[
  {
    "instruction": "Q: Is technique Boot or Logon Initialization Scripts: Logon Script (Windows) (T1037.001) accurately described in the following description:\n\nAdversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. This is done via adding a path to a script to the <code>HKCU\\Environment\\UserInitMprLogonScript</code> Registry key.\n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary..\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "Yes",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_description_technique",
    "parsed_raw_data": {
      "question": "Is technique Boot or Logon Initialization Scripts: Logon Script (Windows) (T1037.001) accurately described in the following description:\n\nAdversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system. This is done via adding a path to a script to the <code>HKCU\\Environment\\UserInitMprLogonScript</code> Registry key.\n\nAdversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.",
      "yes/no": "Yes",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_description_technique"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: Is technique System Location Discovery: System Language Discovery (T1614.001) accurately described in the following description:\n\nAdversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.\n\nThere are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions. \n\nFor example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language</code> or parsing the outputs of Windows API functions <code>GetUserDefaultUILanguage</code>, <code>GetSystemDefaultUILanguage</code>, <code>GetKeyboardLayoutList</code> and <code>GetUserDefaultLangID</code>.\n\nOn a macOS or Linux system, adversaries may query <code>locale</code> to retrieve the value of the <code>$LANG</code> environment variable.",
    "context": "",
    "output": "Yes",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_description_technique",
    "parsed_raw_data": {
      "question": "Is technique System Location Discovery: System Language Discovery (T1614.001) accurately described in the following description:\n\nAdversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.\n\nThere are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Query Registry and calls to Native API functions. \n\nFor example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key <code>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language</code> or parsing the outputs of Windows API functions <code>GetUserDefaultUILanguage</code>, <code>GetSystemDefaultUILanguage</code>, <code>GetKeyboardLayoutList</code> and <code>GetUserDefaultLangID</code>.\n\nOn a macOS or Linux system, adversaries may query <code>locale</code> to retrieve the value of the <code>$LANG</code> environment variable.",
      "yes/no": "Yes",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_description_technique"
    }
  },
  {
    "instruction": "Q: Is technique Use Alternate Authentication Material (T1574.009) accurately described in the following description:\n\nAdversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n\nService paths  and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., <code>C:\\unsafe path with space\\program.exe</code> vs. <code>\"C:\\safe path with space\\program.exe\"</code>).  (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is <code>C:\\program files\\myapp.exe</code>, an adversary may create a program at <code>C:\\program.exe</code> that will be run instead of the intended program.  \n\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process..\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "No.\nThe provided context is correlated with Hijack Execution Flow: Path Interception by Unquoted Path",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_description_technique",
    "parsed_raw_data": {
      "question": "Is technique Use Alternate Authentication Material (T1574.009) accurately described in the following description:\n\nAdversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.\n\nService paths  and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., <code>C:\\unsafe path with space\\program.exe</code> vs. <code>\"C:\\safe path with space\\program.exe\"</code>).  (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is <code>C:\\program files\\myapp.exe</code>, an adversary may create a program at <code>C:\\program.exe</code> that will be run instead of the intended program.  \n\nThis technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.",
      "yes/no": "No.\nThe provided context is correlated with Hijack Execution Flow: Path Interception by Unquoted Path",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_description_technique"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: Is technique Boot or Logon Autostart Execution: Security Support Provider (T1547.005) accurately described in the following description:\n\nAdversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\n\nThe SSP configuration is stored in two Registry keys: <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages</code> and <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.",
    "context": "",
    "output": "Yes",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_description_technique",
    "parsed_raw_data": {
      "question": "Is technique Boot or Logon Autostart Execution: Security Support Provider (T1547.005) accurately described in the following description:\n\nAdversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs.\n\nThe SSP configuration is stored in two Registry keys: <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Security Packages</code> and <code>HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.",
      "yes/no": "Yes",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_description_technique"
    }
  },
  {
    "instruction": "Q: You are given the following description:\nDescription - Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAsymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channels requires a private key (only in the procession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin. \n\nNetwork protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol..\n\nIs the following description related to technique Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002).\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "Yes",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_description_technique",
    "parsed_raw_data": {
      "question": "You are given the following description:\nDescription - Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAsymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channels requires a private key (only in the procession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin. \n\nNetwork protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol..\n\nIs the following description related to technique Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002)",
      "yes/no": "Yes",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_description_technique"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: You are given the following description:\nDescription - Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \n\nIf a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. \n\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). \n\nOther methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users\u2019 phones..\n\nIs the following description related to technique Multi-Factor Authentication Interception (T1111)",
    "context": "",
    "output": "Yes",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_description_technique",
    "parsed_raw_data": {
