[
  {
    "instruction": "What is a method to mitigate T1547.003 (Time Providers)?\nA.  Employing a pattern matching rule language to analyze the content of files.\nB.  Restoring an object for an entity to access. This is the broadest class for object restoral.\nC.  The file removal technique deletes malicious artifacts or programs from a computer system.\nD.  Restricting access to a local file by configuring operating system functionality.\n\nPlease select the correct answer.",
    "context": "",
    "output": "B",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_multiple_choice",
    "parsed_raw_data": {
      "ddmc_mitigate_detect": "mitigate",
      "ddmc_node_name": "T1547.003 (Time Providers)",
      "ddmc_optionA": "Employing a pattern matching rule language to analyze the content of files.",
      "ddmc_optionB": "Restoring an object for an entity to access. This is the broadest class for object restoral.",
      "ddmc_optionC": "The file removal technique deletes malicious artifacts or programs from a computer system.",
      "ddmc_optionD": "Restricting access to a local file by configuring operating system functionality.",
      "ddmc_answer": "B",
      "ddmc_detection/mitigation": "Restoring an object for an entity to access. This is the broadest class for object restoral.",
      "prompts": [],
      "instruction": "What is a method to mitigate T1547.003 (Time Providers)?\nA.  Employing a pattern matching rule language to analyze the content of files.\nB.  Restoring an object for an entity to access. This is the broadest class for object restoral.\nC.  The file removal technique deletes malicious artifacts or programs from a computer system.\nD.  Restricting access to a local file by configuring operating system functionality.\n\nPlease select the correct answer."
    }
  },
  {
    "instruction": "What is a method to detect T1574.006 (Dynamic Linker Hijacking)?\nA.  Consider monitoring for files and processes associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines. Network adapter information may also be helpful in detecting the use of virtual instances. Consider monitoring for process command-line arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex. <code>-silent</code>, <code>-ignore-reboot</code>), as well as those associated with running a headless (in the background with no UI) virtual instance (ex. <code>VBoxManage startvm $VM --type headless</code>). Similarly, monitoring command line arguments which suppress notifications may highlight potentially malicious activity (ex. <code>VBoxManage.exe setextradata global GUI/SuppressMessages \"all\"</code>). Monitor for commands which enable hypervisors such as Hyper-V. If virtualization software is installed by the adversary, the Registry may provide detection opportunities. Consider monitoring for Windows Service, with respect to virtualization software. Benign usage of virtualization technology is common in enterprise environments, data and events should not be viewed in isolation, but as part of a chain of behavior.(Citations: Shadowbunny VM Defense Evasion, Shadowbunny VM Defense Evasion)\nB.  This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. New processes may not be created and no additional software dropped to disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for Process Injection against browser applications.\nC.  Deleting Windows event logs (via native binaries , API functions , or PowerShell ) may also generate an alterable event (Event ID 1102: \"The audit log was cleared\").(Citations: Microsoft wevtutil Oct 2017, Microsoft EventLog.Clear, Microsoft Clear-EventLog)\nD.  Monitor for changes to environment variables and files associated with loading shared libraries such as <code>LD_PRELOAD</code> and <code>DYLD_INSERT_LIBRARIES</code>, as well as the commands to implement these changes. Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.\n\nPlease select the correct answer.",
    "context": "",
    "output": "D",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_multiple_choice",
    "parsed_raw_data": {
      "ddmc_mitigate_detect": "detect",
      "ddmc_node_name": "T1574.006 (Dynamic Linker Hijacking)",
      "ddmc_optionA": "Consider monitoring for files and processes associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines. Network adapter information may also be helpful in detecting the use of virtual instances. Consider monitoring for process command-line arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex. <code>-silent</code>, <code>-ignore-reboot</code>), as well as those associated with running a headless (in the background with no UI) virtual instance (ex. <code>VBoxManage startvm $VM --type headless</code>). Similarly, monitoring command line arguments which suppress notifications may highlight potentially malicious activity (ex. <code>VBoxManage.exe setextradata global GUI/SuppressMessages \"all\"</code>). Monitor for commands which enable hypervisors such as Hyper-V. If virtualization software is installed by the adversary, the Registry may provide detection opportunities. Consider monitoring for Windows Service, with respect to virtualization software. Benign usage of virtualization technology is common in enterprise environments, data and events should not be viewed in isolation, but as part of a chain of behavior.(Citations: Shadowbunny VM Defense Evasion, Shadowbunny VM Defense Evasion)",
