[
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: Is technique Initial Access related to the following description:\n\nAdversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as a layer of Apple\u2019s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.\n\nBased on an opt-in system, when files are downloaded an extended attribute (xattr) called `com.apple.quarantine` (also known as a quarantine flag) can be set on the file by the application performing the download. Launch Services opens the application in a suspended state. For first run applications with the quarantine flag set, Gatekeeper executes the following functions:\n\n1. Checks extended attribute \u2013 Gatekeeper checks for the quarantine flag, then provides an alert prompt to the user to allow or deny execution.\n\n2. Checks System Policies - Gatekeeper checks the system security policy, allowing execution of apps downloaded from either just the App Store or the App Store and identified developers.\n\n3. Code Signing \u2013 Gatekeeper checks for a valid code signature from an Apple Developer ID.\n\n4. Notarization - Using the `api.apple-cloudkit.com` API, Gatekeeper reaches out to Apple servers to verify or pull down the notarization ticket and ensure the ticket is not revoked. Users can override notarization, which will result in a prompt of executing an \u201cunauthorized app\u201d and the security policy will be modified.\n\nAdversaries can subvert one or multiple security controls within Gatekeeper checks through logic errors (e.g. Exploitation for Defense Evasion), unchecked file types, and external libraries. For example, prior to macOS 13 Ventura, code signing and notarization checks were only conducted on first launch, allowing adversaries to write malicious executables to previously opened applications in order to bypass Gatekeeper security checks.\n\nApplications and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command may not set the quarantine flag. Additionally, it is possible to avoid setting the quarantine flag using Drive-by Compromise.",
    "context": "",
    "output": "The given description is related to sub technique Gatekeeper Bypass (T1553.001);\nSub technique Gatekeeper Bypass (T1553.001) is a type of technique Subvert Trust Controls (T1553);\nTherefore, the correct answer is no, the given description is not related to technique Initial Access.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Is technique Initial Access related to the following description:\n\nAdversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as a layer of Apple\u2019s security model to ensure only trusted applications are executed on a host. Gatekeeper was built on top of File Quarantine in Snow Leopard (10.6, 2009) and has grown to include Code Signing, security policy compliance, Notarization, and more. Gatekeeper also treats applications running for the first time differently than reopened applications.\n\nBased on an opt-in system, when files are downloaded an extended attribute (xattr) called `com.apple.quarantine` (also known as a quarantine flag) can be set on the file by the application performing the download. Launch Services opens the application in a suspended state. For first run applications with the quarantine flag set, Gatekeeper executes the following functions:\n\n1. Checks extended attribute \u2013 Gatekeeper checks for the quarantine flag, then provides an alert prompt to the user to allow or deny execution.\n\n2. Checks System Policies - Gatekeeper checks the system security policy, allowing execution of apps downloaded from either just the App Store or the App Store and identified developers.\n\n3. Code Signing \u2013 Gatekeeper checks for a valid code signature from an Apple Developer ID.\n\n4. Notarization - Using the `api.apple-cloudkit.com` API, Gatekeeper reaches out to Apple servers to verify or pull down the notarization ticket and ensure the ticket is not revoked. Users can override notarization, which will result in a prompt of executing an \u201cunauthorized app\u201d and the security policy will be modified.\n\nAdversaries can subvert one or multiple security controls within Gatekeeper checks through logic errors (e.g. Exploitation for Defense Evasion), unchecked file types, and external libraries. For example, prior to macOS 13 Ventura, code signing and notarization checks were only conducted on first launch, allowing adversaries to write malicious executables to previously opened applications in order to bypass Gatekeeper security checks.\n\nApplications and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the curl command may not set the quarantine flag. Additionally, it is possible to avoid setting the quarantine flag using Drive-by Compromise.",
      "yes/no": "The given description is related to sub technique Gatekeeper Bypass (T1553.001);\nSub technique Gatekeeper Bypass (T1553.001) is a type of technique Subvert Trust Controls (T1553);\nTherefore, the correct answer is no, the given description is not related to technique Initial Access.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: Is technique Persistence related to the following description: Adversaries may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.\n\nAdversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory. Adversaries may extract credentials from memory via Exploitation for Credential Access.\n Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.",
    "context": "",
