We demonstrated the cybersecurity framework ATT&CK and shield for security strategies and active defense. We also covered the answers for TryHackMe MITRE room.

OSCP Study Notes

The Complete Practical Web Application Penetration Testing Course


From Mitre.org: “At MITRE, we solve problems for a safer world. Through our federally funded R&D centers and public-private partnerships, we work across government to tackle challenges to the safety, stability, and well-being of our nation.

“MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” In 2013, MITRE began to address the need to record and document common TTPs (Tactics, Techniques, and Procedures) that APT (Advanced Persistent Threat) groups used against enterprise Windows networks. This started with an internal project known as FMX (Fort Meade Experiment). Within this project, selected security professionals were tasked to emulated adversarial TTPs against a network, and data was collected from the attacks on this network. The gathered data helped construct the beginning pieces of what we know today as the ATT&CK® framework.

The ATT&CK® framework has grown and expanded throughout the years. One notable expansion was that the framework focused solely on the Windows platform but has expanded to cover other platforms, such as macOS and Linux. The framework is heavily contributed to by many sources, such as security researchers and threat intelligence reports. Note this is not only a tool for blue teamers. The tool is also useful for red teamers.

If you haven’t done so, navigate to the ATT&CK® website.

TTP is an acronym for Tactics, Techniques, and Procedures:

  • The Tactic is the adversary’s goal or objective.
  • The Technique is how the adversary achieves the goal or objective.
  • The Procedure is how the technique is executed.

Room Answers

Besides Blue teamers, who else will use the ATT&CK Matrix? (Red Teamers, Purpe Teamers, SOC Managers?)


What is the ID for this technique?


Based on this technique, what mitigation covers identifying social engineering techniques?

User Training

What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)

User Execution

What groups have used spear-phishing in their campaigns? (format: group1,group2)


Based on the information for the first group, what are their associated groups?

TTG-4192,Crouching Yeti,IRON LIBERTY,Energetic Bear

What software is associated with this group that lists phishing as a technique?


What is the description for this software?


This group overlaps (slightly) with which other group?


How many techniques are attributed to this group?

Windows Credential Editor

What tactic has an ID of TA0003?

splunk search.

What is the name of the library that is a collection of Zeek (BRO) scripts?


What is the name of the technique for running executables with the same hash and different names?


Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?


Under Prepare, what is ID SAC0002?


What is the name of the resource to aid you with the engagement activity from the previous question?


Which engagement activity baits a specific response from the adversary?


What is the definition of Threat Model?

A risk assessment that models organizational strengths and weaknesses

What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?

Data Obfuscation

In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce?

Outbound Internet Network Traffic

In Phase 1 for the APT3 Emulation Plan, what is listed first?


Under Persistence, what binary was replaced with cmd.exe?


Examining APT29, what  C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)

Pupy and Meterpreter

What C2 framework is listed in Scenario 2 Infrastructure?


Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)


Video Walkthrough

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles