[
  {
    "instruction": "List the prerequisites related to attack pattern: TCP (ISN) Sequence Predictability Probe (CAPEC ID: 324)",
    "context": "",
    "output": "required prerequisites:\n1) The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.\n",
    "category": "CAPECFlan",
    "instruction_type": "capec_prerequirements",
    "parsed_raw_data": {
      "Prerequisites": "1) The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card.\n",
      "@Name": "TCP (ISN) Sequence Predictability Probe (CAPEC ID: 324)",
      "attack_ptrn": {
        "@ID": "324",
        "@Name": "TCP (ISN) Sequence Predictability Probe",
        "@Abstraction": "Detailed",
        "@Status": "Stable",
        "Description": "This type of operating system probe attempts to determine an estimate for how predictable the sequence number generation algorithm is for a remote host. Statistical techniques, such as standard deviation, can be used to determine how predictable the sequence number generation is for a system. This result can then be compared to a database of operating system behaviors to determine a likely match for operating system and version.",
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "Low",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "312"
          }
        },
        "Prerequisites": {
          "Prerequisite": "The ability to monitor and interact with network communications.Access to at least one host, and the privileges to interface with the network interface card."
        },
        "Resources_Required": {
          "Resource": "A tool capable of sending and receiving packets from a remote system."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": [
                "Bypass Protection Mechanism",
                "Hide Activities"
              ]
            }
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "200"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-33",
              "@Section": "Chapter 2: Scanning, pg. 56"
            },
            {
              "@External_Reference_ID": "REF-128"
            },
            {
              "@External_Reference_ID": "REF-212",
              "@Section": "Chapter 8. Remote OS Detection"
            },
            {
              "@External_Reference_ID": "REF-130"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-05-01",
              "Modification_Comment": "Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Attack_Patterns, Resources_Required, Typical_Likelihood_of_Exploit"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated References, Related_Weaknesses"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Given attack pattern Use of Known Kerberos Credentials (CAPEC ID: 652).\nWhat must happen for the attack pattern to work",
    "context": "",
    "output": "To implement Use of Known Kerberos Credentials (CAPEC ID: 652), there following conditions must appear: 1) The system/application leverages Kerberos authentication.\n2) The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication for Kerberos service accounts.\n3) The system/application does not have a sound password policy that is being enforced for Kerberos service accounts.\n4) The system/application does not implement an effective password throttling mechanism for authenticating to Kerberos service accounts.\n5) The targeted network allows for network sniffing attacks to succeed.\n",
    "category": "CAPECFlan",
    "instruction_type": "capec_prerequirements",
    "parsed_raw_data": {
      "Prerequisites": "1) The system/application leverages Kerberos authentication.\n2) The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication for Kerberos service accounts.\n3) The system/application does not have a sound password policy that is being enforced for Kerberos service accounts.\n4) The system/application does not implement an effective password throttling mechanism for authenticating to Kerberos service accounts.\n5) The targeted network allows for network sniffing attacks to succeed.\n",
      "@Name": "Use of Known Kerberos Credentials (CAPEC ID: 652)",
      "attack_ptrn": {
        "@ID": "652",
        "@Name": "Use of Known Kerberos Credentials",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.",
        "Extended_Description": {
          "xhtml:p": "Kerberos is the default authentication method for Windows domains and is also used across many operating systems. Attacks leveraging trusted Kerberos credentials can result in numerous consequences, depending on what Kerberos credential is stolen. For example, Kerberos service accounts are typically used to run services or scheduled tasks pertaining to authentication. However, these credentials are often weak and never expire, in addition to possessing local or domain administrator privileges. If an adversary is able to acquire these credentials, it could result in lateral movement within the domain or access to any resources the service account is privileged to access, among other things. Ultimately, successful spoofing and impersonation of trusted Kerberos credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application."
        },
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": [
            {
              "@Nature": "ChildOf",
              "@CAPEC_ID": "560",
              "Exclude_Related": {
                "@Exclude_ID": "515"
              }
            },
            {
              "@Nature": "CanPrecede",
              "@CAPEC_ID": "151"
            }
          ]
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Acquire known Kerberos credentials] The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain.",
              "Technique": [
                "An adversary purchases breached Kerberos service account username/password combinations or leaked hashed passwords from the dark web.",
                "An adversary guesses the credentials to a weak Kerberos service account.",
                "An adversary conducts a sniffing attack to steal Kerberos tickets as they are transmitted.",
                "An adversary conducts a Kerberoasting attack."
              ]
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Attempt Kerberos authentication] Try each Kerberos credential against various resources within the domain until the target grants access.",
              "Technique": [
                "Manually or automatically enter each Kerberos service account credential through the target's interface.",
                "Attempt a Pass the Ticket attack."
              ]
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain"
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks."
            },
            {
              "Step": "5",
              "Phase": "Exploit",
              "Description": "[Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "The system/application leverages Kerberos authentication.",
            "The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication for Kerberos service accounts.",
            "The system/application does not have a sound password policy that is being enforced for Kerberos service accounts.",
            "The system/application does not implement an effective password throttling mechanism for authenticating to Kerberos service accounts.",
            "The targeted network allows for network sniffing attacks to succeed."