    "output": "The given description is related to sub technique Password Managers (T1555.005);\nSub technique Password Managers T1555.005 is a type of technique Credentials from Password Stores (T1555);\nTherefore, the correct answer is yes, the given description is related to technique Persistence.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Is technique Persistence related to the following description: Adversaries may acquire user credentials from third-party password managers. Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.\n\nAdversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory. Adversaries may extract credentials from memory via Exploitation for Credential Access.\n Adversaries may also try brute forcing via Password Guessing to obtain the master password of a password manager.",
      "yes/no": "The given description is related to sub technique Password Managers (T1555.005);\nSub technique Password Managers T1555.005 is a type of technique Credentials from Password Stores (T1555);\nTherefore, the correct answer is yes, the given description is related to technique Persistence.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: Is technique Command and Control related to the following description:\n\nAn adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).\n \n\nThis account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\n\nFor example, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.\n\nIn some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to Create Account or modify a victim-owned account.",
    "context": "",
    "output": "The given description is related to sub technique Additional Cloud Roles (T1098.003);\nSub technique Additional Cloud Roles (T1098.003) is a type of technique Account Manipulation (T1098);\nTherefore, the correct answer is yes, the given description is related to technique Command and Control.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Is technique Command and Control related to the following description:\n\nAn adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).\n \n\nThis account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\n\nFor example, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.\n\nIn some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to Create Account or modify a victim-owned account.",
      "yes/no": "The given description is related to sub technique Additional Cloud Roles (T1098.003);\nSub technique Additional Cloud Roles (T1098.003) is a type of technique Account Manipulation (T1098);\nTherefore, the correct answer is yes, the given description is related to technique Command and Control.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: Is technique Command and Control related to the following description:\n\nAdversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.",
    "context": "",
    "output": "The given description is related to sub technique Exfiltration over USB (T1052.001);\nSub technique Exfiltration over USB (T1052.001) is a type of technique Exfiltration Over Physical Medium (T1052);\nTherefore, the correct answer is no, the given description is not related to technique Command and Control.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Is technique Command and Control related to the following description:\n\nAdversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.",
      "yes/no": "The given description is related to sub technique Exfiltration over USB (T1052.001);\nSub technique Exfiltration over USB (T1052.001) is a type of technique Exfiltration Over Physical Medium (T1052);\nTherefore, the correct answer is no, the given description is not related to technique Command and Control.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: Is technique Exfiltration related to the following description: Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an \u201c@\u201d symbol: for example, `hxxp://google.com@1157586937`.\n\nAdversaries may also embed \u201ctracking pixels\u201d, \"web bugs\", or \"web beacons\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address. These mechanisms often appear as small images (typically one pixel in size) or otherwise obfuscated objects and are typically delivered as HTML code containing a link to a remote server.\n\nAdversaries may also be able to spoof a complete website using what is known as a \"browser-in-the-browser\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.\n\nAdversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to perform adversary-in-the-middle phishing by proxying the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., Steal Web Session Cookie) in addition to their username and password. This may enable the adversary to then bypass MFA via Web Session Cookie.\n\nAdversaries may also send a malicious link in the form of Quick Response (QR) Codes (also known as \u201cquishing\u201d). These links may direct a victim to a credential phishing page. By using a QR code, the URL may not be exposed in the email and may thus go undetected by most automated email security scans. These QR codes may be scanned by or delivered directly to a user\u2019s mobile device (i.e., Phishing), which may be less secure in several relevant ways. For example, mobile users may not be able to notice minor differences between genuine and credential harvesting websites due to mobile\u2019s smaller form factor.\n\nFrom the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.",
    "context": "",