      "ddmc_optionB": "This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. New processes may not be created and no additional software dropped to disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for Process Injection against browser applications.",
      "ddmc_optionC": "Deleting Windows event logs (via native binaries , API functions , or PowerShell ) may also generate an alterable event (Event ID 1102: \"The audit log was cleared\").(Citations: Microsoft wevtutil Oct 2017, Microsoft EventLog.Clear, Microsoft Clear-EventLog)",
      "ddmc_optionD": "Monitor for changes to environment variables and files associated with loading shared libraries such as <code>LD_PRELOAD</code> and <code>DYLD_INSERT_LIBRARIES</code>, as well as the commands to implement these changes. Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.",
      "ddmc_answer": "D",
      "ddmc_detection/mitigation": "Monitor for changes to environment variables and files associated with loading shared libraries such as <code>LD_PRELOAD</code> and <code>DYLD_INSERT_LIBRARIES</code>, as well as the commands to implement these changes. Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.",
      "prompts": [],
      "instruction": "What is a method to detect T1574.006 (Dynamic Linker Hijacking)?\nA.  Consider monitoring for files and processes associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines. Network adapter information may also be helpful in detecting the use of virtual instances. Consider monitoring for process command-line arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex. <code>-silent</code>, <code>-ignore-reboot</code>), as well as those associated with running a headless (in the background with no UI) virtual instance (ex. <code>VBoxManage startvm $VM --type headless</code>). Similarly, monitoring command line arguments which suppress notifications may highlight potentially malicious activity (ex. <code>VBoxManage.exe setextradata global GUI/SuppressMessages \"all\"</code>). Monitor for commands which enable hypervisors such as Hyper-V. If virtualization software is installed by the adversary, the Registry may provide detection opportunities. Consider monitoring for Windows Service, with respect to virtualization software. Benign usage of virtualization technology is common in enterprise environments, data and events should not be viewed in isolation, but as part of a chain of behavior.(Citations: Shadowbunny VM Defense Evasion, Shadowbunny VM Defense Evasion)\nB.  This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. New processes may not be created and no additional software dropped to disk. Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior. Monitor for Process Injection against browser applications.\nC.  Deleting Windows event logs (via native binaries , API functions , or PowerShell ) may also generate an alterable event (Event ID 1102: \"The audit log was cleared\").(Citations: Microsoft wevtutil Oct 2017, Microsoft EventLog.Clear, Microsoft Clear-EventLog)\nD.  Monitor for changes to environment variables and files associated with loading shared libraries such as <code>LD_PRELOAD</code> and <code>DYLD_INSERT_LIBRARIES</code>, as well as the commands to implement these changes. Monitor processes for unusual activity (e.g., a process that does not use the network begins to do so). Track library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.\n\nPlease select the correct answer."
    }
  },
  {
    "instruction": "How can you mitigate Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)?\nA.  Apply blinding [REF-1219] or masking techniques in strategic areas.\nB.  Use non-predictable inputs for seed generation.\nC.  Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\" Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\nD.  Always verify the length of the string unit character.\n\nPlease select the correct answer.",
    "context": "",
    "output": "C",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_multiple_choice",
    "parsed_raw_data": {
      "ddmc_mitigate_detect": "mitigate",
      "ddmc_node_name": "Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)",
      "ddmc_optionA": "Apply blinding [REF-1219] or masking techniques in strategic areas.",
      "ddmc_optionB": "Use non-predictable inputs for seed generation.",
      "ddmc_optionC": "Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\" Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.",
      "ddmc_optionD": "Always verify the length of the string unit character.",
      "ddmc_answer": "C",
      "ddmc_detection/mitigation": "Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\" Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.",
      "prompts": [],
      "instruction": "How can you mitigate Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)?\nA.  Apply blinding [REF-1219] or masking techniques in strategic areas.\nB.  Use non-predictable inputs for seed generation.\nC.  Assume all input is malicious. Use an \"accept known good\" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, \"boat\" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as \"red\" or \"blue.\" Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.\nD.  Always verify the length of the string unit character.\n\nPlease select the correct answer."
