We demonstrated the cybersecurity framework ATT&CK and shield for security strategies and active defense. We also covered the answers for TryHackMe MITRE room.

OSCP Study Notes

The Complete Practical Web Application Penetration Testing Course

Highlights

From Mitre.org: “At MITRE, we solve problems for a safer world. Through our federally funded R&D centers and public-private partnerships, we work across government to tackle challenges to the safety, stability, and well-being of our nation.

“MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” In 2013, MITRE began to address the need to record and document common TTPs (Tactics, Techniques, and Procedures) that APT (Advanced Persistent Threat) groups used against enterprise Windows networks. This started with an internal project known as FMX (Fort Meade Experiment). Within this project, selected security professionals were tasked to emulated adversarial TTPs against a network, and data was collected from the attacks on this network. The gathered data helped construct the beginning pieces of what we know today as the ATT&CK® framework.

The ATT&CK® framework has grown and expanded throughout the years. One notable expansion was that the framework focused solely on the Windows platform but has expanded to cover other platforms, such as macOS and Linux. The framework is heavily contributed to by many sources, such as security researchers and threat intelligence reports. Note this is not only a tool for blue teamers. The tool is also useful for red teamers.

If you haven’t done so, navigate to the ATT&CK® website.

TTP is an acronym for Tactics, Techniques, and Procedures:

  • The Tactic is the adversary’s goal or objective.
  • The Technique is how the adversary achieves the goal or objective.
  • The Procedure is how the technique is executed.

Room Answers

Besides Blue teamers, who else will use the ATT&CK Matrix? (Red Teamers, Purpe Teamers, SOC Managers?)

Nay

What is the ID for this technique?

T1566

Based on this technique, what mitigation covers identifying social engineering techniques?

User Training

What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)

User Execution

What groups have used spear-phishing in their campaigns? (format: group1,group2)

Dragonfly

Based on the information for the first group, what are their associated groups?

TTG-4192,Crouching Yeti,IRON LIBERTY,Energetic Bear

What software is associated with this group that lists phishing as a technique?

PsExec

What is the description for this software?

FIN5

This group overlaps (slightly) with which other group?

2008

How many techniques are attributed to this group?

Windows Credential Editor

What tactic has an ID of TA0003?

splunk search.

What is the name of the library that is a collection of Zeek (BRO) scripts?

Persistence

What is the name of the technique for running executables with the same hash and different names?

BZAR

Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?

Masquerading

Under Prepare, what is ID SAC0002?

Detect

What is the name of the resource to aid you with the engagement activity from the previous question?

PERSONA PROFILE WORKSHEET

Which engagement activity baits a specific response from the adversary?

Lures

What is the definition of Threat Model?

A risk assessment that models organizational strengths and weaknesses

What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?

Data Obfuscation

In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce?

Outbound Internet Network Traffic

In Phase 1 for the APT3 Emulation Plan, what is listed first?

3

Under Persistence, what binary was replaced with cmd.exe?

sethc.exe

Examining APT29, what  C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)

Pupy and Meterpreter

What C2 framework is listed in Scenario 2 Infrastructure?

PoshC2

Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)

P.A.S.,S0598

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles