MITRE - TryHackMe Write-up

Info
- Name: MITRE
- Description: This room will discuss the various resources MITRE has made available for the cybersecurity community.
- Difficulty: Medium
- Room link: https://tryhackme.com/room/mitre
Write-up
Task 3
Q: Besides blue teamers, who else will use the ATT&CK Matrix?
A: Red Teamers
Q: What is the ID for this technique?
A: T1566
Q: Based on this technique, what mitigation covers identifying social engineering techniques?
A: User Training
Q: What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)
A: Application Log,File,Network Traffic
Q: What groups have used spear-phishing in their campaigns? (format: group1,group2)
A: Axiom,GOLD SOUTHFIELD
Q: Based on the information for the first group, what are their associated groups?
A: Group 72
Q: What software is associated with this group that lists phishing as a technique?
A: Hikit
Q: What is the description for this software?
A: Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.
Q: This group overlaps (slightly) with which other group?
A: Winnti Group
Q: How many techniques are attributed to this group?
A: 15 (this refers to Axiom, not Winnti Group)
Task 4
Q: For the above analytic, what is the pseudocode a representation of?
A: Splunk search
Q: What tactic has an ID of TA0003?
A: Persistence
Q: What is the name of the library that is a collection of Zeek (BRO) scripts?
A: BZAR
Q: What is the name of the technique for running executables with the same hash and different names?
A: Masquerading
Q: Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?
A: Unit Tests
Task 5
Q: Under Prepare, what is ID SAC0002?
A: Persona Creation
Q: What is the name of the resource to aid you with the engagement activity from the previous question?
A: Persona Profile Worksheet
Q: Which engagement activity baits a specific response from the adversary?
A: Lures
Q: What is the definition of Threat Model?
A: A risk assessment that models organizational strengths and weaknesses
Task 6
Q: What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?
A: Data Obfuscation
Q: In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce?
A: Outbound Internet Network Traffic
Task 7
Q: In Phase 1 for the APT3 Emulation Plan, what is listed first?
A: C2 Setup
Q: Under Persistence, what binary was replaced with cmd.exe?
A: sethc.exe
Q: Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)
A: Pupy,Metasploit Framework
Q: What C2 framework is listed in Scenario 2 Infrastructure?
A: PoshC2
Q: Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the ID? (format: webshell,id)
A: P.A.S.,S0598
Task 8
Q: What is a group that targets your sector who has been in operation since at least 2013?
A: APT33
Q: As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?
A: Cloud Accounts
Q: What tool is associated with the technique from the previous question?
A: Ruler
Q: Per the detection tip, what should you be detecting? (format: phrase1 or phrase2)
A: Abnormal or malicious behavior
Q: What platforms does the technique from question #2 affect?
A: Azure AD, Google Workspace, IaaS, Office 365, SaaS