[
  {
    "instruction": "What are some techniques to mitigate T1037.002 (Login Hook)?",
    "context": "",
    "output": "You can mitigate Login Hook (T1037.002) by:\n\n* A file created for the purposes of deceiving an adversary.\n\n* A Decoy Object is created and deployed for the purposes of deceiving attackers.\n\n* Executing or opening a file in a synthetic \"sandbox\" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.\n\n* Emulating instructions in a file looking for specific patterns.\n\n* Using a digital signature to authenticate a file before opening.\n\n* Blocking the execution of files on a host in accordance with defined application policy rules.\n\n* Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files.\n\n* File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc.\n\n* Employing a pattern matching algorithm to statically analyze the content of files.\n\n* Employing a pattern matching rule language to analyze the content of files.\n\n* Encrypting a file using a cryptographic key.\n\n* File eviction techniques evict files from system storage.\n\n* Employing file hash comparisons to detect known malware.\n\n* Detecting any suspicious changes to files in a computer system.\n\n* The file removal technique deletes malicious artifacts or programs from a computer system.\n\n* Restricting access to a local file by configuring operating system functionality.\n\n* Hardening components of a Platform with the intention of making them more difficult to exploit. Platforms include components such as: * BIOS UEFI Subsystems * Hardware security devices such as Trusted Platform Modules * Boot process logic or code * Kernel software components\n\n* Monitoring platform components such as operating systems software, hardware devices, or firmware.\n\n* Restoring a file for an entity to access.\n\n* Restoring an object for an entity to access. This is the broadest class for object restoral.\n\nBy utilizing these methods, you can mitigate Login Hook (T1037.002) effectively.",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_open",
    "parsed_raw_data": {
      "ddmo_mitigate_detect": "mitigate",
      "ddmo_node_name": "T1037.002 (Login Hook)",
      "ddmo_explanation": "You can mitigate Login Hook (T1037.002) by:\n\n* A file created for the purposes of deceiving an adversary.\n\n* A Decoy Object is created and deployed for the purposes of deceiving attackers.\n\n* Executing or opening a file in a synthetic \"sandbox\" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.\n\n* Emulating instructions in a file looking for specific patterns.\n\n* Using a digital signature to authenticate a file before opening.\n\n* Blocking the execution of files on a host in accordance with defined application policy rules.\n\n* Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files.\n\n* File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc.\n\n* Employing a pattern matching algorithm to statically analyze the content of files.\n\n* Employing a pattern matching rule language to analyze the content of files.\n\n* Encrypting a file using a cryptographic key.\n\n* File eviction techniques evict files from system storage.\n\n* Employing file hash comparisons to detect known malware.\n\n* Detecting any suspicious changes to files in a computer system.\n\n* The file removal technique deletes malicious artifacts or programs from a computer system.\n\n* Restricting access to a local file by configuring operating system functionality.\n\n* Hardening components of a Platform with the intention of making them more difficult to exploit. Platforms include components such as: * BIOS UEFI Subsystems * Hardware security devices such as Trusted Platform Modules * Boot process logic or code * Kernel software components\n\n* Monitoring platform components such as operating systems software, hardware devices, or firmware.\n\n* Restoring a file for an entity to access.\n\n* Restoring an object for an entity to access. This is the broadest class for object restoral.\n\nBy utilizing these methods, you can mitigate Login Hook (T1037.002) effectively.",
      "mitigations": [
        "A file created for the purposes of deceiving an adversary.",
        "A Decoy Object is created and deployed for the purposes of deceiving attackers.",
        "Executing or opening a file in a synthetic \"sandbox\" environment to determine if the file is a malicious program or if the file exploits another program such as a document reader.",
        "Emulating instructions in a file looking for specific patterns.",
        "Using a digital signature to authenticate a file before opening.",
        "Blocking the execution of files on a host in accordance with defined application policy rules.",
        "Execution Isolation techniques prevent application processes from accessing non-essential system resources, such as memory, devices, or files.",
        "File Analysis is an analytic process to determine a file's status. For example: virus, trojan, benign, malicious, trusted, unauthorized, sensitive, etc.",
        "Employing a pattern matching algorithm to statically analyze the content of files.",
        "Employing a pattern matching rule language to analyze the content of files.",
        "Encrypting a file using a cryptographic key.",
        "File eviction techniques evict files from system storage.",
        "Employing file hash comparisons to detect known malware.",
        "Detecting any suspicious changes to files in a computer system.",
        "The file removal technique deletes malicious artifacts or programs from a computer system.",
        "Restricting access to a local file by configuring operating system functionality.",
        "Hardening components of a Platform with the intention of making them more difficult to exploit. Platforms include components such as: * BIOS UEFI Subsystems * Hardware security devices such as Trusted Platform Modules * Boot process logic or code * Kernel software components",
        "Monitoring platform components such as operating systems software, hardware devices, or firmware.",
        "Restoring a file for an entity to access.",
        "Restoring an object for an entity to access. This is the broadest class for object restoral."
