TryHackMe MITRE Room-Task 3 ATT&CK® Framework

Haircutfish
9 min read · Nov 26, 2022

If you haven’t done Tasks 1 & 2 yet, here is the link to my write-up of them: Task 1 Introduction to MITRE & Task 2 Basic Terminology.

Task 3 ATT&CK® Framework

What is the ATT&CK® framework? According to the website, “MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” In 2013, MITRE began to address the need to record and document the common TTPs (Tactics, Techniques, and Procedures) that APT (Advanced Persistent Threat) groups used against enterprise Windows networks. This started with an internal project known as FMX (Fort Meade Experiment). Within this project, selected security professionals were tasked with emulating adversarial TTPs against a network, and data was collected from the attacks on that network. The gathered data helped construct the beginning pieces of what we know today as the ATT&CK® framework.

The ATT&CK® framework has grown and expanded throughout the years. One notable expansion: the framework originally focused solely on the Windows platform, but it now covers other platforms, such as macOS and Linux. The framework is heavily contributed to by many sources, such as security researchers and threat intelligence reports. Note that this is not only a tool for blue teamers. The tool is also useful for red teamers.

If you haven’t done so, navigate to the ATT&CK® website.

Direct your attention to the bottom of the page to view the ATT&CK® Matrix for Enterprise. Across the top of the matrix, there are 14 categories, one per tactic (the adversary’s goal at that stage). Each category contains the techniques an adversary could use to achieve the tactic. The categories cover the seven-stage Cyber Attack Lifecycle (credit Lockheed Martin for the Cyber Kill Chain).

(ATT&CK Matrix v11.2)

Under Initial Access, there are 9 techniques. Some of the techniques have sub-techniques, such as Phishing.

If we click on the gray bar to the right, a new layer appears listing the sub-techniques.

To get a better understanding of this technique and its associated sub-techniques, click on Phishing.

We have been directed to a page dedicated to the technique known as Phishing and all related information regarding the technique, such as a brief description, Procedure Examples, and Mitigations.

You can alternatively resort to using the Search feature to retrieve all associated information regarding a given technique, sub-technique, and/or group.

Lastly, the same data can be viewed via the MITRE ATT&CK® Navigator: “The ATT&CK® Navigator is designed to provide basic navigation and annotation of ATT&CK® matrices, something that people are already doing today in tools like Excel. We’ve designed it to be simple and generic — you can use the Navigator to visualize your defensive coverage, your red/blue team planning, the frequency of detected techniques, or anything else you want to do.”

You can access the Navigator view when visiting a group or tool page. The ATT&CK® Navigator Layers button will be available.

In the sub-menu, select view.

Let’s get acquainted with this tool. Click here to view the ATT&CK® Navigator for Carbanak.

At the top left, there are 3 sets of controls: selection controls, layer controls, and technique controls. I encourage you to inspect each of the options under each control to get familiar with them. The question mark at the far right will provide additional information regarding the navigator.

To summarize, we can use the ATT&CK Matrix to map a threat group to its tactics and techniques. There are various ways the search can be initiated.

The questions below will help you become more familiar with ATT&CK®. It is recommended to start answering the questions from the Phishing page. Note that this link is for version 8 of the ATT&CK Matrix.

Answer the questions below

Besides blue teamers, who else will use the ATT&CK Matrix?

Since the answer can be found above, I won’t be posting it. You can follow along to learn and discover where they are located.

The answer can be found in the second paragraph of this task, in the last sentence. Once you find it, highlight & copy (ctrl +c ) or type the answer into the TryHackMe answer field, then click submit.

What is the ID for this technique?

The technique the question is talking about is the one mentioned above, Phishing. So you can find the answer above, but that isn’t fun and doesn’t help you learn to navigate the MITRE ATT&CK site. Let us use the MITRE ATT&CK site to find Phishing and get the answer to this question. I’ve given the link twice above; if you hold the ctrl key on the keyboard and click the link, it will open a new tab to the link you clicked on. So, holding ctrl, click the MITRE ATT&CK link. A new tab will open with the page; click on the tab.

Once on the page, scroll down till you see the ATT&CK Matrix for Enterprise. There is a lot here, but go to the Initial Access column. Look down through it till you see Phishing; once you see it, click on it.

You will be brought to the Phishing technique page. On the right side of the page is a small box, within which is useful information. One piece of that useful information is the answer to this question. Once you find it, highlight & copy (ctrl +c ) or type the answer into the TryHackMe answer field, then click submit.

Answer: T1566

Based on this technique, what mitigation covers identifying social engineering techniques?

Go back to the MITRE ATT&CK Phishing Technique page, now scroll down till you find the Mitigation table.

Once at the Mitigations table, read through the different mitigation tactics till you find the right one. Once you find it, highlight & copy (ctrl +c ) or type the answer into the TryHackMe answer field, then click submit.

Answer: User Training

What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)

Go back to the MITRE ATT&CK Phishing Technique page, now scroll down to the next table, Detection.

Once you get to the Detection table, look to the column labeled Data Source. The labels for each of these rows are the answers. Make sure that as you put them into the answer field on TryHackMe you do not put any spaces between the data sources, just a comma, so that it looks like this: data source1,data source2,data source3.

Answer: Application Log,File,Network Traffic

What groups have used spear-phishing in their campaigns? (format: group1,group2)

Go back to the MITRE ATT&CK Phishing Technique page and scroll up till you reach the Procedure Examples table. The answers to the question are in the Name column. To figure out which are groups, look at the ID: if it starts with a G it is a group, and if it starts with an S it is software. You are going to type the answer into the TryHackMe answer field the same way as in the previous question: no spaces between groups, with a comma separating them, group1,group2.

Answer: Axiom,GOLD SOUTHFIELD

Based on the information for the first group, what are their associated groups?

Going back to the MITRE ATT&CK site, look at the Procedure Examples table again. Click on the first name link in the table; this will take you to the group page.

When the page loads, look to the small box on the right of the page with information in it. The key piece of information that is also the answer is located in this box. Once you find it, highlight & copy (ctrl +c ) or type the answer into the TryHackMe answer field, then click submit.

Answer: Group 72

What software is associated with this group that lists phishing as a technique?

Going back to the group page, this time we are going to use the find feature of the browser. On your keyboard, press ctrl + f, and a search bar should drop down at the top. In that search bar, type Phishing.

As we can see, we have three hits on this page. Now you can press the right arrow to step through the different places Phishing appears on this page. The first two are in the Techniques table; the last is in the Software table, which is where we want to be looking. Once you get to the Software table, you will see why we used the find feature: I doubt you want to search through all of that text for Phishing. Once you find it, highlight & copy (ctrl +c ) or type the answer into the TryHackMe answer field, then click submit.

Answer: Hikit

What is the description for this software?

Going back to where you got the answer for the previous question, click on the name of the software; this will take you to the software’s MITRE ATT&CK page.

Now that you are on the Hikit page, there is a description underneath the name. You will need to highlight & copy (ctrl+c) the whole thing, then paste it into the TryHackMe answer field, then click submit.

Answer: Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.

This group overlaps (slightly) with which other group?

Time to backtrack a bit. From the Hikit page, press the back button in the top left corner of your browser. This will take you back to the Axiom group page. Read through the description of this group; the answer can be found in the final sentence of the paragraph. Once you find it, highlight & copy (ctrl +c ) or type the answer into the TryHackMe answer field, then click submit.

Answer: Winnti Group

How many techniques are attributed to this group?

At first you may think they are talking about the group you just discovered, but they are talking about Axiom. So scroll down to the Techniques table and count the number of times you see Enterprise in the Domain column; this will be your answer. Type it into the answer field on TryHackMe, and click submit.
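Every lookup in the questions above (technique ID, mitigations, data sources, groups and software using the technique, a group’s associated names, its technique count) is a walk over the same cross-references the website renders, and the Navigator layer described earlier is just those cross-references written out as JSON. The Python below is an added example; it is not part of this write-up or of MITRE’s own tooling. It builds a constructed, abridged bundle in the shape of ATT&CK’s published enterprise-attack.json (the STIX ids are placeholders rather than real UUIDs, and the “Retired Group” object is invented to show the revoked filter; the real bundle lives in MITRE’s attack-stix-data GitHub repository), walks the uses/mitigates relationships to reproduce the answers, and emits a Navigator layer. The layer version strings are assumed for the v11 matrix shown above.

```python
import json

# --- Constructed, abridged bundle in the shape of enterprise-attack.json -------------------
# STIX ids are placeholders, not real UUIDs. ATT&CK ids/names are the ones the walkthrough
# lands on. One revoked group (placeholder id G0000) is included because ATT&CK keeps
# revoked/deprecated objects in the bundle while the website hides them.
def obj(kind, sid, name, attack_id, **extra):
    return {"type": kind, "id": f"{kind}--{sid}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": attack_id}], **extra}

def rel(kind, src, dst):
    return {"type": "relationship", "relationship_type": kind, "source_ref": src, "target_ref": dst}

SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    obj("attack-pattern", "t1566", "Phishing", "T1566",
        kill_chain_phases=[{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
        x_mitre_data_sources=["Application Log: Application Log Content", "File: File Creation",
                              "Network Traffic: Network Traffic Flow",
                              "Network Traffic: Network Traffic Content"]),
    obj("intrusion-set", "g0001", "Axiom", "G0001", aliases=["Axiom", "Group 72"]),
    obj("intrusion-set", "g0115", "GOLD SOUTHFIELD", "G0115", aliases=["GOLD SOUTHFIELD"]),
    obj("intrusion-set", "old", "Retired Group", "G0000", revoked=True),  # constructed, must be filtered
    obj("malware", "s0009", "Hikit", "S0009"),
    obj("course-of-action", "m1017", "User Training", "M1017"),
    rel("uses", "intrusion-set--g0001", "attack-pattern--t1566"),
    rel("uses", "intrusion-set--g0115", "attack-pattern--t1566"),
    rel("uses", "intrusion-set--old", "attack-pattern--t1566"),
    rel("uses", "intrusion-set--g0001", "malware--s0009"),
    rel("uses", "malware--s0009", "attack-pattern--t1566"),
    rel("mitigates", "course-of-action--m1017", "attack-pattern--t1566"),
]}

class AttackBundle:
    """Index a bundle so the cross-references the website renders can be walked directly."""

    def __init__(self, bundle):
        live = [o for o in bundle["objects"] if not (o.get("revoked") or o.get("x_mitre_deprecated"))]
        self.by_id = {o["id"]: o for o in live if o["type"] != "relationship"}
        # Keep only relationships whose both endpoints survived the revoked/deprecated filter.
        self.rels = [r for r in live if r["type"] == "relationship"
                     and r["source_ref"] in self.by_id and r["target_ref"] in self.by_id]

    @staticmethod
    def attack_id(node):
        """T/G/S/M ids live in external_references, not in the STIX id."""
        return next((r["external_id"] for r in node.get("external_references", [])
                     if r.get("source_name") == "mitre-attack"), None)

    def find(self, attack_id):
        return next(o for o in self.by_id.values() if self.attack_id(o) == attack_id)

    def related(self, node, rel_type, other_type, incoming):
        """Objects of other_type joined to node by rel_type; incoming=True means they point at node."""
        mine, theirs = ("target_ref", "source_ref") if incoming else ("source_ref", "target_ref")
        return [self.by_id[r[theirs]] for r in self.rels
                if r["relationship_type"] == rel_type and r[mine] == node["id"]
                and self.by_id[r[theirs]]["type"] == other_type]

def technique_summary(ab, tid):
    """The technique page's side box and tables: tactics, mitigations, data sources, groups."""
    t = ab.find(tid)
    sources = []  # the data source name is the part before the colon; dedupe, keep order
    for ds in t.get("x_mitre_data_sources", []):
        name = ds.split(":")[0].strip()
        if name not in sources:
            sources.append(name)
    return {"id": tid, "name": t["name"],
            "tactics": [p["phase_name"] for p in t.get("kill_chain_phases", [])],
            "mitigations": sorted(m["name"] for m in ab.related(t, "mitigates", "course-of-action", True)),
            "data_sources": sources,
            "groups": sorted(g["name"] for g in ab.related(t, "uses", "intrusion-set", True))}

def group_detail(ab, gid, tid):
    """The group page: associated names, technique count, and its software that itself lists tid."""
    g = ab.find(gid)
    software = ab.related(g, "uses", "malware", False) + ab.related(g, "uses", "tool", False)
    return {"aliases": [a for a in g.get("aliases", []) if a != g["name"]],
            "technique_count": len(ab.related(g, "uses", "attack-pattern", False)),
            "software_using": [s["name"] for s in software
                               if any(ab.attack_id(t) == tid
                                      for t in ab.related(s, "uses", "attack-pattern", False))]}

def navigator_layer(ab, gid, color="#e60d0d"):
    """A Navigator layer file marking the group's techniques; version strings assumed for ATT&CK v11."""
    g = ab.find(gid)
    entries = [{"techniqueID": ab.attack_id(t), "tactic": phase["phase_name"], "score": 1,
                "color": color, "comment": "", "enabled": True, "showSubtechniques": False}
               for t in ab.related(g, "uses", "attack-pattern", False)
               for phase in t.get("kill_chain_phases", [])]
    return {"name": f"{g['name']} ({gid})", "domain": "enterprise-attack",
            "versions": {"attack": "11", "navigator": "4.6.4", "layer": "4.3"},
            "techniques": entries}

if __name__ == "__main__":
    ab = AttackBundle(SAMPLE_BUNDLE)
    print(json.dumps(technique_summary(ab, "T1566"), indent=2))
    print(json.dumps(group_detail(ab, "G0001", "T1566"), indent=2))
    print(json.dumps(navigator_layer(ab, "G0001"), indent=2))
```

To run it against the real data, pass `json.load(open("enterprise-attack.json"))` to `AttackBundle` instead of `SAMPLE_BUNDLE`. The revoked/deprecated filter is what keeps the technique count in line with the website’s Techniques table, since the bundle still carries superseded objects; the resulting layer file can be loaded into the Navigator through its open-existing-layer option to reproduce the group view the Navigator section describes.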

You have finished up this task, you can now move onto Task 4 CAR Knowledge Base & Task 5 MITRE Engage.

Haircutfish

Cyber Security Manager/IT Tech | Google IT Support Professional Certificate | Top 1% on TryHackMe | Aspiring SOC Analyst