MITRE TryHackme Write-Up

By Shamsher khna This is a Writeup of Tryhackme room “MITRE”

TASK 1 & 2 are simple click and complete tasks

TASK 3

Question 1: Only blue teamers will use the ATT&CK Matrix? (Yay/Nay)

Nay

Question 2: What is the ID for this technique?

T1566

Question 3: Based on this technique, what mitigation covers identifying social engineering techniques?

User Training

Question 4: There are other possible areas for detection for this technique, which occurs after what other technique?

User Execution

Question 5: What group has used spear phishing in their campaigns?

Dragonfly

Question 6: Based on the information for this group, what are their associated groups?

TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear

Question 7: What tool is attributed to this group to transfer tools or files from one host to another within a compromised environment?

PsExec

Question 8: Based on the information about this tool, what group used a customized version of it?

FIN5

Question 9: This group has been active since what year?

2008

Question 10:Instead of Mimikatz, what OS Credential Dumping tool is does this group use?

Windows Credential Editor

Task 4

Question 1: For the above analytic, what is the pseudocode a representation of?

Splunk search

Question 2: What tactic has an ID of TA0003?

Persistence

Question 3: What is the name of the library that is a collection of Zeek (BRO) scripts?

BZAR

Question 4: What is the name of the technique for running executables with the same hash and different names?

Masquerading

Question 5: Examine CAR-2013–05–004, what additional information is provided to analysts to ensure coverage for this technique?

Unit Tests

Task 5

Question 1:Which Shield tactic has the most techniques?

Detect

Question 2: Is the technique ‘Decoy Credentials’ listed under the tactic from question #1? (Yay/Nay)

Yay

Question 3: Explore DTE0011, what is the ID for the use case where a defender can plant artifacts on a system to make it look like a virtual machine to the adversary?

DUC0234

Question 4: Based on the above use case, what is its ATT&CK® Technique mapping?

T1497

Question 5:Continuing from the previous question, look at the information for this ATT&CK® Technique, what 2 programs are listed that adversary’s will check for?

Sysinternals and Wireshark

Task 6

Question 1: How many phases does APT3 Emulation Plan consists of?

3

Question 2: Under Persistence, what binary was replaced with cmd.exe?

sethc.exe

Question 3: Examining APT29, what 2 tools were used to execute the first scenario?

Pupy and Meterpreter

Question 4: What tool was used to execute the second scenario?

PoshC2

Question 5: Where can you find step-by-step instructions to execute both scenarios?

ATT&CK Arsenal

Task 7

Question 1: What is a group that targets your sector who has been in operation since at least 2013?

APT33

Question 2: Does this group use Stuxnet? (Yay/Nay)

Nay

Question 3: As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?

Cloud Accounts

Question 4: What tool is associated with this technique?

Ruler

Question 5: Per the detection tip, what should you be detecting?

Abnormal or malicious behavior

Question 6: What platforms does this affect?

AWS, Azure, Azure AD, GCP, Office 365, SaaS

follow on LinkedIn Instagram Twitter

Written by Shamsher khan

For more walkthroughs stay tuned…
Before you go…

Visit my other walkthrough’s:-

and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!