[
  {
    "instruction": "Give me an indicator example for attack pattern - Dictionary-based Password Attack (CAPEC ID: 16)",
    "context": "",
    "output": "Many invalid login attempts are coming from the same machine (same IP address) or for the same log in name. The login attempts use passwords that are dictionary words.",
    "category": "CAPECFlan",
    "instruction_type": "capec_indicators",
    "parsed_raw_data": {
      "Indicators": "Many invalid login attempts are coming from the same machine (same IP address) or for the same log in name. The login attempts use passwords that are dictionary words.",
      "@Name": "Dictionary-based Password Attack (CAPEC ID: 16)",
      "attack_ptrn": {
        "@ID": "16",
        "@Name": "Dictionary-based Password Attack",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": {
          "xhtml:p": [
            "An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.",
            "Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts."
          ]
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "49"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "600"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "151"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "560"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "561"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "653"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Determine application's/system's password policy] Determine the password policies of the target application/system.",
              "Technique": [
                "Determine minimum and maximum allowed password lengths.",
                "Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).",
                "Determine account lockout policy (a strict account lockout policy will prevent brute force attacks)."
              ]
            },
            {
              "Step": "2",
              "Phase": "Explore",
              "Description": "[Select dictionaries] Pick the dictionaries to be used in the attack (e.g. different languages, specific terminology, etc.)",
              "Technique": [
                "Select dictionary based on particular users' preferred languages.",
                "Select dictionary based on the application/system's supported languages."
              ]
            },
            {
              "Step": "3",
              "Phase": "Explore",
              "Description": "[Determine username(s) to target] Determine username(s) whose passwords to crack.",
              "Technique": [
                "Obtain username(s) by sniffing network packets.",
                "Obtain username(s) by querying application/system (e.g. if upon a failed login attempt, the system indicates whether the entered username was valid or not)",
                "Obtain usernames from filesystem (e.g. list of directories in C:\\Documents and Settings\\ in Windows, and list in /etc/passwd in UNIX-like systems)"
              ]
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Use dictionary to crack passwords.] Use a password cracking tool that will leverage the dictionary to feed passwords to the system and see if they work.",
              "Technique": [
                "Try all words in the dictionary, as well as common misspellings of the words as passwords for the chosen username(s).",
                "Try common combinations of words in the dictionary, as well as common misspellings of the combinations as passwords for the chosen username(s)."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "The system uses one factor password based authentication.",
            "The system does not have a sound password policy that is being enforced.",
            "The system does not implement an effective password throttling mechanism."
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "A variety of password cracking tools and dictionaries are available to launch this type of an attack."
          }
        },
        "Resources_Required": {
          "Resource": "A machine with sufficient resources for the job (e.g. CPU, RAM, HD). Applicable dictionaries are required. Also a password cracking tool or a custom script that leverages the dictionary database to launch the attack."
        },
        "Indicators": {
          "Indicator": "Many invalid login attempts are coming from the same machine (same IP address) or for the same log in name. The login attempts use passwords that are dictionary words."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authentication"
              ],
              "Impact": "Gain Privileges"
            },
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Create a strong password policy and ensure that your system enforces this policy.",
            "Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.",
            "Leverage multi-factor authentication for all authentication services."
          ]
        },
        "Example_Instances": {
          "Example": [
            "A system user selects the word \"treacherous\" as their passwords believing that it would be very difficult to guess. The password-based dictionary attack is used to crack this password and gain access to the account.",
            {
              "xhtml:p": [
                "The Cisco LEAP challenge/response authentication mechanism uses passwords in a way that is susceptible to dictionary attacks, which makes it easier for remote attackers to gain privileges via brute force password guessing attacks.",
                "Cisco LEAP is a mutual authentication algorithm that supports dynamic derivation of session keys. With Cisco LEAP, mutual authentication relies on a shared secret, the user's logon password (which is known by the client and the network), and is used to respond to challenges between the user and the Remote Authentication Dial-In User Service (RADIUS) server.",
                "Methods exist for someone to write a tool to launch an offline dictionary attack on password-based authentications that leverage Microsoft MS-CHAP, such as Cisco LEAP. The tool leverages large password lists to efficiently launch offline dictionary attacks against LEAP user accounts, collected through passive sniffing or active techniques."
              ],
              "#text": "See also: CVE-2003-1096"
            }
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "521"
            },
            {
              "@CWE_ID": "262"
            },
            {
              "@CWE_ID": "263"
            },
            {
              "@CWE_ID": "654"
            },
            {
              "@CWE_ID": "307"
            },
            {
              "@CWE_ID": "308"
            },
            {
              "@CWE_ID": "309"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Consequences, Description, Mitigations, Related_Attack_Patterns, Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "How can I detect attack pattern: Encryption Brute Forcing (CAPEC ID: 20)",
    "context": "",
    "output": "The indicators of Encryption Brute Forcing (CAPEC ID: 20) are: None. This attack happens offline.",
    "category": "CAPECFlan",
    "instruction_type": "capec_indicators",
    "parsed_raw_data": {
      "Indicators": "None. This attack happens offline.",
      "@Name": "Encryption Brute Forcing (CAPEC ID: 20)",
      "attack_ptrn": {
        "@ID": "20",
        "@Name": "Encryption Brute Forcing",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.",
        "Likelihood_Of_Attack": "Low",
        "Typical_Severity": "Low",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "112"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "668"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "Determine the ciphertext and the encryption algorithm."
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "Perform an exhaustive brute force search of the key space, producing candidate plaintexts and observing if they make sense."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "Ciphertext is known.",
            "Encryption algorithm and key size are known."
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "Brute forcing encryption does not require much skill."
          }
        },
        "Resources_Required": {
          "Resource": {
            "xhtml:p": [
              "A powerful enough computer for the job with sufficient CPU, RAM and HD. Exact requirements will depend on the size of the brute force job and the time requirement for completion. Some brute forcing jobs may require grid or distributed computing (e.g. DES Challenge).",
              "On average, for a binary key of size N, 2^(N/2) trials will be needed to find the key that would decrypt the ciphertext to obtain the original plaintext.",
              "Obviously as N gets large the brute force approach becomes infeasible."
            ]
          }
        },
        "Indicators": {
          "Indicator": "None. This attack happens offline."
        },
        "Consequences": {
          "Consequence": {
            "Scope": "Confidentiality",
            "Impact": "Read Data"
          }
        },
        "Mitigations": {
          "Mitigation": [
            "Use commonly accepted algorithms and recommended key sizes. The key size used will depend on how important it is to keep the data confidential and for how long.",
            "In theory a brute force attack performing an exhaustive key space search will always succeed, so the goal is to have computational security. Moore's law needs to be taken into account that suggests that computing resources double every eighteen months."
          ]
        },
        "Example_Instances": {
          "Example": "In 1997 the original DES challenge used distributed net computing to brute force the encryption key and decrypt the ciphertext to obtain the original plaintext. Each machine was given its own section of the key space to cover. The ciphertext was decrypted in 96 days."
