Tryhackme - MITRE

In this walkthrough, we will be going through the MITRE room from Tryhackme. This room covers the MITRE framework and the modules and resources it makes available to the cybersecurity community. So, let’s get started without any delay.

Task 1 – Introduction to MITRE

Task 2 – Basic Terminology

Task 3 – ATT&CK® Framework

Question 1 – Besides blue teamers, who else will use the ATT&CK Matrix?

Red Teamers

Question 2 – What is the ID for this technique?

T1566

Question 3 – Based on this technique, what mitigation covers identifying social engineering techniques?

User Training (M1017)

Question 4 – What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)

Application Log,File,Network Traffic

Question 5 – What groups have used spear-phishing in their campaigns? (format: group1,group2)

Axiom,GOLD SOUTHFIELD

Question 6 – Based on the information for the first group, what are their associated groups?

Group 72 

Question 7 – What software is associated with this group that lists phishing as a technique?

Hikit

Question 8 – What is the description for this software?

Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise

Question 9 – This group overlaps (slightly) with which other group?

Winnti Group

Question 10 – How many techniques are attributed to this group?

15

Task 4 – CAR Knowledge Base

Question 1 – For the above analytic, what is the pseudocode a representation of?

Splunk search

Question 2 – What tactic has an ID of TA0003?

Persistence

Question 3 – What is the name of the library that is a collection of Zeek (BRO) scripts?

BZAR

Question 4 – What is the name of the technique for running executables with the same hash and different names?

Masquerading

Question 5 – Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?

Unit Tests

Task 5 – MITRE Engage

Question 1 – Under Prepare, what is ID SAC0002?

Persona Creation

Question 2 – What is the name of the resource to aid you with the engagement activity from the previous question?

Persona Profile Worksheet

Question 3 – Which engagement activity baits a specific response from the adversary?

Lures

Question 4 – What is the definition of Threat Model?

A risk assessment that models organizational strengths and weaknesses

Task 6 – MITRE D3FEND

Question 1 – What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?

Data Obfuscation

Question 2 – In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce?

Outbound Internet Network Traffic

Task 7 – ATT&CK® Emulation Plans

Question 1 – In Phase 1 for the APT3 Emulation Plan, what is listed first?

C2 Setup

Question 2 – Under Persistence, what binary was replaced with cmd.exe?

sethc.exe

Question 3 – Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)

Link: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Emulation_Plan/Scenario_1/Infrastructure.md

Pupy,Metasploit Framework

Question 4 – What C2 framework is listed in Scenario 2 Infrastructure?

Link: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Emulation_Plan/Scenario_2/Infrastructure.md

PoshC2

Question 5 – Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)

P.A.S.,S0598

Task 8 – ATT&CK® and Threat Intelligence

Question 1 – What is a group that targets your sector who has been in operation since at least 2013?

APT33

Question 2 – As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?

Cloud Accounts

Question 3 – What tool is associated with the technique from the previous question?

Ruler

Question 4 – Per the detection tip, what should you be detecting? (format: phrase1 or phrase2)

abnormal or malicious behavior

Question 5 – What platforms does the technique from question #2 affect?

Azure AD, Google Workspace, IaaS, Office 365, SaaS

Task 9 – Conclusion

So that was “MITRE” for you. In this room, we have covered the MITRE framework and its available resources, from the famous ATT&CK framework to resources on the defensive side. MITRE is a go-to resource for information on the TTPs of major Advanced Persistent Threat (APT) groups and more. If you haven’t checked it out thoroughly, a little tinkering with all the modules won’t hurt. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.
