In this walk through, we will be going through the MITRE room from Tryhackme. This room will cover the MITRE framework and its available modules and resources for the cybersecurity community. So, let’s get started without any delay.
Table of Contents
Task 1 – Introduction to MITRE
Task 2 – Basic Terminology
Task 3 – ATT&CK® Framework
Question 1 – Besides blue teamers, who else will use the ATT&CK Matrix?
Red Teamers
Question 2 – What is the ID for this technique?
T1566
Question 3 – Based on this technique, what mitigation covers identifying social engineering techniques?
User Training
Question 4 – What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)
Application Log,File, Network Traffic
Question 5 – What groups have used spear-phishing in their campaigns? (format: group1,group2)
Axiom, GOLD SOUTHFIELD
Question 6 – Based on the information for the first group, what are their associated groups?
Group 72
Question 7 – What software is associated with this group that lists phishing as a technique?
Hikit
Question 8 – What is the description for this software?
Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise
Question 9 – This group overlaps (slightly) with which other group?
Winnti Group
Question 10 – How many techniques are attributed to this group?
15
Task 4 – CAR Knowledge Base
Question 1 – For the above analytic, what is the pseudocode a representation of?
splunk search
Question 2 – What tactic has an ID of TA0003?
Persistence
Question 3 – What is the name of the library that is a collection of Zeek (BRO) scripts?
BZAR
Question 4 – What is the name of the technique for running executables with the same hash and different names?
Masquerading
Question 5 – Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?
Unit Tests
Task 5 – MITRE Engage
Question 1 – Under Prepare, what is ID SAC0002?
Persona Creation
Question 2 – What is the name of the resource to aid you with the engagement activity from the previous question?
Persona Profile Worksheet
Question 3 – Which engagement activity baits a specific response from the adversary?
Lures
Question 4 – What is the definition of Threat Model?
A risk assessment that models organizational strengths and weaknesses
Task 6 – MITRE D3FEND
Question 1 – What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?
Data obfuscation
Question 2 – In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce?
Outbound Internet Network Traffic
Task 7 – ATT&CK® Emulation Plans
Question 1 – In Phase 1 for the APT3 Emulation Plan, what is listed first?
C2 Setup
Question 2 – Under Persistence, what binary was replaced with cmd.exe?
sethc.exe
Question 3 – Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)
PupY, Metasploit Framework
Question 4 – What C2 framework is listed in Scenario 2 Infrastructure?
PoshC2
Question 5 – Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)
P.A.S., S0598
Task 8 – ATT&CK® and Threat Intelligence
Question 1 – What is a group that targets your sector who has been in operation since at least 2013?
APT33
Question 2 – As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?
Cloud Accounts
Question 3 – What tool is associated with the technique from the previous question?
Ruler
Question 4 – Per the detection tip, what should you be detecting? (format: phrase1 or phrase2)
abnormal or malicious behavior
Question 5 – What platforms does the technique from question #2 affect?
Azure AD, Google Workspace, IaaS, Office 365, SaaS
Task 9 – Conclusion
Also Read: Tryhackme – Linux Privilege Escalation
So that was “MITRE” for you. In this room, we have covered about the MITRE framework and its available resources from the famous ATTACK framework to some resources on the defensive side. MITRE is a go to resource for any information on TTPs of major Advanced Persistent Threat (APT) groups and more. If you haven’t checked it out thoroughly, a little of tinkering with all the modules won’t hurt. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.