[
  {
    "instruction": "Q: is tactic Defense Evasion related to the following description:\nAdversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary-supplied environment-specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.\n\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses. By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult. These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\n\nSimilar to Obfuscated Files or Information, adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution. By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult. This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\n\nLike other Execution Guardrails, environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "The given description is related to sub technique Environmental Keying (T1480.001);\nSub technique Environmental Keying (T1480.001) is a type of technique Execution Guardrails (T1480);\nTechnique Execution Guardrails (T1480) is a type of tactic Defense Evasion (TA0005);\nTherefore, the correct answer is yes, the given description is related to tactic Defense Evasion.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "is tactic Defense Evasion related to the following description:\nAdversaries may environmentally key payloads or other features of malware to evade defenses and constrain execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary-supplied environment-specific conditions that are expected to be present on the target. Environmental keying is an implementation of Execution Guardrails that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.\n\nValues can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses. By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult. These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).\n\nSimilar to Obfuscated Files or Information, adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution. By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult. This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.\n\nLike other Execution Guardrails, environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical Virtualization/Sandbox Evasion. While use of Virtualization/Sandbox Evasion may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.",
      "yes/no": "The given description is related to sub technique Environmental Keying (T1480.001);\nSub technique Environmental Keying (T1480.001) is a type of technique Execution Guardrails (T1480);\nTechnique Execution Guardrails (T1480) is a type of tactic Defense Evasion (TA0005);\nTherefore, the correct answer is yes, the given description is related to tactic Defense Evasion.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: is tactic Defense Evasion related to the following description:\nAdversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples of built-in Command and Scripting Interpreter functions include <code>del</code> on Windows and <code>rm</code> or <code>unlink</code> on Linux and macOS.",
    "context": "",
    "output": "The given description is related to sub technique File Deletion (T1070.004);\nSub technique File Deletion (T1070.004) is a type of technique Indicator Removal (T1070);\nTechnique Indicator Removal (T1070) is a type of tactic Defense Evasion (TA0005);\nTherefore, the correct answer is yes, the given description is related to tactic Defense Evasion.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "is tactic Defense Evasion related to the following description:\nAdversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.\n\nThere are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples of built-in Command and Scripting Interpreter functions include <code>del</code> on Windows and <code>rm</code> or <code>unlink</code> on Linux and macOS.",
      "yes/no": "The given description is related to sub technique File Deletion (T1070.004);\nSub technique File Deletion (T1070.004) is a type of technique Indicator Removal (T1070);\nTechnique Indicator Removal (T1070) is a type of tactic Defense Evasion (TA0005);\nTherefore, the correct answer is yes, the given description is related to tactic Defense Evasion.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: is tactic Lateral Movement related to the following description:\nAdversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.\n\nFor example, adversaries may construct or use onion routing networks \u2013 such as the publicly available Tor network \u2013 to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.\n\nIn the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., Network Devices). By leveraging Patch System Image on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the Network Boundary Bridging method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization\u2019s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.\n\nSimilarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.",
    "context": "",
    "output": "The given description is related to sub technique Multi-hop Proxy (T1090.003);\nSub technique Multi-hop Proxy (T1090.003) is a type of technique Proxy (T1090);\nTechnique Proxy (T1090) is a type of tactic Command and Control (TA0011);\nTherefore, the correct answer is no, the given description is not related to tactic Lateral Movement.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "is tactic Lateral Movement related to the following description:\nAdversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.\n\nFor example, adversaries may construct or use onion routing networks \u2013 such as the publicly available Tor network \u2013 to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.\n\nIn the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., Network Devices). By leveraging Patch System Image on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the Network Boundary Bridging method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization\u2019s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.\n\nSimilarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.",
