[
  {
    "instruction": "Tell me the mapping of the following attack pattern: 'Counterfeit Websites (CAPEC ID: 543)' to other frameworks such as MITRE ATT&CK, WASC, and OWASP.",
    "context": "",
    "output": "The given CAPEC attack pattern can be mapped to the MITRE ATT&CK framework, and specifically to: 'Masquerading: Match Legitimate Name or Location (MITRE ATT&CK ID: 1036.005) in MITRE ATT&CK'",
    "category": "CAPECFlan",
    "instruction_type": "capec_taxonomy_mapping",
    "parsed_raw_data": {
      "@Name": "Counterfeit Websites (CAPEC ID: 543)",
      "taxonomy": "Masquerading: Match Legitimate Name or Location (MITRE ATT&CK ID: 1036.005) in MITRE ATT&CK",
      "taxonomy_types": "MITRE ATT&CK framework",
      "attack_ptrn": {
        "@ID": "543",
        "@Name": "Counterfeit Websites",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "Adversary creates duplicates of legitimate websites. When users visit a counterfeit site, the site can gather information or upload malware.",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "194",
              "Exclude_Related": [
                {
                  "@Exclude_ID": "513"
                },
                {
                  "@Exclude_ID": "515"
                }
              ]
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "89"
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "None"
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1036.005",
            "Entry_Name": "Masquerading: Match Legitimate Name or Location"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-05-01",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Related_Attack_Patterns, Taxonomy_Mappings"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Consider the following CAPEC attack pattern: Lifting Sensitive Data Embedded in Cache (CAPEC ID: 204). Provide an equivalent/related item in other frameworks, specifically in the MITRE ATT&CK framework.",
    "context": "",
    "output": "An equivalent/related item to the specified attack pattern in the MITRE ATT&CK framework can be: Data from Local System (MITRE ATT&CK ID: 1005) in MITRE ATT&CK",
    "category": "CAPECFlan",
    "instruction_type": "capec_taxonomy_mapping",
    "parsed_raw_data": {
      "@Name": "Lifting Sensitive Data Embedded in Cache (CAPEC ID: 204)",
      "taxonomy": "Data from Local System (MITRE ATT&CK ID: 1005) in MITRE ATT&CK",
      "taxonomy_types": "MITRE ATT&CK framework",
      "attack_ptrn": {
        "@ID": "204",
        "@Name": "Lifting Sensitive Data Embedded in Cache",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information.",
        "Typical_Severity": "Medium",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "167"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "560"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Identify Application Cache] An adversary first identifies an application that utilizes a cache. This could either be a web application storing data in a browser cache, or an application running on a separate machine. The adversary examines the cache to determine file permissions and possible encryption.",
              "Technique": [
                "Use probing tools to look for application cache files on a machine.",
                "Use a web application and determine if any sensitive information is stored in browser cache."
              ]
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Attempt to Access Cache] Once the cache has been discovered, the adversary attempts to access the cached data. This often requires previous access to a machine hosting the target application.",
              "Technique": [
                "Use privilege escalation to access cache files that might have strict privileges.",
                "If the application cache is encrypted with weak encryption, attempt to understand the encryption technique and break the encryption."
              ]
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Lift Sensitive Data from Cache] After gaining access to cached data, an adversary looks for potentially sensitive information and stores it for malicious use. This sensitive data could possibly be used in follow-up attacks related to authentication or authorization.",
              "Technique": "Using a public computer, or gaining access to a victim's computer, examine browser cache to look for sensitive data left over from previous sessions."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "The target application must store sensitive information in a cache.",
            "The cache must be inadequately protected against attacker access."
          ]
        },
        "Resources_Required": {
          "Resource": "The attacker must be able to reach the target application's cache. This may require prior access to the machine on which the target application runs. If the cache is encrypted, the attacker would need sufficient computational resources to crack the encryption. With strong encryption schemes, doing this could be intractable, but weaker encryption schemes could allow an attacker with sufficient resources to read the file."