    }
  },
  {
    "instruction": "How can you mitigate CWE-412 (Unrestricted Externally Accessible Lock)?\nA.  Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.\nB.  A true random number generator should be specified for cryptographic algorithms.\nC.  While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).\nD.  Consider modifying your code to use non-blocking synchronization methods.\n\nPlease select the correct answer.",
    "context": "",
    "output": "D",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_multiple_choice",
    "parsed_raw_data": {
      "ddmc_mitigate_detect": "mitigate",
      "ddmc_node_name": "CWE-412 (Unrestricted Externally Accessible Lock)",
      "ddmc_optionA": "Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.",
      "ddmc_optionB": "A true random number generator should be specified for cryptographic algorithms.",
      "ddmc_optionC": "While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).",
      "ddmc_optionD": "Consider modifying your code to use non-blocking synchronization methods.",
      "ddmc_answer": "D",
      "ddmc_detection/mitigation": "Consider modifying your code to use non-blocking synchronization methods.",
      "prompts": [],
      "instruction": "How can you mitigate CWE-412 (Unrestricted Externally Accessible Lock)?\nA.  Pay close attention to complex conditionals that affect initialization, since some branches might not perform the initialization.\nB.  A true random number generator should be specified for cryptographic algorithms.\nC.  While it is risky to use dynamically-generated query strings, code, or commands that mix control and data together, sometimes it may be unavoidable. Properly quote arguments and escape any special characters within those arguments. The most conservative approach is to escape or filter all characters that do not pass an extremely strict allowlist (such as everything that is not alphanumeric or white space). If some special characters are still needed, such as white space, wrap each argument in quotes after the escaping/filtering step. Be careful of argument injection (CWE-88).\nD.  Consider modifying your code to use non-blocking synchronization methods.\n\nPlease select the correct answer."
    }
  },
  {
    "instruction": "How can you mitigate T1055.005 (Thread Local Storage)?\nA.  Restoring an object for an entity to access. This is the broadest class for object restoral.\nB.  Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.\nC.  Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.\nD.  Restoring a file for an entity to access.\n\nPlease select the correct answer.",
    "context": "",
    "output": "C",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_multiple_choice",
    "parsed_raw_data": {
      "ddmc_mitigate_detect": "mitigate",
      "ddmc_node_name": "T1055.005 (Thread Local Storage)",
      "ddmc_optionA": "Restoring an object for an entity to access. This is the broadest class for object restoral.",
      "ddmc_optionB": "Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.",
      "ddmc_optionC": "Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.",
      "ddmc_optionD": "Restoring a file for an entity to access.",
      "ddmc_answer": "C",
      "ddmc_detection/mitigation": "Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.",
      "prompts": [],
      "instruction": "How can you mitigate T1055.005 (Thread Local Storage)?\nA.  Restoring an object for an entity to access. This is the broadest class for object restoral.\nB.  Analyzing intercepted or summarized computer network traffic to detect unauthorized activity.\nC.  Process Analysis consists of observing a running application process and analyzing it to watch for certain behaviors or conditions which may indicate adversary activity. Analysis can occur inside of the process or through a third-party monitoring application. Examples include monitoring system and privileged calls, monitoring process initiation chains, and memory boundary allocations.\nD.  Restoring a file for an entity to access.\n\nPlease select the correct answer."