      ],
      "prompts": []
    }
  },
  {
    "instruction": "What are some techniques to mitigate PowerShell Profile (T1546.013)?",
    "context": "",
    "output": "Here are several methods to mitigate PowerShell Profile (T1546.013):\n\n* Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.\n\n* Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.\n\n* Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.\n\nThese approaches can help you mitigate PowerShell Profile (T1546.013) efficiently.",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_open",
    "parsed_raw_data": {
      "ddmo_mitigate_detect": "mitigate",
      "ddmo_node_name": "PowerShell Profile (T1546.013)",
      "ddmo_explanation": "Here are several methods to mitigate PowerShell Profile (T1546.013):\n\n* Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.\n\n* Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.\n\n* Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.\n\nThese approaches can help you mitigate PowerShell Profile (T1546.013) efficiently.",
      "mitigations": [
        "Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.",
        "Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.",
        "Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates."
      ],
      "prompts": []
    }
  },
  {
    "instruction": "How would you mitigate CMSTP (T1218.003)?",
    "context": "",
    "output": "Here are some techniques to mitigate T1218.003 (CMSTP):\n\n* Block execution of code on a system through application control, and/or script blocking.\n\n* Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.\n\nBy utilizing these methods, you can mitigate T1218.003 (CMSTP) effectively.",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_open",
    "parsed_raw_data": {
      "ddmo_mitigate_detect": "mitigate",
      "ddmo_node_name": "CMSTP (T1218.003)",
      "ddmo_explanation": "Here are some techniques to mitigate T1218.003 (CMSTP):\n\n* Block execution of code on a system through application control, and/or script blocking.\n\n* Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.\n\nBy utilizing these methods, you can mitigate T1218.003 (CMSTP) effectively.",
      "mitigations": [
        "Block execution of code on a system through application control, and/or script blocking.",
        "Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries."
      ],
      "prompts": []
    }
  },
  {
    "instruction": "What is a method to detect Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') (CWE-757)?",
    "context": "",
    "output": "To detect Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') (CWE-757), consider:\n\n* Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.\n\nUtilizing this method effectively detects Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') (CWE-757).",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_open",
    "parsed_raw_data": {
      "ddmo_mitigate_detect": "detect",
      "ddmo_node_name": "Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') (CWE-757)",
      "ddmo_explanation": "To detect Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') (CWE-757), consider:\n\n* Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues.\n\nUtilizing this method effectively detects Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') (CWE-757).",
      "detections": [
        "Fuzz testing (fuzzing) is a powerful technique for generating large numbers of diverse inputs - either randomly or algorithmically - and dynamically invoking the code with those inputs. Even with random inputs, it is often capable of generating unexpected results such as crashes, memory corruption, or resource consumption. Fuzzing effectively produces repeatable test cases that clearly indicate bugs, which helps developers to diagnose the issues."