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "524"
            },
            {
              "@CWE_ID": "311"
            },
            {
              "@CWE_ID": "1239"
            },
            {
              "@CWE_ID": "1258"
            }
          ]
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1005",
            "Entry_Name": "Data from Local System"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-11-09",
              "Modification_Comment": "Updated Related_Attack_Patterns, Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Execution_Flow"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            }
          ],
          "Previous_Entry_Name": {
            "@Date": "2015-11-09",
            "#text": "Lifting cached, sensitive data embedded in client distributions (thick or thin)"
          }
        }
      }
    }
  },
  {
    "instruction": "Tell me the mapping of the following attack pattern: 'Security Software Footprinting (CAPEC ID: 581)' to other frameworks such as MITRE ATT&CK, WASC, and OWASP.",
    "context": "",
    "output": "The given CAPEC attack pattern can be mapped to the MITRE ATT&CK framework, and specifically to: 'Software Discovery:Security Software Discovery (MITRE ATT&CK ID: 1518.001) in MITRE ATT&CK'",
    "category": "CAPECFlan",
    "instruction_type": "capec_taxonomy_mapping",
    "parsed_raw_data": {
      "@Name": "Security Software Footprinting (CAPEC ID: 581)",
      "taxonomy": "Software Discovery:Security Software Discovery (MITRE ATT&CK ID: 1518.001) in MITRE ATT&CK",
      "taxonomy_types": "MITRE ATT&CK framework",
      "attack_ptrn": {
        "@ID": "581",
        "@Name": "Security Software Footprinting",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "Adversaries may attempt to get a listing of security tools that are installed on the system and their configurations. This may include security related system features (such as a built-in firewall or anti-spyware) as well as third-party security software.",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "580"
          }
        },
        "Mitigations": {
          "Mitigation": "Identify programs that may be used to acquire security tool information and block them by using a software restriction policy or tools that restrict program execution by using a process allowlist."
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1518.001",
            "Entry_Name": "Software Discovery:Security Software Discovery"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2015-11-09"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated References"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Mitigations, Taxonomy_Mappings"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Consider the following CAPEC attack pattern: Remote Code Inclusion (CAPEC ID: 253). Provide an equivalent/related item in other frameworks, specifically in the WASC framework.",
    "context": "",
    "output": "An equivalent/related item to the specified attack pattern in the WASC framework can be: Remote File Inclusion (WASC ID: 05) in WASC",
    "category": "CAPECFlan",
    "instruction_type": "capec_taxonomy_mapping",
    "parsed_raw_data": {
      "@Name": "Remote Code Inclusion (CAPEC ID: 253)",
      "taxonomy": "Remote File Inclusion (WASC ID: 05) in WASC",
      "taxonomy_types": "WASC framework",
      "attack_ptrn": {
        "@ID": "253",
        "@Name": "Remote Code Inclusion",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load malicious files that the attacker placed on the remote machine, or to otherwise change the functionality of the targeted application in unexpected ways.",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "175"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "664"
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "Target application server must allow remote files to be included. The malicious file must be placed on the remote machine previously."
        },
        "Mitigations": {
          "Mitigation": "Minimize attacks by input validation and sanitization of any user data that will be used by the target application to locate a remote file to be included."
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "829"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "WASC",
            "Entry_ID": "05",
            "Entry_Name": "Remote File Inclusion"
          }
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-614",
            "@Section": "Testing for Remote File Inclusion"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated Attack_Prerequisites, Description Summary, Related_Weaknesses, Solutions_and_Mitigations"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated References, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Consider the following CAPEC attack pattern: Modification During Manufacture (CAPEC ID: 438). Provide an equivalent/related item in other frameworks, specifically in the MITRE ATT&CK framework.",
    "context": "",
    "output": "An equivalent/related item to the specified attack pattern in the MITRE ATT&CK framework can be: Supply Chain Compromise (MITRE ATT&CK ID: 1195) in MITRE ATT&CK",
    "category": "CAPECFlan",
    "instruction_type": "capec_taxonomy_mapping",
    "parsed_raw_data": {
      "@Name": "Modification During Manufacture (CAPEC ID: 438)",
      "taxonomy": "Supply Chain Compromise (MITRE ATT&CK ID: 1195) in MITRE ATT&CK",