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "326"
            },
            {
              "@CWE_ID": "327"
            },
            {
              "@CWE_ID": "693"
            },
            {
              "@CWE_ID": "1204"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": {
            "Modification_Name": "CAPEC Content Team",
            "Modification_Organization": "The MITRE Corporation",
            "Modification_Date": "2021-06-24",
            "Modification_Comment": "Updated Related_Attack_Patterns, Related_Weaknesses"
          }
        }
      }
    }
  },
  {
    "instruction": "How can I detect attack pattern: Manipulating User-Controlled Variables (CAPEC ID: 77)",
    "context": "",
    "output": "The indicators of Manipulating User-Controlled Variables (CAPEC ID: 77) are: A web penetration tool probing a web server may generate abnormal activities recorded in log files. Abnormal traffic, such as a high number of requests coming from the same client, may also raise warnings from a monitoring system or an intrusion detection tool.",
    "category": "CAPECFlan",
    "instruction_type": "capec_indicators",
    "parsed_raw_data": {
      "Indicators": "A web penetration tool probing a web server may generate abnormal activities recorded in log files. Abnormal traffic, such as a high number of requests coming from the same client, may also raise warnings from a monitoring system or an intrusion detection tool.",
      "@Name": "Manipulating User-Controlled Variables (CAPEC ID: 77)",
      "attack_ptrn": {
        "@ID": "77",
        "@Name": "Manipulating User-Controlled Variables",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.",
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "Very High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "22",
            "Exclude_Related": {
              "@Exclude_ID": "512"
            }
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Probe target application] The adversary first probes the target application to determine important information about the target. This information could include types software used, software versions, what user input the application consumes, and so on."
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Find user-controlled variables] Using the information found by probing the application, the adversary attempts to manipulate many user-controlled variables and observes the effects on the application. If the adversary notices any significant changes to the application, they will know that a certain variable is useful to the application.",
              "Technique": [
                "Adversaries will try to alter many common variable names such as \"count\", \"tempFile\", \"i\", etc. The hope is that they can alter the flow of the application without knowing the inner-workings.",
                "Adversaries will try to alter known environment variables."
              ]
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Manipulate user-controlled variables] Once the adversary has found a user-controlled variable(s) that is important to the application, they will manipulate it to change the normal behavior in a way that benefits the adversary."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "A variable consumed by the application server is exposed to the client.",
            "A variable consumed by the application server can be overwritten by the user.",
            "The application server trusts user supplied data to compute business logic.",
            "The application server does not perform proper input validation."
          ]
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "Low",
              "#text": "The malicious user can easily try some well-known global variables and find one which matches."
            },
            {
              "@Level": "Medium",
              "#text": "The adversary can use automated tools to probe for variables that they can control."
            }
          ]
        },
        "Indicators": {
          "Indicator": "A web penetration tool probing a web server may generate abnormal activities recorded in log files. Abnormal traffic, such as a high number of requests coming from the same client, may also raise warnings from a monitoring system or an intrusion detection tool."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Integrity",
                "Availability"
              ],
              "Impact": "Execute Unauthorized Commands",
              "Note": "Run Arbitrary Code"
            },
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            {
              "xhtml:p": [
                "Do not allow override of global variables and do not trust global variables.",
                "If the register_globals option is enabled, PHP will create global variables for each GET, POST, and cookie variable included in the HTTP request. This means that a malicious user may be able to set variables unexpectedly. For instance make sure that the server setting for PHP does not expose global variables."
              ]
            },
            "A software system should be reluctant to trust variables that have been initialized outside of its trust boundary. Ensure adequate checking is performed when relying on input from outside a trust boundary.",
            "Separate the presentation layer and the business logic layer. Variables at the business logic layer should not be exposed at the presentation layer. This is to prevent computation of business logic from user controlled input data.",
            "Use encapsulation when declaring your variables. This is to lower the exposure of your variables.",
            "Assume all input is malicious. Create an allowlist that defines all valid input to the software system based on the requirements specifications. Input that does not match against the allowlist should be rejected by the program."
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": [
              "PHP is a study in bad security. The main idea pervading PHP is \"ease of use,\" and the mantra \"don't make the developer go to any extra work to get stuff done\" applies in all cases. This is accomplished in PHP by removing formalism from the language, allowing declaration of variables on first use, initializing everything with preset values, and taking every meaningful variable from a transaction and making it available. In cases of collision with something more technical, the simple almost always dominates in PHP.",
              "One consequence of all this is that PHP allows users of a Web application to override environment variables with user-supplied, untrusted query variables. Thus, critical values such as the CWD and the search path can be overwritten and directly controlled by a remote anonymous user.",
              "Another similar consequence is that variables can be directly controlled and assigned from the user-controlled values supplied in GET and POST request fields. So seemingly normal code like this, does bizarre things:",
              "Normally, this loop will execute its body ten times. The first iteration will be an undefined zero, and further trips through the loop will result in an increment of the variable $count. The problem is that the coder does not initialize the variable to zero before entering the loop. This is fine because PHP initializes the variable on declaration. The result is code that seems to function, regardless of badness. The problem is that a user of the Web application can supply a request such as",
              "and cause $count to start out at the value 9, resulting in only one trip through the loop. Yerg.",
              "Depending on the configuration, PHP may accept user-supplied variables in place of environment variables. PHP initializes global variables for all process environment variables, such as $PATH and $HOSTNAME. These variables are of critical importance because they may be used in file or network operations. If an adversary can supply a new $PATH variable (such as PATH='/var'), the program may be exploitable.",
              "PHP may also take field tags supplied in GET/POST requests and transform them into global variables. This is the case with the $count variable we explored in our previous example.",
              "Consider another example of this problem in which a program defines a variable called $tempfile. An adversary can supply a new temp file such as $tempfile = \"/etc/passwd\". Then the temp file may get erased later via a call to unlink($tempfile);. Now the passwd file has been erased--a bad thing indeed on most OSs.",
              "Also consider that the use of include() and require() first search $PATH, and that using calls to the shell may execute crucial programs such as ls. In this way, ls may be \"Trojaned\" (the adversary can modify $PATH to cause a Trojan copy of ls to be loaded). This type of attack could also apply to loadable libraries if $LD_LIBRARY_PATH is modified.",
              "Finally, some versions of PHP may pass user data to syslog as a format string, thus exposing the application to a format string buffer overflow."