      ],
      "prompts": []
    }
  },
  {
    "instruction": "Can I mitigate CWE-182 (Collapse of Data into Unsafe Value)? How?",
    "context": "",
    "output": "Here are some techniques to mitigate Collapse of Data into Unsafe Value (CWE-182):\n\n* Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.\n\n* Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\" Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\n\n* Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.\n\n* Canonicalize the name to match that of the file system's representation of the name. This can sometimes be achieved with an available API (e.g. in Win32 the GetFullPathName function).\n\nBy utilizing these methods, you can mitigate Collapse of Data into Unsafe Value (CWE-182) effectively.",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_open",
    "parsed_raw_data": {
      "ddmo_mitigate_detect": "mitigate",
      "ddmo_node_name": "CWE-182 (Collapse of Data into Unsafe Value)",
      "ddmo_explanation": "Here are some techniques to mitigate Collapse of Data into Unsafe Value (CWE-182):\n\n* Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.\n\n* Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\" Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\n\n* Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.\n\n* Canonicalize the name to match that of the file system's representation of the name. This can sometimes be achieved with an available API (e.g. in Win32 the GetFullPathName function).\n\nBy utilizing these methods, you can mitigate Collapse of Data into Unsafe Value (CWE-182) effectively.",
      "mitigations": [
        "Avoid making decisions based on names of resources (e.g. files) if those resources can have alternate names.",
        "Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\" Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.",
        "Inputs should be decoded and canonicalized to the application's current internal representation before being validated (CWE-180). Make sure that the application does not decode the same input twice (CWE-174). Such errors could be used to bypass allowlist validation schemes by introducing dangerous inputs after they have been checked.",
        "Canonicalize the name to match that of the file system's representation of the name. This can sometimes be achieved with an available API (e.g. in Win32 the GetFullPathName function)."
      ],
      "prompts": []
    }
  },
  {
    "instruction": "What are some possible ways to mitigate Use of a Broken or Risky Cryptographic Algorithm (CWE-327)?",
    "context": "",
    "output": "To mitigate Use of a Broken or Risky Cryptographic Algorithm (CWE-327), you can:\n\n* When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis. For example, US government systems require FIPS 140-2 certification [REF-1192]. Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. Reverse engineering techniques are mature. If the algorithm can be compromised if attackers find out how it works, then it is especially weak. Periodically ensure that the cryptography has not become obsolete. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. [REF-267]\n\n* Ensure that the design allows one cryptographic algorithm to be replaced with another in the next generation or version. Where possible, use wrappers to make the interfaces uniform. This will make it easier to upgrade to stronger algorithms. With hardware, design the product at the Intellectual Property (IP) level so that one cryptographic algorithm can be replaced with another in the next generation of the hardware product.\n\n* Carefully manage and protect cryptographic keys (see CWE-320). If the keys can be guessed or stolen, then the strength of the cryptography itself is irrelevant.\n\n* Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Industry-standard implementations will save development time and may be more likely to avoid errors that can occur during implementation of cryptographic algorithms. Consider the ESAPI Encryption feature.\n\n* When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.\n\nThese methods can help you mitigate Use of a Broken or Risky Cryptographic Algorithm (CWE-327) successfully.",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_open",
    "parsed_raw_data": {
      "ddmo_mitigate_detect": "mitigate",
      "ddmo_node_name": "Use of a Broken or Risky Cryptographic Algorithm (CWE-327)",
      "ddmo_explanation": "To mitigate Use of a Broken or Risky Cryptographic Algorithm (CWE-327), you can:\n\n* When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis. For example, US government systems require FIPS 140-2 certification [REF-1192]. Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. Reverse engineering techniques are mature. If the algorithm can be compromised if attackers find out how it works, then it is especially weak. Periodically ensure that the cryptography has not become obsolete. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. [REF-267]\n\n* Ensure that the design allows one cryptographic algorithm to be replaced with another in the next generation or version. Where possible, use wrappers to make the interfaces uniform. This will make it easier to upgrade to stronger algorithms. With hardware, design the product at the Intellectual Property (IP) level so that one cryptographic algorithm can be replaced with another in the next generation of the hardware product.\n\n* Carefully manage and protect cryptographic keys (see CWE-320). If the keys can be guessed or stolen, then the strength of the cryptography itself is irrelevant.\n\n* Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Industry-standard implementations will save development time and may be more likely to avoid errors that can occur during implementation of cryptographic algorithms. Consider the ESAPI Encryption feature.\n\n* When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks.\n\nThese methods can help you mitigate Use of a Broken or Risky Cryptographic Algorithm (CWE-327) successfully.",