      "yes/no": "The given description is related to sub technique Multi-hop Proxy (T1090.003);\nSub technique Multi-hop Proxy (T1090.003) is a type of technique Proxy (T1090);\nTechnique Proxy (T1090) is a type of tactic Command and Control (TA0011);\nTherefore, the correct answer is no, the given description is not related to tactic Lateral Movement.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: is tactic Reconnaissance related to the following description:\nAdversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.\n\nAdversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: WHOIS). Where third-party cloud providers are in use, this information may also be exposed through publicly available API endpoints, such as GetUserRealm and autodiscover in Office 365 environments. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases, Search Open Websites/Domains, or Phishing for Information), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Phishing).",
    "context": "",
    "output": "The given description is related to sub technique Domain Properties (T1590.001);\nSub technique Domain Properties (T1590.001) is a type of technique Gather Victim Network Information (T1590);\nTechnique Gather Victim Network Information (T1590) is a type of tactic Reconnaissance (TA0043);\nTherefore, the correct answer is yes, the given description is related to tactic Reconnaissance.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "is tactic Reconnaissance related to the following description:\nAdversaries may gather information about the victim's network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.\n\nAdversaries may gather this information in various ways, such as direct collection actions via Active Scanning or Phishing for Information. Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: WHOIS). Where third-party cloud providers are in use, this information may also be exposed through publicly available API endpoints, such as GetUserRealm and autodiscover in Office 365 environments. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases, Search Open Websites/Domains, or Phishing for Information), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: Phishing).",
      "yes/no": "The given description is related to sub technique Domain Properties (T1590.001);\nSub technique Domain Properties (T1590.001) is a type of technique Gather Victim Network Information (T1590);\nTechnique Gather Victim Network Information (T1590) is a type of tactic Reconnaissance (TA0043);\nTherefore, the correct answer is yes, the given description is related to tactic Reconnaissance.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: is tactic Credential Access related to the following description:\nAn adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).\n\nThis account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\n\nFor example, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.\n\nIn some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to Create Account or modify a victim-owned account.",
    "context": "",
    "output": "The given description is related to sub technique Additional Cloud Roles (T1098.003);\nSub technique Additional Cloud Roles (T1098.003) is a type of technique Account Manipulation (T1098);\nTechnique Account Manipulation (T1098) is a type of tactic Command and Control (TA0011);\nTherefore, the correct answer is no, the given description is not related to tactic Credential Access.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "is tactic Credential Access related to the following description:\nAn adversary may add additional roles or permissions to an adversary-controlled cloud account to maintain persistent access to a tenant. For example, adversaries may update IAM policies in cloud-based environments or add a new global administrator in Office 365 environments. With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins).\n\nThis account modification may immediately follow Create Account or other malicious account activity. Adversaries may also modify existing Valid Accounts that they have compromised. This could lead to privilege escalation, particularly if the roles added allow for lateral movement to additional accounts.\n\nFor example, in AWS environments, an adversary with appropriate permissions may be able to use the <code>CreatePolicyVersion</code> API to define a new version of an IAM policy or the <code>AttachUserPolicy</code> API to attach an IAM policy with additional or distinct permissions to a compromised user account.\n\nIn some cases, adversaries may add roles to adversary-controlled accounts outside the victim cloud tenant. This allows these external accounts to perform actions inside the victim tenant without requiring the adversary to Create Account or modify a victim-owned account.",