      "taxonomy_types": "MITRE ATT&CK framework",
      "attack_ptrn": {
        "@ID": "438",
        "@Name": "Modification During Manufacture",
        "@Abstraction": "Meta",
        "@Status": "Draft",
        "Description": "An attacker modifies a technology, product, or component during a stage in its manufacture for the purpose of carrying out an attack against some entity involved in the supply chain lifecycle. There are an almost limitless number of ways an attacker can modify a technology when they are involved in its manufacture, as the attacker has potential inroads to the software composition, hardware design and assembly, firmware, or basic design mechanics. Additionally, manufacturing of key components is often outsourced with the final product assembled by the primary manufacturer. The greatest risk, however, is deliberate manipulation of design specifications to produce malicious hardware or devices. There are billions of transistors in a single integrated circuit and studies have shown that fewer than 10 transistors are required to create malicious functionality.",
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1195",
            "Entry_Name": "Supply Chain Compromise"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-379"
            },
            {
              "@External_Reference_ID": "REF-380"
            },
            {
              "@External_Reference_ID": "REF-381"
            },
            {
              "@External_Reference_ID": "REF-382",
              "@Section": "Section 1. Introduction"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            }
          ],
          "Previous_Entry_Name": {
            "@Date": "2015-11-09",
            "#text": "Integrity Modification During Manufacture"
          }
        }
      }
    }
  },
  {
    "instruction": "What is an equivalent/related item of the following attack pattern: Hardware Component Substitution During Baselining (CAPEC ID: 516) in other frameworks? Specifically in MITRE ATT&CK framework.",
    "context": "",
    "output": "The mentioned attack pattern in CAPEC has a related item in the MITRE ATT&CK framework. More specifically, the mentioned attack pattern is related to 'Supply Chain Compromise: Compromise Hardware Supply Chain (MITRE ATT&CK ID: 1195.003) in MITRE ATT&CK'",
    "category": "CAPECFlan",
    "instruction_type": "capec_taxonomy_mapping",
    "parsed_raw_data": {
      "@Name": "Hardware Component Substitution During Baselining (CAPEC ID: 516)",
      "taxonomy": "Supply Chain Compromise: Compromise Hardware Supply Chain (MITRE ATT&CK ID: 1195.003) in MITRE ATT&CK",
      "taxonomy_types": "MITRE ATT&CK framework",
      "attack_ptrn": {
        "@ID": "516",
        "@Name": "Hardware Component Substitution During Baselining",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "An adversary with access to system components during allocated baseline development can substitute a maliciously altered hardware component for a baseline component during the product development and research phases. This can lead to adjustments and calibrations being made in the product so that when the final product, now containing the modified component, is deployed it will not perform as designed and be advantageous to the adversary.",
        "Likelihood_Of_Attack": "Low",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "444",
            "Exclude_Related": [
              {
                "@Exclude_ID": "513"
              },
              {
                "@Exclude_ID": "688"
              }
            ]
          }
        },
        "Prerequisites": {
          "Prerequisite": "The adversary will need either physical access or be able to supply malicious hardware components to the product development facility."
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "Medium",
              "#text": "Intelligence data on victim's purchasing habits."
            },
            {
              "@Level": "High",
              "#text": "Resources to maliciously construct/alter hardware components used for testing by the supplier."
            },
            {
              "@Level": "High",
              "#text": "Resources to physically infiltrate supplier."
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Hardware attacks are often difficult to detect, as inserted components can be difficult to identify or remain dormant for an extended period of time.",
            "Acquire hardware and hardware components from trusted vendors. Additionally, determine where vendors purchase components or if any components are created/acquired via subcontractors to determine where supply chain risks may exist."
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": "An adversary supplies the product development facility of a network security device with a hardware component that is used to simulate large volumes of network traffic. The device claims in logs, stats, and via the display panel to be pumping out very large quantities of network traffic, when it is in fact putting out very low volumes. The developed product is adjusted and configured to handle what it believes to be a heavy network load, but when deployed at the victim site the large volumes of network traffic are dropped instead of being processed by the network security device. This allows the adversary an advantage when attacking the victim in that the adversary's presence may not be detected by the device."