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "Once an adversary obtains a known Kerberos credential, leveraging it is trivial."
          }
        },
        "Resources_Required": {
          "Resource": "A valid Kerberos ticket or a known Kerberos service account credential."
        },
        "Indicators": {
          "Indicator": [
            "Authentication attempts use expired or invalid credentials.",
            "Authentication attempts are originating from IP addresses or locations that are inconsistent with an account's normal IP addresses or locations.",
            "Data is being transferred and/or removed from systems/applications within the network.",
            "Suspicious or Malicious software is downloaded/installed on systems within the domain.",
            "Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior."
          ]
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authentication"
              ],
              "Impact": "Gain Privileges"
            },
            {
              "Scope": [
                "Confidentiality",
                "Authorization"
              ],
              "Impact": "Read Data"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Create a strong password policy and ensure that your system enforces this policy for Kerberos service accounts.",
            "Ensure Kerberos service accounts are not reusing username/password combinations for multiple systems, applications, or services.",
            "Do not reuse Kerberos service account credentials across systems.",
            "Deny remote use of Kerberos service account credentials to log into domain systems.",
            "Do not allow Kerberos service accounts to be a local administrator on more than one system.",
            "Enable at least AES Kerberos encryption for tickets.",
            "Monitor system and domain logs for abnormal credential access."
          ]
        },
        "Example_Instances": {
          "Example": [
            "Bronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]",
            "PowerSploit's Invoke-Kerberoast module can be leveraged to request Ticket Granting Service (TGS) tickets and return crackable ticket hashes. [REF-585] [REF-586]"
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "522"
            },
            {
              "@CWE_ID": "307"
            },
            {
              "@CWE_ID": "308"
            },
            {
              "@CWE_ID": "309"
            },
            {
              "@CWE_ID": "262"
            },
            {
              "@CWE_ID": "263"
            },
            {
              "@CWE_ID": "654"
            },
            {
              "@CWE_ID": "294"
            },
            {
              "@CWE_ID": "836"
            }
          ]
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1558",
            "Entry_Name": "Steal or Forge Kerberos Tickets"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-584"
            },
            {
              "@External_Reference_ID": "REF-585"
            },
            {
              "@External_Reference_ID": "REF-586"
            }
          ]
        },
        "Notes": {
          "Note": {
            "@Type": "Other",
            "#text": "Kerberos centers around a ticketing system that is used to request/grant access to resources and to then access the requested resources. If one of these tickets is acquired, an adversary could gain access to a specific resource; access any resource a user has privileges to access; gain access to services that use Kerberos as an authentication mechanism and generate tickets to access a particular resource and the system that hosts the resource; or generate Ticket Granting Tickets (TGTs) for any domain account within Active Directory."
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2020-07-30"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Description, Notes, Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Extended_Description, Prerequisites"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "List the prerequisites related to attack pattern: Exploit Script-Based APIs (CAPEC ID: 160)",
    "context": "",
    "output": "required prerequisites:\n1. The target application must include the use of APIs that execute scripts.\n2. The target application must allow the attacker to provide some or all of the arguments to one of these script interpretation methods and must fail to adequately filter these arguments for dangerous or unwanted script commands.\n",
    "category": "CAPECFlan",
    "instruction_type": "capec_prerequirements",
    "parsed_raw_data": {
      "Prerequisites": "1. The target application must include the use of APIs that execute scripts.\n2. The target application must allow the attacker to provide some or all of the arguments to one of these script interpretation methods and must fail to adequately filter these arguments for dangerous or unwanted script commands.\n",
      "@Name": "Exploit Script-Based APIs (CAPEC ID: 160)",
      "attack_ptrn": {
        "@ID": "160",
        "@Name": "Exploit Script-Based APIs",
        "@Abstraction": "Standard",
        "@Status": "Draft",
        "Description": "Some APIs support scripting instructions as arguments. Methods that take scripted instructions (or references to scripted instructions) can be very flexible and powerful. However, if an attacker can specify the script that serves as input to these methods they can gain access to a great deal of functionality. For example, HTML pages support <script> tags that allow scripting languages to be embedded in the page and then interpreted by the receiving web browser. If the content provider is malicious, these scripts can compromise the client application. Some applications may even execute the scripts under their own identity (rather than the identity of the user providing the script) which can allow attackers to perform activities that would otherwise be denied to them.",
        "Typical_Severity": "Medium",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "113",
            "Exclude_Related": {
              "@Exclude_ID": "515"
            }
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Identify API] Discover an API of interest by exploring application documentation or observing responses to API calls",
              "Technique": "Search via internet for known, published APIs that support scripting instructions as arguments"
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Test simple script] Adversaries will attempt to give a smaller script as input to the API, such as simply printing to the console, to see if the attack is viable.",
              "Technique": "Create a general script to be taken as input by the API"
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Give malicious scripting instructions to API] Adversaries will now craft custom scripts to do malicious behavior. Depending on the setup of the application this script could be run with user or admin level priveleges.",
              "Technique": "Crafting a malicious script to be run on a system based on priveleges and capabilities of the system"
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": [
            "The target application must include the use of APIs that execute scripts.",
            "The target application must allow the attacker to provide some or all of the arguments to one of these script interpretation methods and must fail to adequately filter these arguments for dangerous or unwanted script commands."
