[
  {
    "instruction": "Which technique is related to the following description:\nAdversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nScripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e \"script here\"</code>. Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding <code>#!/usr/bin/osascript</code> to the start of the script file.\n\nAppleScripts do not need to call <code>osascript</code> to execute. However, they may be executed from within mach-O binaries by using the macOS Native APIs\u00a0<code>NSAppleScript</code>\u00a0or\u00a0<code>OSAScript</code>, both of which execute code independent of the <code>/usr/bin/osascript</code> command line utility.\n\nAdversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute Native APIs, which otherwise would require compilation and execution in a mach-O binary file format. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via Python.",
    "context": "",
    "output": "The given description is related to sub technique AppleScript (T1059.002);\nsub technique AppleScript (T1059.002) is a type of technique Command and Scripting Interpreter (T1059);\nTherefore, the given description is related to technique Command and Scripting Interpreter (T1059).",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which technique is related to the following description:\nAdversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents. These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.\n\nScripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e \"script here\"</code>. Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding <code>#!/usr/bin/osascript</code> to the start of the script file.\n\nAppleScripts do not need to call <code>osascript</code> to execute. However, they may be executed from within mach-O binaries by using the macOS Native APIs\u00a0<code>NSAppleScript</code>\u00a0or\u00a0<code>OSAScript</code>, both of which execute code independent of the <code>/usr/bin/osascript</code> command line utility.\n\nAdversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they're already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute Native APIs, which otherwise would require compilation and execution in a mach-O binary file format. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via Python.",
      "answer": "The given description is related to sub technique AppleScript (T1059.002);\nsub technique AppleScript (T1059.002) is a type of technique Command and Scripting Interpreter (T1059);\nTherefore, the given description is related to technique Command and Scripting Interpreter (T1059).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Which technique is related to the following description: Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).\n\nAdversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers. To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server. \n\nMicrosoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.). Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.",
    "context": "",
    "output": "The given description is related to sub technique SQL Stored Procedures (T1505.001);\nsub technique SQL Stored Procedures (T1505.001) is a type of technique Server Software Component (T1505);\nTherefore, the given description is related to technique Server Software Component (T1505).",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which technique is related to the following description: Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).\n\nAdversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers. To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server. \n\nMicrosoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.). Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.",
      "answer": "The given description is related to sub technique SQL Stored Procedures (T1505.001);\nsub technique SQL Stored Procedures (T1505.001) is a type of technique Server Software Component (T1505);\nTherefore, the given description is related to technique Server Software Component (T1505).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Which technique is related to the following description: Adversaries may compromise access to third-party web services\u00a0that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.",
    "context": "",
    "output": "The given description is related to sub technique Web Services (T1584.006);\nsub technique Web Services (T1584.006) is a type of technique Compromise Infrastructure (T1584);\nTherefore, the given description is related to technique Compromise Infrastructure (T1584).",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which technique is related to the following description: Adversaries may compromise access to third-party web services\u00a0that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, SendGrid, etc. Adversaries may try to take ownership of a legitimate user's access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service), Exfiltration Over Web Service, or Phishing. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them. Additionally, leveraging compromised web-based email services may allow adversaries to leverage the trust associated with legitimate domains.",
      "answer": "The given description is related to sub technique Web Services (T1584.006);\nsub technique Web Services (T1584.006) is a type of technique Compromise Infrastructure (T1584);\nTherefore, the given description is related to technique Compromise Infrastructure (T1584).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Which technique is related to the following description:\nAdversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface. Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data. Adversaries have also been observed leveraging third-party drivers like RawDisk to directly access disk content. This behavior is distinct from Data Destruction because sections of the disk are erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.",
    "context": "",
    "output": "The given description is related to sub technique Disk Content Wipe (T1561.001);\nsub technique Disk Content Wipe (T1561.001) is a type of technique Disk Wipe (T1561);\nTherefore, the given description is related to technique Disk Wipe (T1561).",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which technique is related to the following description:\nAdversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface. Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data. Adversaries have also been observed leveraging third-party drivers like RawDisk to directly access disk content. This behavior is distinct from Data Destruction because sections of the disk are erased instead of individual files.\n\nTo maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.",
      "answer": "The given description is related to sub technique Disk Content Wipe (T1561.001);\nsub technique Disk Content Wipe (T1561.001) is a type of technique Disk Wipe (T1561);\nTherefore, the given description is related to technique Disk Wipe (T1561).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Which technique is related to the following description:\nAdversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.\n\nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe\n* gsecdump\n* Mimikatz\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with Reg:\n\n* <code>reg save HKLM\\sam sam</code>\n* <code>reg save HKLM\\system system</code>\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes.\n\nNotes: \n\n* RID 500 account is the local, built-in administrator.\n* RID 501 is the guest account.\n* User accounts start with a RID of 1,000+.",
    "context": "",
    "output": "The given description is related to sub technique Security Account Manager (T1003.002);\nsub technique Security Account Manager (T1003.002) is a type of technique OS Credential Dumping (T1003);\nTherefore, the given description is related to technique OS Credential Dumping (T1003).",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which technique is related to the following description:\nAdversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.\n\nA number of tools can be used to retrieve the SAM file through in-memory techniques:\n\n* pwdumpx.exe\n* gsecdump\n* Mimikatz\n* secretsdump.py\n\nAlternatively, the SAM can be extracted from the Registry with Reg:\n\n* <code>reg save HKLM\\sam sam</code>\n* <code>reg save HKLM\\system system</code>\n\nCreddump7 can then be used to process the SAM database locally to retrieve hashes.\n\nNotes: \n\n* RID 500 account is the local, built-in administrator.\n* RID 501 is the guest account.\n* User accounts start with a RID of 1,000+.",
      "answer": "The given description is related to sub technique Security Account Manager (T1003.002);\nsub technique Security Account Manager (T1003.002) is a type of technique OS Credential Dumping (T1003);\nTherefore, the given description is related to technique OS Credential Dumping (T1003).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Which technique is related to the following description:\nAdversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place.\n\nThe rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path <code>/private/var/db/emondClients</code>, specified in the Launch Daemon configuration file at <code>/System/Library/LaunchDaemons/com.apple.emond.plist</code>.\n\nAdversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication. Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the Launch Daemon service.",
    "context": "",
    "output": "The given description is related to sub technique Emond (T1546.014);\nsub technique Emond (T1546.014) is a type of technique Event Triggered Execution (T1546);\nTherefore, the given description is related to technique Event Triggered Execution (T1546).",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which technique is related to the following description:\nAdversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a Launch Daemon that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place.\n\nThe rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path <code>/private/var/db/emondClients</code>, specified in the Launch Daemon configuration file at <code>/System/Library/LaunchDaemons/com.apple.emond.plist</code>.\n\nAdversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication. Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the Launch Daemon service.",
      "answer": "The given description is related to sub technique Emond (T1546.014);\nsub technique Emond (T1546.014) is a type of technique Event Triggered Execution (T1546);\nTherefore, the given description is related to technique Event Triggered Execution (T1546).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Which technique is related to the following description:\nAdversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\n\nMost cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance. A cloud metadata API has been used in at least one high profile compromise.\n\nIf adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, adversaries may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows them to gain access to the sensitive information via a request to the Instance Metadata API.\n\nThe de facto standard across cloud service providers is to host the Instance Metadata API at <code>http://169.254.169.254</code>.",
    "context": "",
    "output": "The given description is related to sub technique Cloud Instance Metadata API (T1552.005);\nsub technique Cloud Instance Metadata API (T1552.005) is a type of technique Unsecured Credentials (T1552);\nTherefore, the given description is related to technique Unsecured Credentials (T1552).",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which technique is related to the following description:\nAdversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.\n\nMost cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance. A cloud metadata API has been used in at least one high profile compromise.\n\nIf adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, adversaries may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows them to gain access to the sensitive information via a request to the Instance Metadata API.\n\nThe de facto standard across cloud service providers is to host the Instance Metadata API at <code>http://169.254.169.254</code>.",
      "answer": "The given description is related to sub technique Cloud Instance Metadata API (T1552.005);\nsub technique Cloud Instance Metadata API (T1552.005) is a type of technique Unsecured Credentials (T1552);\nTherefore, the given description is related to technique Unsecured Credentials (T1552).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Which technique is related to the following description: Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. \n\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value.  \n\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process\u2019s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process\u2019s EWM.\n\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as <code>WriteProcessMemory</code> and <code>CreateRemoteThread</code>. More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process.\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process.",
    "context": "",
    "output": "The given description is related to sub technique Extra Window Memory Injection (T1055.011);\nsub technique Extra Window Memory Injection (T1055.011) is a type of technique Process Injection (T1055);\nTherefore, the given description is related to technique Process Injection (T1055).",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which technique is related to the following description: Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process. \n\nBefore creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value.  \n\nAlthough small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process\u2019s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process\u2019s EWM.\n\nExecution granted through EWM injection may allow access to both the target process's memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as <code>WriteProcessMemory</code> and <code>CreateRemoteThread</code>. More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process.\n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process.",
      "answer": "The given description is related to sub technique Extra Window Memory Injection (T1055.011);\nsub technique Extra Window Memory Injection (T1055.011) is a type of technique Process Injection (T1055);\nTherefore, the given description is related to technique Process Injection (T1055).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Which technique is related to the following description: Adversaries may compromise numerous third-party systems to form a botnet\u00a0that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).",
    "context": "",
    "output": "The given description is related to sub technique Botnet (T1584.005);\nsub technique Botnet (T1584.005) is a type of technique Compromise Infrastructure (T1584);\nTherefore, the given description is related to technique Compromise Infrastructure (T1584).",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which technique is related to the following description: Adversaries may compromise numerous third-party systems to form a botnet\u00a0that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks. Instead of purchasing/renting a botnet from a booter/stresser service, adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale Phishing or Distributed Denial of Service (DDoS).",
      "answer": "The given description is related to sub technique Botnet (T1584.005);\nsub technique Botnet (T1584.005) is a type of technique Compromise Infrastructure (T1584);\nTherefore, the given description is related to technique Compromise Infrastructure (T1584).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_mapping_CoT"
    }
  },
  {
    "instruction": "Which technique is related to the following description: Adversaries may install an older version of the operating system of a network device to weaken security.  Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. \n\nOn embedded devices, downgrading the version typically only requires replacing the operating system file in storage.  With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart.  The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.\n\nDowngrading the system image to an older version may allow an adversary to evade defenses by enabling behaviors such as Weaken Encryption.  Downgrading of a system image can be done on its own, or it can be used in conjunction with Patch System Image.",
    "context": "",
    "output": "The given description is related to sub technique Downgrade System Image (T1601.002);\nsub technique Downgrade System Image (T1601.002) is a type of technique Modify System Image (T1601);\nTherefore, the given description is related to technique Modify System Image (T1601).",
    "category": "MitreFlan",
    "instruction_type": "cot_technique_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which technique is related to the following description: Adversaries may install an older version of the operating system of a network device to weaken security.  Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. \n\nOn embedded devices, downgrading the version typically only requires replacing the operating system file in storage.  With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart.  The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.\n\nDowngrading the system image to an older version may allow an adversary to evade defenses by enabling behaviors such as Weaken Encryption.  Downgrading of a system image can be done on its own, or it can be used in conjunction with Patch System Image.",
      "answer": "The given description is related to sub technique Downgrade System Image (T1601.002);\nsub technique Downgrade System Image (T1601.002) is a type of technique Modify System Image (T1601);\nTherefore, the given description is related to technique Modify System Image (T1601).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_technique_mapping_CoT"
    }
  }
]