    }
  },
  {
    "instruction": "How can you mitigate Multi-Stage Channels (T1104)?\nA.  Perform regular software updates to mitigate exploitation risk.\nB.  Perform regular software updates to mitigate exploitation risk.\nC.  Use intrusion detection signatures to block traffic at network boundaries.\nD.  Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.\n\nPlease select the correct answer.",
    "context": "",
    "output": "C",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_multiple_choice",
    "parsed_raw_data": {
      "ddmc_mitigate_detect": "mitigate",
      "ddmc_node_name": "Multi-Stage Channels (T1104)",
      "ddmc_optionA": "Perform regular software updates to mitigate exploitation risk.",
      "ddmc_optionB": "Perform regular software updates to mitigate exploitation risk.",
      "ddmc_optionC": "Use intrusion detection signatures to block traffic at network boundaries.",
      "ddmc_optionD": "Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.",
      "ddmc_answer": "C",
      "ddmc_detection/mitigation": "Use intrusion detection signatures to block traffic at network boundaries.",
      "prompts": [],
      "instruction": "How can you mitigate Multi-Stage Channels (T1104)?\nA.  Perform regular software updates to mitigate exploitation risk.\nB.  Perform regular software updates to mitigate exploitation risk.\nC.  Use intrusion detection signatures to block traffic at network boundaries.\nD.  Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.\n\nPlease select the correct answer."
    }
  },
  {
    "instruction": "Which one of the following is a way to mitigate Rootkit (T1014)?\nA.  Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities.\nB.  Analyzing a call stack for return addresses which point to unexpected memory locations.\nC.  Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities.\nD.  Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location.\n\nPlease select the correct answer.",
    "context": "",
    "output": "A",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_multiple_choice",
    "parsed_raw_data": {
      "ddmc_mitigate_detect": "mitigate",
      "ddmc_node_name": "Rootkit (T1014)",
      "ddmc_optionA": "Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities.",
      "ddmc_optionB": "Analyzing a call stack for return addresses which point to unexpected memory locations.",
      "ddmc_optionC": "Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities.",
      "ddmc_optionD": "Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location.",
      "ddmc_answer": "A",
      "ddmc_detection/mitigation": "Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities.",
      "prompts": [],
      "instruction": "Which one of the following is a way to mitigate Rootkit (T1014)?\nA.  Asset vulnerability enumeration enriches inventory items with knowledge identifying their vulnerabilities.\nB.  Analyzing a call stack for return addresses which point to unexpected memory locations.\nC.  Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities.\nD.  Monitoring geolocation data of user logon attempts and comparing it to a baseline user behavior profile to identify anomalies in logon location.\n\nPlease select the correct answer."
    }
  },
  {
    "instruction": "How can you mitigate Modify Registry (T1112)?\nA.  Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities.\nB.  Restoring an object for an entity to access. This is the broadest class for object restoral.\nC.  Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture.\nD.  Restoring an object for an entity to access. This is the broadest class for object restoral.\n\nPlease select the correct answer.",
    "context": "",
    "output": "C",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_multiple_choice",
    "parsed_raw_data": {
      "ddmc_mitigate_detect": "mitigate",
      "ddmc_node_name": "Modify Registry (T1112)",
      "ddmc_optionA": "Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities.",
      "ddmc_optionB": "Restoring an object for an entity to access. This is the broadest class for object restoral.",
      "ddmc_optionC": "Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture.",
      "ddmc_optionD": "Restoring an object for an entity to access. This is the broadest class for object restoral.",
      "ddmc_answer": "C",
      "ddmc_detection/mitigation": "Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture.",
      "prompts": [],
      "instruction": "How can you mitigate Modify Registry (T1112)?\nA.  Asset inventorying identifies and records the organization's assets and enriches each inventory item with knowledge about their vulnerabilities.\nB.  Restoring an object for an entity to access. This is the broadest class for object restoral.\nC.  Data inventorying identifies and records the schemas, formats, volumes, and locations of data stored and used on the organization's architecture.\nD.  Restoring an object for an entity to access. This is the broadest class for object restoral.\n\nPlease select the correct answer."
