[
  {
    "instruction": "What technique can be detected with the following MITRE detections: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.",
    "context": "",
    "output": "A technique that can be detected with the MITRE detections listed above is: Permission Groups Discovery: Cloud Groups",
    "category": "MitreFlan",
    "instruction_type": "mitre_detection_detection",
    "parsed_raw_data": {
      "question": "What technique can be detected with the following MITRE detections: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Activity and account logs for the cloud services can also be monitored for suspicious commands that are anomalous compared to a baseline of normal activity.",
      "answer": "A technique that can be detected with the MITRE detections listed above is: Permission Groups Discovery: Cloud Groups",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_detection_detection"
    }
  },
  {
    "instruction": "Give me possible detections for the given technique: Abuse Elevation Control Mechanism: Elevated Execution with Prompt?",
    "context": "",
    "output": "Here are some possible detections for 'Abuse Elevation Control Mechanism: Elevated Execution with Prompt':\n\nConsider monitoring for <code>/usr/libexec/security_authtrampoline</code> executions which may indicate that <code>AuthorizationExecuteWithPrivileges</code> is being executed. MacOS system logs may also indicate when <code>AuthorizationExecuteWithPrivileges</code> is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.",
    "category": "MitreFlan",
    "instruction_type": "mitre_detection_detection",
    "parsed_raw_data": {
      "question": "Give me possible detections for the given technique: Abuse Elevation Control Mechanism: Elevated Execution with Prompt",
      "answer": "Here are some possible detections for 'Abuse Elevation Control Mechanism: Elevated Execution with Prompt':\n\nConsider monitoring for <code>/usr/libexec/security_authtrampoline</code> executions which may indicate that <code>AuthorizationExecuteWithPrivileges</code> is being executed. MacOS system logs may also indicate when <code>AuthorizationExecuteWithPrivileges</code> is being called. Monitoring OS API callbacks for the execution can also be a way to detect this behavior but requires specialized security tooling.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_detection_detection"
    }
  },
  {
    "instruction": "Tell me how to detect the following: Obtain Capabilities: Vulnerabilities (T1588.006)",
    "context": "",
    "output": "Certainly. Here are some possible detection methods for Obtain Capabilities: Vulnerabilities:\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of exploits for vulnerabilities (i.e. Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Exploitation for Credential Access, Exploitation of Remote Services, and Application or System Exploitation).",
    "category": "MitreFlan",
    "instruction_type": "mitre_detection_detection",
    "parsed_raw_data": {
      "question": "Tell me how to detect the following: Obtain Capabilities: Vulnerabilities (T1588.006)",
      "answer": "Certainly. Here are some possible detection methods for Obtain Capabilities: Vulnerabilities:\n\nMuch of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on behaviors relating to the potential use of exploits for vulnerabilities (i.e. Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Privilege Escalation, Exploitation for Defense Evasion, Exploitation for Credential Access, Exploitation of Remote Services, and Application or System Exploitation).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_detection_detection"
    }
  },
  {
    "instruction": "What technique can be detected with the following MITRE detections: BITS runs as a service and its status can be checked with the Sc query utility (<code>sc query bits</code>). Active BITS tasks can be enumerated using the BITSAdmin tool (<code>bitsadmin /list /allusers /verbose</code>).\n\nMonitor usage of the BITSAdmin tool (especially the 'Transfer', 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options), Admin logs, PowerShell logs, and the Windows Event log for BITS activity. Also consider investigating more detailed information about jobs by parsing the BITS job database.\n\nMonitor and analyze network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account).",
    "context": "",
    "output": "A technique that can be detected with the MITRE detections listed above is: BITS Jobs",
    "category": "MitreFlan",
    "instruction_type": "mitre_detection_detection",
    "parsed_raw_data": {
      "question": "What technique can be detected with the following MITRE detections: BITS runs as a service and its status can be checked with the Sc query utility (<code>sc query bits</code>). Active BITS tasks can be enumerated using the BITSAdmin tool (<code>bitsadmin /list /allusers /verbose</code>).\n\nMonitor usage of the BITSAdmin tool (especially the 'Transfer', 'Create', 'AddFile', 'SetNotifyFlags', 'SetNotifyCmdLine', 'SetMinRetryDelay', 'SetCustomHeaders', and 'Resume' command options), Admin logs, PowerShell logs, and the Windows Event log for BITS activity. Also consider investigating more detailed information about jobs by parsing the BITS job database.\n\nMonitor and analyze network activity generated by BITS. BITS jobs use HTTP(S) and SMB for remote connections and are tethered to the creating user and will only function when that user is logged on (this rule applies even if a user attaches the job to a service account).",
      "answer": "A technique that can be detected with the MITRE detections listed above is: BITS Jobs",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_detection_detection"
    }
  },
  {
    "instruction": "Tell me how to detect the following: Hardware Additions (T1200)?",
    "context": "",
    "output": "Certainly. Here are some possible detection methods for Hardware Additions:\n\nAsset management systems may help with the detection of computer systems or network devices that should not exist on a network. \n\nEndpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.",
    "category": "MitreFlan",
    "instruction_type": "mitre_detection_detection",
    "parsed_raw_data": {
      "question": "Tell me how to detect the following: Hardware Additions (T1200)",
      "answer": "Certainly. Here are some possible detection methods for Hardware Additions:\n\nAsset management systems may help with the detection of computer systems or network devices that should not exist on a network. \n\nEndpoint sensors may be able to detect the addition of hardware via USB, Thunderbolt, and other external device communication ports.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_detection_detection"
