000+.\nA. Hijack Execution Flow: COR_PROFILER, B. OS Credential Dumping: Security Account Manager, C. Data from Information Repositories, D. Exfiltration Over Web Service: Exfiltration to Text Storage Sites\nAnswer:",
    "context": "",
    "output": "B. OS Credential Dumping: Security Account Manager",
    "category": "MitreFlan",
    "instruction_type": "mitre_options_technique",
    "parsed_raw_data": {
      "question": "Which MITRE ATT&CK technique is described in the following:\nAdversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.\n\nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe\n* gsecdump\n* Mimikatz\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with Reg:\n\n* <code>reg save HKLM\\sam sam</code>\n* <code>reg save HKLM\\system system</code>\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes.\n\nNotes: \n\n* RID 500 account is the local, built-in administrator.\n* RID 501 is the guest account.\n* User accounts start with a RID of 1,000+.",
      "options": "A. Hijack Execution Flow: COR_PROFILER, B. OS Credential Dumping: Security Account Manager, C. Data from Information Repositories, D. Exfiltration Over Web Service: Exfiltration to Text Storage Sites",
      "choice": "B. OS Credential Dumping: Security Account Manager",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_options_technique"
    }
  },
  {
    "instruction": "Question: Give the MITRE ATT&CK technique relevant to the following:\nAdversaries may use the technique to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.\nA. Execution Guardrails, B. System Script Proxy Execution, C. Hide Artifacts: Hidden Window, D. Command and Scripting Interpreter: Unix Shell\nAnswer:",
    "context": "",
    "output": "A. Execution Guardrails",
    "category": "MitreFlan",
    "instruction_type": "mitre_options_technique",
    "parsed_raw_data": {
      "question": "Give the MITRE ATT&CK technique relevant to the following:\nAdversaries may use the technique to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.",
      "options": "A. Execution Guardrails, B. System Script Proxy Execution, C. Hide Artifacts: Hidden Window, D. Command and Scripting Interpreter: Unix Shell",
      "choice": "A. Execution Guardrails",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_options_technique"
    }
  },
  {
    "instruction": "Answer which mitre technique is related to the description: Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nVDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.\nA. Active Scanning: Vulnerability Scanning, B. Process Injection: Process Doppelg\u00e4nging, C. Process Injection: VDSO Hijacking, D. Phishing",
    "context": "",
    "output": "C. Process Injection: VDSO Hijacking",
    "category": "MitreFlan",
    "instruction_type": "mitre_options_technique",
    "parsed_raw_data": {
      "question": "Answer which mitre technique is related to the description: Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process. \n\nVDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via Ptrace System Calls. However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.",
      "options": "A. Active Scanning: Vulnerability Scanning, B. Process Injection: Process Doppelg\u00e4nging, C. Process Injection: VDSO Hijacking, D. Phishing",
      "choice": "C. Process Injection: VDSO Hijacking",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_options_technique"
    }
  }
]