    "output": "The given description is related to sub technique Spearphishing Link (T1598.003);\nSub technique Spearphishing Link T1598.003 is a type of technique Phishing for Information (T1598);\nTherefore, the correct answer is no, the given description is not related to technique Exfiltration.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Is technique Exfiltration related to the following description: Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.\n\nAll forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. The given website may be a clone of a legitimate site (such as an online or corporate login portal) or may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an \u201c@\u201d symbol: for example, `hxxp://google.com@1157586937`.\n\nAdversaries may also embed \u201ctracking pixels\u201d, \"web bugs\", or \"web beacons\" within phishing messages to verify the receipt of an email, while also potentially profiling and tracking victim information such as IP address. These mechanisms often appear as small images (typically one pixel in size) or otherwise obfuscated objects and are typically delivered as HTML code containing a link to a remote server.\n\nAdversaries may also be able to spoof a complete website using what is known as a \"browser-in-the-browser\" (BitB) attack. By generating a fake browser popup window with an HTML-based address bar that appears to contain a legitimate URL (such as an authentication portal), they may be able to prompt users to enter their credentials while bypassing typical URL verification methods.\n\nAdversaries can use phishing kits such as `EvilProxy` and `Evilginx2` to perform adversary-in-the-middle phishing by proxying the connection between the victim and the legitimate website. On a successful login, the victim is redirected to the legitimate website, while the adversary captures their session cookie (i.e., Steal Web Session Cookie) in addition to their username and password. This may enable the adversary to then bypass MFA via Web Session Cookie.\n\nAdversaries may also send a malicious link in the form of Quick Response (QR) Codes (also known as \u201cquishing\u201d). These links may direct a victim to a credential phishing page. By using a QR code, the URL may not be exposed in the email and may thus go undetected by most automated email security scans. These QR codes may be scanned by or delivered directly to a user\u2019s mobile device (i.e., Phishing), which may be less secure in several relevant ways. For example, mobile users may not be able to notice minor differences between genuine and credential harvesting websites due to mobile\u2019s smaller form factor.\n\nFrom the fake website, information is gathered in web forms and sent to the adversary. Adversaries may also use information from previous reconnaissance efforts (ex: Search Open Websites/Domains or Search Victim-Owned Websites) to craft persuasive and believable lures.",
      "yes/no": "The given description is related to sub technique Spearphishing Link (T1598.003);\nSub technique Spearphishing Link T1598.003 is a type of technique Phishing for Information (T1598);\nTherefore, the correct answer is no, the given description is not related to technique Exfiltration.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Q: Is technique Collection related to the following description: Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.\n\nJScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.\n\nJavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple\u2019s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple\u2019s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple\u2019s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and AppleScript. Scripts can be executed via the command line utility <code>osascript</code>, they can be compiled into applications or script files via <code>osacompile</code>, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.\n\nAdversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of Obfuscated Files or Information.\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "The given description is related to sub technique JavaScript (T1059.007);\nSub technique JavaScript T1059.007 is a type of technique Command and Scripting Interpreter (T1059);\nTherefore, the correct answer is yes, the given description is related to technique Collection.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Is technique Collection related to the following description: Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.\n\nJScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the Component Object Model and Internet Explorer HTML Application (HTA) pages.\n\nJavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple\u2019s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple\u2019s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple\u2019s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and AppleScript. Scripts can be executed via the command line utility <code>osascript</code>, they can be compiled into applications or script files via <code>osacompile</code>, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.\n\nAdversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a Drive-by Compromise or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of Obfuscated Files or Information.",
      "yes/no": "The given description is related to sub technique JavaScript (T1059.007);\nSub technique JavaScript T1059.007 is a type of technique Command and Scripting Interpreter (T1059);\nTherefore, the correct answer is yes, the given description is related to technique Collection.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: Is technique Collection related to the following description: Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\n\nAdversaries may scan IP blocks in order to Gather Victim Network Information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts. Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services).",
    "context": "",
