[
  {
    "instruction": "What are the platforms that are related to the following technique description: Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.",
    "context": "",
    "output": "The provided description is related to MITRE technique Application Layer Protocol: Mail Protocols (T1071.003);\nTechnique Application Layer Protocol: Mail Protocols (T1071.003) is applicable to platforms: Network,  Windows,  macOS, Linux;\nTherefore, the given procedure description is related to platforms: Network,  Windows,  macOS, Linux.",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform",
    "parsed_raw_data": {
      "question": "What are the platforms that are related to the following technique description: Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nProtocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments.  Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.",
      "answer": "The provided description is related to MITRE technique Application Layer Protocol: Mail Protocols (T1071.003);\nTechnique Application Layer Protocol: Mail Protocols (T1071.003) is applicable to platforms: Network,  Windows,  macOS, Linux;\nTherefore, the given procedure description is related to platforms: Network,  Windows,  macOS, Linux.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform"
    }
  },
  {
    "instruction": "Which platforms are related to the following technique description: Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API).\n\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.\n\nThe Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.\n\nThe Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows Native API which is called from functions like `LoadLibrary` at run time.",
    "context": "",
    "output": "The provided description is related to MITRE technique Shared Modules (T1129);\nTechnique Shared Modules (T1129) is applicable to platforms: Windows,  macOS, Linux;\nTherefore, the given procedure description is related to platforms: Windows,  macOS, Linux.",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform",
    "parsed_raw_data": {
      "question": "Which platforms are related to the following technique description: Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API).\n\nAdversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, adversaries can modularize functionality of their malware into shared objects that perform various functions such as managing C2 network communications or execution of specific actions on objective.\n\nThe Linux & macOS module loader can load and execute shared objects from arbitrary local paths. This functionality resides in `dlfcn.h` in functions such as `dlopen` and `dlsym`. Although macOS can execute `.so` files, common practice uses `.dylib` files.\n\nThe Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in `NTDLL.dll` and is part of the Windows Native API which is called from functions like `LoadLibrary` at run time.",
      "answer": "The provided description is related to MITRE technique Shared Modules (T1129);\nTechnique Shared Modules (T1129) is applicable to platforms: Windows,  macOS, Linux;\nTherefore, the given procedure description is related to platforms: Windows,  macOS, Linux.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform"
    }
  },
  {
    "instruction": "What are the platforms that are related to the following technique description: Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.",
    "context": "",
    "output": "The provided description is related to MITRE technique Obfuscated Files or Information: Indicator Removal from Tools (T1027.005);\nTechnique Obfuscated Files or Information: Indicator Removal from Tools (T1027.005) is applicable to platforms: Windows,  macOS, Linux;\nTherefore, the given procedure description is related to platforms: Windows,  macOS, Linux.",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform",
    "parsed_raw_data": {
      "question": "What are the platforms that are related to the following technique description: Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.",
      "answer": "The provided description is related to MITRE technique Obfuscated Files or Information: Indicator Removal from Tools (T1027.005);\nTechnique Obfuscated Files or Information: Indicator Removal from Tools (T1027.005) is applicable to platforms: Windows,  macOS, Linux;\nTherefore, the given procedure description is related to platforms: Windows,  macOS, Linux.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform"
    }
  },
  {
    "instruction": "What are the platforms that are related to the following technique description: Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification.  Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API.  Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.  \n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.  Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.",
    "context": "",
    "output": "The provided description is related to MITRE technique Modify Registry (T1112);\nTechnique Modify Registry (T1112) is applicable to platforms: Windows;\nTherefore, the given procedure description is related to platforms: Windows.",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform",
    "parsed_raw_data": {
      "question": "What are the platforms that are related to the following technique description: Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.\n\nAccess to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification.  Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.\n\nRegistry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API.  Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence.  \n\nThe Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system.  Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.",
      "answer": "The provided description is related to MITRE technique Modify Registry (T1112);\nTechnique Modify Registry (T1112) is applicable to platforms: Windows;\nTherefore, the given procedure description is related to platforms: Windows.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform"
    }
  },
  {
    "instruction": "Which platforms are related to the following technique description: Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nFor example, on Windows adversaries can access clipboard data by using <code>clip.exe</code> or <code>Get-Clipboard</code>. Additionally, adversaries may monitor then replace users\u2019 clipboard with their data (e.g., Transmitted Data Manipulation).\n\nmacOS and Linux also have commands, such as <code>pbpaste</code>, to grab clipboard contents.",
    "context": "",
    "output": "The provided description is related to MITRE technique Clipboard Data (T1115);\nTechnique Clipboard Data (T1115) is applicable to platforms: Windows,  macOS, Linux;\nTherefore, the given procedure description is related to platforms: Windows,  macOS, Linux.",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform",
    "parsed_raw_data": {
      "question": "Which platforms are related to the following technique description: Adversaries may collect data stored in the clipboard from users copying information within or between applications. \n\nFor example, on Windows adversaries can access clipboard data by using <code>clip.exe</code> or <code>Get-Clipboard</code>. Additionally, adversaries may monitor then replace users\u2019 clipboard with their data (e.g., Transmitted Data Manipulation).\n\nmacOS and Linux also have commands, such as <code>pbpaste</code>, to grab clipboard contents.",
      "answer": "The provided description is related to MITRE technique Clipboard Data (T1115);\nTechnique Clipboard Data (T1115) is applicable to platforms: Windows,  macOS, Linux;\nTherefore, the given procedure description is related to platforms: Windows,  macOS, Linux.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform"
    }
  },
  {
    "instruction": "Which platforms are related to the following technique description: Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nMost Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform\u2019s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: <code>chown</code> (short for change owner), and <code>chmod</code> (short for change mode).\n\nAdversaries may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Unix Shell Configuration Modification or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.",
    "context": "",
    "output": "The provided description is related to MITRE technique File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (T1222.002);\nTechnique File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (T1222.002) is applicable to platforms: macOS, Linux;\nTherefore, the given procedure description is related to platforms: macOS, Linux.",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform",
    "parsed_raw_data": {
      "question": "Which platforms are related to the following technique description: Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).\n\nMost Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform\u2019s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: <code>chown</code> (short for change owner), and <code>chmod</code> (short for change mode).\n\nAdversaries may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via Unix Shell Configuration Modification or tainting/hijacking other instrumental binary/configuration files via Hijack Execution Flow.",
      "answer": "The provided description is related to MITRE technique File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (T1222.002);\nTechnique File and Directory Permissions Modification: Linux and Mac File and Directory Permissions Modification (T1222.002) is applicable to platforms: macOS, Linux;\nTherefore, the given procedure description is related to platforms: macOS, Linux.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform"
    }
  },
  {
    "instruction": "Which platforms are related to the following technique description: Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes. Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.",
    "context": "",
    "output": "The provided description is related to MITRE technique Input Capture: Keylogging (T1056.001);\nTechnique Input Capture: Keylogging (T1056.001) is applicable to platforms: Network,  Windows,  macOS, Linux;\nTherefore, the given procedure description is related to platforms: Network,  Windows,  macOS, Linux.",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform",
    "parsed_raw_data": {
      "question": "Which platforms are related to the following technique description: Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.\n\nKeylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes. Some methods include:\n\n* Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.\n* Reading raw keystroke data from the hardware buffer.\n* Windows Registry modifications.\n* Custom drivers.\n* Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.",
      "answer": "The provided description is related to MITRE technique Input Capture: Keylogging (T1056.001);\nTechnique Input Capture: Keylogging (T1056.001) is applicable to platforms: Network,  Windows,  macOS, Linux;\nTherefore, the given procedure description is related to platforms: Network,  Windows,  macOS, Linux.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform"
    }
  },
  {
    "instruction": "What are the platforms that are related to the following technique description: Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.",
    "context": "",
    "output": "The provided description is related to MITRE technique Obfuscated Files or Information: Indicator Removal from Tools (T1027.005);\nTechnique Obfuscated Files or Information: Indicator Removal from Tools (T1027.005) is applicable to platforms: Windows,  macOS, Linux;\nTherefore, the given procedure description is related to platforms: Windows,  macOS, Linux.",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform",
    "parsed_raw_data": {
      "question": "What are the platforms that are related to the following technique description: Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.\n\nA good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.",
      "answer": "The provided description is related to MITRE technique Obfuscated Files or Information: Indicator Removal from Tools (T1027.005);\nTechnique Obfuscated Files or Information: Indicator Removal from Tools (T1027.005) is applicable to platforms: Windows,  macOS, Linux;\nTherefore, the given procedure description is related to platforms: Windows,  macOS, Linux.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform"
    }
  },
  {
    "instruction": "Which platforms are related to the following technique description: Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.",
    "context": "",
    "output": "The provided description is related to MITRE technique Encrypted Channel: Symmetric Cryptography (T1573.001);\nTechnique Encrypted Channel: Symmetric Cryptography (T1573.001) is applicable to platforms: Network,  Windows,  macOS, Linux;\nTherefore, the given procedure description is related to platforms: Network,  Windows,  macOS, Linux.",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform",
    "parsed_raw_data": {
      "question": "Which platforms are related to the following technique description: Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.",
      "answer": "The provided description is related to MITRE technique Encrypted Channel: Symmetric Cryptography (T1573.001);\nTechnique Encrypted Channel: Symmetric Cryptography (T1573.001) is applicable to platforms: Network,  Windows,  macOS, Linux;\nTherefore, the given procedure description is related to platforms: Network,  Windows,  macOS, Linux.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform"
    }
  },
  {
    "instruction": "What are the platforms that are related to the following technique description: Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\n\nAdversaries may also use the same icon of the file they are trying to mimic.",
    "context": "",
    "output": "The provided description is related to MITRE technique Masquerading: Match Legitimate Name or Location (T1036.005);\nTechnique Masquerading: Match Legitimate Name or Location (T1036.005) is applicable to platforms: Linux,  Windows,  macOS, Containers;\nTherefore, the given procedure description is related to platforms: Linux,  Windows,  macOS, Containers.",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform",
    "parsed_raw_data": {
      "question": "What are the platforms that are related to the following technique description: Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\n\nAdversaries may also use the same icon of the file they are trying to mimic.",
      "answer": "The provided description is related to MITRE technique Masquerading: Match Legitimate Name or Location (T1036.005);\nTechnique Masquerading: Match Legitimate Name or Location (T1036.005) is applicable to platforms: Linux,  Windows,  macOS, Containers;\nTherefore, the given procedure description is related to platforms: Linux,  Windows,  macOS, Containers.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_platform_mapping_CoT_procedure_platform"
    }
  }
]