[
  {
    "instruction": "Background Execution: The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.\n System Services: Launchctl: Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.\n\nAdversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: <code>launchctl load</code>, <code>launchctl unload</code>, and <code>launchctl start</code>. Adversaries can use scripts or manually run the commands <code>launchctl load -w \"%s/Library/LaunchAgents/%s\"</code> or <code>/bin/launchctl load</code> to execute Launch Agents or Launch Daemons.\nQ: Is System Services: Launchctl a type of Discovery.\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "No",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_two_background_tactics_techniques",
    "parsed_raw_data": {
      "background": "Execution: The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.\n System Services: Launchctl: Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.\n\nAdversaries use launchctl to execute commands and programs as Launch Agents or Launch Daemons. Common subcommands include: <code>launchctl load</code>,<code>launchctl unload</code>, and <code>launchctl start</code>. Adversaries can use scripts or manually run the commands <code>launchctl load -w \"%s/Library/LaunchAgents/%s\"</code> or <code>/bin/launchctl load</code> to execute Launch Agents or Launch Daemons.",
      "question": "Is System Services: Launchctl a type of Discovery",
      "yes/no": "No",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_two_background_tactics_techniques"
    }
  },
  {
    "instruction": "Q: Is System Location Discovery: System Language Discovery related to Defense Evasion.\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "No",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_two_background_tactics_techniques",
    "parsed_raw_data": {
      "background": "Discovery: The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques an adversary may use to gain knowledge about the system and internal network. These techniques help adversaries observe the environment and orient themselves before deciding how to act. They also allow adversaries to explore what they can control and what\u2019s around their entry point in order to discover how it could benefit their current objective. Native operating system tools are often used toward this post-compromise information-gathering objective.\n System Location Discovery: System Language Discovery: Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.\n\nThere are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions. \n\nFor example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language</code> or parsing the outputs of Windows API functions <code>GetUserDefaultUILanguage</code>, <code>GetSystemDefaultUILanguage</code>, <code>GetKeyboardLayoutList</code> and <code>GetUserDefaultLangID</code>.\n\nOn a macOS or Linux system, adversaries may query <code>locale</code> to retrieve the value of the <code>$LANG</code> environment variable.",
      "question": "Is System Location Discovery: System Language Discovery related to Defense Evasion",
      "yes/no": "No",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_two_background_tactics_techniques"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: Is Office Application Startup a type of Credential Access",
    "context": "",
    "output": "No.\nThe provided context is correlated with Persistence",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_two_background_tactics_techniques",
    "parsed_raw_data": {
      "background": "Persistence: The adversary is trying to maintain their foothold.\n\nPersistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.\n Office Application Startup: Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.\n\nA variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page. These persistence mechanisms can work within Outlook or be used through Office 365.",
      "question": "Is Office Application Startup a type of Credential Access",
      "yes/no": "No.\nThe provided context is correlated with Persistence",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_two_background_tactics_techniques"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: Is Remote Services: Distributed Component Object Model a type of Lateral Movement",
    "context": "",
    "output": "Yes",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_two_background_tactics_techniques",
    "parsed_raw_data": {
      "background": "Lateral Movement: The adversary is trying to move through your environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.\n Remote Services: Distributed Component Object Model: Adversaries may use Valid Accounts to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.\n\nThe Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.\n\nPermissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. By default, only Administrators may remotely activate and launch COM objects through DCOM.\n\nThrough DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications as well as other Windows objects that contain insecure methods. DCOM can also execute macros in existing documents and may also invoke Dynamic Data Exchange (DDE) execution directly through a COM created instance of a Microsoft Office application, bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with Windows Management Instrumentation.",
      "question": "Is Remote Services: Distributed Component Object Model a type of Lateral Movement",
      "yes/no": "Yes",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_two_background_tactics_techniques"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: Is Remote Services a type of Credential Access",
    "context": "",
    "output": "No.\nThe correct answer is Lateral Movement",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_two_background_tactics_techniques",
    "parsed_raw_data": {
      "background": "Lateral Movement: The adversary is trying to move through your environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.\n Remote Services: Adversaries may use Valid Accounts to log into a service that accepts remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.\n\nIn an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP). They could also login to accessible SaaS or IaaS services, such as those that federate their identities to the domain. \n\nLegitimate applications (such as Software Deployment Tools and other administrative programs) may utilize Remote Services to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including VNC to send the screen and control buffers and SSH for secure file transfer. Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.",