            ],
            "xhtml:div": [
              {
                "@style": "margin-left:1em;",
                "@class": "informative",
                "xhtml:br": [
                  null,
                  null,
                  null
                ],
                "#text": "while($count < 10){// Do something$count++;}"
              },
              {
                "@style": "margin-left:1em;",
                "@class": "informative",
                "#text": "GET /login.php?count=9"
              }
            ],
            "#text": "See also: File upload allows arbitrary file read by setting hidden form variables to match internal variable names (CVE-2000-0860)"
          }
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "15"
            },
            {
              "@CWE_ID": "94"
            },
            {
              "@CWE_ID": "96"
            },
            {
              "@CWE_ID": "285"
            },
            {
              "@CWE_ID": "302"
            },
            {
              "@CWE_ID": "473"
            },
            {
              "@CWE_ID": "1321"
            }
          ]
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-1"
            },
            {
              "@External_Reference_ID": "REF-520"
            },
            {
              "@External_Reference_ID": "REF-521"
            },
            {
              "@External_Reference_ID": "REF-522",
              "@Section": "Chapter 29. Using Register Globals"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-01-09",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Execution_Flow, Mitigations, Skills_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Example_Instances, Execution_Flow, Skills_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Example_Instances"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "What are the possible indicators of capec - Eavesdropping on a Monitor (CAPEC ID: 699)",
    "context": "",
    "output": "Possible indicators: The target will not observe any indicators of the attack from the computer user\u2019s perspective. The only indication of this attack would be a visible SDR with antenna that can be seen in close proximity to a display cable which is not normally present. This requires that the target is aware of what SDRs look like and can recognize that it may be out of place.",
    "category": "CAPECFlan",
    "instruction_type": "capec_indicators",
    "parsed_raw_data": {
      "Indicators": "The target will not observe any indicators of the attack from the computer user\u2019s perspective. The only indication of this attack would be a visible SDR with antenna that can be seen in close proximity to a display cable which is not normally present. This requires that the target is aware of what SDRs look like and can recognize that it may be out of place.",
      "@Name": "Eavesdropping on a Monitor (CAPEC ID: 699)",
      "attack_ptrn": {
        "@ID": "699",
        "@Name": "Eavesdropping on a Monitor",
        "@Abstraction": "Meta",
        "@Status": "Draft",
        "Description": "An adversary can eavesdrop on the content of an external monitor through the air without modifying any cable or installing software, simply by capturing the signal emitted by the cable or video port. With this, the attacker is able to impact the confidentiality of the data without being detected by traditional security tools.",
        "Extended_Description": {
          "xhtml:p": [
            "This attack gives the adversary the ability to view an external monitor with an insignificant delay. There is also no indicator of compromise from the victim visible on the monitor.",
            "The eavesdrop is possible due to a signal leakage, that is produced at different points of the connection, including the source port, the connection between the cable and PC, the cable itself, and the connection between the cable and the monitor. That signal leakage can be captured near any of the leak points, but also in a near location, like the next room or a few meters away, using an SDR (Software-defined Radio) device and the correspondent software, that process and interpret the signal to show attackers what the monitor is displaying.",
            "From the victim\u2019s point of view, this specified attack might cause a high risk, and from the other hand, from the attacker\u2019s point of view, the attack is excellent, since the specified attack method can be used without investing too much effort or require too many skills, as long as the right attack tool is in right place, this allows attackers to completely compromise the confidentiality of the data; also giving the attacker the advantage of being undetectable by not only traditional security products but also from bug sweep because the SDR device is acting in passive mode."
          ]
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "651"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Survey Target] The adversary surveys the target location, looking for exposed display cables and locations to hide an SDR. This also includes looking for display cables or monitors placed close to a wall, where the SDR can be in range while behind the wall. The adversary also attempts to discover the resolution and refresh rate of the targeted display."
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Find target using SDR] The adversary sets up an SDR near the target display cable or monitor. They use the SDR software to locate the corresponding frequency of the display cable. This is done by looking for interference peaks that change depending on what the screen is showing. The adversary notes down the possible frequencies of unintentional emission.",
              "Technique": "An adversary can make use of many different commercially available SDR devices which are easy to set up, such as a HackRF, Ubertooth, RTL-SDR, and many others."
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Visualize Monitor Image] Once the SDR software has been used to identify the target, the adversary will record the transmissions and visualize the monitor image using these transmissions, which allows them to eavesdrop on the information visible on the monitor.",
              "Technique": "The TempestSDR software can be used in conjunction with an SDR device to visualize the monitor image. The adversary will specify the known monitor resolution and refresh rate, or if those are not known they can use the provided auto-correlation graphs to help predict these values. The adversary will then try the different frequencies recorded from the experiment phase, looking for a viewable monitor display. Low pass filters and gain can be manipulated to make the display image clearer."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "Victim should use an external monitor device",
            "Physical access to the target location and devices"
          ]
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "Medium",
              "#text": "Knowledge of how to use the SDR and related software: With this knowledge, the adversary will find the correct frequency where the signal is being leaked"
            },
            {
              "@Level": "Low",
              "#text": "Understanding of computing hardware, to identify the video cable and video ports"
            }
          ]
        },
        "Resources_Required": {
          "Resource": [
            "SDR device set with the correspondent antenna",
            "Computer with SDR Software"
          ]
        },
        "Indicators": {
          "Indicator": "The target will not observe any indicators of the attack from the computer user\u2019s perspective. The only indication of this attack would be a visible SDR with antenna that can be seen in close proximity to a display cable which is not normally present. This requires that the target is aware of what SDRs look like and can recognize that it may be out of place."
        },
        "Consequences": {
          "Consequence": {
            "Scope": "Confidentiality",
            "Impact": "Read Data"
          }
        },
        "Mitigations": {
          "Mitigation": [
            "Enhance: Increase the number of electromagnetic shield layers in the display ports and cables to contain or reduce the intensity of the leaked signal.",
            "Implement: Use a protocol that encrypts the video signal; in case the signal is intercepted the signal is protected by the encryption.",
            "Design: Lock away the video cables, making it difficult for the attacker to access the cables and place the antenna near them (If the distance condition between the antenna and display port/cable is not satisfied, the attack will not be possible).",
            "Implement: Use wireless technologies to connect to external display devices."
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "1300"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-744"
            },
            {
              "@External_Reference_ID": "REF-745"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "You Wu (\u5434\u5fe7), Miguel Ivan Fernandez (\u4f0a\u4e07), Qingzhe Jiang (\u848b\u9752\u5586)",
            "Submission_Organization": "Lenovo",
            "Submission_Date": "2023-01-24"
          }
        }
      }
    }
  },
  {
    "instruction": "How can I detect attack pattern: Windows Admin Shares with Stolen Credentials (CAPEC ID: 561)",
    "context": "",
    "output": "The indicators of Windows Admin Shares with Stolen Credentials (CAPEC ID: 561) are:\n* Data is being transferred and/or removed from administrative network shares.\n* Suspicious or Malicious software is executed within administrative network shares.\n* Suspicious or Malicious software is downloaded/installed on systems within the domain.",
    "category": "CAPECFlan",
    "instruction_type": "capec_indicators",
    "parsed_raw_data": {
      "Indicators": [
        "Data is being transferred and/or removed from administrative network shares.",
        "Suspicious or Malicious software is executed within administrative network shares.",
        "Suspicious or Malicious software is downloaded/installed on systems within the domain."
      ],
      "@Name": "Windows Admin Shares with Stolen Credentials (CAPEC ID: 561)",
      "attack_ptrn": {
        "@ID": "561",
        "@Name": "Windows Admin Shares with Stolen Credentials",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "An adversary guesses or obtains (i.e. steals or purchases) legitimate Windows administrator credentials (e.g. userID/password) to access Windows Admin Shares on a local machine or within a Windows domain.",
        "Extended_Description": {
          "xhtml:p": "Windows systems within the Windows NT family contain hidden network shares that are only accessible to system administrators. These shares allow administrators to remotely access all disk volumes on a network-connected system and further allow for files to be copied, written, and executed, along with other administrative actions. Example network shares include: C$, ADMIN$ and IPC$. If an adversary is able to obtain legitimate Windows credentials, the hidden shares can be accessed remotely, via server message block (SMB) or the Net utility, to transfer files and execute code. It is also possible for adversaries to utilize NTLM hashes to access administrator shares on systems with certain configuration and patch levels."