          ]
        },
        "Resources_Required": {
          "Resource": "None: No specialized resources are required to execute this type of attack."
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "346"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-12-07",
              "Modification_Comment": "Updated Description Summary"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Resources_Required"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-04-04",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-10-21",
              "Modification_Comment": "Updated Execution_Flow"
            }
          ],
          "Previous_Entry_Name": {
            "@Date": "2015-12-07",
            "#text": "Programming to included script-based APIs"
          }
        }
      }
    }
  },
  {
    "instruction": "List the prerequisites related to attack pattern: Resource Injection (CAPEC ID: 240)",
    "context": "",
    "output": "required prerequisites:\n1) The target application allows the user to both specify the identifier used to access a system resource. Through this permission, the user gains the capability to perform actions on that resource (e.g., overwrite the file)\n",
    "category": "CAPECFlan",
    "instruction_type": "capec_prerequirements",
    "parsed_raw_data": {
      "Prerequisites": "1) The target application allows the user to both specify the identifier used to access a system resource. Through this permission, the user gains the capability to perform actions on that resource (e.g., overwrite the file)\n",
      "@Name": "Resource Injection (CAPEC ID: 240)",
      "attack_ptrn": {
        "@ID": "240",
        "@Name": "Resource Injection",
        "@Abstraction": "Meta",
        "@Status": "Stable",
        "Description": "An adversary exploits weaknesses in input validation by manipulating resource identifiers enabling the unintended modification or specification of a resource.",
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "High",
        "Prerequisites": {
          "Prerequisite": "The target application allows the user to both specify the identifier used to access a system resource. Through this permission, the user gains the capability to perform actions on that resource (e.g., overwrite the file)"
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Ensure all input content that is delivered to client is sanitized against an acceptable content specification.",
            "Perform input validation for all content.",
            "Enforce regular patching of software."
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "99"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "OWASP Attacks",
            "Entry_Name": "Resource Injection"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2015-12-07",
              "Modification_Comment": "Updated Description, Description Summary"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-05-01",
              "Modification_Comment": "Updated Attack_Motivation-Consequences, Attack_Prerequisites, Related_Weaknesses, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Given attack pattern Root/Jailbreak Detection Evasion via Hooking (CAPEC ID: 660).\nWhat must happen for the attack pattern to work",
    "context": "",
    "output": "To implement Root/Jailbreak Detection Evasion via Hooking (CAPEC ID: 660), there following conditions must appear: * The targeted application must be non-restricted to allow code hooking.\n",
    "category": "CAPECFlan",
    "instruction_type": "capec_prerequirements",
    "parsed_raw_data": {
      "Prerequisites": "* The targeted application must be non-restricted to allow code hooking.\n",
      "@Name": "Root/Jailbreak Detection Evasion via Hooking (CAPEC ID: 660)",
      "attack_ptrn": {
        "@ID": "660",
        "@Name": "Root/Jailbreak Detection Evasion via Hooking",
        "@Abstraction": "Detailed",
        "@Status": "Stable",
        "Description": "An adversary forces a non-restricted mobile application to load arbitrary code or code files, via Hooking, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Adversaries may further leverage these capabilities to escalate privileges or bypass access control on legitimate applications. Although many mobile applications check if a mobile device is Rooted/Jailbroken prior to authorized use of the application, adversaries may be able to \"hook\" code in order to circumvent these checks. Successfully evading Root/Jailbreak detection allows an adversary to execute administrative commands, obtain confidential data, impersonate legitimate users of the application, and more.",
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "Very High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "251"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Identify application with attack potential] The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications).",
              "Technique": "Search application stores for mobile applications worth exploiting"
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Develop code to be hooked into chosen target application] The adversary develops code or leverages existing code that will be hooked into the target application in order to evade Root/Jailbreak detection methods.",
              "Technique": [
                "Develop code or leverage existing code to bypass Root/Jailbreak detection methods.",
                "Test the code to see if it works.",
                "Iteratively develop the code until Root/Jailbreak detection methods are evaded."
              ]
            },
            {
              "Step": "3",
              "Phase": "Exploit",
              "Description": "[Execute code hooking to evade Root/Jailbreak detection methods] Once hooking code has been developed or obtained, execute the code against the target application to evade Root/Jailbreak detection methods.",
              "Technique": "Hook code into the target application."
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "The targeted application must be non-restricted to allow code hooking."
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "High",
              "#text": "Knowledge about Root/Jailbreak detection and evasion techniques."
            },
            {
              "@Level": "Medium",
              "#text": "Knowledge about code hooking."