      "yes/no": "The given description is related to sub technique Additional Cloud Roles (T1098.003);\nSub technique Additional Cloud Roles (T1098.003) is a type of technique Account Manipulation (T1098);\nTechnique Account Manipulation (T1098) is a type of tactic Command and Control (TA0011);\nTherefore, the correct answer is no, the given description is not related to tactic Credential Access.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Q: is tactic Credential Access related to the following description - Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple\u2019s iCloud service.\n\nKeychains can be viewed and edited through the Keychain Access application or using the command-line utility <code>security</code>. Keychain files are located in <code>~/Library/Keychains/</code>, <code>/Library/Keychains/</code>, and <code>/Network/Library/Keychains/</code>.\n\nAdversaries may gather user credentials from Keychain storage/memory. For example, the command <code>security dump-keychain -d</code> will dump all Login Keychain credentials from <code>~/Library/Keychains/login.keychain-db</code>. Adversaries may also directly read Login Keychain credentials from the <code>~/Library/Keychains/login.keychain</code> file. Both methods require a password, where the default password for the Login Keychain is the current user\u2019s password to login to the macOS host.\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "The given description is related to sub technique Keychain (T1555.001);\nSub technique Keychain (T1555.001) is a type of technique Credentials from Password Stores (T1555);\nTechnique Credentials from Password Stores (T1555) is a type of tactic Credential Access (TA0006);\nTherefore, the correct answer is yes, the given description is related to tactic Credential Access.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "is tactic Credential Access related to the following description - Adversaries may acquire credentials from Keychain. Keychain (or Keychain Services) is the macOS credential management system that stores account names, passwords, private keys, certificates, sensitive application data, payment data, and secure notes. There are three types of Keychains: Login Keychain, System Keychain, and Local Items (iCloud) Keychain. The default Keychain is the Login Keychain, which stores user passwords and information. The System Keychain stores items accessed by the operating system, such as items shared among users on a host. The Local Items (iCloud) Keychain is used for items synced with Apple\u2019s iCloud service.\n\nKeychains can be viewed and edited through the Keychain Access application or using the command-line utility <code>security</code>. Keychain files are located in <code>~/Library/Keychains/</code>, <code>/Library/Keychains/</code>, and <code>/Network/Library/Keychains/</code>.\n\nAdversaries may gather user credentials from Keychain storage/memory. For example, the command <code>security dump-keychain -d</code> will dump all Login Keychain credentials from <code>~/Library/Keychains/login.keychain-db</code>. Adversaries may also directly read Login Keychain credentials from the <code>~/Library/Keychains/login.keychain</code> file. Both methods require a password, where the default password for the Login Keychain is the current user\u2019s password to login to the macOS host.",
      "yes/no": "The given description is related to sub technique Keychain (T1555.001);\nSub technique Keychain (T1555.001) is a type of technique Credentials from Password Stores (T1555);\nTechnique Credentials from Password Stores (T1555) is a type of tactic Credential Access (TA0006);\nTherefore, the correct answer is yes, the given description is related to tactic Credential Access.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Q: is tactic Command and Control related to the following description:\nAdversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.\n\nThe simplest, \"single-flux\" method, involves registering and de-registering an address as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.\n\nIn contrast, the \"double-flux\" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "The given description is related to sub technique Fast Flux DNS (T1568.001);\nSub technique Fast Flux DNS (T1568.001) is a type of technique Dynamic Resolution (T1568);\nTechnique Dynamic Resolution (T1568) is a type of tactic Command and Control (TA0011);\nTherefore, the correct answer is yes, the given description is related to tactic Command and Control.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "is tactic Command and Control related to the following description:\nAdversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.\n\nThe simplest, \"single-flux\" method, involves registering and de-registering an address as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.\n\nIn contrast, the \"double-flux\" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.",
      "yes/no": "The given description is related to sub technique Fast Flux DNS (T1568.001);\nSub technique Fast Flux DNS (T1568.001) is a type of technique Dynamic Resolution (T1568);\nTechnique Dynamic Resolution (T1568) is a type of tactic Command and Control (TA0011);\nTherefore, the correct answer is yes, the given description is related to tactic Command and Control.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: is tactic Impact related to the following description:\nAdversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table. The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. Disk Structure Wipe may be performed in isolation, or along with Disk Content Wipe if all sectors of a disk are wiped.\n\nOn network devices, adversaries may reformat the file system using Network Device CLI commands such as `format`.\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.",
    "context": "",
    "output": "The given description is related to sub technique Disk Structure Wipe (T1561.002);\nSub technique Disk Structure Wipe (T1561.002) is a type of technique Disk Wipe (T1561);\nTechnique Disk Wipe (T1561) is a type of tactic Impact (TA0040);\nTherefore, the correct answer is yes, the given description is related to tactic Impact.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "is tactic Impact related to the following description:\nAdversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.\n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table. The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. Disk Structure Wipe may be performed in isolation, or along with Disk Content Wipe if all sectors of a disk are wiped.\n\nOn network devices, adversaries may reformat the file system using Network Device CLI commands such as `format`.\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.",
