Sleep
Apr 7, 2024

MITRE TryHackMe Writeup

This room will discuss the various resources MITRE has made available for the cybersecurity community.

Lab link: https://tryhackme.com/room/mitre

Task 1 Introduction to MITRE

#1.1 Read above.

Answer: No answer is needed.

Task 2 Basic Terminology

#2.1 Read above.

Answer: No answer is needed.

Task 3 ATT&CK® Framework

#3.1 Besides blue teamers, who else will use the ATT&CK Matrix?

The answer is in the task text itself, which notes that the ATT&CK Matrix is used by red teamers as well as blue teamers.

Answer: Red Teamers

#3.2 What is the ID for this technique?

To answer this question, open the ATT&CK site:

https://attack.mitre.org/

Scroll down to the Enterprise matrix and find the "Initial Access" column. That column contains the Phishing technique; hovering over or clicking it shows the technique's ID.

Answer: T1566

#3.3 Based on this technique, what mitigation covers identifying social engineering techniques?

Click on the "Phishing" technique to open its page.

Scroll down to the Mitigations table. Read the description of each mitigation and pick the one that covers identifying social engineering techniques.

In this case, the matching mitigation is "User Training".

Answer: User Training

#3.4 What are the data sources for Detection? (Format: source1, source2, source3 with no spaces after commas)

Go back to the MITRE ATT&CK Phishing technique page and scroll down to the Detection table.

Each row of the table lists a data source and its data component (for example "Application Log: Application Log Content").

Our answer is the set of values in the "Data Source" column, written in the format the question asks for.

Answer: Application Log,File,Network Traffic

#3.5 What groups have used spear-phishing in their campaigns? (Format: group1, group2)

Go back to the MITRE ATT&CK Phishing technique page and look at the Procedure Examples table.

The groups are listed in the "Name" column; the first two entries give the answer, written in the format the question asks for.

Answer: Axiom,Gold SOUTHFIELD

#3.6 Based on the information for the first group, what are their associated groups?

Go back to the MITRE ATT&CK Phishing technique page and look at the Procedure Examples table. Click on the first name in the table (Axiom), which takes you to the group page.

Near the top of the group page, the "Associated Groups" field holds the answer.

Answer: Group 72

#3.7 What software is associated with this group that lists phishing as a technique?

Returning to the group page, use the browser's find feature: press Ctrl+F and type "Phishing" in the search bar that appears.

The match is in the Software table, in the row whose techniques include Phishing.

Answer: Hikit

#3.8 What is the description for this software?

Going back to the Software table from the previous question, click on the name of the software. This takes you to the software page.

The description of the tool, at the top of the page, is the answer.

Answer: Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.

#3.9 This group overlaps (slightly) with which other group?

To answer this question, go back to the Axiom group page and read through the description; the answer is at the end of the paragraph.

Answer: Winnti Group

#3.10 How many techniques are attributed to this group?

Staying on the Axiom group page, scroll down to the Techniques Used table and count the rows whose Domain column reads "Enterprise". That count is the answer.

Answer: 15
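The same lookups can be done offline, because ATT&CK is also published as a STIX 2.x JSON bundle (objects of type attack-pattern, course-of-action, intrusion-set, malware/tool, x-mitre-tactic, and relationship objects that tie them together). The example below is added here and is not part of the room or of MITRE's code; the object types, field names and relationship_type values follow the real format, but BUNDLE is a hand-built subset covering only the objects this task touches, the STIX ids (attack-pattern--phish and the like) are constructed placeholders, and the revoked "T9999" entry is invented to show the filtering that real bundles need, since revoked and deprecated objects are kept in the file. It also answers the Task 4.2 tactic lookup (TA0003) from the same data.

```python
"""Task 3 / Task 4.2 ATT&CK lookups against a STIX bundle (added example, constructed data)."""

# Constructed, minimal bundle shaped like MITRE's enterprise-attack STIX JSON.
# STIX ids and the revoked T9999 object are placeholders, not real ATT&CK data.
BUNDLE = {"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--phish", "name": "Phishing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}],
     "x_mitre_data_sources": ["Application Log: Application Log Content",
                              "File: File Creation", "Network Traffic: Network Traffic Flow"]},
    {"type": "attack-pattern", "id": "attack-pattern--old", "name": "Phishing (old)", "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
    {"type": "course-of-action", "id": "course-of-action--train", "name": "User Training"},
    {"type": "intrusion-set", "id": "intrusion-set--axiom", "name": "Axiom", "aliases": ["Axiom", "Group 72"]},
    {"type": "intrusion-set", "id": "intrusion-set--gold", "name": "Gold SOUTHFIELD"},
    {"type": "malware", "id": "malware--hikit", "name": "Hikit"},
    {"type": "x-mitre-tactic", "id": "x-mitre-tactic--persist", "name": "Persistence",
     "external_references": [{"source_name": "mitre-attack", "external_id": "TA0003"}]},
    {"type": "relationship", "relationship_type": "mitigates",
     "source_ref": "course-of-action--train", "target_ref": "attack-pattern--phish"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--axiom", "target_ref": "attack-pattern--phish"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--gold", "target_ref": "attack-pattern--phish"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "intrusion-set--axiom", "target_ref": "malware--hikit"},
    {"type": "relationship", "relationship_type": "uses",
     "source_ref": "malware--hikit", "target_ref": "attack-pattern--phish"},
]}


def live_objects(bundle, obj_type):
    """Objects of one STIX type, skipping revoked/deprecated ones that still sit in the bundle."""
    return [o for o in bundle["objects"] if o["type"] == obj_type
            and not o.get("revoked") and not o.get("x_mitre_deprecated")]


def attack_id(obj):
    """The Txxxx/TAxxxx id is in external_references (source_name mitre-attack), not the STIX id."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def related(bundle, rel_type, *, target_ref=None, source_ref=None):
    """Objects linked to target_ref (as sources) or to source_ref (as targets) via rel_type."""
    index = {o["id"]: o for o in bundle["objects"] if "id" in o}
    hits = []
    for r in bundle["objects"]:
        if r["type"] != "relationship" or r["relationship_type"] != rel_type:
            continue
        if target_ref and r["target_ref"] == target_ref:
            hits.append(index[r["source_ref"]])
        if source_ref and r["source_ref"] == source_ref:
            hits.append(index[r["target_ref"]])
    return hits


def find_technique(bundle, name):
    """(ATT&CK id, object) for a live technique by name, or (None, None)."""
    for t in live_objects(bundle, "attack-pattern"):
        if t["name"].lower() == name.lower():
            return attack_id(t), t
    return None, None


def find_group(bundle, name):
    """Group by name or alias (the 'Associated Groups' field is the aliases list)."""
    for g in live_objects(bundle, "intrusion-set"):
        if name in (g["name"], *g.get("aliases", [])):
            return g
    return None


def mitigations(bundle, technique):
    return sorted(m["name"] for m in related(bundle, "mitigates", target_ref=technique["id"]))


def data_sources(bundle, technique):
    """Entries read 'Data Source: Data Component'; the question wants only the source part."""
    return sorted({ds.split(":", 1)[0].strip() for ds in technique.get("x_mitre_data_sources", [])})


def groups_using(bundle, technique):
    return sorted(g["name"] for g in related(bundle, "uses", target_ref=technique["id"])
                  if g["type"] == "intrusion-set")


def group_software_using(bundle, group, technique):
    """Software the group uses that itself has a 'uses' relationship to the technique."""
    names = []
    for sw in related(bundle, "uses", source_ref=group["id"]):
        if sw["type"] in ("malware", "tool") and any(
                t["id"] == technique["id"] for t in related(bundle, "uses", source_ref=sw["id"])):
            names.append(sw["name"])
    return sorted(names)


def tactic_name(bundle, tactic_id):
    for t in live_objects(bundle, "x-mitre-tactic"):
        if attack_id(t) == tactic_id:
            return t["name"]
    return None
```

Against the real enterprise-attack bundle the same functions answer the questions above; the one caveat worth keeping is the revoked/deprecated filter, because a bundle keeps old objects for backwards compatibility and a naive name search will happily return one of them.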

Task 4 CAR Knowledge Base

#4.1 For the above analytic, what is the pseudocode a representation of?

To answer this question, open the analytic page: https://car.mitre.org/analytics/CAR-2020-09-001/

Scroll down to the Implementations section; the pseudocode block states what it is a representation of.

Answer: Splunk search

#4.2 What tactic has an ID of TA0003?

To answer this question, we use the ATT&CK Powered Suit browser extension.

First, install the extension in your browser.

Link: https://chrome.google.com/webstore/detail/attck-powered-suit/gfhomppaadldngjnmbefmmiokgefjddd

Second, open the extension.

Finally, type the ID "TA0003" into its search box. The result shows the tactic name. (Opening https://attack.mitre.org/tactics/TA0003/ directly gives the same answer.)

Answer: Persistence

#4.3 What is the name of the library that is a collection of Zeek (BRO) scripts?

To answer this question, open the CAR home page:

https://car.mitre.org/

Scroll down to the Analytic Source Code Libraries section.

Read the paragraph; the last sentence names the library of Zeek (BRO) scripts.

Answer: BZAR

#4.4 What is the name of the technique for running executables with the same hash and different names?

To answer this question, click the Analytics link at the top of the page.

Next, press Ctrl+F to open the find feature, click in the search bar and paste the second half of the question ("running executables with the same hash and different names"). There is only one match, and its technique column gives the answer.

Answer: Masquerading

#4.5 Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?

To answer this question, search for the analytic ID "CAR-2013-05-004" in the Analytics list on the CAR site.

Click on "CAR-2013-05-004" to open the analytic page.

Scroll down past the Implementations section; the next section heading is the answer.

Answer: Unit Tests
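The Analytics entry from 4.4 describes the check in one sentence: an executable whose hash turns up under more than one file name is a likely renamed (masqueraded) binary. The block below is an added example, not code from the writeup or from MITRE CAR, implementing that check over process-creation events. The event layout, the hosts, the paths and the "HASH-A" style labels (standing in for SHA-256 digests) are constructed for the demo; real input would be Sysmon Event ID 1 or EDR process-creation records carrying the image path and file hash.

```python
"""Masquerading check: one hash, several file names (added example, constructed events)."""
from collections import defaultdict

# Constructed process-creation events. Hash values are short labels, not real digests.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe", "sha256": "HASH-A"},
    {"host": "ws01", "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "sha256": "HASH-A"},
    {"host": "ws02", "image": r"C:\Windows\System32\cmd.exe", "sha256": "HASH-A"},
    {"host": "ws02", "image": r"C:\Windows\System32\notepad.exe", "sha256": "HASH-B"},
    # Case-only difference: Windows file names are case-insensitive, so this is not a rename.
    {"host": "ws03", "image": r"C:\Windows\System32\NOTEPAD.EXE", "sha256": "HASH-B"},
    # Same name, two hashes: a different binary (update or replacement), not this analytic's case.
    {"host": "ws03", "image": r"C:\ProgramData\updater.exe", "sha256": "HASH-C"},
    {"host": "ws03", "image": r"C:\ProgramData\updater.exe", "sha256": "HASH-D"},
]


def file_name(image_path):
    """Normalised base name: last path component, case-folded (Windows semantics)."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def names_per_hash(events):
    """Map each hash to the set of distinct file names it has executed under."""
    index = defaultdict(set)
    for e in events:
        index[e["sha256"]].add(file_name(e["image"]))
    return index


def find_masquerading(events):
    """{hash: sorted distinct names} for every hash that ran under more than one name."""
    return {h: sorted(names) for h, names in names_per_hash(events).items() if len(names) > 1}


def hosts_for_hash(events, sha256):
    """Hosts on which the given hash was seen, for scoping the follow-up investigation."""
    return sorted({e["host"] for e in events if e["sha256"] == sha256})


def report(events):
    """One alert line per flagged hash: names it ran under and the hosts involved."""
    return [f"{h}: {', '.join(names)} on {', '.join(hosts_for_hash(events, h))}"
            for h, names in find_masquerading(events).items()]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

Only HASH-A is flagged: cmd.exe renamed to svchost.exe in a user's Temp directory is exactly the pattern the analytic targets, while the notepad.exe case difference and the updater.exe hash change are the two false positives a naive string comparison would raise. The same aggregation in the Splunk pseudocode style used by CAR (a hypothetical equivalent, not a CAR query) would be a `stats dc(Image) by Hashes` over process-creation events, keeping rows where the distinct count is greater than one.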

Task 5 MITRE Engage

#5.1 Under Prepare, what is ID SAC0002?

To answer this question, open the MITRE Engage site:

https://engage.mitre.org/

When the page loads, use the menu at the top and click on Tools > Matrix.

Once the matrix loads, click on Prepare.

Click through the activities listed under Prepare until you find the one whose ID is "SAC0002".

In this case, "Persona Creation" carries that ID.

Answer: Persona Creation

#5.2 What is the name of the resource to aid you with the engagement activity from the previous question?

Go back to the MITRE Engage Matrix page. At the top of the page, click the magnifying glass (search) icon and search for "persona".

The results include the worksheet that supports this activity, which is our answer.

Answer: Persona Profile Worksheet

#5.3 Which engagement activity baits a specific response from the adversary?

Use the Back button to return to the MITRE Engage Matrix. Once the page loads, look through the activities listed in the matrix and read their short descriptions.

The activity described as baiting a specific response from the adversary is the answer.

Answer: Lures

#5.4 What is the definition of Threat Model?

One last time, head back to the MITRE Engage Matrix and click on the Prepare tab to open it.

Then click on Threat Model, at the bottom of the list.

The page loads and the answer is in the description.

Answer: A risk assessment that models organizational strengths and weaknesses

Task 6 MITRE D3FEND

#6.1 What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?

To answer this question, open the D3FEND site:

https://d3fend.mitre.org/

Once the page loads, click on the "ATT&CK Lookup" box at the top of the page.

The first technique listed in the dropdown is the answer.

Answer: Data Obfuscation

#6.2 In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce?

Going back to the D3FEND site, click on the ATT&CK Lookup again, and this time click on Data Obfuscation.

A pop-up with information about the technique appears.

Scroll down to the Inferred Relationships diagram; the node that the technique "produces" is the answer.

Answer: Outbound Internet Network Traffic

Task 7 ATT&CK® Emulation Plans

#7.1 In Phase 1 for the APT3 Emulation Plan, what is listed first?

To answer this question, open the adversary emulation plans page:

https://attack.mitre.org/resources/adversary-emulation-plans/

When the page loads, scroll down until you see the APT3 Emulation Plan diagram. Under Phase 1, the first blue box holds the answer.

Answer: C2 Setup

#7.2 Under Persistence, what binary was replaced with cmd.exe?

Head back to the MITRE ATT&CK APT3 Emulation Plan page and scroll to the bottom of the page.

Click on the link "APT3 Adversary Emulation Plan". This opens a PDF in a new tab.

When the PDF loads, go to the table of contents and find the Persistence section.

The answer is in the second paragraph of the Persistence section, which describes the accessibility binary that was replaced with cmd.exe.

Answer: sethc.exe

#7.3 Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)

To answer this question, open the APT29 folder of the adversary emulation library on GitHub:

https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/apt29

Then, open the file README.md.

Once the page loads, go to the table of contents and click on "Scenario 1 - Infrastructure".

The Emulation Team Infrastructure section of that page lists the two C2 frameworks that make up the answer.

Answer: Pupy,Metasploit Framework

#7.4 What C2 framework is listed in Scenario 2 Infrastructure?

Head back to the APT29 README on GitHub and, in its table of contents, click on "Scenario 2 - Infrastructure".

Find the Emulation Team Infrastructure section.

The C2 framework listed there is the answer.

Answer: PoshC2

#7.5 Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)

To answer this question, open the adversary emulation library on GitHub:

https://github.com/center-for-threat-informed-defense/adversary_emulation_library

Once the page loads, find the "Sandworm" entry in the full emulation plans list and click on it.

Click on the Emulation_Plan folder.

Click on the Scenario_1 folder.

The first part of the answer is in the Scenario Overview, in step one, which names the webshell.

For the second part, the Software ID, search for the webshell's name with the ATT&CK Powered Suit browser extension (or on the Software page of https://attack.mitre.org/).

The result gives the Sxxxx Software ID.

Answer: P.A.S.,S0598

Task 8 ATT&CK® and Threat Intelligence

#8.1 What is a group that targets your sector who has been in operation since at least 2013?

To answer this question, we use the ATT&CK Groups page: https://attack.mitre.org/groups/

The task's scenario places you in the aviation sector, so type "Aviation" into the page's search bar.

The matching group, whose description says it has been operating since at least 2013, is the answer.

Answer: APT33

#8.2 As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?

Head back to the Groups page and click on the APT33 link to open the group page.

Once the page loads, use the find feature (Ctrl+F).

Type "Cloud".

The match is in the Techniques Used table, under the Valid Accounts technique.

Answer: Cloud Accounts

#8.3 What tool is associated with the technique from the previous question?

Head back to the APT33 group page. In the same row of the Techniques Used table, the Use column to the right names the tool associated with the technique.

Answer: Ruler

#8.4 Referring to the technique from question 2, what mitigation method suggests using SMS messages as an alternative for its implementation?

Head back to the APT33 group page and click on the link that was the answer two questions ago, "Cloud Accounts".

On the Valid Accounts: Cloud Accounts page, scroll down to the Mitigations section.

Read each description and select the one that mentions SMS messages as an alternative.

Answer: Multi-factor Authentication

#8.5 What platforms does the technique from question #2 affect?

Staying on the Valid Accounts: Cloud Accounts page, look at the "Platforms" field near the top of the page.

The platforms listed there are the answer.

Answer: Azure AD, Google Workspace, IaaS, Office 365, SaaS

Task 9 Conclusion

#9.1 Read above.