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1195.003",
            "Entry_Name": "Supply Chain Compromise: Compromise Hardware Supply Chain"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-439"
            },
            {
              "@External_Reference_ID": "REF-712"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-11-09",
              "Modification_Comment": "Updated Examples-Instances, Related_Attack_Patterns, Typical_Likelihood_of_Exploit"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-09-30",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Example_Instances, Mitigations, Prerequisites, References"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Related_Attack_Patterns, Taxonomy_Mappings"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Tell me the mapping of the following attack pattern: 'Retrieve Embedded Sensitive Data (CAPEC ID: 37)' to other frameworks such as MITRE ATT&CK, WASC, and OWASP.",
    "context": "",
    "output": "The given CAPEC attack pattern can be mapped to the MITRE ATT&CK framework, and specifically to: 'Data from Local System (MITRE ATT&CK ID: 1005) in MITRE ATT&CK, Unsecured Credentials: Private Keys (MITRE ATT&CK ID: 1552.004) in MITRE ATT&CK'",
    "category": "CAPECFlan",
    "instruction_type": "capec_taxonomy_mapping",
    "parsed_raw_data": {
      "@Name": "Retrieve Embedded Sensitive Data (CAPEC ID: 37)",
      "taxonomy": "Data from Local System (MITRE ATT&CK ID: 1005) in MITRE ATT&CK, Unsecured Credentials: Private Keys (MITRE ATT&CK ID: 1552.004) in MITRE ATT&CK",
      "taxonomy_types": "MITRE ATT&CK framework",
      "attack_ptrn": {
        "@ID": "37",
        "@Name": "Retrieve Embedded Sensitive Data",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.",
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "Very High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "167"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Identify Target] Attacker identifies client components to extract information from. These may be binary executables, class files, shared libraries (e.g., DLLs), configuration files, or other system files.",
              "Technique": [
                "Binary file extraction. The attacker extracts binary files from zips, jars, wars, PDFs or other composite formats.",
                "Package listing. The attacker uses a package manifest provided with the software installer, or the filesystem itself, to identify component files suitable for attack."
              ]
            },
            {
              "Step": "2",
              "Phase": "Exploit",
              "Description": "[Retrieve Embedded Data] The attacker then uses a variety of techniques, such as sniffing, reverse-engineering, and cryptanalysis to retrieve the information of interest.",
              "Technique": [
                "API Profiling. The attacker monitors the software's use of registry keys or other operating system-provided storage locations that can contain sensitive information.",
                "Execution in simulator. The attacker physically removes mass storage from the system and explores it using a simulator, external system, or other debugging harness.",
                "Common decoding methods. The attacker applies methods to decode such encodings and compressions as Base64, unzip, unrar, RLE decoding, gzip decompression and so on.",
                "Common data typing. The attacker looks for common file signatures for well-known file types (JPEG, TIFF, ASN.1, LDIF, etc.). If the signatures match, they attempt decoding in that format."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "In order to feasibly execute this type of attack, some valuable data must be present in client software.",
            "Additionally, this information must be unprotected, or protected in a flawed fashion, or through a mechanism that fails to resist reverse engineering, statistical, or other attack."
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Medium",
            "#text": "The attacker must possess knowledge of client code structure as well as ability to reverse-engineer or decompile it or probe it in other ways. This knowledge is specific to the technology and language used for the client distribution"
          }
        },
        "Resources_Required": {
          "Resource": "The attacker must possess access to the system or code being exploited. Such access, for this set of attacks, will likely be physical. The attacker will make use of reverse engineering technologies, perhaps for data or to extract functionality from the binary. Such tool use may be as simple as \"Strings\" or a hex editor. Removing functionality may require the use of only a hex editor, or may require aspects of the toolchain used to construct the application: for instance the Adobe Flash development environment. Attacks of this nature do not require network access or undue CPU, memory, or other hardware-based resources."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            }
          ]
        },
        "Example_Instances": {
          "Example": [
            "Using a tool such as 'strings' or similar to pull out text data, perhaps part of a database table, that extends beyond what a particular user's purview should be.",
            "An attacker can also use a decompiler to decompile a downloaded Java applet in order to look for information such as hardcoded IP addresses, file paths, passwords or other such contents.",
            "Attacker uses a tool such as a browser plug-in to pull cookie or other token information that, from a previous user at the same machine (perhaps a kiosk), allows the attacker to log in as the previous user."
