MITRE | TryHackMe Walkthrough
Lab Access: https://tryhackme.com/room/mitre
One of the most common reasons why people in cyber security look into MITRE is to find an exploit for a specific vulnerability (CVE — Common Vulnerabilities and Exposures), as it is a reliable way for vendors, companies, educators, and all other interested parties to exchange information about cybersecurity issues.
https://cve.mitre.org/
Areas we will be covering:
- ATT&CK® - (Adversarial Tactics, Techniques, and Common Knowledge) Framework
- CAR - (Cyber Analytics Repository) Knowledge Base
- SHIELD - Active Defense
- AEP - (ATT&CK Emulation Plans)
[Question 1.1] Read the above
Answer: No answer needed.
APT (Advanced Persistent Threat) — conducts long-term attacks on organizations and/or countries.
- Either team/group (threat group) or country (nation-state group)
- It is quite common and can be recognized if the proper controls are in place.
Each APT group possesses a super-weapon, such as a zero-day exploit.
TTP (Tactics, Techniques, and Procedures)
- Tactic - the opponent's goal or objective
- Technique - how the opponent achieves the goal or objective
- Procedure - how the technique is executed
[Question 2.1] Read the above
Answer: No answer needed.
ATT&CK® framework — MITRE has compiled and documented a knowledge base of adversary tactics and techniques based on real-world observations, covering the TTPs (Tactics, Techniques, and Procedures) that APT (Advanced Persistent Threat) groups have used against enterprise Windows networks since 2013.
https://attack.mitre.org/
- Initially focused only on the Windows platform, it has since grown to include other platforms such as macOS and Linux
- Useful for Blue (Defend) and Red (Attack) Teams
Total of 14 Categories:
1) Reconnaissance
2) Resource Development
3) Initial Access
4) Execution
5) Persistence
6) Privilege Escalation
7) Defense Evasion
8) Credential Access
9) Discovery
10) Lateral Movement
11) Collection
12) Command and Control
13) Exfiltration
14) Impact
- Each category comprises the techniques that an opponent could employ to carry out the tactic.
- The categories cover the seven stages of the Cyber Attack Lifecycle.
MITRE ATT&CK® Navigator — It provides basic navigation and annotation of ATT&CK® matrices in a manner comparable to Excel; the navigator can be used to illustrate defensive coverage, such as which tactics are detected.
https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fgroups%2FG0008%2FG0008-enterprise-layer.json
Note:
- The ATT&CK Matrix is used to map a threat group's tactics and techniques.
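Navigator reads "layer" files, so the usual way to show detection coverage is to generate a layer from your own mapping of technique IDs to coverage and load it. The script below is an added example, not code from the room or from MITRE: it builds such a layer from a constructed coverage table (the scores are made up) and lists the techniques with no detection at all. The layer keys follow the Navigator layer format as I know it, but the version strings in `versions` are assumptions and should be matched to the Navigator instance the file is loaded into.

```python
"""Build an ATT&CK Navigator layer that colours techniques by detection coverage.

Added example, not code from the room or from MITRE. The layer keys used here
(name, versions, domain, techniques[].techniqueID/score/color/comment, gradient,
legendItems) follow the Navigator layer format as I understand it; the version
strings are assumptions and should be matched to the Navigator you load the file into.
"""
import json

# Constructed sample input: technique IDs mentioned in the room mapped to a
# coverage score assigned by the analyst (0 = no detection, 1 = partial, 2 = detected).
# The scores are made up for illustration.
SAMPLE_COVERAGE = {
    "T1566": 2,       # Phishing
    "T1078.004": 1,   # Valid Accounts: Cloud Accounts
    "T1497": 0,       # Virtualization/Sandbox Evasion
    "T1003": 1,       # OS Credential Dumping
}

SCORE_COLOUR = {0: "#ff6666", 1: "#ffe766", 2: "#8ec843"}
SCORE_LABEL = {0: "no detection", 1: "partial detection", 2: "detected"}


def build_layer(name, coverage, domain="enterprise-attack"):
    """Return a Navigator layer (as a dict) with one entry per technique."""
    techniques = []
    for technique_id, score in sorted(coverage.items()):
        if score not in SCORE_COLOUR:
            raise ValueError(f"unknown coverage score {score!r} for {technique_id}")
        techniques.append({
            "techniqueID": technique_id,
            "score": score,
            "color": SCORE_COLOUR[score],
            "comment": SCORE_LABEL[score],
            "enabled": True,
        })
    return {
        "name": name,
        # Assumed version strings; adjust to your Navigator deployment.
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": domain,
        "description": "Detection coverage generated from an analyst-maintained mapping",
        "techniques": techniques,
        "gradient": {"colors": list(SCORE_COLOUR.values()), "minValue": 0, "maxValue": 2},
        "legendItems": [
            {"label": label, "color": SCORE_COLOUR[score]}
            for score, label in SCORE_LABEL.items()
        ],
    }


def coverage_gaps(layer):
    """Technique IDs in a layer whose score is 0, i.e. nothing detects the technique."""
    return [t["techniqueID"] for t in layer["techniques"] if t["score"] == 0]


def write_layer(layer, path):
    """Write the layer as JSON so it can be opened via Navigator's 'Open Existing Layer'."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(layer, fh, indent=2)


if __name__ == "__main__":
    layer = build_layer("Detection coverage (sample)", SAMPLE_COVERAGE)
    write_layer(layer, "coverage-layer.json")
    print("techniques with no detection:", coverage_gaps(layer))
```

The point of keeping the mapping in a plain dict is that it can be regenerated from a detection rule repository on every change, so the Navigator view never drifts from what is actually deployed; the `coverage_gaps` list is what a blue team would compare against the techniques a tracked group (such as the G0008 layer linked above) is known to use.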
[Question 3.1] Only blue teamers will use the ATT&CK Matrix? (Yay/Nay)
Answer: Nay
[Question 3.2] What is the ID for this technique?
Answer: T1566
[Question 3.3] Based on this technique, what mitigation covers identifying social engineering techniques?
Answer: User Training
[Question 3.4] There are other possible areas for detection for this technique, which occurs after what other technique?
Answer: User Execution
[Question 3.5] What group has used spear phishing in their campaigns?
Answer: Dragonfly
[Question 3.6] Based on the information for this group, what are their associated groups?
Answer: TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear
[Question 3.7] What tool is attributed to this group to transfer tools or files from one host to another within a compromised environment?
Answer: PsExec
[Question 3.8] Based on the information about this tool, what group used a customized version of it?
Answer: FIN5
[Question 3.9] This group has been active since what year?
Answer: 2008
[Question 3.10] Instead of Mimikatz, what OS Credential Dumping tool does this group use?
Answer: Windows Credential Editor
CAR (Cyber Analytics Repository) — Concentrated on delivering a set of confirmed and well-explained analytics.
[Question 4.1] For the above analytic, what is the pseudocode a representation of?
Answer: Splunk Search
[Question 4.2] What tactic has an ID of TA0003?
Answer: Persistence
[Question 4.3] What is the name of the library that is a collection of Zeek (BRO) scripts?
Answer: BZAR
[Question 4.4] What is the name of the technique for running executables with the same hash and different names?
Answer: Masquerading
[Question 4.5] Examine CAR-2013–05–004, what additional information is provided to analysts to ensure coverage for this technique?
Answer: Unit Tests
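CAR expresses each analytic as pseudocode plus implementations (a Splunk search, for example). To make the idea concrete, here is an added example, not code from the room or from MITRE CAR, that implements the logic behind the Masquerading analytic from question 4.4 in plain Python: group process-creation events by file hash and flag any hash that has run under more than one file name. The event fields are a simplified Sysmon-style layout and the events and hash values are constructed; one constructed pair also shows the sethc.exe/cmd.exe pattern that the APT3 emulation plan uses under Persistence.

```python
"""Analytic: one file hash executed under several different file names.

Added example, not code from the room or from MITRE CAR. It implements the
logic of the Masquerading analytic (question 4.4) over process-creation events;
CAR itself states the analytic as pseudocode with, e.g., a Splunk search.
Event fields are a simplified Sysmon EventID 1 style layout; all values are constructed.
"""
from collections import defaultdict

# Constructed process-creation events. Hash values are fake placeholders.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe", "hash": "AAAA1111", "user": "SYSTEM"},
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe", "hash": "AAAA1111", "user": "SYSTEM"},
    {"host": "ws02", "image": r"C:\Users\bob\AppData\Local\Temp\updater.exe", "hash": "BBBB2222", "user": "bob"},
    {"host": "ws02", "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "hash": "BBBB2222", "user": "bob"},
    {"host": "ws03", "image": r"C:\Windows\System32\cmd.exe", "hash": "CCCC3333", "user": "alice"},
    {"host": "ws03", "image": r"C:\Windows\System32\sethc.exe", "hash": "CCCC3333", "user": "SYSTEM"},
    {"host": "ws04", "image": r"C:\Windows\System32\notepad.exe", "hash": "", "user": "alice"},
]


def basename(path):
    """File name part of a Windows or POSIX path, lower-cased so case differences do not split groups."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_hash_name_conflicts(events, min_names=2):
    """Return {hash: sorted file names} for every hash seen under at least min_names distinct names."""
    names_by_hash = defaultdict(set)
    for ev in events:
        if not ev.get("hash"):
            continue  # hashing failed for this event; do not group such events under ""
        names_by_hash[ev["hash"]].add(basename(ev["image"]))
    return {h: sorted(n) for h, n in names_by_hash.items() if len(n) >= min_names}


def alerts_for(events, min_names=2):
    """One triage line per conflicting hash, naming the hosts involved."""
    conflicts = find_hash_name_conflicts(events, min_names)
    alerts = []
    for h, names in sorted(conflicts.items()):
        hosts = sorted({ev["host"] for ev in events if ev.get("hash") == h})
        alerts.append(f"hash {h} ran as {', '.join(names)} on {', '.join(hosts)}")
    return alerts


if __name__ == "__main__":
    for line in alerts_for(SAMPLE_EVENTS):
        print(line)
```

Two details matter in practice and are the reason the logic is not just "group by hash": events with an empty hash field are skipped rather than lumped together, since otherwise every hashing failure would produce a false conflict, and file names are compared case-insensitively because NTFS is case-insensitive and an adversary gains nothing from `SVCHOST.EXE` versus `svchost.exe`. The same grouping is what the CAR unit tests (question 4.5) let you verify against known-good and known-bad event samples before deploying the search.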
Shield Active Defense — A knowledge base of common tactics and techniques that helps professionals take proactive steps to defend their networks and assets, and from which active defensive game plans can be built to handle specific attackers.
- MITRE ENGAGE has replaced MITRE SHIELD
- Despite the fact that it has been archived, it is useful to grasp the concept behind it.
MITRE SHIELD — It is mostly intended for practitioner-friendly discussions of the TTPs available to defenders. Although it is quite similar to the ATT&CK Matrix, the tactics and techniques presented allow us to trap and/or interact with an adversary active within the network.
[Question 5.1] Which Shield tactic has the most techniques?
Answer: Detect
[Question 5.2] Is the technique ‘Decoy Credentials’ listed under the tactic from question #1? (Yay/Nay)
Answer: Yay
[Question 5.3] Explore DTE0011, what is the ID where a defender can plant artifacts on a system to make it look like a virtual machine to the adversary?
Answer: DUC0234
[Question 5.4] Based on the above use case, what is its ATT&CK Technique mapping?
Answer: T1497
[Question 5.5] Continuing from the previous question, look at the information for the ATT&CK Technique, what 2 programs are listed that adversaries will check for? (answer format: PROGRAM_1 and PROGRAM_2)
Answer: Sysinternals and Wireshark
Tool — MITRE Engenuity
https://mitre-engenuity.org/
It assesses cybersecurity solutions using an open methodology based on the ATT&CK® knowledge base.
MITRE established a new organization called The Center for Threat-Informed Defense (CTID). This association is made up of diverse companies and providers from all over the world. Their goal is to do research on cyber threats and their TTPs (Tactics, Techniques, Procedures) and to disseminate this data in order to better cyber protection for everyone.
- It enhances our collective ability to prevent, detect, and respond to cyber threats.
[Question 6.1] How many phases does the APT3 Emulation Plan consist of?
Answer: 3
[Question 6.2] Under Persistence, what binary was replaced with cmd.exe?
Answer: sethc.exe
[Question 6.3] Examining APT29, what 2 tools were used to execute the first scenario?
Answer: Pupy and Metasploit
[Question 6.4] What tool was used to execute the second scenario?
Answer: PoshC2
Threat Intelligence (TI) or Cyber Threat Intelligence (CTI) — Information, or TTPs, attributed to the adversary.
Open Source Method: https://www.crowdstrike.com/
[Question 7.1] What is a group that targets your sector who has been in operation since at least 2013?
Answer: APT33
[Question 7.2] Does this group use Stuxnet? (Yay/Nay)
Answer: Nay
[Question 7.3] As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?
Answer: Cloud Accounts
[Question 7.4] What tool is associated with this technique?
Answer: Ruler
[Question 7.5] Per the detection tip, what should you be detecting?
Answer: Abnormal or malicious Behavior
[Question 7.6] What platforms does this affect?
Answer: Azure AD, Google Workspace, IaaS, Office 365, SaaS
CONCLUSION
Even though this room focuses on foundational knowledge altogether, it is very practical and applicable in a professional context because most organizations have implemented MITRE ATT&CK within their workplace. It is also crucial to have this knowledge, whether you are on the Blue or Red team, because it helps you comprehend the adversary’s perspective on how things function to bypass the controls.
Cheers! :)