      "question": "Is Remote Services a type of Credential Access",
      "yes/no": "No.\nThe correct answer is Lateral Movement",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_two_background_tactics_techniques"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: Is Application Layer Protocol: File Transfer Protocols related to Lateral Movement",
    "context": "",
    "output": "No.\nThe correct answer is Command and Control",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_two_background_tactics_techniques",
    "parsed_raw_data": {
      "background": "Command and Control: The adversary is trying to communicate with compromised systems to control them.\n\nCommand and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network. Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. There are many ways an adversary can establish command and control with various levels of stealth depending on the victim\u2019s network structure and defenses.\n Application Layer Protocol: File Transfer Protocols: Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMB, FTP, FTPS, and TFTP that transfer files may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.",
      "question": "Is Application Layer Protocol: File Transfer Protocols related to Lateral Movement",
      "yes/no": "No.\nThe correct answer is Command and Control",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_two_background_tactics_techniques"
    }
  },
  {
    "instruction": "Background Lateral Movement: The adversary is trying to move through your environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.\n Taint Shared Content: Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\n\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses Shortcut Modification of directory .LNK files that use Masquerading to look like the real directories, which are hidden through Hidden Files and Directories. The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. \n\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.\nQ: Is Taint Shared Content a type of Lateral Movement.\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "Yes",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_two_background_tactics_techniques",
    "parsed_raw_data": {
      "background": "Lateral Movement: The adversary is trying to move through your environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.\n Taint Shared Content: Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.\n\nA directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses Shortcut Modification of directory .LNK files that use Masquerading to look like the real directories, which are hidden through Hidden Files and Directories. The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user's expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. \n\nAdversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.",
      "question": "Is Taint Shared Content a type of Lateral Movement",
      "yes/no": "Yes",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_two_background_tactics_techniques"
    }
  },
  {
    "instruction": "Background Collection: The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.\n Data from Configuration Repository: Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.\n\nAdversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.\nQ: Is Data from Configuration Repository a type of Initial Access.\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "No.\nThe provided context is correlated with Collection",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_two_background_tactics_techniques",
    "parsed_raw_data": {
      "background": "Collection: The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary's objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.\n Data from Configuration Repository: Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.\n\nAdversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.",
      "question": "Is Data from Configuration Repository a type of Initial Access",
      "yes/no": "No.\nThe provided context is correlated with Collection",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_two_background_tactics_techniques"
    }
  },
  {
    "instruction": "Q: Is Data from Removable Media a type of Initial Access.\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "No.\nThe provided context is correlated with Persistence",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_two_background_tactics_techniques",
    "parsed_raw_data": {
      "background": "Persistence: The adversary is trying to maintain their foothold.\n\nPersistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.\n Data from Removable Media: Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within cmd may be used to gather information. \n\nSome adversaries may also use Automated Collection on removable media.",
      "question": "Is Data from Removable Media a type of Initial Access",
      "yes/no": "No.\nThe provided context is correlated with Persistence",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_two_background_tactics_techniques"
    }
  },
  {
    "instruction": "Background Persistence: The adversary is trying to maintain their foothold.\n\nPersistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.\n Pre-OS Boot: Bootkit: Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\n\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. \n\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.\nAnswer in Yes or No.\n\nQuestion: Is Pre-OS Boot: Bootkit related to Persistence",
    "context": "",
    "output": "Yes",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_two_background_tactics_techniques",
    "parsed_raw_data": {
      "background": "Persistence: The adversary is trying to maintain their foothold.\n\nPersistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.\n Pre-OS Boot: Bootkit: Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.\n\nA bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR).  The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. \n\nThe MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.",
      "question": "Is Pre-OS Boot: Bootkit related to Persistence",
      "yes/no": "Yes",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_two_background_tactics_techniques"
    }
  }
]