    }
  },
  {
    "instruction": "Which one of the following is a way to mitigate Blind SQL Injection (CAPEC-7)?\nA.  Minimize error/response output to only what is necessary for functional use or corrective language.\nB.  Design: Enforce principle of least privilege\nC.  There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx)\nD.  Security by Obscurity is not a solution to preventing SQL Injection. Rather than suppress error messages and exceptions, the application must handle them gracefully, returning either a custom error page or redirecting the user to a default page, without revealing any information about the database or the application internals.\n\nPlease select the correct answer.",
    "context": "",
    "output": "D",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_multiple_choice",
    "parsed_raw_data": {
      "ddmc_mitigate_detect": "mitigate",
      "ddmc_node_name": "Blind SQL Injection (CAPEC-7)",
      "ddmc_optionA": "Minimize error/response output to only what is necessary for functional use or corrective language.",
      "ddmc_optionB": "Design: Enforce principle of least privilege",
      "ddmc_optionC": "There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx)",
      "ddmc_optionD": "Security by Obscurity is not a solution to preventing SQL Injection. Rather than suppress error messages and exceptions, the application must handle them gracefully, returning either a custom error page or redirecting the user to a default page, without revealing any information about the database or the application internals.",
      "ddmc_answer": "D",
      "ddmc_detection/mitigation": "Security by Obscurity is not a solution to preventing SQL Injection. Rather than suppress error messages and exceptions, the application must handle them gracefully, returning either a custom error page or redirecting the user to a default page, without revealing any information about the database or the application internals.",
      "prompts": [],
      "instruction": "Which one of the following is a way to mitigate Blind SQL Injection (CAPEC-7)?\nA.  Minimize error/response output to only what is necessary for functional use or corrective language.\nB.  Design: Enforce principle of least privilege\nC.  There are tools to scan HTTP requests to the server for valid URL such as URLScan from Microsoft (http://www.microsoft.com/technet/security/tools/urlscan.mspx)\nD.  Security by Obscurity is not a solution to preventing SQL Injection. Rather than suppress error messages and exceptions, the application must handle them gracefully, returning either a custom error page or redirecting the user to a default page, without revealing any information about the database or the application internals.\n\nPlease select the correct answer."
    }
  },
  {
    "instruction": "How can you mitigate Schema Poisoning (CAPEC-271)?\nA.  Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.\nB.  Utilize proper character encoding for all output produced within client-site scripts manipulating the DOM.\nC.  Design proper access control policies for hardware register access from software and ensure these policies are implemented in accordance with the specified design.\nD.  In general, every request must be checked for the appropriate authentication token as well as authorization in the current session context.\n\nPlease select the correct answer.",
    "context": "",
    "output": "A",
    "category": "BronFlan",
    "instruction_type": "bron_direct_dm_multiple_choice",
    "parsed_raw_data": {
      "ddmc_mitigate_detect": "mitigate",
      "ddmc_node_name": "Schema Poisoning (CAPEC-271)",
      "ddmc_optionA": "Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.",
      "ddmc_optionB": "Utilize proper character encoding for all output produced within client-site scripts manipulating the DOM.",
      "ddmc_optionC": "Design proper access control policies for hardware register access from software and ensure these policies are implemented in accordance with the specified design.",
      "ddmc_optionD": "In general, every request must be checked for the appropriate authentication token as well as authorization in the current session context.",
      "ddmc_answer": "A",
      "ddmc_detection/mitigation": "Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.",
      "prompts": [],
      "instruction": "How can you mitigate Schema Poisoning (CAPEC-271)?\nA.  Implementation: For applications that leverage remote schemas, use the HTTPS protocol to prevent modification of traffic in transit and to avoid unauthorized modification.\nB.  Utilize proper character encoding for all output produced within client-site scripts manipulating the DOM.\nC.  Design proper access control policies for hardware register access from software and ensure these policies are implemented in accordance with the specified design.\nD.  In general, every request must be checked for the appropriate authentication token as well as authorization in the current session context.\n\nPlease select the correct answer."
    }
  }
]