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "226"
            },
            {
              "@CWE_ID": "311"
            },
            {
              "@CWE_ID": "525"
            },
            {
              "@CWE_ID": "312"
            },
            {
              "@CWE_ID": "314"
            },
            {
              "@CWE_ID": "315"
            },
            {
              "@CWE_ID": "318"
            },
            {
              "@CWE_ID": "1239"
            },
            {
              "@CWE_ID": "1258"
            },
            {
              "@CWE_ID": "1266"
            },
            {
              "@CWE_ID": "1272"
            },
            {
              "@CWE_ID": "1278"
            },
            {
              "@CWE_ID": "1301"
            },
            {
              "@CWE_ID": "1330"
            }
          ]
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": [
            {
              "@Taxonomy_Name": "ATTACK",
              "Entry_ID": "1005",
              "Entry_Name": "Data from Local System"
            },
            {
              "@Taxonomy_Name": "ATTACK",
              "Entry_ID": "1552.004",
              "Entry_Name": "Unsecured Credentials: Private Keys"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-11-09",
              "Modification_Comment": "Updated Activation_Zone, Attack_Phases, Attack_Prerequisites, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Related_Vulnerabilities, Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Execution_Flow, Related_Weaknesses, Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Execution_Flow"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            }
          ],
          "Previous_Entry_Name": {
            "@Date": "2015-11-09",
            "#text": "Lifting Data Embedded in Client Distributions"
          }
        }
      }
    }
  },
  {
    "instruction": "What is an equivalent/related item of the following attack pattern: Active OS Fingerprinting (CAPEC ID: 312) in other frameworks? Specifically in MITRE ATT&CK framework.",
    "context": "",
    "output": "The mentioned attack pattern in CAPEC has a related item in the MITRE ATT&CK framework framework. More specifically, the mentioned attack pattern is related to 'System Information Discovery (MITRE ATT&CK ID: 1082) in MITRE ATT&CK'",
    "category": "CAPECFlan",
    "instruction_type": "capec_taxonomy_mapping",
    "parsed_raw_data": {
      "@Name": "Active OS Fingerprinting (CAPEC ID: 312)",
      "taxonomy": "System Information Discovery (MITRE ATT&CK ID: 1082) in MITRE ATT&CK",
      "taxonomy_types": "MITRE ATT&CK framework",
      "attack_ptrn": {
        "@ID": "312",
        "@Name": "Active OS Fingerprinting",
        "@Abstraction": "Standard",
        "@Status": "Stable",
        "Description": "An adversary engages in activity to detect the operating system or firmware version of a remote target by interrogating a device, server, or platform with a probe designed to solicit behavior that will reveal information about the operating systems or firmware in the environment. Operating System detection is possible because implementations of common protocols (Such as IP or TCP) differ in distinct ways. While the implementation differences are not sufficient to 'break' compatibility with the protocol the differences are detectable because the target will respond in unique ways to specific probing activity that breaks the semantic or logical rules of packet construction for a protocol. Different operating systems will have a unique response to the anomalous input, providing the basis to fingerprint the OS behavior. This type of OS fingerprinting can distinguish between operating system types and versions.",
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "Low",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "224"
          }
        },
        "Prerequisites": {
          "Prerequisite": "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card."
        },
        "Resources_Required": {
          "Resource": {
            "xhtml:p": [
              "Any type of active probing that involves non-standard packet headers requires the use of raw sockets, which is not available on particular operating systems (Microsoft Windows XP SP 2, for example). Raw socket manipulation on Unix/Linux requires root privileges.",
              "A tool capable of sending and receiving packets from a remote system."
            ]
          }
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Hide Activities"
            }
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "200"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1082",
            "Entry_Name": "System Information Discovery"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-33",
              "@Section": "Chapter 2: Scanning, pg. 56"
            },
            {
              "@External_Reference_ID": "REF-128"
            },
            {
              "@External_Reference_ID": "REF-212",
              "@Section": "Chapter 8. Remote OS Detection"
            },
            {
              "@External_Reference_ID": "REF-130"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-05-01",
              "Modification_Comment": "Updated Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated References, Related_Weaknesses"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "What is an equivalent/related item of the following attack pattern: Content Spoofing (CAPEC ID: 148) in other frameworks? Specifically in MITRE ATT&CK/WASC/OWASP Attacks frameworks.",
    "context": "",
    "output": "The mentioned attack pattern in CAPEC has a related item in the MITRE ATT&CK/WASC/OWASP Attacks frameworks framework. More specifically, the mentioned attack pattern is related to 'Defacement (MITRE ATT&CK ID: 1491) in MITRE ATT&CK, Content Spoofing (WASC ID: 12) in WASC, Content Spoofing in OWASP Attacks'",
    "category": "CAPECFlan",
    "instruction_type": "capec_taxonomy_mapping",
    "parsed_raw_data": {
      "@Name": "Content Spoofing (CAPEC ID: 148)",
      "taxonomy": "Defacement (MITRE ATT&CK ID: 1491) in MITRE ATT&CK, Content Spoofing (WASC ID: 12) in WASC, Content Spoofing in OWASP Attacks",
      "taxonomy_types": "MITRE ATT&CK/WASC/OWASP Attacks frameworks",
      "attack_ptrn": {
        "@ID": "148",
        "@Name": "Content Spoofing",
        "@Abstraction": "Meta",
        "@Status": "Stable",
        "Description": "An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes.",
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "Medium",
        "Prerequisites": {
          "Prerequisite": "The target must provide content but fail to adequately protect it against modification.The adversary must have the means to alter data to which they are not authorized. If the content is to be modified in transit, the adversary must be able to intercept the targeted messages."
