[
  {
    "instruction": "Can you please describe the MITRE ATT&CK technique: Process Injection: Proc Memory (T1055.009)",
    "context": "",
    "output": "Sure! Here is the description: Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. \n\nProc memory injection involves enumerating the memory of a process via the /proc filesystem (<code>/proc/pid</code>) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes\u2019 stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes\u2019 memory map within <code>/proc/pid/maps</code> can be overwritten using dd. \n\nOther techniques such as Dynamic Linker Hijacking may be used to populate a target process with more available gadgets. Similar to Process Hollowing, proc memory injection may target child processes (such as a backgrounded copy of sleep). \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process.",
    "category": "MitreFlan",
    "instruction_type": "mitre_description_technique",
    "parsed_raw_data": {
      "question": "Can you please describe the MITRE ATT&CK technique: Process Injection: Proc Memory (T1055.009)",
      "answer": "Sure! Here is the description: Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process. \n\nProc memory injection involves enumerating the memory of a process via the /proc filesystem (<code>/proc/pid</code>) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes\u2019 stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes\u2019 memory map within <code>/proc/pid/maps</code> can be overwritten using dd. \n\nOther techniques such as Dynamic Linker Hijacking may be used to populate a target process with more available gadgets. Similar to Process Hollowing, proc memory injection may target child processes (such as a backgrounded copy of sleep). \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_description_technique"
    }
  },
  {
    "instruction": "Can you please describe the MITRE ATT&CK technique: 'Valid Accounts (T1078)'?",
    "context": "",
    "output": "Indeed. Description for MITRE ATT&CK technique 'Valid Accounts (T1078)':\n\nAdversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nIn some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.",
    "category": "MitreFlan",
    "instruction_type": "mitre_description_technique",
    "parsed_raw_data": {
      "question": "Can you please describe the MITRE ATT&CK technique: 'Valid Accounts (T1078)'",
      "answer": "Indeed. Description for MITRE ATT&CK technique 'Valid Accounts (T1078)':\n\nAdversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.\n\nIn some cases, adversaries may abuse inactive accounts: for example, those belonging to individuals who are no longer part of an organization. Using these accounts may allow the adversary to evade detection, as the original account user will not be present to identify any anomalous activity taking place on their account.\n\nThe overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_description_technique"
    }
  },
  {
    "instruction": "Describe MITRE technique 'Process Discovery (T1057)'",
    "context": "",
    "output": "Here is the description for technique 'Process Discovery (T1057)':\nAdversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or <code>Get-Process</code> via PowerShell. Information about processes can also be extracted from the output of Native API calls such as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via `/proc`. \n\nOn network devices, Network Device CLI commands such as `show processes` can be used to display current running processes.",
    "category": "MitreFlan",
    "instruction_type": "mitre_description_technique",
    "parsed_raw_data": {
      "question": "Describe MITRE technique 'Process Discovery (T1057)'",
      "answer": "Here is the description for technique 'Process Discovery (T1057)':\nAdversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Administrator or otherwise elevated access may provide better process details. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\nIn Windows environments, adversaries could obtain details on running processes using the Tasklist utility via cmd or <code>Get-Process</code> via PowerShell. Information about processes can also be extracted from the output of Native API calls such as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via `/proc`. \n\nOn network devices, Network Device CLI commands such as `show processes` can be used to display current running processes.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_description_technique"
    }
  },
  {
    "instruction": "Describe MITRE technique 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)'?",
    "context": "",
    "output": "Here is the description for technique 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)':\nBy responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. \n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through Network Sniffing and crack the hashes offline through Brute Force to obtain the plaintext passwords.\n\nIn some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.\u00a0\n\nSeveral tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and Responder.",
    "category": "MitreFlan",
    "instruction_type": "mitre_description_technique",
    "parsed_raw_data": {
      "question": "Describe MITRE technique 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)'",
      "answer": "Here is the description for technique 'Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)':\nBy responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials. \n\nLink-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. \n\nAdversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through Network Sniffing and crack the hashes offline through Brute Force to obtain the plaintext passwords.\n\nIn some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv1/v2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. Additionally, adversaries may encapsulate the NTLMv1/v2 hashes into various protocols, such as LDAP, SMB, MSSQL and HTTP, to expand and use multiple services with the valid NTLM response.\u00a0\n\nSeveral tools may be used to poison name services within local networks such as NBNSpoof, Metasploit, and Responder.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_description_technique"
    }
  },
  {
    "instruction": "Describe the following MITRE technique: OS Credential Dumping: DCSync - T1003.006?",
    "context": "",
    "output": "Description for the MITRE technique OS Credential Dumping: DCSync (T1003.006):\nAdversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)    to simulate the replication process from a remote domain controller using a technique called DCSync.\n\nMembers of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket or change an account's password as noted in Account Manipulation.\n\nDCSync functionality has been included in the \"lsadump\" module in Mimikatz. Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.",
    "category": "MitreFlan",
    "instruction_type": "mitre_description_technique",
    "parsed_raw_data": {