      "mitigations": [
        "When there is a need to store or transmit sensitive data, use strong, up-to-date cryptographic algorithms to encrypt that data. Select a well-vetted algorithm that is currently considered to be strong by experts in the field, and use well-tested implementations. As with all cryptographic mechanisms, the source code should be available for analysis. For example, US government systems require FIPS 140-2 certification [REF-1192]. Do not develop custom or private cryptographic algorithms. They will likely be exposed to attacks that are well-understood by cryptographers. Reverse engineering techniques are mature. If the algorithm can be compromised if attackers find out how it works, then it is especially weak. Periodically ensure that the cryptography has not become obsolete. Some older algorithms, once thought to require a billion years of computing time, can now be broken in days or hours. This includes MD4, MD5, SHA1, DES, and other algorithms that were once regarded as strong. [REF-267]",
        "Ensure that the design allows one cryptographic algorithm to be replaced with another in the next generation or version. Where possible, use wrappers to make the interfaces uniform. This will make it easier to upgrade to stronger algorithms. With hardware, design the product at the Intellectual Property (IP) level so that one cryptographic algorithm can be replaced with another in the next generation of the hardware product.",
        "Carefully manage and protect cryptographic keys (see CWE-320). If the keys can be guessed or stolen, then the strength of the cryptography itself is irrelevant.",
        "Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Industry-standard implementations will save development time and may be more likely to avoid errors that can occur during implementation of cryptographic algorithms. Consider the ESAPI Encryption feature.",
        "When using industry-approved techniques, use them correctly. Don't cut corners by skipping resource-intensive steps (CWE-325). These steps are often essential for preventing common attacks."
      ],
      "prompts": []
    }
  },
  {
    "instruction": "How would you mitigate XML Schema Poisoning (CAPEC-146)?",
    "context": "",
    "output": "To mitigate XML Schema Poisoning (CAPEC-146), try the following approaches:\n\n* Design: Protect the schema against unauthorized modification.\n\n* Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the XML document. Additionally, ensure that the proper permissions are set on local files to avoid unauthorized modification.\n\n* Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.\n\nThese techniques can assist you to mitigate XML Schema Poisoning (CAPEC-146) efficiently.",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_open",
    "parsed_raw_data": {
      "ddmo_mitigate_detect": "mitigate",
      "ddmo_node_name": "XML Schema Poisoning (CAPEC-146)",
      "ddmo_explanation": "To mitigate XML Schema Poisoning (CAPEC-146), try the following approaches:\n\n* Design: Protect the schema against unauthorized modification.\n\n* Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the XML document. Additionally, ensure that the proper permissions are set on local files to avoid unauthorized modification.\n\n* Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.\n\nThese techniques can assist you to mitigate XML Schema Poisoning (CAPEC-146) efficiently.",
      "mitigations": [
        "Design: Protect the schema against unauthorized modification.",
        "Implementation: For applications that use a known schema, use a local copy or a known good repository instead of the schema reference supplied in the XML document. Additionally, ensure that the proper permissions are set on local files to avoid unauthorized modification.",
        "Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification."
      ],
      "prompts": []
    }
  },
  {
    "instruction": "What are ways to detect T1574.013 (KernelCallbackTable)?",
    "context": "",
    "output": "You can detect KernelCallbackTable (T1574.013) using the following method:\n\n* Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious behaviors that could relate to post-compromise behavior. Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as <code>WriteProcessMemory()</code> and <code>NtQueryInformationProcess()</code> with the parameter set to <code>ProcessBasicInformation</code> may be used for this technique.(Citations: Lazarus APT January 2022)\n\nThe aforementioned strategy facilitates a way to successfully detect KernelCallbackTable (T1574.013).",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_open",
    "parsed_raw_data": {
      "ddmo_mitigate_detect": "detect",
      "ddmo_node_name": "T1574.013 (KernelCallbackTable)",
      "ddmo_explanation": "You can detect KernelCallbackTable (T1574.013) using the following method:\n\n* Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious behaviors that could relate to post-compromise behavior. Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as <code>WriteProcessMemory()</code> and <code>NtQueryInformationProcess()</code> with the parameter set to <code>ProcessBasicInformation</code> may be used for this technique.(Citations: Lazarus APT January 2022)\n\nThe aforementioned strategy facilitates a way to successfully detect KernelCallbackTable (T1574.013).",