      "yes/no": "The given description is related to sub technique Disk Structure Wipe (T1561.002);\nSub technique Disk Structure Wipe (T1561.002) is a type of technique Disk Wipe (T1561);\nTechnique Disk Wipe (T1561) is a type of tactic Impact (TA0040);\nTherefore, the correct answer is yes, the given description is related to tactic Impact.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Answer in Yes or No.\n\nQuestion: is tactic Defense Evasion related to the following description - Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets.\n\nAdversaries may embed payloads in various file formats to hide payloads. This is similar to Steganography, though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats.\n\nFor example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary. Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format.\n\nEmbedded content may also be used as Process Injection payloads used to infect benign system processes. These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.",
    "context": "",
    "output": "The given description is related to sub technique Embedded Payloads (T1027.009);\nSub technique Embedded Payloads (T1027.009) is a type of technique Obfuscated Files or Information (T1027);\nTechnique Obfuscated Files or Information (T1027) is a type of tactic Defense Evasion (TA0005);\nTherefore, the correct answer is yes, the given description is related to tactic Defense Evasion.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "is tactic Defense Evasion related to the following description - Adversaries may embed payloads within other files to conceal malicious content from defenses. Otherwise seemingly benign files (such as scripts and executables) may be abused to carry and obfuscate malicious payloads and content. In some cases, embedded payloads may also enable adversaries to Subvert Trust Controls by not impacting execution controls such as digital signatures and notarization tickets. \n\nAdversaries may embed payloads in various file formats to hide payloads. This is similar to Steganography, though does not involve weaving malicious content into specific bytes and patterns related to legitimate digital media formats. \n\nFor example, adversaries have been observed embedding payloads within or as an overlay of an otherwise benign binary. Adversaries have also been observed nesting payloads (such as executables and run-only scripts) inside a file of the same format. \n\nEmbedded content may also be used as Process Injection payloads used to infect benign system processes. These embedded then injected payloads may be used as part of the modules of malware designed to provide specific features such as encrypting C2 communications in support of an orchestrator module. For example, an embedded module may be injected into default browsers, allowing adversaries to then communicate via the network.",
      "yes/no": "The given description is related to sub technique Embedded Payloads (T1027.009);\nSub technique Embedded Payloads (T1027.009) is a type of technique Obfuscated Files or Information (T1027);\nTechnique Obfuscated Files or Information (T1027) is a type of tactic Defense Evasion (TA0005);\nTherefore, the correct answer is yes, the given description is related to tactic Defense Evasion.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Q: is tactic Execution related to the following description:\nAdversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.\n\nPowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer.\n\nAdversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the <code>-NoProfile</code> flag is used when it is launched.\n\nAn adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator.\n\nProvide your answer in Yes or No.",
    "context": "",
    "output": "The given description is related to sub technique PowerShell Profile (T1546.013);\nSub technique PowerShell Profile (T1546.013) is a type of technique Event Triggered Execution (T1546);\nTechnique Event Triggered Execution (T1546) is a type of tactic Persistence (TA0003) and tactic Privilege Escalation (TA0004), not tactic Execution (TA0002);\nTherefore, the correct answer is no, the given description is not related to tactic Execution.",
    "category": "MitreFlan",
    "instruction_type": "cot_yes_no_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "is tactic Execution related to the following description:\nAdversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.\n\nPowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer.\n\nAdversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the <code>-NoProfile</code> flag is used when it is launched.\n\nAn adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator.",
      "yes/no": "The given description is related to sub technique PowerShell Profile (T1546.013);\nSub technique PowerShell Profile (T1546.013) is a type of technique Event Triggered Execution (T1546);\nTechnique Event Triggered Execution (T1546) is a type of tactic Persistence (TA0003) and tactic Privilege Escalation (TA0004), not tactic Execution (TA0002);\nTherefore, the correct answer is no, the given description is not related to tactic Execution.",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_yes_no_tactic_mapping_CoT"
    }
  }
]