      "question": "You are given the following description:\nDescription - Adversaries may target multi-factor authentication (MFA) mechanisms, (i.e., smart cards, token generators, etc.) to gain access to credentials that can be used to access systems, services, and network resources. Use of MFA is recommended and provides a higher level of security than usernames and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms. \n\nIf a smart card is used for multi-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. \n\nAdversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user's personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). \n\nOther methods of MFA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Service providers can also be targeted: for example, an adversary may compromise an SMS messaging service in order to steal MFA codes sent to users\u2019 phones..\n\nIs the following description related to technique Multi-Factor Authentication Interception (T1111)",
      "yes/no": "Yes",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_description_technique"
    }
  },
  {
    "instruction": "Q: You are given the following description:\nDescription - Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in Drive-by Compromise. In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as Application Access Token. Prior to Drive-by Compromise, adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired (Acquire Infrastructure) or previously compromised (Compromise Infrastructure).\n\nAdversaries may upload or inject malicious web content, such as JavaScript, into websites. This may be done in a number of ways, including:\n\n* Inserting malicious scripts into web pages or other user controllable web content such as forum posts\n* Modifying script files served to websites from publicly writeable cloud storage buckets\n* Crafting malicious web advertisements and purchasing ad space on a website through legitimate ad providers (i.e., Malvertising)\n\nIn addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in Gather Victim Host Information) to ensure it is vulnerable prior to attempting exploitation.\n\nWebsites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to a strategic web compromise or watering hole attack.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure (Domains) to help facilitate Drive-by Compromise..\n\nIs the following description related to technique Screen Capture (T1608.004).\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "No.\nThe provided context is related to Stage Capabilities: Drive-by Target",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_description_technique",
    "parsed_raw_data": {
      "question": "You are given the following description:\nDescription - Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in Drive-by Compromise. In such cases, the user's web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as Application Access Token. Prior to Drive-by Compromise, adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired (Acquire Infrastructure) or previously compromised (Compromise Infrastructure).\n\nAdversaries may upload or inject malicious web content, such as JavaScript, into websites. This may be done in a number of ways, including:\n\n* Inserting malicious scripts into web pages or other user controllable web content such as forum posts\n* Modifying script files served to websites from publicly writeable cloud storage buckets\n* Crafting malicious web advertisements and purchasing ad space on a website through legitimate ad providers (i.e., Malvertising)\n\nIn addition to staging content to exploit a user's web browser, adversaries may also stage scripting content to profile the user's browser (as in Gather Victim Host Information) to ensure it is vulnerable prior to attempting exploitation.\n\nWebsites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted campaign is referred to a strategic web compromise or watering hole attack.\n\nAdversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure (Domains) to help facilitate Drive-by Compromise..\n\nIs the following description related to technique Screen Capture (T1608.004)",
      "yes/no": "No.\nThe provided context is related to Stage Capabilities: Drive-by Target",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_description_technique"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: You are given the following description:\nDescription - Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nA number of PowerShell-based offensive testing tools are available, including Empire,  PowerSploit, PoshC2, and PSAttack.\n\nPowerShell commands/scripts can also be executed without directly invoking the <code>powershell.exe</code> binary through interfaces to PowerShell's underlying <code>System.Management.Automation</code> assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI)..\n\nIs the following description related to technique Hide Artifacts: File/Path Exclusions (T1059.001)",
    "context": "",
    "output": "No.\nThe provided context is correlated with Command and Scripting Interpreter: PowerShell",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_description_technique",
    "parsed_raw_data": {
      "question": "You are given the following description:\nDescription - Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).\n\nPowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.\n\nA number of PowerShell-based offensive testing tools are available, including Empire,  PowerSploit, PoshC2, and PSAttack.\n\nPowerShell commands/scripts can also be executed without directly invoking the <code>powershell.exe</code> binary through interfaces to PowerShell's underlying <code>System.Management.Automation</code> assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI)..\n\nIs the following description related to technique Hide Artifacts: File/Path Exclusions (T1059.001)",
      "yes/no": "No.\nThe provided context is correlated with Command and Scripting Interpreter: PowerShell",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_description_technique"
    }
  },
  {
    "instruction": "Q: Is technique Gather Victim Network Information: Network Trust Dependencies (T1590.003) accurately described in the following description:\n\nAdversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.\n\nAdversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Trusted Relationship)..\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "Yes",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_description_technique",
    "parsed_raw_data": {
      "question": "Is technique Gather Victim Network Information: Network Trust Dependencies (T1590.003) accurately described in the following description:\n\nAdversaries may gather information about the victim's network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.\n\nAdversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Active Scanning or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Trusted Relationship).",
      "yes/no": "Yes",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_description_technique"
    }
  },
  {
    "instruction": "Q: You are given the following description:\nDescription - Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.  Some data encoding systems may also result in data compression, such as gzip..\n\nIs the following description related to technique Search Closed Sources: Purchase Technical Data (T1132).\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "No",
    "category": "MitreFlan",
    "instruction_type": "mitre_yes_no_description_technique",
    "parsed_raw_data": {
      "question": "You are given the following description:\nDescription - Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.  Some data encoding systems may also result in data compression, such as gzip..\n\nIs the following description related to technique Search Closed Sources: Purchase Technical Data (T1132)",
      "yes/no": "No",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_yes_no_description_technique"
    }
  }
]