        },
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "653"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "151"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "165"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "549"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "545"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Acquire known Windows administrator credentials] The adversary must obtain known Windows administrator credentials in order to access the administrative network shares.",
              "Technique": [
                "An adversary purchases breached Windows administrator credentials from the dark web.",
                "An adversary leverages a key logger or phishing attack to steal administrator credentials as they are provided.",
                "An adversary conducts a sniffing attack to steal Windows administrator credentials as they are transmitted.",
                "An adversary gains access to a Windows domain system/files and exfiltrates Windows administrator password hashes.",
                "An adversary examines outward-facing configuration and properties files to discover hardcoded Windows administrator credentials."
              ]
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Attempt domain authentication] Try each Windows administrator credential against the hidden network shares until the target grants access.",
              "Technique": "Manually or automatically enter each administrator credential through the target's interface."
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Malware Execution] An adversary can remotely execute malware within the administrative network shares to infect other systems within the domain."
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Data Exfiltration] The adversary can remotely obtain sensitive data contained within the administrative network shares."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "The system/application is connected to the Windows domain.",
            "The target administrative share allows remote use of local admin credentials to log into domain systems.",
            "The adversary possesses a list of known Windows administrator credentials that exist on the target domain."
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "Once an adversary obtains a known Windows credential, leveraging it is trivial."
          }
        },
        "Resources_Required": {
          "Resource": "A list of known Windows administrator credentials for the targeted domain."
        },
        "Indicators": {
          "Indicator": [
            "Data is being transferred and/or removed from administrative network shares.",
            "Suspicious or Malicious software is executed within administrative network shares.",
            "Suspicious or Malicious software is downloaded/installed on systems within the domain."
          ]
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authentication"
              ],
              "Impact": "Gain Privileges"
            },
            {
              "Scope": [
                "Confidentiality",
                "Authorization"
              ],
              "Impact": "Read Data"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Do not reuse local administrator account credentials across systems.",
            "Deny remote use of local admin credentials to log into domain systems.",
            "Do not allow accounts to be a local administrator on more than one system."
          ]
        },
        "Example_Instances": {
          "Example": [
            "APT32 has leveraged Windows' built-in Net utility to use Windows Administrative Shares to copy and execute remote malware. [REF-579]",
            "In May 2017, APT15 laterally moved within a Windows domain via Windows Administrative Shares to copy files to and from compromised host systems. This further allowed for the remote execution of malware. [REF-578]"
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "522"
            },
            {
              "@CWE_ID": "308"
            },
            {
              "@CWE_ID": "309"
            },
            {
              "@CWE_ID": "294"
            },
            {
              "@CWE_ID": "263"
            },
            {
              "@CWE_ID": "262"
            },
            {
              "@CWE_ID": "521"
            }
          ]
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1021.002",
            "Entry_Name": "Remote Services:SMB/Windows Admin Shares"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-577"
            },
            {
              "@External_Reference_ID": "REF-578"
            },
            {
              "@External_Reference_ID": "REF-579"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2015-11-09"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Consequences, Description, Example_Instances, Execution_Flow, Indicators, Mitigations, Prerequisites, References, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Skills_Required, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Description, Extended_Description"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Are there any indicators for attack: HTTP Response Splitting (CAPEC ID: 34)",
    "context": "",
    "output": "Yes. To detect the attack pattern HTTP Response Splitting (CAPEC ID: 34), you can look at the following indicator: Differences in responses processed by the two agents with multiple responses to a single request in the web logs. This requires careful monitoring or a capable log analysis tool.",
    "category": "CAPECFlan",
    "instruction_type": "capec_indicators",
    "parsed_raw_data": {
      "Indicators": "Differences in responses processed by the two agents with multiple responses to a single request in the web logs. This requires careful monitoring or a capable log analysis tool.",
      "@Name": "HTTP Response Splitting (CAPEC ID: 34)",
      "attack_ptrn": {
        "@ID": "34",
        "@Name": "HTTP Response Splitting",
        "@Abstraction": "Detailed",
        "@Status": "Stable",
        "Description": {
          "xhtml:p": [
            "An adversary manipulates and injects malicious content, in the form of secret unauthorized HTTP responses, into a single HTTP response from a vulnerable or compromised back-end HTTP agent (e.g., web server) or into an already spoofed HTTP response from an adversary controlled domain/site.",
            "See CanPrecede relationships for possible consequences."
          ]
        },
        "Extended_Description": {
          "xhtml:p": [
            "Malicious user input is injected into various standard and/or user defined HTTP headers within a HTTP Response through use of Carriage Return (CR), Line Feed (LF), Horizontal Tab (HT), Space (SP) characters as well as other valid/RFC compliant special characters, and unique character encoding.",
            "A single HTTP response ends up being split as two or more HTTP responses by the targeted client HTTP agent parsing the original maliciously manipulated HTTP response. This allows malicious HTTP responses to bypass security controls in order to implement malicious actions and provide malicious content that allows access to sensitive data and to compromise applications and users. This is performed by the abuse of interpretation and parsing discrepancies in different intermediary HTTP agents (load balancer, reverse proxy, web caching proxies, application firewalls, etc.) or client HTTP agents (e.g., web browser) in the path of the malicious HTTP responses.",
            "This attack is usually the result of the usage of outdated or incompatible HTTP protocol versions as well as lack of syntax checking and filtering of user input in the HTTP agents receiving HTTP messages in the path.",
            {
              "xhtml:i": "client agent (e.g., web browser)",
              "#text": "This differs from CAPEC-105 HTTP Request Splitting, which is usually an attempt to compromise a back-end HTTP agent via HTTP Request messages. HTTP Response Splitting is an attempt to compromise a client agent (e.g., web browser) by sending malicious content in HTTP responses from back-end HTTP infrastructure."
            },
            "HTTP Smuggling (CAPEC-33 and CAPEC-273) is different from HTTP Splitting due to the fact it relies upon discrepancies in the interpretation of various HTTP Headers and message sizes and not solely user input of special characters and character encoding. HTTP Smuggling was established to circumvent mitigations against HTTP Request Splitting techniques."
          ]
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "220"
            },
            {
              "@Nature": "PeerOf",
              "@CAPEC_ID": "105"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "115"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "141"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "63"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "593"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "148"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "154"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Survey network to identify target] The adversary performs network reconnaissance by monitoring relevant traffic to identify the network path and parsing of the HTTP messages with the goal of identifying potential targets.",
              "Technique": "Scan networks to fingerprint HTTP infrastructure and monitor HTTP traffic to identify HTTP network path with a tool such as a Network Protocol Analyzer."
            },
            {
              "Step": "1",
              "Phase": "Experiment",
              "Description": "[Identify vulnerabilities in targeted HTTP infrastructure and technologies] The adversary sends a variety of benign/ambiguous HTTP requests to observe responses from HTTP infrastructure in order to identify differences/discrepancies in the interpretation and parsing of HTTP requests by examining supported HTTP protocol versions, HTTP headers, syntax checking and input filtering."
