In this walk through, we will be going through the MITRE room from Tryhackme. This room will cover the MITRE framework and its available modules and resources for the cybersecurity community. So, let’s get started without any delay.
Table of Contents
Task 1 – Introduction to MITRE
Task 2 – Basic Terminology
Task 3 – ATT&CK® Framework
Question 1 – Besides blue teamers, who else will use the ATT&CK Matrix?
Red TeamersQuestion 2 – What is the ID for this technique?
T1566Question 3 – Based on this technique, what mitigation covers identifying social engineering techniques?
User Training Question 4 – What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)
Application Log,File, Network Traffic Question 5 – What groups have used spear-phishing in their campaigns? (format: group1,group2)
Axiom, GOLD SOUTHFIELD Question 6 – Based on the information for the first group, what are their associated groups?
Group 72 Question 7 – What software is associated with this group that lists phishing as a technique?
HikitQuestion 8 – What is the description for this software?
Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromiseQuestion 9 – This group overlaps (slightly) with which other group?
Winnti Group Question 10 – How many techniques are attributed to this group?
15
Task 4 – CAR Knowledge Base
Question 1 – For the above analytic, what is the pseudocode a representation of?
splunk searchQuestion 2 – What tactic has an ID of TA0003?
PersistenceQuestion 3 – What is the name of the library that is a collection of Zeek (BRO) scripts?
BZARQuestion 4 – What is the name of the technique for running executables with the same hash and different names?
MasqueradingQuestion 5 – Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?
Unit Tests
Task 5 – MITRE Engage
Question 1 – Under Prepare, what is ID SAC0002?
Persona CreationQuestion 2 – What is the name of the resource to aid you with the engagement activity from the previous question?
Persona Profile WorksheetQuestion 3 – Which engagement activity baits a specific response from the adversary?
LuresQuestion 4 – What is the definition of Threat Model?
A risk assessment that models organizational strengths and weaknesses
Task 6 – MITRE D3FEND
Question 1 – What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?
Data obfuscationQuestion 2 – In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce?
Outbound Internet Network Traffic
Task 7 – ATT&CK® Emulation Plans
Question 1 – In Phase 1 for the APT3 Emulation Plan, what is listed first?
C2 SetupQuestion 2 – Under Persistence, what binary was replaced with cmd.exe?
sethc.exeQuestion 3 – Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)
PupY, Metasploit FrameworkQuestion 4 – What C2 framework is listed in Scenario 2 Infrastructure?
PoshC2Question 5 – Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)
P.A.S., S0598
Task 8 – ATT&CK® and Threat Intelligence
Question 1 – What is a group that targets your sector who has been in operation since at least 2013?
APT33Question 2 – As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?
Cloud AccountsQuestion 3 – What tool is associated with the technique from the previous question?
RulerQuestion 4 – Per the detection tip, what should you be detecting? (format: phrase1 or phrase2)
abnormal or malicious behaviorQuestion 5 – What platforms does the technique from question #2 affect?
Azure AD, Google Workspace, IaaS, Office 365, SaaS 
Task 9 – Conclusion
Also Read: Tryhackme – Linux Privilege Escalation
So that was “MITRE” for you. In this room, we have covered about the MITRE framework and its available resources from the famous ATTACK framework to some resources on the defensive side. MITRE is a go to resource for any information on TTPs of major Advanced Persistent Threat (APT) groups and more. If you haven’t checked it out thoroughly, a little of tinkering with all the modules won’t hurt. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.