            }
          ]
        },
        "Resources_Required": {
          "Resource": [
            "The adversary must have a Rooted/Jailbroken mobile device.",
            "The adversary needs to have enough access to the target application to control the included code or file."
          ]
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": [
                "Integrity",
                "Authorization"
              ],
              "Impact": "Execute Unauthorized Commands",
              "Note": "Through Root/Jailbreak Detection Evasion via Hooking, the adversary compromises the integrity of the application."
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Gain Privileges"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control"
              ],
              "Impact": "Read Data",
              "Note": "An adversary may leverage Root/Jailbreak Detection Evasion via Hooking in order to obtain sensitive information."
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Ensure mobile applications are signed appropriately to avoid code inclusion via hooking.",
            "Inspect the application's memory for suspicious artifacts, such as shared objects/JARs or dylibs, after other Root/Jailbreak detection methods.",
            "Inspect the application's stack trace for suspicious method calls.",
            "Allow legitimate native methods, and check for non-allowed native methods during Root/Jailbreak detection methods.",
            "For iOS applications, ensure application methods do not originate from outside of Apple's SDK."
          ]
        },
        "Example_Instances": {
          "Example": [
            "An adversary targets a non-restricted iOS banking application in an attempt to compromise sensitive user data. The adversary creates Objective-C runtime code that always returns \"false\" when checking for the existence of the Cydia application. The malicious code is then dynamically loaded into the application via the DYLD_INSERT_LIBRARIES environment variable. When the banking applications checks for Cydia, the hooked code returns \"false\", so the application assumes the device is stock (i.e. not Jailbroken) and allows it to access the application. However, the adversary has just evaded Jailbreak detection and is now able to glean user credentials and/or transaction details.",
            "An adversary targets a mobile voting application on an Android device with the goal of committing voter fraud. Leveraging the Xposed framework, the adversary is able to create and hook Java code into the application that bypasses Root detection methods. When the voting application attempts to detect a Rooted device by checking for commonly known installed packages associated with Rooting, the hooked code removes the suspicious packages before returning to the application. As a result, the application believes the device is stock (i.e. not Rooted) when in actuality this is not the case. Having evaded Root detection, the adversary is now able to cast votes for the candidate of their choosing as a variety of different users."
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "829"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": {
            "@Taxonomy_Name": "ATTACK",
            "Entry_ID": "1055",
            "Entry_Name": "Process Injection"
          }
        },
        "References": {
          "Reference": [
            {
              "@External_Reference_ID": "REF-624"
            },
            {
              "@External_Reference_ID": "REF-625"
            },
            {
              "@External_Reference_ID": "REF-626"
            },
            {
              "@External_Reference_ID": "REF-627"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2020-12-17"
          }
        }
      }
    }
  },
  {
    "instruction": "Provide the list of conditions needed for attack pattern: Poison Web Service Registry (CAPEC ID: 51)",
    "context": "",
    "output": "Here is the list of conditions required to implement attack pattern Poison Web Service Registry (CAPEC ID: 51):\n1. The attacker must be able to write to resources or redirect access to the service registry.\n",
    "category": "CAPECFlan",
    "instruction_type": "capec_prerequirements",
    "parsed_raw_data": {
      "Prerequisites": "1. The attacker must be able to write to resources or redirect access to the service registry.\n",
      "@Name": "Poison Web Service Registry (CAPEC ID: 51)",
      "attack_ptrn": {
        "@ID": "51",
        "@Name": "Poison Web Service Registry",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata, and delete information about service provider interfaces.",
        "Extended_Description": {
          "xhtml:p": "WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol."
        },
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "Very High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "203"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Find a target SOA or Web Service] The adversary must first identify a target SOA or Web Service."
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Determine desired outcome] Because poisoning a web service registry can have different outcomes, the adversary must decide how they wish to affect the web service.",
              "Technique": [
                "An adversary can perform a denial of service attack on a web service.",
                "An adversary can redirect requests or responses to a malicious service."
              ]
            },
            {
              "Step": "3",
              "Phase": "Experiment",
              "Description": "[Determine if a malicious service needs to be created] If the adversary wishes to redirect requests or responses, they will need to create a malicious service to redirect to.",
              "Technique": [
                "Create a service that requests are sent to in addition to the legitimate service and that simply records the requests.",
                "Create a service that will give malicious responses to a service provider.",
                "Act as a malicious service provider and respond to requests in an arbitrary way."
              ]
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Poison Web Service Registry] Based on the desired outcome, poison the web service registry. This is done by altering the data at rest in the registry or uploading malicious content by spoofing a service provider.",
              "Technique": [
                "Intercept and change WS-Addressing headers to route to a malicious service or service provider.",
                "Provide incorrect information in schema or metadata to cause a denial of service.",
                "Delete information about service provider interfaces to cause a denial of service."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "The attacker must be able to write to resources or redirect access to the service registry."
