[
  {
    "instruction": "Which tactic is related to the following description - Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams. Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS. The Chromium engine is used to display web content and Node.js runs the backend code.\n\nDue to the functional mechanics of Electron (such as allowing apps to run arbitrary commands), adversaries may also be able to perform malicious functions in the background potentially disguised as legitimate tools within the framework. For example, the abuse of `teams.exe` and `chrome.exe` may allow adversaries to execute malicious commands as child processes of the legitimate application (e.g., `chrome.exe --disable-gpu-sandbox --gpu-launcher=\"C:\\Windows\\system32\\cmd.exe /c calc.exe`).\n\nAdversaries may also execute malicious content by planting malicious JavaScript within Electron applications.",
    "context": "",
    "output": "The given description is related to sub technique Electron Applications (T1218.015);\nSub technique Electron Applications (T1218.015) is a type of technique System Binary Proxy Execution (T1218);\nTechnique System Binary Proxy Execution (T1218) is a type of tactic Defense Evasion (TA0005);\nTherefore, the given description is related to tactic Defense Evasion (TA0005).",
    "category": "MitreFlan",
    "instruction_type": "cot_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which tactic is related to the following description - Adversaries may abuse components of the Electron framework to execute malicious code. The Electron framework hosts many common applications such as Signal, Slack, and Microsoft Teams. Originally developed by GitHub, Electron is a cross-platform desktop application development framework that employs web technologies like JavaScript, HTML, and CSS. The Chromium engine is used to display web content and Node.js runs the backend code.\n\nDue to the functional mechanics of Electron (such as allowing apps to run arbitrary commands), adversaries may also be able to perform malicious functions in the background potentially disguised as legitimate tools within the framework. For example, the abuse of `teams.exe` and `chrome.exe` may allow adversaries to execute malicious commands as child processes of the legitimate application (e.g., `chrome.exe --disable-gpu-sandbox --gpu-launcher=\"C:\\Windows\\system32\\cmd.exe /c calc.exe`).\n\nAdversaries may also execute malicious content by planting malicious JavaScript within Electron applications.",
      "answer": "The given description is related to sub technique Electron Applications (T1218.015);\nSub technique Electron Applications (T1218.015) is a type of technique System Binary Proxy Execution (T1218);\nTechnique System Binary Proxy Execution (T1218) is a type of tactic Defense Evasion (TA0005);\nTherefore, the given description is related to tactic Defense Evasion (TA0005).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Which tactic is related to the following description:\nAdversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
    "context": "",
    "output": "The given description is related to sub technique: Stored Data Manipulation (T1565.001);\nSub technique Stored Data Manipulation (T1565.001) is a type of technique Data Manipulation (T1565);\nTechnique Data Manipulation (T1565) is a type of tactic Impact (TA0040);\nTherefore, the given description is related to tactic Impact (TA0040).",
    "category": "MitreFlan",
    "instruction_type": "cot_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which tactic is related to the following description:\nAdversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data. By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.",
      "answer": "The given description is related to sub technique: Stored Data Manipulation (T1565.001);\nSub technique Stored Data Manipulation (T1565.001) is a type of technique Data Manipulation (T1565);\nTechnique Data Manipulation (T1565) is a type of tactic Impact (TA0040);\nTherefore, the given description is related to tactic Impact (TA0040).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Which tactic is related to the following description - Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process\u2019s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process\u2019s virtual address space.\n\nWhen executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as <code>grep -E \"^[0-9a-f-]* r\" /proc/\"$pid\"/maps | cut -d' ' -f 1</code>, to look for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process\u2019s memory.\n\nIf running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.?",
    "context": "",
    "output": "The given description is related to sub technique Proc Filesystem (T1003.007);\nSub technique Proc Filesystem (T1003.007) is a type of technique OS Credential Dumping (T1003);\nTechnique OS Credential Dumping (T1003) is a type of tactic Persistence (TA0003);\nTherefore, the given description is related to tactic Persistence (TA0003).",
    "category": "MitreFlan",
    "instruction_type": "cot_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which tactic is related to the following description - Adversaries may gather credentials from the proc filesystem or `/proc`. The proc filesystem is a pseudo-filesystem used as an interface to kernel data structures for Linux based systems managing virtual memory. For each process, the `/proc/<PID>/maps` file shows how memory is mapped within the process\u2019s virtual address space. And `/proc/<PID>/mem`, exposed for debugging purposes, provides access to the process\u2019s virtual address space.\n\nWhen executing with root privileges, adversaries can search these memory locations for all processes on a system that contain patterns indicative of credentials. Adversaries may use regex patterns, such as <code>grep -E \"^[0-9a-f-]* r\" /proc/\"$pid\"/maps | cut -d' ' -f 1</code>, to look for fixed strings in memory structures or cached hashes. When running without privileged access, processes can still view their own virtual memory locations. Some services or programs may save credentials in clear text inside the process\u2019s memory.\n\nIf running as or with the permissions of a web browser, a process can search the `/maps` & `/mem` locations for common website credential patterns (that can also be used to find adjacent memory within the same structure) in which hashes or cleartext credentials may be located.",