        },
        "Resources_Required": {
          "Resource": {
            "xhtml:p": [
              "If the content is to be modified in transit, the adversary requires a tool capable of intercepting the target's communication and generating/creating custom packets to impact the communications.",
              "In some variants, the targeted content is altered so that all or some of it is redirected towards content published by the attacker (for example, images and frames in the target's web site might be modified to be loaded from a source controlled by the attacker). In these cases, the attacker requires the necessary resources to host the replacement content."
            ]
          }
        },
        "Consequences": {
          "Consequence": {
            "Scope": "Integrity",
            "Impact": "Modify Data",
            "Note": "A successful content spoofing attack compromises the integrity of the application data."
          }
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "345"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": [
            {
              "@Taxonomy_Name": "ATTACK",
              "Entry_ID": "1491",
              "Entry_Name": "Defacement"
            },
            {
              "@Taxonomy_Name": "WASC",
              "Entry_ID": "12",
              "Entry_Name": "Content Spoofing"
            },
            {
              "@Taxonomy_Name": "OWASP Attacks",
              "Entry_Name": "Content Spoofing"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-05-01",
              "Modification_Comment": "Updated Activation_Zone, Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Related_Weaknesses, Resources_Required, Typical_Likelihood_of_Exploit"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Prerequisites"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Consider the following CAPEC attack pattern: Targeted Malware (CAPEC ID: 542). Provide an equivalent/related item in other frameworks, specifically in the MITRE ATT&CK framework framework.",
    "context": "",
    "output": "An equivalent/related item to the specficied attack pattern in the MITRE ATT&CK framework framework can be: Develop Capabilities: Malware (MITRE ATT&CK ID: 1587.001) in MITRE ATT&CK, Obfuscated Files or Information (MITRE ATT&CK ID: 1027) in MITRE ATT&CK",
    "category": "CAPECFlan",
    "instruction_type": "capec_taxonomy_mapping",
    "parsed_raw_data": {
      "@Name": "Targeted Malware (CAPEC ID: 542)",
      "taxonomy": "Develop Capabilities: Malware (MITRE ATT&CK ID: 1587.001) in MITRE ATT&CK, Obfuscated Files or Information (MITRE ATT&CK ID: 1027) in MITRE ATT&CK",
      "taxonomy_types": "MITRE ATT&CK framework",
      "attack_ptrn": {
        "@ID": "542",
        "@Name": "Targeted Malware",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "An adversary develops targeted malware that takes advantage of a known vulnerability in an organizational information technology environment. The malware crafted for these attacks is based specifically on information gathered about the technology environment. Successfully executing the malware enables an adversary to achieve a wide variety of negative technical impacts.",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "549"
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "662"
            }
          ]
        },
        "Indicators": {
          "Indicator": [
            "Software being run on a system matches a file signature found in a malware database",
            "A suspicious module is loaded that is not regularly loaded by a system",
            "Software on a system is making calls to \"GetProcAddress()\" which is a commonly used function to implement dynamic API resolution"
          ]
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": [
            {
              "@Taxonomy_Name": "ATTACK",
              "Entry_ID": "1587.001",
              "Entry_Name": "Develop Capabilities: Malware"
            },
            {
              "@Taxonomy_Name": "ATTACK",
              "Entry_ID": "1027",
              "Entry_Name": "Obfuscated Files or Information"
            }
          ]
        },
        "Notes": {
          "Note": {
            "@Type": "Other",
            "#text": "Adversaries often utilize obfuscation techniques when developing malware with the purpose of either avoiding detection or prevent the target from reverse engineering and understanding a captured malware sample. Some of these techniques include, but are not limited to, binary padding, software packing, stripping symbols and strings from a payload, and utilizing dynamic API resolution."
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-11-09",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated References"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2023-01-24",
              "Modification_Comment": "Updated Indicators, Notes, Taxonomy_Mappings"
            }
          ]
        }
      }
    }
  }
]