MITRE TryHackme Write-Up

Shamsher khan
3 min read · May 21, 2021

By Shamsher khan. This is a write-up of the TryHackMe room “MITRE”.

Tasks 1 & 2 are simple click-and-complete tasks.

Task 3

Question 1: Only blue teamers will use the ATT&CK Matrix? (Yay/Nay)

Nay

Question 2: What is the ID for this technique?

T1566

Question 3: Based on this technique, what mitigation covers identifying social engineering techniques?

User Training

Question 4: There are other possible areas for detection for this technique, which occurs after what other technique?

User Execution

Question 5: What group has used spear phishing in their campaigns?

Dragonfly

Question 6: Based on the information for this group, what are their associated groups?

TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear

Question 7: What tool is attributed to this group to transfer tools or files from one host to another within a compromised environment?

PsExec

Question 8: Based on the information about this tool, what group used a customized version of it?

FIN5

Question 9: This group has been active since what year?

2008

Question 10: Instead of Mimikatz, what OS Credential Dumping tool does this group use?

Windows Credential Editor

Task 4

Question 1: For the above analytic, what is the pseudocode a representation of?

Splunk search

Question 2: What tactic has an ID of TA0003?

Persistence

Question 3: What is the name of the library that is a collection of Zeek (BRO) scripts?

BZAR

Question 4: What is the name of the technique for running executables with the same hash and different names?

Masquerading

Question 5: Examine CAR-2013-05-004, what additional information is provided to analysts to ensure coverage for this technique?

Unit Tests

Task 5

Question 1: Which Shield tactic has the most techniques?

Detect

Question 2: Is the technique ‘Decoy Credentials’ listed under the tactic from question #1? (Yay/Nay)

Yay

Question 3: Explore DTE0011, what is the ID for the use case where a defender can plant artifacts on a system to make it look like a virtual machine to the adversary?

DUC0234

Question 4: Based on the above use case, what is its ATT&CK® Technique mapping?

T1497

Question 5: Continuing from the previous question, look at the information for this ATT&CK® Technique, what 2 programs are listed that adversaries will check for?

Sysinternals and Wireshark

Task 6

Question 1: How many phases does the APT3 Emulation Plan consist of?

3

Question 2: Under Persistence, what binary was replaced with cmd.exe?

sethc.exe

Question 3: Examining APT29, what 2 tools were used to execute the first scenario?

Pupy and Meterpreter

Question 4: What tool was used to execute the second scenario?

PoshC2

Question 5: Where can you find step-by-step instructions to execute both scenarios?

ATT&CK Arsenal

Task 7

Question 1: What is a group that targets your sector who has been in operation since at least 2013?

APT33

Question 2: Does this group use Stuxnet? (Yay/Nay)

Nay

Question 3: As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?

Cloud Accounts

Question 4: What tool is associated with this technique?

Ruler

Question 5: Per the detection tip, what should you be detecting?

Abnormal or malicious behavior

Question 6: What platforms does this affect?

AWS, Azure, Azure AD, GCP, Office 365, SaaS


Written by Shamsher khan

https://tryhackme.com/p/Shamsher