      "answer": "The given description is related to sub technique Proc Filesystem (T1003.007);\nSub technique Proc Filesystem (T1003.007) is a type of technique OS Credential Dumping (T1003);\nTechnique OS Credential Dumping (T1003) is a type of tactic Persistence (TA0003);\nTherefore, the given description is related to tactic Persistence (TA0003).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Which tactic is related to the following description:\nAdversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as <code>pastebin.com</code>, are commonly used by developers to share code and other information.  \n\nText storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.\n\n**Note:** This is distinct from Exfiltration to Code Repository, which highlights access to code repositories via APIs.?",
    "context": "",
    "output": "The given description is related to sub technique: Exfiltration to Text Storage Sites (T1567.003);\nSub technique Exfiltration to Text Storage Sites (T1567.003) is a type of technique Exfiltration Over Web Service (T1567);\nTechnique Exfiltration Over Web Service (T1567) is a type of tactic Defense Evasion (TA0005);\nTherefore, the given description is related to tactic Defense Evasion (TA0005).",
    "category": "MitreFlan",
    "instruction_type": "cot_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which tactic is related to the following description:\nAdversaries may exfiltrate data to text storage sites instead of their primary command and control channel. Text storage sites, such as <code>pastebin.com</code>, are commonly used by developers to share code and other information.  \n\nText storage sites are often used to host malicious code for C2 communication (e.g., Stage Capabilities), but adversaries may also use these sites to exfiltrate collected data. Furthermore, paid features and encryption options may allow adversaries to conceal and store data more securely.\n\n**Note:** This is distinct from Exfiltration to Code Repository, which highlights access to code repositories via APIs.",
      "answer": "The given description is related to sub technique: Exfiltration to Text Storage Sites (T1567.003);\nSub technique Exfiltration to Text Storage Sites (T1567.003) is a type of technique Exfiltration Over Web Service (T1567);\nTechnique Exfiltration Over Web Service (T1567) is a type of tactic Defense Evasion (TA0005);\nTherefore, the given description is related to tactic Defense Evasion (TA0005).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Which tactic is related to the following description:\nAdversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip.?",
    "context": "",
    "output": "The given description is related to sub technique: Standard Encoding (T1132.001);\nSub technique Standard Encoding (T1132.001) is a type of technique Data Encoding (T1132);\nTechnique Data Encoding (T1132) is a type of tactic Command and Control (TA0011);\nTherefore, the given description is related to tactic Command and Control (TA0011).",
    "category": "MitreFlan",
    "instruction_type": "cot_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which tactic is related to the following description:\nAdversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME. Some data encoding systems may also result in data compression, such as gzip.",
      "answer": "The given description is related to sub technique: Standard Encoding (T1132.001);\nSub technique Standard Encoding (T1132.001) is a type of technique Data Encoding (T1132);\nTechnique Data Encoding (T1132) is a type of tactic Command and Control (TA0011);\nTherefore, the given description is related to tactic Command and Control (TA0011).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Which tactic is related to the following description:\nAdversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table. The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. Disk Structure Wipe may be performed in isolation, or along with Disk Content Wipe if all sectors of a disk are wiped.\n\nOn network devices, adversaries may reformat the file system using Network Device CLI commands such as `format`.\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.?",
    "context": "",
    "output": "The given description is related to sub technique: Disk Structure Wipe (T1561.002);\nSub technique Disk Structure Wipe (T1561.002) is a type of technique Disk Wipe (T1561);\nTechnique Disk Wipe (T1561) is a type of tactic Impact (TA0040);\nTherefore, the given description is related to tactic Impact (TA0040).",
    "category": "MitreFlan",
    "instruction_type": "cot_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which tactic is related to the following description:\nAdversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources. \n\nAdversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table. The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. Disk Structure Wipe may be performed in isolation, or along with Disk Content Wipe if all sectors of a disk are wiped.\n\nOn network devices, adversaries may reformat the file system using Network Device CLI commands such as `format`.\n\nTo maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like Valid Accounts, OS Credential Dumping, and SMB/Windows Admin Shares.",
      "answer": "The given description is related to sub technique: Disk Structure Wipe (T1561.002);\nSub technique Disk Structure Wipe (T1561.002) is a type of technique Disk Wipe (T1561);\nTechnique Disk Wipe (T1561) is a type of tactic Impact (TA0040);\nTherefore, the given description is related to tactic Impact (TA0040).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Which tactic is related to the following description:\nAdversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.\n\nAdversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: Search Victim-Owned Websites or Social Media). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Phishing or Hardware Additions).?",
    "context": "",
    "output": "The given description is related to sub technique: Determine Physical Locations (T1591.001);\nSub technique Determine Physical Locations (T1591.001) is a type of technique Gather Victim Org Information (T1591);\nTechnique Gather Victim Org Information (T1591) is a type of tactic Reconnaissance (TA0043);\nTherefore, the given description is related to tactic Reconnaissance (TA0043).",
    "category": "MitreFlan",
    "instruction_type": "cot_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which tactic is related to the following description:\nAdversaries may gather the victim's physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.\n\nAdversaries may gather this information in various ways, such as direct elicitation via Phishing for Information. Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: Search Victim-Owned Websites or Social Media). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Phishing for Information or Search Open Websites/Domains), establishing operational resources (ex: Develop Capabilities or Obtain Capabilities), and/or initial access (ex: Phishing or Hardware Additions).",
      "answer": "The given description is related to sub technique: Determine Physical Locations (T1591.001);\nSub technique Determine Physical Locations (T1591.001) is a type of technique Gather Victim Org Information (T1591);\nTechnique Gather Victim Org Information (T1591) is a type of tactic Reconnaissance (TA0043);\nTherefore, the given description is related to tactic Reconnaissance (TA0043).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Which tactic is related to the following description - An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate. The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions ...</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>. Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.\n\nAn adversary may utilize Private Keys to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate. This differs from Steal Application Access Token and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\n\nAn adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to Use Alternate Authentication Material, which may bypass multi-factor and other authentication protection mechanisms.",
    "context": "",
    "output": "The given description is related to sub technique SAML Tokens (T1606.002);\nSub technique SAML Tokens (T1606.002) is a type of technique Forge Web Credentials (T1606);\nTechnique Forge Web Credentials (T1606) is a type of tactic Credential Access (TA0006);\nTherefore, the given description is related to tactic Credential Access (TA0006).",
    "category": "MitreFlan",
    "instruction_type": "cot_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which tactic is related to the following description - An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate. The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions ...</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>. Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.\n\nAn adversary may utilize Private Keys to compromise an organization's token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate. This differs from Steal Application Access Token and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.\n\nAn adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to Use Alternate Authentication Material, which may bypass multi-factor and other authentication protection mechanisms.",
      "answer": "The given description is related to sub technique SAML Tokens (T1606.002);\nSub technique SAML Tokens (T1606.002) is a type of technique Forge Web Credentials (T1606);\nTechnique Forge Web Credentials (T1606) is a type of tactic Credential Access (TA0006);\nTherefore, the given description is related to tactic Credential Access (TA0006).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Which tactic is related to the following description - Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.\n\nThe ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address. Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache.\n\nAn adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.\n\nThe ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.\n\nAdversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.?",
    "context": "",
    "output": "The given description is related to sub technique ARP Cache Poisoning (T1557.002);\nSub technique ARP Cache Poisoning (T1557.002) is a type of technique Adversary-in-the-Middle (T1557);\nTechnique Adversary-in-the-Middle (T1557) is a type of tactic Execution (TA0002);\nTherefore, the given description is related to tactic Execution (TA0002).",
    "category": "MitreFlan",
    "instruction_type": "cot_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which tactic is related to the following description - Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as Network Sniffing or Transmitted Data Manipulation.\n\nThe ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address. Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache.\n\nAn adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.\n\nThe ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.\n\nAdversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.",
      "answer": "The given description is related to sub technique ARP Cache Poisoning (T1557.002);\nSub technique ARP Cache Poisoning (T1557.002) is a type of technique Adversary-in-the-Middle (T1557);\nTechnique Adversary-in-the-Middle (T1557) is a type of tactic Execution (TA0002);\nTherefore, the given description is related to tactic Execution (TA0002).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_tactic_mapping_CoT"
    }
  },
  {
    "instruction": "Which tactic is related to the following description:\nAdversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nThe DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.",
    "context": "",
    "output": "The given description is related to sub technique: DNS (T1071.004);\nSub technique DNS (T1071.004) is a type of technique Application Layer Protocol (T1071);\nTechnique Application Layer Protocol (T1071) is a type of tactic Command and Control (TA0011);\nTherefore, the given description is related to tactic Command and Control (TA0011).",
    "category": "MitreFlan",
    "instruction_type": "cot_tactic_mapping_CoT",
    "parsed_raw_data": {
      "question": "Which tactic is related to the following description:\nAdversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. \n\nThe DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.",
      "answer": "The given description is related to sub technique: DNS (T1071.004);\nSub technique DNS (T1071.004) is a type of technique Application Layer Protocol (T1071);\nTechnique Application Layer Protocol (T1071) is a type of tactic Command and Control (TA0011);\nTherefore, the given description is related to tactic Command and Control (TA0011).",
      "category": [
        "MITREFlan"
      ],
      "instruction_type": "cot_tactic_mapping_CoT"
    }
  }
]