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "Low",
            "#text": "To identify and execute against an over-privileged system interface"
          }
        },
        "Resources_Required": {
          "Resource": "Capability to directly or indirectly modify registry resources"
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": [
                "Confidentiality",
                "Integrity",
                "Availability"
              ],
              "Impact": "Execute Unauthorized Commands",
              "Note": "Run Arbitrary Code"
            },
            {
              "Scope": "Confidentiality",
              "Impact": "Read Data"
            },
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Design: Enforce principle of least privilege",
            "Design: Harden registry server and file access permissions",
            "Implementation: Implement communications to and from the registry using secure protocols"
          ]
        },
        "Example_Instances": {
          "Example": {
            "xhtml:p": [
              "WS-Addressing provides location and metadata about the service endpoints. An extremely hard to detect attack is an attacker who updates the WS-Addressing header, leaves the standard service request and service provider addressing and header information intact, but adds an additional WS-Addressing ReplyTo header. In this case the attacker is able to send a copy (like a cc in mail) of every result the service provider generates. So every query to the bank account service would generate a reply message of the transaction status to both the authorized service requester and an attacker service. This would be extremely hard to detect at runtime.",
              "In this example \"evilsite\" is an additional reply-to address with full access to all the messages that the authorized client (validClient) has access to. Since this is registered with the ReplyTo header it will not generate a SOAP fault."
            ],
            "xhtml:div": {
              "@style": "margin-left:1em;",
              "@class": "informative",
              "xhtml:div": {
                "@style": "margin-left:1em;",
                "xhtml:div": [
                  {
                    "@style": "margin-left:1em;",
                    "#text": "http://example.com/Message"
                  },
                  {
                    "@style": "margin-left:1em;",
                    "#text": "<wsa:Address>http://valid.example/validClient</wsa:Address>"
                  },
                  {
                    "@style": "margin-left:1em;",
                    "#text": "<wsa:Address>http://evilsite/evilClient</wsa:Address>"
                  },
                  {
                    "@style": "margin-left:1em;",
                    "#text": "<wsa:Address>http://validfaults.example/ErrorHandler</wsa:Address>"
                  }
                ],
                "xhtml:br": [
                  null,
                  null,
                  null,
                  null,
                  null,
                  null,
                  null
                ],
                "#text": "<wsa:MessageID>\n                     </wsa:MessageID><wsa:ReplyTo>\n                     </wsa:ReplyTo><wsa:ReplyTo>\n                     </wsa:ReplyTo><wsa:FaultTo>\n                     </wsa:FaultTo>"
              },
              "xhtml:br": null,
              "#text": "<S:Header>\n                  </S:Header>"
            }
          }
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "285"
            },
            {
              "@CWE_ID": "74"
            },
            {
              "@CWE_ID": "693"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-10-21",
              "Modification_Comment": "Updated Description, Execution_Flow"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-02-22",
              "Modification_Comment": "Updated Description, Extended_Description"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Example_Instances"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Given attack pattern Filter Failure through Buffer Overflow (CAPEC ID: 24).\nWhat must happen for the attack pattern to work",
    "context": "",
    "output": "To implement Filter Failure through Buffer Overflow (CAPEC ID: 24), the following conditions must be met: * Ability to control the length of data passed to an active filter.\n",
    "category": "CAPECFlan",
    "instruction_type": "capec_prerequirements",
    "parsed_raw_data": {
      "Prerequisites": "* Ability to control the length of data passed to an active filter.\n",
      "@Name": "Filter Failure through Buffer Overflow (CAPEC ID: 24)",
      "attack_ptrn": {
        "@ID": "24",
        "@Name": "Filter Failure through Buffer Overflow",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).",
        "Likelihood_Of_Attack": "High",
        "Typical_Severity": "High",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "100"
          }
        },
        "Execution_Flow": {
          "Attack_Step": [
            {
              "Step": "1",
              "Phase": "Explore",
              "Description": "[Survey] The attacker surveys the target application, possibly as a valid and authenticated user",
              "Technique": [
                "Spidering web sites for inputs that involve potential filtering",
                "Brute force guessing of filtered inputs"
              ]
            },
            {
              "Step": "2",
              "Phase": "Experiment",
              "Description": "[Attempt injections] Try to feed overly long data to the system. This can be done manually or a dynamic tool (black box) can be used to automate this. An attacker can also use a custom script for that purpose.",
              "Technique": [
                "Brute force attack through black box penetration test tool.",
                "Fuzzing of communications protocols",
                "Manual testing of possible inputs with attack data."
              ]
            },
            {
              "Step": "3",
              "Phase": "Experiment",
              "Description": "[Monitor responses] Watch for any indication of failure occurring. Carefully watch to see what happened when filter failure occurred. Did the data get in?",
              "Technique": [
                "Boron tagging. Choose clear attack inputs that are easy to notice in output. In binary this is often 0xa5a5a5a5 (alternating 1s and 0s). Another obvious tag value is all zeroes, but it is not always obvious what goes wrong if the null values get into the data.",
                "Check Log files. An attacker with access to log files can look at the outcome of bad input."