    }
  },
  {
    "instruction": "How to detect Mitre technique: Modify Cloud Compute Infrastructure: Delete Cloud Instance - T1578.003?",
    "context": "",
    "output": "In order to detect Modify Cloud Compute Infrastructure: Delete Cloud Instance (T1578.003), you can apply the following detection options:\nThe deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.\n\nIn AWS, CloudTrail logs capture the deletion of an instance in the <code>TerminateInstances</code> event, and in Azure the deletion of a VM may be captured in Azure activity logs. Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of <code>gcloud compute instances delete</code> to delete a VM.",
    "category": "MitreFlan",
    "instruction_type": "mitre_detection_detection",
    "parsed_raw_data": {
      "question": "How to detect Mitre technique: Modify Cloud Compute Infrastructure: Delete Cloud Instance - T1578.003",
      "answer": "In order to detect Modify Cloud Compute Infrastructure: Delete Cloud Instance (T1578.003), you can apply the following detection options:\nThe deletion of a new instance or virtual machine is a common part of operations within many cloud environments. Events should then not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. For example, detecting a sequence of events such as the creation of an instance, mounting of a snapshot to that instance, and deletion of that instance by a new user account may indicate suspicious activity.\n\nIn AWS, CloudTrail logs capture the deletion of an instance in the <code>TerminateInstances</code> event, and in Azure the deletion of a VM may be captured in Azure activity logs. Google's Admin Activity audit logs within their Cloud Audit logs can be used to detect the usage of <code>gcloud compute instances delete</code> to delete a VM.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_detection_detection"
    }
  },
  {
    "instruction": "Return the detections for the following MITRE ATT&CK technique: Event Triggered Execution: Component Object Model Hijacking (T1546.015)?",
    "context": "",
    "output": "Detections for the following MITRE attack technique:\n\nThere are opportunities to detect COM hijacking by searching for Registry references that have been replaced and through Registry operations (ex: Reg) replacing known binary paths with unknown paths or otherwise malicious content. Even though some third-party applications define user COM objects, the presence of objects within HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\ may be anomalous and should be investigated since user objects will be loaded prior to machine objects in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\. Registry entries for existing COM objects may change infrequently. When an entry with a known good path and binary is replaced or changed to an unusual value to point to an unknown binary in a new location, then it may indicate suspicious behavior and should be investigated.\n\nLikewise, if software DLL loads are collected and analyzed, any unusual DLL load that can be correlated with a COM object Registry modification may indicate COM hijacking has been performed.",
    "category": "MitreFlan",
    "instruction_type": "mitre_detection_detection",
    "parsed_raw_data": {
      "question": "Return the detections for the following MITRE ATT&CK technique: Event Triggered Execution: Component Object Model Hijacking (T1546.015)",
      "answer": "Detections for the following MITRE attack technique:\n\nThere are opportunities to detect COM hijacking by searching for Registry references that have been replaced and through Registry operations (ex: Reg) replacing known binary paths with unknown paths or otherwise malicious content. Even though some third-party applications define user COM objects, the presence of objects within HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\ may be anomalous and should be investigated since user objects will be loaded prior to machine objects in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\. Registry entries for existing COM objects may change infrequently. When an entry with a known good path and binary is replaced or changed to an unusual value to point to an unknown binary in a new location, then it may indicate suspicious behavior and should be investigated.\n\nLikewise, if software DLL loads are collected and analyzed, any unusual DLL load that can be correlated with a COM object Registry modification may indicate COM hijacking has been performed.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_detection_detection"
    }
  },
  {
    "instruction": "Return the detections for the following MITRE ATT&CK technique: Financial Theft (T1657)",
    "context": "",
    "output": "Detections for the following MITRE attack technique:\n\n",
    "category": "MitreFlan",
    "instruction_type": "mitre_detection_detection",
    "parsed_raw_data": {
      "question": "Return the detections for the following MITRE ATT&CK technique: Financial Theft (T1657)",
      "answer": "Detections for the following MITRE attack technique:\n\n",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_detection_detection"
    }
  },
  {
    "instruction": "Give me possible detections for the given technique: Hide Infrastructure?",
    "context": "",
    "output": "Here are some possible detections for 'Hide Infrastructure':\n\n",
    "category": "MitreFlan",
    "instruction_type": "mitre_detection_detection",
    "parsed_raw_data": {
      "question": "Give me possible detections for the given technique: Hide Infrastructure",
      "answer": "Here are some possible detections for 'Hide Infrastructure':\n\n",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_detection_detection"
    }
  },
  {
    "instruction": "What technique can be detected with the following MITRE detections: ?",
    "context": "",
    "output": "A technique that can be detected with the MITRE detections listed above is: Modify Authentication Process: Network Provider DLL",
    "category": "MitreFlan",
    "instruction_type": "mitre_detection_detection",
    "parsed_raw_data": {
      "question": "What technique can be detected with the following MITRE detections: ",
      "answer": "A technique that can be detected with the MITRE detections listed above is: Modify Authentication Process: Network Provider DLL",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_detection_detection"
    }
  }
]