Blue Team Labs Online — ATT&CK Write-Up [No Answers]

Stefan Bargan · 2 min read · Feb 3, 2024


ATT&CK Scenario — You are hired as a Blue Team member for a company. You are assigned to perform threat intelligence for the company. See how you can operationalize the MITRE ATT&CK framework to solve these scenario-based problems.


Your company heavily relies on cloud services like Azure AD, and Office 365 publicly. What technique should you focus on mitigating, to prevent an attacker performing Discovery activities if they have obtained valid credentials? (Hint: Not using an API to interact with the cloud environment!)

The answer will be one of the Techniques within Reconnaissance.

You were analyzing a log and found uncommon data flow on port 4050. What APT group might this be?

I am going to take the easy route here and just use the search function on the MITRE | ATT&CK website, searching for ‘4050’.

The framework has a list of 9 techniques that fall under the tactic of trying to get into your network. What is the tactic ID?

The question is pretty simple and easy to spot on the website, as there are only 2 Tactics with 9 different Techniques.

A piece of software prohibits users from accessing their account by deleting or locking the user account, changing the password, etc. What such software has been documented by the framework?

So this took a bit of searching, but it is clear that this might sound like ransomware. Here’s a link to the Software list.

Using the ‘Pass the Hash’ technique to enter and control remote systems on a network is common. How would you detect it in your company?

This one took a while to solve but I managed to find the correct answer under Pass the Hash.

Thank you for reading my story! If you enjoyed it, make sure to follow me for more content like this. Link to Blue Team Labs Online.

Stefan Bargan

Pursuing MSc in Cybercrime & Security | Cybersecurity Writer | Threat Intelligence Analyst