              ]
            },
            {
              "Step": "4",
              "Phase": "Exploit",
              "Description": "[Abuse the system through filter failure] An attacker writes a script to consistently induce the filter failure.",
              "Technique": [
                "DoS through filter failure. The attacker causes the system to crash or stay down because of its failure to filter properly.",
                "Malicious code execution. An attacker introduces a malicious payload and executes arbitrary code on the target system.",
                "An attacker can use the filter failure to introduce malicious data into the system and leverage a subsequent SQL injection, Cross Site Scripting, Command Injection or similar weakness if it exists."
              ]
            }
          ]
        },
        "Prerequisites": {
          "Prerequisite": "Ability to control the length of data passed to an active filter."
        },
        "Skills_Required": {
          "Skill": [
            {
              "@Level": "Low",
              "#text": "An attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector. The result can be a DoS."
            },
            {
              "@Level": "High",
              "#text": "Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap can require a higher skill level."
            }
          ]
        },
        "Indicators": {
          "Indicator": "Many exceptions are thrown by the application's filter modules in a short period of time. Check the logs. See if the probes are coming from the same IP address."
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Integrity",
              "Impact": "Modify Data"
            },
            {
              "Scope": [
                "Confidentiality",
                "Integrity",
                "Availability"
              ],
              "Impact": "Execute Unauthorized Commands",
              "Note": "Run Arbitrary Code"
            },
            {
              "Scope": [
                "Confidentiality",
                "Access Control",
                "Authorization"
              ],
              "Impact": "Bypass Protection Mechanism"
            },
            {
              "Scope": "Availability",
              "Impact": "Unreliable Execution"
            }
          ]
        },
        "Mitigations": {
          "Mitigation": [
            "Make sure that ANY failure occurring in the filtering or input validation routine is properly handled and that offending input is NOT allowed to go through. Basically make sure that the vault is closed when failure occurs.",
            "Pre-design: Use a language or compiler that performs automatic bounds checking.",
            "Pre-design through Build: Compiler-based canary mechanisms such as StackGuard, ProPolice and the Microsoft Visual Studio /GS flag. Unless this provides automatic bounds checking, it is not a complete solution.",
            "Operational: Use OS-level preventative functionality. Not a complete solution.",
            "Design: Use an abstraction library to abstract away risky APIs. Not a complete solution."
          ]
        },
        "Example_Instances": {
          "Example": [
            {
              "xhtml:p": "Sending in arguments that are too long to cause the filter to fail open is one instantiation of the filter failure attack. The Taylor UUCP daemon is designed to remove hostile arguments before they can be executed. If the arguments are too long, however, the daemon fails to remove them. This leaves the door open for attack."
            },
            "A filter is used by a web application to filter out characters that may allow the input to jump from the data plane to the control plane when data is used in a SQL statement (chaining this attack with the SQL injection attack). Leveraging a buffer overflow the attacker makes the filter fail insecurely and the tainted data is permitted to enter unfiltered into the system, subsequently causing a SQL injection.",
            "Audit Truncation and Filters with Buffer Overflow. Sometimes very large transactions can be used to destroy a log file or cause partial logging failures. In this kind of attack, log processing code might be examining a transaction in real-time processing, but the oversized transaction causes a logic branch or an exception of some kind that is trapped. In other words, the transaction is still executed, but the logging or filtering mechanism still fails. This has two consequences, the first being that you can run transactions that are not logged in any way (or perhaps the log entry is completely corrupted). The second consequence is that you might slip through an active filter that otherwise would stop your attack."
          ]
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "120"
            },
            {
              "@CWE_ID": "119"
            },
            {
              "@CWE_ID": "118"
            },
            {
              "@CWE_ID": "74"
            },
            {
              "@CWE_ID": "20"
            },
            {
              "@CWE_ID": "680"
            },
            {
              "@CWE_ID": "733"
            },
            {
              "@CWE_ID": "697"
            }
          ]
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-1"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-01-09",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2018-07-31",
              "Modification_Comment": "Updated References"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Example_Instances"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Tell me prerequisites required to apply the attack pattern: Hardware Fault Injection (CAPEC ID: 624)",
    "context": "",
    "output": "Sure. Here are the prerequisites required to apply the attack pattern:\n1,  Physical access to the system\n2,  The adversary must be cognizant of where fault injection vulnerabilities exist in the system in order to leverage them for exploitation.\n",
    "category": "CAPECFlan",
    "instruction_type": "capec_prerequirements",
    "parsed_raw_data": {
      "Prerequisites": "1,  Physical access to the system\n2,  The adversary must be cognizant of where fault injection vulnerabilities exist in the system in order to leverage them for exploitation.\n",
      "@Name": "Hardware Fault Injection (CAPEC ID: 624)",
      "attack_ptrn": {
        "@ID": "624",
        "@Name": "Hardware Fault Injection",
        "@Abstraction": "Meta",
        "@Status": "Stable",
        "Description": "The adversary uses disruptive signals or events, or alters the physical environment a device operates in, to cause faulty behavior in electronic devices. This can include electromagnetic pulses, laser pulses, clock glitches, ambient temperature extremes, and more. When performed in a controlled manner on devices performing cryptographic operations, this faulty behavior can be exploited to derive secret key information.",
        "Alternate_Terms": {
          "Alternate_Term": {
            "Term": "Side-Channel Attack"
          }
        },
        "Likelihood_Of_Attack": "Low",
        "Typical_Severity": "High",
        "Prerequisites": {
          "Prerequisite": [
            "Physical access to the system",
            "The adversary must be cognizant of where fault injection vulnerabilities exist in the system in order to leverage them for exploitation."