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Cause differential HTTP responses by experimenting with identified HTTP Request vulnerabilities] The adversary sends maliciously crafted HTTP request to back-end HTTP infrastructure to inject adversary data (in the form of HTTP headers with custom strings and embedded web scripts and objects) into HTTP responses (intended for intermediary and/or front-end client/victim HTTP agents communicating with back-end HTTP infrastructure) for the purpose of interfering with the parsing of HTTP responses by intermediary and front-end client/victim HTTP agents. The intended consequences of the malicious HTTP request and the subsequent adversary injection and manipulation of HTTP responses to intermediary and front-end client/victim HTTP agents, will be observed to confirm applicability of identified vulnerabilities in the adversary's plan of attack.",
              "Technique": [
                "Continue the monitoring of HTTP traffic.",
                {
                  "xhtml:p": [
                    "Utilize different sequences of special characters (CR - Carriage Return, LF - Line Feed, HT - Horizontal Tab, SP - Space and etc.) to bypass filtering and back-end encoding and to embed:",
                    "to utilize additional special characters (e.g., > and <) filtered by the target HTTP agent.",
                    "Note that certain special characters and character encoding may be applicable only to intermediary and front-end agents with rare configurations or that are not RFC compliant."
                  ],
                  "xhtml:ul": {
                    "xhtml:li": [
                      "additional HTTP Requests with their own headers",
                      "malicious web scripts into parameters of HTTP Request headers (e.g., browser cookies like Set-Cookie or Ajax web/browser object parameters like XMLHttpRequest)",
                      "adversary chosen encoding (e.g., UTF-7)"
                    ]
                  }
                },
                "Follow an unrecognized (sometimes a RFC compliant) HTTP header with a subsequent HTTP request to potentially cause the HTTP request to be ignored and interpreted as part of the preceding HTTP request."
              ]
            },
            {
              "Step": "1",
              "Phase": "Exploit",
              "Description": "[Perform HTTP Response Splitting attack] Using knowledge discovered in the experiment section above, smuggle a message to cause one of the consequences.",
              "Technique": "Leverage techniques identified in the Experiment Phase."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "A vulnerable or compromised server or domain/site capable of allowing adversary to insert/inject malicious content that will appear in the server's response to target HTTP agents (e.g., proxies and users' web browsers).",
            "Differences in the way the two HTTP agents parse and interpret HTTP requests and its headers.",
            "HTTP headers capable of being user-manipulated.",
            "HTTP agents running on HTTP/1.0 or HTTP/1.1 that allow for Keep Alive mode, Pipelined queries, and Chunked queries and responses."
          ]
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "Medium",
              "#text": "Detailed knowledge on HTTP protocol: request and response messages structure and usage of specific headers."
            },
            {
              "@Level": "Medium",
              "#text": "Detailed knowledge on how specific HTTP agents receive, send, process, interpret, and parse a variety of HTTP messages and headers."
            },
            {
              "@Level": "Medium",
              "#text": "Possess knowledge on the exact details in the discrepancies between several targeted HTTP agents in path of an HTTP message in parsing its message structure and individual headers."
            }
          ]
        },
        "Resources_Required": {
          "Resource": "Tools capable of monitoring HTTP messages, and crafting malicious HTTP messages and/or injecting malicious content into HTTP messages."
        },
        "Indicators": {
          "Indicator": "Differences in responses processed by the two agents with multiple responses to a single request in the web logs. This requires careful monitoring or a capable log analysis tool."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": [
                "Confidentiality",
                "Integrity",
                "Availability"
              ],
              "Impact": "Execute Unauthorized Commands"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Design: evaluate HTTP agents prior to deployment for parsing/interpretation discrepancies.",
            "Configuration: front-end HTTP agents notice ambiguous requests.",
            "Configuration: back-end HTTP agents reject ambiguous requests and close the network connection.",
            "Configuration: Disable reuse of back-end connections.",
            "Configuration: Use HTTP/2 for back-end connections.",
            "Configuration: Use the same web server software for front-end and back-end server.",
            "Implementation: Utilize a Web Application Firewall (WAF) that has built-in mitigation to detect abnormal requests/responses.",
            "Configuration: Install the latest vendor security patches available for both intermediary and back-end HTTP infrastructure (i.e. proxies and web servers).",
            "Configuration: Ensure that HTTP infrastructure in the chain or network path utilize a strict uniform parsing process.",
            "Implementation: Utilize intermediary HTTP infrastructure capable of filtering and/or sanitizing user-input."
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": "In the PHP 5 session extension mechanism, a user-supplied session ID is sent back to the user within the Set-Cookie HTTP header. Since the contents of the user-supplied session ID are not validated, it is possible to inject arbitrary HTTP headers into the response body. This immediately enables HTTP Response Splitting by simply terminating the HTTP response header from within the session ID used in the Set-Cookie directive. See also: CVE-2006-0207"
          }
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "74"
            },
            {
              "@CWE_ID": "113"
            },
            {
              "@CWE_ID": "138"
            },
            {
              "@CWE_ID": "436"
            }
          ]
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "WASC",
            "Entry_ID": "25",
            "Entry_Name": "HTTP Response Splitting"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-1"
            },
            {
              "@External_Reference_ID": "REF-117"
            },
            {
              "@External_Reference_ID": "REF-617"
            },
            {
              "@External_Reference_ID": "REF-680"
            }
          ]
        },
        "Notes": {
          "Note": [
            {
              "@Type": "Terminology",
              "#text": "HTTP Splitting \u2013 \"the act of forcing a sender of (HTTP) messages to emit data stream consisting of more messages than the sender\u2019s intension. The messages sent are 100% valid and RFC compliant\" [REF-117]."
            },
            {
              "@Type": "Terminology",
              "#text": "HTTP Smuggling \u2013 \"the act of forcing a sender of (HTTP) messages to emit data stream which may be parsed as a different set of messages (i.e. dislocated message boundaries) than the sender\u2019s intention. This is done by virtue of forcing the sender to emit non-standard messages which can be interpreted in more than one way\" [REF-117]."
            },
            {
              "@Type": "Relationship",
              "#text": "HTTP Smuggling is an evolution of previous HTTP Splitting techniques which are commonly remediated against."
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Attack_Phases, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Payload_Activation_Impact, Probing_Techniques, Related_Attack_Patterns, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated Attack_Phases, References"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Execution_Flow"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-10-21",
              "Modification_Comment": "Updated @Status, Consequences, Description, Example_Instances, Execution_Flow, Extended_Description, Indicators, Mitigations, Notes, Prerequisites, References, Related_Attack_Patterns, Related_Weaknesses, Resources_Required, Skills_Required, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Extended_Description"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Given the attack pattern: Password Spraying (CAPEC ID: 565), give me an example of indicator for this pattern",
    "context": "",
    "output": "Sure. Indicators: Many invalid login attempts are coming from the same machine (same IP address) or for multiple user accounts within short succession.\nThe login attempts use passwords that have been used previously by the user account in question.\nLogin attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations.",
    "category": "CAPECFlan",
    "instruction_type": "capec_indicators",
    "parsed_raw_data": {
      "Indicators": [
        "Many invalid login attempts are coming from the same machine (same IP address) or for multiple user accounts within short succession.",
        "The login attempts use passwords that have been used previously by the user account in question.",
        "Login attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations."