      "question": "Describe the following MITRE technique: OS Credential Dumping: DCSync - T1003.006",
      "answer": "Description for the MITRE technique OS Credential Dumping: DCSync (T1003.006):\nAdversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller's application programming interface (API)    to simulate the replication process from a remote domain controller using a technique called DCSync.\n\nMembers of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket or change an account's password as noted in Account Manipulation.\n\nDCSync functionality has been included in the \"lsadump\" module in Mimikatz. Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_description_technique"
    }
  },
  {
    "instruction": "Describe the following technique - Command and Scripting Interpreter: Visual Basic (T1059.005)",
    "context": "",
    "output": "Description: Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.\n\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications. VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).\n\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads (which may also involve Mark-of-the-Web Bypass to enable execution).",
    "category": "MitreFlan",
    "instruction_type": "mitre_description_technique",
    "parsed_raw_data": {
      "question": "Describe the following technique - Command and Scripting Interpreter: Visual Basic (T1059.005)",
      "answer": "Description: Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.\n\nDerivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications. VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).\n\nAdversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads (which may also involve Mark-of-the-Web Bypass to enable execution).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_description_technique"
    }
  },
  {
    "instruction": "Can you please describe the MITRE ATT&CK technique: Use Alternate Authentication Material (T1550)?",
    "context": "",
    "output": "Sure! Here is the description: Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. \n\nAuthentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.\n\nCaching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system\u2014either in memory or on disk\u2014it may be at risk of being stolen through Credential Access techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.",
    "category": "MitreFlan",
    "instruction_type": "mitre_description_technique",
    "parsed_raw_data": {
      "question": "Can you please describe the MITRE ATT&CK technique: Use Alternate Authentication Material (T1550)",
      "answer": "Sure! Here is the description: Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. \n\nAuthentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.\n\nCaching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system\u2014either in memory or on disk\u2014it may be at risk of being stolen through Credential Access techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_description_technique"
    }
  },
  {
    "instruction": "Describe technique named Compromise Infrastructure: Virtual Private Server - T1584.003?",
    "context": "",
    "output": "Sure. The description for the MITRE technique named Compromise Infrastructure: Virtual Private Server (T1584.003) is:\nAdversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.\n\nCompromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.",
    "category": "MitreFlan",
    "instruction_type": "mitre_description_technique",
    "parsed_raw_data": {
      "question": "Describe technique named Compromise Infrastructure: Virtual Private Server - T1584.003",
      "answer": "Sure. The description for the MITRE technique named Compromise Infrastructure: Virtual Private Server (T1584.003) is:\nAdversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.\n\nCompromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_description_technique"
    }
  },
  {
    "instruction": "What is MITRE technique: Forge Web Credentials: Web Cookies - T1606.001",
    "context": "",
    "output": "MITRE technique 'Forge Web Credentials: Web Cookies - T1606.001' can be described as follows:\nAdversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.\n\nAdversaries may generate these cookies in order to gain access to web resources. This differs from Steal Web Session Cookie and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces. The generation of web cookies often requires secret values, such as passwords, Private Keys, or other cryptographic seed values.\n\nOnce forged, adversaries may use these web cookies to access resources (Web Session Cookie), which may bypass multi-factor and other authentication protection mechanisms.",
    "category": "MitreFlan",
    "instruction_type": "mitre_description_technique",
    "parsed_raw_data": {
      "question": "What is MITRE technique: Forge Web Credentials: Web Cookies - T1606.001",
      "answer": "MITRE technique 'Forge Web Credentials: Web Cookies - T1606.001' can be described as follows:\nAdversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.\n\nAdversaries may generate these cookies in order to gain access to web resources. This differs from Steal Web Session Cookie and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces. The generation of web cookies often requires secret values, such as passwords, Private Keys, or other cryptographic seed values.\n\nOnce forged, adversaries may use these web cookies to access resources (Web Session Cookie), which may bypass multi-factor and other authentication protection mechanisms.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_description_technique"
    }
  },
  {
    "instruction": "Describe technique: Steal or Forge Kerberos Tickets: Golden Ticket (T1558.001)?",
    "context": "",
    "output": "Ofcourse. Description for technique 'Steal or Forge Kerberos Tickets: Golden Ticket (T1558.001)':\nAdversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket. Golden tickets enable adversaries to generate authentication material for any account in Active Directory. \n\nUsing a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.\n\nThe KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets. The KRBTGT password hash may be obtained using OS Credential Dumping and privileged access to a domain controller.",
    "category": "MitreFlan",
    "instruction_type": "mitre_description_technique",
    "parsed_raw_data": {
      "question": "Describe technique: Steal or Forge Kerberos Tickets: Golden Ticket (T1558.001)",
      "answer": "Ofcourse. Description for technique 'Steal or Forge Kerberos Tickets: Golden Ticket (T1558.001)':\nAdversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket. Golden tickets enable adversaries to generate authentication material for any account in Active Directory. \n\nUsing a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.\n\nThe KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets. The KRBTGT password hash may be obtained using OS Credential Dumping and privileged access to a domain controller.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "mitre_description_technique"
    }
  }
]