          ]
        },
        "Skills_Required": {
          "Skill": {
            "@Level": "High",
            "#text": "Adversaries require non-trivial technical skills to create and implement fault injection attacks. Although this style of attack has become easier (commercial equipment and training classes are available to perform these attacks), they usually require significant setup and experimentation time during which physical access to the device is required."
          }
        },
        "Resources_Required": {
          "Resource": {
            "xhtml:p": [
              "The relevant sensors and tools to detect and analyze fault/side-channel data from a system.",
              "A tool capable of injecting fault/side-channel data into a system or application."
            ]
          }
        },
        "Consequences": {
          "Consequence": [
            {
              "Scope": "Confidentiality",
              "Impact": [
                "Read Data",
                "Bypass Protection Mechanism",
                "Hide Activities"
              ],
              "Note": "An adversary capable of successfully collecting and analyzing sensitive, fault/side-channel information, has compromised the confidentiality of that application or information system data."
            },
            {
              "Scope": "Integrity",
              "Impact": "Execute Unauthorized Commands",
              "Note": "If an adversary is able to inject data via a fault or side channel vulnerability towards malicious ends, the integrity of the application or information system will be compromised."
            }
          ]
        },
        "Mitigations": {
          "Mitigation": "Implement robust physical security countermeasures and monitoring."
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "1247"
            },
            {
              "@CWE_ID": "1248"
            },
            {
              "@CWE_ID": "1256"
            },
            {
              "@CWE_ID": "1319"
            },
            {
              "@CWE_ID": "1332"
            },
            {
              "@CWE_ID": "1334"
            },
            {
              "@CWE_ID": "1338"
            },
            {
              "@CWE_ID": "1351"
            }
          ]
        },
        "Notes": {
          "Note": {
            "@Type": "Other",
            "#text": "Considerable effort on the part of the adversary is often required in order to detect and analyze fault/side channel data."
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2015-11-09"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-05-01",
              "Modification_Comment": "Updated Alternate_Terms, Attack_Motivation-Consequences, Attack_Prerequisites, Attacker_Skills_or_Knowledge_Required, Description Summary, Other_Notes, Resources_Required, Solutions_and_Mitigations, Typical_Likelihood_of_Exploit, Typical_Severity"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Attack_Prerequisites"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated @Name, Consequences, Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Related_Weaknesses"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Description, Related_Weaknesses"
            }
          ],
          "Previous_Entry_Name": {
            "@Date": "2020-07-30",
            "#text": "Fault Injection"
          }
        }
      }
    }
  },
  {
    "instruction": "Given attack pattern Transaction or Event Tampering via Application API Manipulation (CAPEC ID: 385).\nWhat must happen for the attack pattern to work",
    "context": "",
    "output": "To implement Transaction or Event Tampering via Application API Manipulation (CAPEC ID: 385), the following conditions must be met: 1) Targeted software is utilizing application framework APIs\n",
    "category": "CAPECFlan",
    "instruction_type": "capec_prerequirements",
    "parsed_raw_data": {
      "Prerequisites": "1) Targeted software is utilizing application framework APIs\n",
      "@Name": "Transaction or Event Tampering via Application API Manipulation (CAPEC ID: 385)",
      "attack_ptrn": {
        "@ID": "385",
        "@Name": "Transaction or Event Tampering via Application API Manipulation",
        "@Abstraction": "Detailed",
        "@Status": "Draft",
        "Description": "An attacker hosts or joins an event or transaction within an application framework in order to change the content of messages or items that are being exchanged. Performing this attack allows the attacker to manipulate content in such a way as to produce messages or content that look authentic but may contain deceptive links, substitute one item for another, spoof an existing item and conduct a false exchange, or otherwise change the amounts or identity of what is being exchanged. The techniques require use of specialized software that allows the attacker to man-in-the-middle communications between the web browser and the remote system in order to change the content of various application elements. Often, items exchanged in game can be monetized via sales for coin, virtual dollars, etc. The purpose of the attack is for the attacker to scam the victim by trapping the data packets involved in the exchange and altering the integrity of the transfer process.",
        "Typical_Severity": "Medium",
        "Related_Attack_Patterns": {
          "Related_Attack_Pattern": {
            "@Nature": "ChildOf",
            "@CAPEC_ID": "384"
          }
        },
        "Prerequisites": {
          "Prerequisite": "Targeted software is utilizing application framework APIs"
        },
        "Resources_Required": {
          "Resource": "A software program that allows the use of adversary-in-the-middle communications (CAPEC-94) between the client and server, such as a man-in-the-middle proxy."