      ],
      "@Name": "Password Spraying (CAPEC ID: 565)",
      "attack_ptrn": {
        "@ID": "565",
        "@Name": "Password Spraying",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": {
          "xhtml:p": "In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout."
        },
        "Extended_Description": {
          "xhtml:p": [
            "Password Spraying attacks often target management services over commonly used ports such as SSH, FTP, Telnet, LDAP, Kerberos, MySQL, and more. Additional targets include Single Sign-On (SSO) or cloud-based applications/services that utilize federated authentication protocols, and externally facing applications. Successful execution of Password Spraying attacks usually leads to lateral movement within the target, which allows the adversary to impersonate the victim or execute any action that the victim is authorized to perform. If the password chosen by the user is commonly used or easily guessed, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.",
            "Password Spraying Attacks are similar to Dictionary-based Password Attacks (CAPEC-16) in that they both leverage precompiled lists (i.e. dictionaries) of username/password combinations to try against a system/application. The primary difference is that Password Spraying Attacks leverage a known list of user accounts and only try one password for each account before moving onto the next password. In contrast, Dictionary-based Password Attacks leverage unknown username/password combinations and are often executed offline against files containing hashed credentials, where inducing an account lockout is not a concern.",
            "Password Spraying Attacks are also similar to Credential Stuffing attacks (CAPEC-600), since both utilize known user accounts and often attack the same targets. Credential Stuffing attacks, however, leverage known username/password combinations, whereas Password Spraying attacks have no insight into known username/password pairs. If a Password Spraying attack succeeds, it may additionally lead to Credential Stuffing attacks on different targets."
          ]
        },
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "49"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "600"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "151"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "560"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "561"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "653"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Determine target's password policy] Determine the password policies of the target system/application.",
              "Technique": [
                "Determine minimum and maximum allowed password lengths.",
                "Determine format of allowed passwords (whether they are required or allowed to contain numbers, special characters, etc., or whether they are allowed to contain words from the dictionary).",
                "Determine account lockout policy (a strict account lockout policy will prevent brute force attacks)."
              ]
            },
            {
              "Step": "2",
              "Phase": "Explore",
              "Description": "[Select passwords] Pick the passwords to be used in the attack (e.g. commonly used passwords, passwords tailored to individual users, etc.)",
              "Technique": [
                "Select passwords based on common use or a particular user's additional details.",
                "Select passwords based on the target's password complexity policies."
              ]
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Brute force password] Given the finite space of possible passwords dictated by information determined in the previous steps, try each password for all known user accounts until the target grants access.",
              "Technique": [
                "Manually or automatically enter the first password for each known user account through the target's interface. In most systems, start with the shortest and simplest possible passwords, because most users tend to select such passwords if allowed to do so.",
                "Iterate through the remaining passwords for each known user account."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "The system/application uses one factor password based authentication.",
            "The system/application does not have a sound password policy that is being enforced.",
            "The system/application does not implement an effective password throttling mechanism.",
            "The adversary possesses a list of known user accounts on the target system/application."
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "A Password Spraying attack is very straightforward. A variety of password cracking tools are widely available."
          }
        },
        "Resources_Required": {
          "Resource": [
            "A machine with sufficient resources for the job (e.g. CPU, RAM, HD).",
            "Applicable password lists.",
            "A password cracking tool or a custom script that leverages the password list to launch the attack."
          ]
        },
        "Indicators": {
          "Indicator": [
            "Many invalid login attempts are coming from the same machine (same IP address) or for multiple user accounts within short succession.",
            "The login attempts use passwords that have been used previously by the user account in question.",
            "Login attempts are originating from IP addresses or locations that are inconsistent with the user's normal IP addresses or locations."
          ]
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authentication"
              ],
              "Impact": "Gain Privileges"
            },
            {
              "Scope": [
                "Confidentiality",
                "Authorization"
              ],
              "Impact": "Read Data"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Create a strong password policy and ensure that your system enforces this policy.",
            "Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.",
            "Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the domain network."
          ]
        },
        "Example_Instances": {
          "Example": [
            "A user selects the phrase \"Password123\" as their password, believing that it would be very difficult to guess. Password Spraying, leveraging a list of commonly used passwords, is used to crack this password and gain access to the account.",
            "The Iranian hacker group APT33 (AKA Holmium, Refined Kitten, or Elfin) carried out numerous Password Spraying attacks in 2019. On average, APT33 targeted 2,000 organizations per month, with upwards of 10 million authentication attempts each day. The majority of these attacks targeted manufacturers, suppliers, or maintainers of industrial control system equipment."
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "521"
            },
            {
              "@CWE_ID": "262"
            },
            {
              "@CWE_ID": "263"
            },
            {
              "@CWE_ID": "654"
            },
            {
              "@CWE_ID": "307"
            },
            {
              "@CWE_ID": "308"
            },
            {
              "@CWE_ID": "309"
            }
          ]
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1110.003",
            "Entry_Name": "Brute Force:Password Spraying"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-565"
            },
            {
              "@External_Reference_ID": "REF-566"
            },
            {
              "@External_Reference_ID": "REF-567"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2020-07-30"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "What are the possible indicators of capec - Use of Known Operating System Credentials (CAPEC ID: 653)",
    "context": "",
    "output": "Possible indicators: Authentication attempts use credentials that have been used previously by the account in question.\n- Authentication attempts are originating from IP addresses or locations that are inconsistent with a user's normal IP addresses or locations.\n- Data is being transferred and/or removed from systems/applications within the network.\n- Suspicious or Malicious software is downloaded/installed on systems within the domain.\n- Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.",
    "category": "CAPECFlan",
    "instruction_type": "capec_indicators",
    "parsed_raw_data": {
      "Indicators": [
        "Authentication attempts use credentials that have been used previously by the account in question.",
        "Authentication attempts are originating from IP addresses or locations that are inconsistent with a user's normal IP addresses or locations.",
        "Data is being transferred and/or removed from systems/applications within the network.",
        "Suspicious or Malicious software is downloaded/installed on systems within the domain.",
        "Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior."
      ],
      "@Name": "Use of Known Operating System Credentials (CAPEC ID: 653)",
      "attack_ptrn": {
        "@ID": "653",
        "@Name": "Use of Known Operating System Credentials",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.",
        "Extended_Description": {
          "xhtml:p": "This attack can be extremely harmful when the operating system credentials used are for a root or admin user. Once an adversary gains access using credentials with elevated privileges, they are free to alter important system files, which can affect other users who may use the system or other users on the system's network."
        },
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "560",
              "Exclude_Related": {
                "@Exclude_ID": "515"
              }
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "151"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Acquire known operating system credentials] The adversary must obtain known operating system credentials in order to access the target system, application, or service within the domain.",
              "Technique": [
                "An adversary purchases breached operating system username/password combinations or leaked hashed passwords from the dark web.",
                "An adversary leverages a key logger or phishing attack to steal user credentials as they are provided.",
                "An adversary conducts a sniffing attack to steal operating system credentials as they are transmitted.",
                "An adversary gains access to a system/files and exfiltrates password hashes.",
                "An adversary examines outward-facing configuration and properties files to discover hardcoded credentials."