    "output": "The given description is related to sub technique Scanning IP Blocks (T1595.001);\nSub technique Scanning IP Blocks T1595.001 is a type of technique Active Scanning (T1595);\nTherefore, the correct answer is no, the given description is not related to technique Collection.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Is technique Collection related to the following description: Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.\n\nAdversaries may scan IP blocks in order to Gather Victim Network Information, such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts. Information from these scans may reveal opportunities for other forms of reconnaissance (ex: Search Open Websites/Domains or Search Open Technical Databases), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: External Remote Services).",
      "yes/no": "The given description is related to sub technique Scanning IP Blocks (T1595.001);\nSub technique Scanning IP Blocks T1595.001 is a type of technique Active Scanning (T1595);\nTherefore, the correct answer is no, the given description is not related to technique Collection.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Q: Is technique Defense Evasion related to the following description:\n\nAdversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.\n\nAdversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running <code>verclsid.exe /S /C {CLSID}</code>, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to Regsvr32). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "The given description is related to sub technique Verclsid (T1218.012);\nSub technique Verclsid (T1218.012) is a type of technique System Binary Proxy Execution (T1218);\nTherefore, the correct answer is yes, the given description is related to technique Defense Evasion.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Is technique Defense Evasion related to the following description:\n\nAdversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.\n\nAdversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running <code>verclsid.exe /S /C {CLSID}</code>, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to Regsvr32). Since the binary may be signed and/or native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.",
      "yes/no": "The given description is related to sub technique Verclsid (T1218.012);\nSub technique Verclsid (T1218.012) is a type of technique System Binary Proxy Execution (T1218);\nTherefore, the correct answer is yes, the given description is related to technique Defense Evasion.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: Is technique Lateral Movement related to the following description:\n\nAdversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n\nRemote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). \n\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features or Terminal Services DLL for Persistence.",
    "context": "",
    "output": "The given description is related to sub technique Remote Desktop Protocol (T1021.001);\nSub technique Remote Desktop Protocol (T1021.001) is a type of technique Remote Services (T1021);\nTherefore, the correct answer is yes, the given description is related to technique Lateral Movement.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Is technique Lateral Movement related to the following description:\n\nAdversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.\n\nRemote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). \n\nAdversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features or Terminal Services DLL for Persistence.",
      "yes/no": "The given description is related to sub technique Remote Desktop Protocol (T1021.001);\nSub technique Remote Desktop Protocol (T1021.001) is a type of technique Remote Services (T1021);\nTherefore, the correct answer is yes, the given description is related to technique Lateral Movement.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: Is technique Resource Development related to the following description: Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. \n\nAdversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through ROMMONkit or Patch System Image.\n\nMany cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.\n\nAdversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture, or Adversary-in-the-Middle depending on the goals and objectives of the adversary.",
    "context": "",
    "output": "The given description is related to sub technique Traffic Duplication (T1020.001);\nSub technique Traffic Duplication (T1020.001) is a type of technique Automated Exfiltration (T1020);\nTherefore, the correct answer is no, the given description is not related to technique Resource Development.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Is technique Resource Development related to the following description: Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised infrastructure. Traffic mirroring is a native feature for some devices, often used for network analysis. For example, devices may be configured to forward network traffic to one or more destinations for analysis by a network analyzer or other monitoring device. \n\nAdversaries may abuse traffic mirroring to mirror or redirect network traffic through other infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through ROMMONkit or Patch System Image.\n\nMany cloud-based environments also support traffic mirroring. For example, AWS Traffic Mirroring, GCP Packet Mirroring, and Azure vTap allow users to define specified instances to collect traffic from and specified targets to send collected traffic to.\n\nAdversaries may use traffic duplication in conjunction with Network Sniffing, Input Capture, or Adversary-in-the-Middle depending on the goals and objectives of the adversary.",
      "yes/no": "The given description is related to sub technique Traffic Duplication (T1020.001);\nSub technique Traffic Duplication (T1020.001) is a type of technique Automated Exfiltration (T1020);\nTherefore, the correct answer is no, the given description is not related to technique Resource Development.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_technique_mapping_CoT"
    }
  }
]