MITRE TryHackme Write-Up
By Shamsher Khan. This is a write-up of the TryHackMe room "MITRE".
TASK 1 & 2 are simple click-and-complete tasks (read the text, press Complete).
TASK 3: ATT&CK Framework
Question 1: Only blue teamers will use the ATT&CK Matrix? (Yay/Nay)
Question 2: What is the ID for this technique?
Question 3: Based on this technique, what mitigation covers identifying social engineering techniques?
Question 4: There are other possible areas for detection for this technique, which occurs after what other technique?
Question 5: What group has used spear phishing in their campaigns?
Dragonfly
Question 6: Based on the information for this group, what are their associated groups?
TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear
Question 7: What tool is attributed to this group to transfer tools or files from one host to another within a compromised environment?
Question 8: Based on the information about this tool, what group used a customized version of it?
Question 9: This group has been active since what year?
Question 10: Instead of Mimikatz, what OS Credential Dumping tool does this group use?
Windows Credential Editor
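The lookups in this task (a group's associated groups, the software it uses, which other groups use the same software) can be answered offline from the ATT&CK STIX 2 bundle instead of clicking through the site. The script below is an added example, not part of the room or the write-up: it runs the same queries against a hand-built bundle whose object ids, the two tool names and the second group are placeholders (only the Dragonfly aliases are taken from the write-up). Pointing the functions at the real enterprise-attack.json works because the object types, the `aliases` field and the `uses` relationships have the same shape.

```python
"""Answer ATT&CK group/software questions from a STIX 2 bundle.

Added example. The BUNDLE below is constructed to mimic enterprise-attack.json;
ids, "example-*" names and "Placeholder Group" are hypothetical.
"""
import json

BUNDLE = json.loads("""
{
 "type": "bundle",
 "objects": [
  {"type": "intrusion-set", "id": "intrusion-set--0001", "name": "Dragonfly",
   "aliases": ["Dragonfly", "TG-4192", "Crouching Yeti", "IRON LIBERTY", "Energetic Bear"]},
  {"type": "intrusion-set", "id": "intrusion-set--0002", "name": "Placeholder Group",
   "aliases": ["Placeholder Group"]},
  {"type": "intrusion-set", "id": "intrusion-set--0003", "name": "Old Group",
   "aliases": ["Old Group"], "revoked": true},
  {"type": "tool", "id": "tool--0001", "name": "example-lateral-tool"},
  {"type": "tool", "id": "tool--0002", "name": "example-dumper"},
  {"type": "relationship", "id": "relationship--0001", "relationship_type": "uses",
   "source_ref": "intrusion-set--0001", "target_ref": "tool--0001"},
  {"type": "relationship", "id": "relationship--0002", "relationship_type": "uses",
   "source_ref": "intrusion-set--0002", "target_ref": "tool--0001"},
  {"type": "relationship", "id": "relationship--0003", "relationship_type": "uses",
   "source_ref": "intrusion-set--0003", "target_ref": "tool--0002"},
  {"type": "relationship", "id": "relationship--0004", "relationship_type": "uses",
   "source_ref": "intrusion-set--0001", "target_ref": "tool--0002", "revoked": true}
 ]
}
""")


def _live(obj):
    """Real ATT&CK bundles keep revoked/deprecated objects; skip them."""
    return not obj.get("revoked") and not obj.get("x_mitre_deprecated")


def index_by_id(bundle):
    """Map every live object id to the object."""
    return {o["id"]: o for o in bundle["objects"] if _live(o)}


def _uses(objs):
    """Yield live 'uses' relationships whose endpoints are live objects."""
    for o in objs.values():
        if (o["type"] == "relationship" and o.get("relationship_type") == "uses"
                and o["source_ref"] in objs and o["target_ref"] in objs):
            yield o


def aliases_of(bundle, group_name):
    """Associated group names (the ATT&CK 'Associated Groups' box), excluding the name itself."""
    for o in index_by_id(bundle).values():
        if o["type"] == "intrusion-set" and o["name"] == group_name:
            return [a for a in o.get("aliases", []) if a != group_name]
    return []


def software_used_by(bundle, group_name):
    """Sorted tool/malware names the group has a 'uses' relationship to."""
    objs = index_by_id(bundle)
    gids = {i for i, o in objs.items()
            if o["type"] == "intrusion-set" and o["name"] == group_name}
    return sorted({objs[r["target_ref"]]["name"] for r in _uses(objs)
                   if r["source_ref"] in gids
                   and objs[r["target_ref"]]["type"] in ("tool", "malware")})


def groups_using(bundle, software_name):
    """Sorted group names with a 'uses' relationship to the named tool/malware."""
    objs = index_by_id(bundle)
    sids = {i for i, o in objs.items()
            if o["type"] in ("tool", "malware") and o["name"] == software_name}
    return sorted({objs[r["source_ref"]]["name"] for r in _uses(objs)
                   if r["target_ref"] in sids
                   and objs[r["source_ref"]]["type"] == "intrusion-set"})


if __name__ == "__main__":
    print("Associated groups:", aliases_of(BUNDLE, "Dragonfly"))
    print("Software used:", software_used_by(BUNDLE, "Dragonfly"))
    print("Groups using example-lateral-tool:", groups_using(BUNDLE, "example-lateral-tool"))
```

The `revoked` filter matters on the real bundle: ATT&CK keeps old group and relationship objects around after a merge, and without the filter a naive join reports groups and tools that the website no longer shows.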
TASK 4: CAR Knowledge Base
Question 1: For the above analytic, what is the pseudocode a representation of?
Question 2: What tactic has an ID of TA0003?
Persistence
Question 3: What is the name of the library that is a collection of Zeek (BRO) scripts?
BZAR
Question 4: What is the name of the technique for running executables with the same hash and different names?
Masquerading
Question 5: Examine CAR-2013-05-004, what additional information is provided to analysts to ensure coverage for this technique?
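CAR analytics are written as pseudocode over a data model (process events with an image path and file hash), and the Masquerading case from Question 4 is a good one to implement: group process-creation events by file hash and flag any hash that ran under more than one file name. The script below is an added example, not a CAR analytic or code from the room; the events are constructed, the hashes are shortened placeholders, and the fields (`host`, `image`, `sha256`, `user`) are assumed names for whatever your EDR or Sysmon Event ID 1 pipeline actually emits.

```python
"""Flag executables that ran under several names (Masquerading).

Added example over constructed Sysmon-style process-creation events; field names
and hash values are placeholders, not real telemetry.
"""
import ntpath
from collections import defaultdict

# Constructed sample events. "aaa..." is one binary seen as cmd.exe and as a
# svchost.exe dropped in a user temp dir; "bbb..." is the real svchost.exe seen
# with different path casing only; "ccc..." is a tool that kept its name.
EVENTS = [
    {"host": "ws01", "user": "alice", "sha256": "aaa...",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws01", "user": "alice", "sha256": "aaa...",
     "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"host": "ws02", "user": "SYSTEM", "sha256": "bbb...",
     "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws02", "user": "SYSTEM", "sha256": "bbb...",
     "image": r"c:\windows\system32\SVCHOST.EXE"},
    {"host": "ws03", "user": "bob", "sha256": "ccc...",
     "image": r"C:\Tools\PsExec.exe"},
    {"host": "ws04", "user": "bob", "sha256": "ccc...",
     "image": r"D:\stage\PsExec.exe"},
]


def _basename(image):
    """Windows basename, case-folded so NTFS case differences are not 'different names'."""
    return ntpath.basename(image).casefold()


def find_renamed_executables(events):
    """Return {sha256: {"names": [...], "hosts": [...]}} for hashes seen under
    more than one distinct file name. Path changes alone (same name, different
    directory or casing) are not reported; that is a separate, noisier analytic."""
    names = defaultdict(set)
    hosts = defaultdict(set)
    for ev in events:
        names[ev["sha256"]].add(_basename(ev["image"]))
        hosts[ev["sha256"]].add(ev["host"])
    return {h: {"names": sorted(n), "hosts": sorted(hosts[h])}
            for h, n in names.items() if len(n) > 1}


def explain(findings):
    """One analyst-readable line per hit, for a ticket or a Slack alert."""
    return [f"hash {h} ran as {', '.join(f['names'])} on {', '.join(f['hosts'])}"
            for h, f in sorted(findings.items())]


if __name__ == "__main__":
    for line in explain(find_renamed_executables(EVENTS)):
        print(line)
```

Run this against a day of process-creation events and expect some benign hits (installers that copy a signed helper under a new name, per-user copies of updaters), so the next step in a real deployment is an allowlist keyed on hash plus the set of names, not on name alone.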
TASK 5: MITRE Shield
Question 1: Which Shield tactic has the most techniques?
Question 2: Is the technique ‘Decoy Credentials’ listed under the tactic from question #1? (Yay/Nay)
Question 3: Explore DTE0011, what is the ID for the use case where a defender can plant artifacts on a system to make it look like a virtual machine to the adversary?
Question 4: Based on the above use case, what is its ATT&CK® Technique mapping?
T1497 (Virtualization/Sandbox Evasion)
Question 5: Continuing from the previous question, look at the information for this ATT&CK® Technique, what 2 programs are listed that adversaries will check for?
Sysinternals and Wireshark
TASK 6: ATT&CK® Emulation Plans
Question 1: How many phases does the APT3 Emulation Plan consist of?
Question 2: Under Persistence, what binary was replaced with cmd.exe?
Question 3: Examining APT29, what 2 tools were used to execute the first scenario?
Pupy and Meterpreter
Question 4: What tool was used to execute the second scenario?
Question 5: Where can you find step-by-step instructions to execute both scenarios?
TASK 7: ATT&CK® and Threat Intelligence
Question 1: What is a group that targets your sector who has been in operation since at least 2013?
Question 2: Does this group use Stuxnet? (Yay/Nay)
Question 3: As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?
Question 4: What tool is associated with this technique?
Question 5: Per the detection tip, what should you be detecting?
Abnormal or malicious behavior
Question 6: What platforms does this affect?
AWS, Azure, Azure AD, GCP, Office 365, SaaS
Written by Shamsher Khan
For more walkthroughs, stay tuned…
Before you go…
Visit my other walkthroughs:
Thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button (up to 40x) and share it to help others with similar interests! Feedback is always welcome!