              ]
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Attempt authentication] Try each operating system credential against various systems, applications, and services within the domain until the target grants access.",
              "Technique": "Manually or automatically enter each credential through the target's interface."
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the network"
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Spoofing] Malicious data can be injected into the target system or into other systems on the network. The adversary can also pose as a legitimate user to perform social engineering attacks."
            },
            {
              "Step": "5",
              "Phase": "Exploit",
              "Description": "[Data Exfiltration] The adversary can obtain sensitive data contained within system files or application configuration."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication.",
            "The system/application does not have a sound password policy that is being enforced.",
            "The system/application does not implement an effective password throttling mechanism.",
            "The adversary possesses a list of known user accounts and corresponding passwords that may exist on the target."
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "Once an adversary obtains a known credential, leveraging it is trivial."
          }
        },
        "Resources_Required": {
          "Resource": [
            "A list of known credentials for the targeted domain.",
            "A custom script that leverages a credential list to launch an attack."
          ]
        },
        "Indicators": {
          "Indicator": [
            "Authentication attempts use credentials that have been used previously by the account in question.",
            "Authentication attempts are originating from IP addresses or locations that are inconsistent with a user's normal IP addresses or locations.",
            "Data is being transferred and/or removed from systems/applications within the network.",
            "Suspicious or Malicious software is downloaded/installed on systems within the domain.",
            "Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior."
          ]
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authentication"
              ],
              "Impact": "Gain Privileges"
            },
            {
              "Scope": [
                "Confidentiality",
                "Authorization"
              ],
              "Impact": "Read Data"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Leverage multi-factor authentication for all authentication services and prior to granting an entity access to the network.",
            "Create a strong password policy and ensure that your system enforces this policy.",
            "Ensure users are not reusing username/password combinations for multiple systems, applications, or services.",
            "Do not reuse local administrator account credentials across systems.",
            "Deny remote use of local admin credentials to log into domain systems.",
            "Do not allow accounts to be a local administrator on more than one system.",
            "Implement an intelligent password throttling mechanism. Care must be taken to assure that these mechanisms do not excessively enable account lockout attacks such as CAPEC-2.",
            "Monitor system and domain logs for abnormal credential access."
          ]
        },
        "Example_Instances": {
          "Example": [
            "Adversaries exploited the Zoom video conferencing application during the 2020 COVID-19 pandemic to exfiltrate Windows domain credentials from a target system. The attack entailed sending Universal Naming Convention (UNC) paths within the Zoom chat window of an unprotected Zoom call. If the victim clicked on the link, their Windows usernames and the corresponding Net-NTLM-v2 hashes were sent to the address contained in the link. The adversary was then able to infiltrate and laterally move within the Windows domain by passing the acquired credentials to shared network resources. This further provided adversaries with access to Outlook servers and network storage devices. [REF-575]",
            "Mimikatz, a post-exploitation Windows credential harvester, can be used to gather and exploit Windows credentials. This malware has been used in several known cyberattacks, such as the Petya Ransomware attacks. [REF-576]"
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "522"
            },
            {
              "@CWE_ID": "307"
            },
            {
              "@CWE_ID": "308"
            },
            {
              "@CWE_ID": "309"
            },
            {
              "@CWE_ID": "262"
            },
            {
              "@CWE_ID": "263"
            },
            {
              "@CWE_ID": "654"
            }
          ]
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-575"
            },
            {
              "@External_Reference_ID": "REF-576"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2020-07-30"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated @Name, Description, Execution_Flow, Extended_Description, Mitigations, Prerequisites, Resources_Required, Skills_Required"
            }
          ],
          "Previous_Entry_Name": {
            "@Date": "2022-09-29",
            "#text": "Use of Known Windows Credentials"
          }
        }
      }
    }
  },
  {
    "instruction": "How can I detect attack pattern: Using Slashes in Alternate Encoding (CAPEC ID: 79)",
    "context": "",
    "output": "The indicators of Using Slashes in Alternate Encoding (CAPEC ID: 79) are: If the first path decoding process has left some invalid or denylisted characters, that may be a sign that the request is malicious.\n* Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.\n* An adversary can use a fuzzer in order to probe for a UTF-8 encoding vulnerability. The fuzzer should generate suspicious network activity.",
    "category": "CAPECFlan",
    "instruction_type": "capec_indicators",
    "parsed_raw_data": {
      "Indicators": [
        "If the first path decoding process has left some invalid or denylisted characters, that may be a sign that the request is malicious.",
        "Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.",
        "An adversary can use a fuzzer in order to probe for a UTF-8 encoding vulnerability. The fuzzer should generate suspicious network activity."
      ],
      "@Name": "Using Slashes in Alternate Encoding (CAPEC ID: 79)",
      "attack_ptrn": {
        "@ID": "79",
        "@Name": "Using Slashes in Alternate Encoding",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "This attack targets the encoding of the slash characters. An adversary would try to exploit common filtering problems related to the use of the slash characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The resulting inconsistency is that many MS-based systems are required to understand both forms of the slash. This gives the adversary many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.",
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "267"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Survey the application for user-controllable inputs] Using a browser, an automated tool or by inspecting the application, an adversary records all entry points to the application.",
              "Technique": [
                "Use a spidering tool to follow and record all links and analyze the web pages to find entry points. Make special note of any links that include parameters in the URL.",
                "Use a proxy tool to record all user input entry points visited during a manual traversal of the web application.",
                "Use a browser to manually explore the website and analyze how it is constructed. Many browsers' plugins are available to facilitate the analysis or automate the discovery.",
                "Manually inspect the application to find entry points."
              ]
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Probe entry points to locate vulnerabilities] The adversary uses the entry points gathered in the \"Explore\" phase as a target list and looks for areas where user input is used to access resources on the target host. The adversary attempts different encodings of slash characters to bypass input filters.",
              "Technique": [
                "Try both backslash and forward slash characters",
                "Try different encodings for slash characters such as %5C"
              ]
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Traverse application directories] Once the adversary determines how to bypass filters that filter out slash characters, they will manipulate the user input to include slashes in order to traverse directories and access resources that are not intended for the user."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "The application server accepts paths to locate resources.",
            "The application server does insufficient input data validation on the resource path requested by the user.",
            "The access right to resources are not set properly."
          ]
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "Low",
              "#text": "An adversary can try variations of the slash characters."
            },
            {
              "@Level": "Medium",
              "#text": "An adversary can use a more sophisticated tool or script to scan a website and find a path filtering problem."
            }
          ]
        },
        "Indicators": {
          "Indicator": [
            "If the first path decoding process has left some invalid or denylisted characters, that may be a sign that the request is malicious.",
            "Traffic filtering with IDS (or proxy) can detect requests with suspicious URLs. IDS may use signature based identification to reveal such URL based attacks.",
            "An adversary can use a fuzzer in order to probe for a UTF-8 encoding vulnerability. The fuzzer should generate suspicious network activity."