      "detections": [
        "Analyze process behavior to determine if a process is performing actions it usually does not, such as opening network connections, reading files, or other suspicious behaviors that could relate to post-compromise behavior. Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as <code>WriteProcessMemory()</code> and <code>NtQueryInformationProcess()</code> with the parameter set to <code>ProcessBasicInformation</code> may be used for this technique.(Citations: Lazarus APT January 2022)"
      ],
      "prompts": []
    }
  },
  {
    "instruction": "What are some possible ways to detect Outlook Home Page (T1137.004)?",
    "context": "",
    "output": "To detect Outlook Home Page (T1137.004), you can:\n\n* Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage. Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes. Non-standard process execution trees may also indicate suspicious or malicious behavior.(Citations: Microsoft Detect Outlook Forms, SensePost NotRuler)\n\nThe aforementioned strategy facilitates a way to successfully detect Outlook Home Page (T1137.004).",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_open",
    "parsed_raw_data": {
      "ddmo_mitigate_detect": "detect",
      "ddmo_node_name": "Outlook Home Page (T1137.004)",
      "ddmo_explanation": "To detect Outlook Home Page (T1137.004), you can:\n\n* Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage. Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes, such as outlook.exe spawning cmd.exe, powershell.exe, or wscript.exe. Non-standard process execution trees may also indicate suspicious or malicious behavior.(Citations: Microsoft Detect Outlook Forms, SensePost NotRuler)\n\nThe aforementioned strategy facilitates a way to successfully detect Outlook Home Page (T1137.004).",
      "detections": [
        "Microsoft has released a PowerShell script to safely gather mail forwarding rules and custom forms in your mail environment as well as steps to interpret the output. SensePost, whose tool Ruler can be used to carry out malicious rules, forms, and Home Page attacks, has released a tool to detect Ruler usage. Collect process execution information including process IDs (PID) and parent process IDs (PPID) and look for abnormal chains of activity resulting from Office processes, such as outlook.exe spawning cmd.exe, powershell.exe, or wscript.exe. Non-standard process execution trees may also indicate suspicious or malicious behavior.(Citations: Microsoft Detect Outlook Forms, SensePost NotRuler)"
      ],
      "prompts": []
    }
  },
  {
    "instruction": "How would you mitigate Executable Installer File Permissions Weakness (T1574.005)?",
    "context": "",
    "output": "You can mitigate Executable Installer File Permissions Weakness (T1574.005) using the following methods:\n\n* Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses, in particular directories that installers write to and later execute from while they are writable by standard users.\n\n* Configure Windows User Account Control to mitigate the risk of adversaries obtaining elevated process access, for example by setting <code>ConsentPromptBehaviorUser</code> to 0 so that elevation requests from standard users are automatically denied rather than prompted for.\n\n* Manage the creation, modification, use, and permissions associated with user accounts so that only authorized administrators can write to the locations installers stage and execute binaries from.\n\nThese methods can help you mitigate Executable Installer File Permissions Weakness (T1574.005) successfully.",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_open",
    "parsed_raw_data": {
      "ddmo_mitigate_detect": "mitigate",
      "ddmo_node_name": "Executable Installer File Permissions Weakness (T1574.005)",
      "ddmo_explanation": "You can mitigate Executable Installer File Permissions Weakness (T1574.005) using the following methods:\n\n* Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses, in particular directories that installers write to and later execute from while they are writable by standard users.\n\n* Configure Windows User Account Control to mitigate the risk of adversaries obtaining elevated process access, for example by setting <code>ConsentPromptBehaviorUser</code> to 0 so that elevation requests from standard users are automatically denied rather than prompted for.\n\n* Manage the creation, modification, use, and permissions associated with user accounts so that only authorized administrators can write to the locations installers stage and execute binaries from.\n\nThese methods can help you mitigate Executable Installer File Permissions Weakness (T1574.005) successfully.",
      "mitigations": [
        "Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses, in particular directories that installers write to and later execute from while they are writable by standard users.",
        "Configure Windows User Account Control to mitigate the risk of adversaries obtaining elevated process access, for example by setting <code>ConsentPromptBehaviorUser</code> to 0 so that elevation requests from standard users are automatically denied rather than prompted for.",
        "Manage the creation, modification, use, and permissions associated with user accounts so that only authorized administrators can write to the locations installers stage and execute binaries from."
      ],
      "prompts": []
    }
  }
]