        },
        "Related_Weaknesses": {
          "Related_Weakness": [
            {
              "@CWE_ID": "471"
            },
            {
              "@CWE_ID": "345"
            },
            {
              "@CWE_ID": "346"
            },
            {
              "@CWE_ID": "602"
            },
            {
              "@CWE_ID": "311"
            }
          ]
        },
        "References": {
          "Reference": {
            "@External_Reference_ID": "REF-327"
          }
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2019-09-30",
              "Modification_Comment": "Updated @Abstraction"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2021-06-24",
              "Modification_Comment": "Updated Resources_Required"
            }
          ]
        }
      }
    }
  },
  {
    "instruction": "Provide the list of conditions needed for attack pattern: Content Spoofing (CAPEC ID: 148)",
    "context": "",
    "output": "Here is the list of conditions required to implement attack pattern Content Spoofing (CAPEC ID: 148):\n1) The target must provide content but fail to adequately protect it against modification. The adversary must have the means to alter data to which they are not authorized. If the content is to be modified in transit, the adversary must be able to intercept the targeted messages.\n",
    "category": "CAPECFlan",
    "instruction_type": "capec_prerequirements",
    "parsed_raw_data": {
      "Prerequisites": "1) The target must provide content but fail to adequately protect it against modification. The adversary must have the means to alter data to which they are not authorized. If the content is to be modified in transit, the adversary must be able to intercept the targeted messages.\n",
      "@Name": "Content Spoofing (CAPEC ID: 148)",
      "attack_ptrn": {
        "@ID": "148",
        "@Name": "Content Spoofing",
        "@Abstraction": "Meta",
        "@Status": "Stable",
        "Description": "An adversary modifies content to make it contain something other than what the original content producer intended while keeping the apparent source of the content unchanged. The term content spoofing is most often used to describe modification of web pages hosted by a target to display the adversary's content instead of the owner's content. However, any content can be spoofed, including the content of email messages, file transfers, or the content of other network communication protocols. Content can be modified at the source (e.g. modifying the source file for a web page) or in transit (e.g. intercepting and modifying a message between the sender and recipient). Usually, the adversary will attempt to hide the fact that the content has been modified, but in some cases, such as with web site defacement, this is not necessary. Content Spoofing can lead to malware exposure, financial fraud (if the content governs financial transactions), privacy violations, and other unwanted outcomes.",
        "Likelihood_Of_Attack": "Medium",
        "Typical_Severity": "Medium",
        "Prerequisites": {
          "Prerequisite": "The target must provide content but fail to adequately protect it against modification. The adversary must have the means to alter data to which they are not authorized. If the content is to be modified in transit, the adversary must be able to intercept the targeted messages."
        },
        "Resources_Required": {
          "Resource": {
            "xhtml:p": [
              "If the content is to be modified in transit, the adversary requires a tool capable of intercepting the target's communication and generating/creating custom packets to impact the communications.",
              "In some variants, the targeted content is altered so that all or some of it is redirected towards content published by the attacker (for example, images and frames in the target's web site might be modified to be loaded from a source controlled by the attacker). In these cases, the attacker requires the necessary resources to host the replacement content."
            ]
          }
        },
        "Consequences": {
          "Consequence": {
            "Scope": "Integrity",
            "Impact": "Modify Data",
            "Note": "A successful content spoofing attack compromises the integrity of the application data."
          }
        },
        "Related_Weaknesses": {
          "Related_Weakness": {
            "@CWE_ID": "345"
          }
        },
        "Taxonomy_Mappings": {
          "Taxonomy_Mapping": [
            {
              "@Taxonomy_Name": "ATTACK",
              "Entry_ID": "1491",
              "Entry_Name": "Defacement"
            },
            {
              "@Taxonomy_Name": "WASC",
              "Entry_ID": "12",
              "Entry_Name": "Content Spoofing"
            },
            {
              "@Taxonomy_Name": "OWASP Attacks",
              "Entry_Name": "Content Spoofing"
            }
          ]
        },
        "Content_History": {
          "Submission": {
            "Submission_Name": "CAPEC Content Team",
            "Submission_Organization": "The MITRE Corporation",
            "Submission_Date": "2014-06-23"
          },
          "Modification": [
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-05-01",
              "Modification_Comment": "Updated Activation_Zone, Attack_Motivation-Consequences, Attack_Prerequisites, Description Summary, Injection_Vector, Payload, Payload_Activation_Impact, Related_Weaknesses, Resources_Required, Typical_Likelihood_of_Exploit"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2017-08-04",
              "Modification_Comment": "Updated Related_Attack_Patterns"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-07-30",
              "Modification_Comment": "Updated Prerequisites"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2020-12-17",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            },
            {
              "Modification_Name": "CAPEC Content Team",
              "Modification_Organization": "The MITRE Corporation",
              "Modification_Date": "2022-09-29",
              "Modification_Comment": "Updated Taxonomy_Mappings"
            }
          ]
        }
      }
    }
  }
]