          ]
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Integrity",
                "Availability"
              ],
              "Impact": "Execute Unauthorized Commands",
              "Note": "Run Arbitrary Code"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Any security checks should occur after the data has been decoded and validated as correct data format. Do not repeat the decoding process; if bad characters are left after the decoding process, treat the data as suspicious and fail the validation process. Refer to the RFCs to safely decode URLs.",
            "When client input is required from web-based forms, avoid using the \"GET\" method to submit data, as the method causes the form data to be appended to the URL and is easily manipulated. Instead, use the \"POST\" method whenever possible.",
            "There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx)",
            "Be aware of the threat of alternative methods of data encoding and obfuscation techniques such as IP address encoding. (See related guideline section)",
            "Test your path decoding process against malicious input.",
            "In the case of path traversals, use the principle of least privilege when determining access rights to file systems. Do not allow users to access directories/files that they should not access.",
            "Assume all input is malicious. Create an allowlist that defines all valid input to the application based on the requirements specifications. Input that does not match against the allowlist should not be permitted to enter into the system."
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:b": "Attack Example: Slashes in Alternate Encodings",
            "xhtml:p": [
              "The two following requests are equivalent on most Web servers:",
              "is equivalent to",
              "Multiple encoding conversion problems can also be leveraged as various slashes are instantiated in URL-encoded, UTF-8, or Unicode. Consider the strings",
              "where %5C is equivalent to the \\ character."
            ],
            "xhtml:div": [
              {
                "@style": "margin-left:1em;",
                "@class": "informative",
                "#text": "http://target server/some_directory\\..\\..\\..\\winnt"
              },
              {
                "@style": "margin-left:1em;",
                "@class": "informative",
                "#text": "http://target server/some_directory/../../../winnt"
              },
              {
                "@style": "margin-left:1em;",
                "@class": "informative",
                "#text": "http://target server/some_directory\\..%5C..%5C..\\winnt"
              }
            ]
          }
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "173"
            },
            {
              "@CWE_ID": "180"
            },
            {
              "@CWE_ID": "181"
            },
            {
              "@CWE_ID": "20"
            },
            {
              "@CWE_ID": "74"
            },
            {
              "@CWE_ID": "73"
            },
            {
              "@CWE_ID": "22"
            },
            {
              "@CWE_ID": "185"
            },
            {
              "@CWE_ID": "200"
            },
            {
              "@CWE_ID": "697"
            },
            {
              "@CWE_ID": "707"
            }
          ]
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-1"
            },
            {
              "@External_Reference_ID": "REF-525"
            },
            {
              "@External_Reference_ID": "REF-495"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-01-09",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Indicators, Mitigations"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Execution_Flow, Indicators, Skills_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Example_Instances"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Give me an indicator example for attack pattern - Fuzzing (CAPEC ID: 28)",
    "context": "",
    "output": "Large volumes of invalid data are fed to the system: data that could not have been generated through a legitimate transaction or request, arriving within a short period of time and potentially from the same IP address.",
    "category": "CAPECFlan",
    "instruction_type": "capec_indicators",
    "parsed_raw_data": {
      "Indicators": "Large volumes of invalid data are fed to the system: data that could not have been generated through a legitimate transaction or request, arriving within a short period of time and potentially from the same IP address.",
      "@Name": "Fuzzing (CAPEC ID: 28)",
      "attack_ptrn": {
        "@ID": "28",
        "@Name": "Fuzzing",
        "@Abstraction": "Meta",
        "@Status": "Draft",
        "Description": "In this attack pattern, the adversary leverages fuzzing to try to identify weaknesses in the system. Fuzzing is a software security and functionality testing method that feeds randomly or semi-randomly constructed (typically invalid or malformed) input to the system and looks for an indication that a failure in response to that input has occurred. In its basic black-box form, fuzzing treats the system as a black box and does not depend on preconceptions or assumptions about the system's internals. Fuzzing can help an attacker discover certain assumptions made about user input in the system. Fuzzing gives an attacker a quick way of potentially uncovering some of these assumptions despite not necessarily knowing anything about the internals of the system. These assumptions can then be turned against the system by specially crafting user input that may allow an attacker to achieve their goals.",
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "Medium",
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Observe communication and inputs] The fuzzing attacker observes the target system looking for inputs and communications between modules, subsystems, or systems.",
              "Technique": [
                "Network sniffing. Using a network sniffer such as wireshark, the attacker observes communications into and out of the target system.",
                "Monitor API execution. Using a tool such as ktrace, strace, APISpy, or another debugging tool, the attacker observes the system calls and API calls that are made by the target system, and the nature of their parameters.",
                "Observe inputs using web inspection tools (OWASP's WebScarab, Paros, TamperData, TamperIE, etc.)"
              ]
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Generate fuzzed inputs] Given a fuzzing tool, a target input or protocol, and limits on time, complexity, and input variety, generate a list of inputs to try. Although fuzzing is random, it is not exhaustive. Parameters like length, composition, and how many variations to try are important to get the most cost-effective impact from the fuzzer.",
              "Technique": [
                "Boundary cases. Generate fuzz inputs that attack boundary cases of protocol fields, inputs, or other communications limits. Examples include 0xff and 0x00 for single-byte inputs. For binary protocols, toggle each bit of an individual field on and off (e.g., 0x80).",
                "Attempt arguments to system calls or APIs. The variations include payloads that, if they were successful, could lead to a compromise on the system."
              ]
            },
            {
              "Step": "3",
              "Phase": "Experiment",
              "Description": "[Observe the outcome] Observe the outputs to the inputs fed into the system by fuzzers and see if anything interesting happens. If failure occurs, determine why that happened. Figure out the underlying assumption that was invalidated by the input."
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Craft exploit payloads] Put specially crafted input into the system that leverages the weakness identified through fuzzing and allows the attacker to achieve their goals. Fuzzers often reveal ways to slip through the input validation filters and introduce unwanted data into the system.",
              "Technique": [
                "Identify and embed shellcode for the target system.",
                "Embed higher level attack commands in the payload. (e.g., SQL, PHP, server-side includes, etc.)",
                "Induce denial of service by exploiting resource leaks or bad error handling."
              ]
            }
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "There is a wide variety of fuzzing tools available."
          }
        },
        "Resources_Required": {
          "Resource": "Fuzzing tools."
        },
        "Indicators": {
          "Indicator": "Large volumes of invalid data are fed to the system: data that could not have been generated through a legitimate transaction or request, arriving within a short period of time and potentially from the same IP address."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            },
            {
              "Scope": "Availability",
              "Impact": "Unreliable Execution"
            },
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            },
            {
              "Scope": [
                "Confidentiality",
                "Integrity",
                "Availability"
              ],
              "Impact": "Alter Execution Logic"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Test to ensure that the software behaves as per specification and that there are no unintended side effects. Ensure that no assumptions about the validity of data are made.",
            "Use fuzz testing during the software QA process to uncover surprises, hidden assumptions about input validity, and unexpected behavior before an attacker does."
          ]
        },
        "Example_Instances": {
          "Example": "A fuzz test reveals that when the data length for a particular field exceeds a certain length, the input validation filter fails and lets the user data in unfiltered. This provides an attacker with an injection vector to deliver a malicious payload into the system."
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "74"
            },
            {
              "@CWE_ID": "20"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-01-09",
              "Modification_Comment": "Updated Description Summary, Related_Attack_Patterns, Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Description"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Related_Weaknesses"
            }
          ]
        }
      }
    }
  }
]