TryHackMe | MITRE Room Walkthrough 2022

You can find the room here.

Task 1: Introduction to MITRE

No answer needed

Task 2: Basic Terminology

No answer needed

Task 3: ATT&CK Framwork

Question 1: Besides blue teamers, who else will use the ATT&CK Matrix? 

Answer: Red Teamers

Question 2: What is the ID for this technique?

Answer: T1566

Question 3: Based on this technique, what mitigation covers identifying social engineering techniques?

Answer: User Training

Question 4: What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)

Answer: Application Log,File,Network Traffic

Question 5: What groups have used spear-phishing in their campaigns? (format: group1,group2)


Question 6: Based on the information for the first group, what are their associated groups?

Answer: Group 72

Question 7: What software is associated with this group that lists phishing as a technique?

Answer: Hikit

Question 8: What is the description for this software?

Answer: Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.

Question 9: This group overlaps (slightly) with which other group?

Answer: Winnti Group

Question 10: How many techniques are attributed to this group?

Answer: 15

Task 4: CAR Knowledge Base

Question 1: For the above analytic, what is the pseudocode a representation of?

Answer: Splunk Search

Question 2: What tactic has an ID of TA0003?

Answer: Persistence

Question 3: What is the name of the library that is a collection of Zeek (BRO) scripts?

Answer: BZAR

Question 4: What is the name of the technique for running executables with the same hash and different names?

Answer: Masquerading

Question 5: Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?

Answer: Unit Tests

Task 5: MITRE Engage

Question 1: Under Prepare, what is ID SAC0002?

Answer: Persona Creation

Question 2: What is the name of the resource to aid you with the engagement activity from the previous question?


Question 3: Which engagement activity baits a specific response from the adversary?

Answer: Lures

Question 4: What is the definition of Threat Model?

Answer: A risk assessment that models organizational strengths and weaknesses


Question 1: What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?

Answer: Data Obfuscation

Question 2: In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produces?

Answer: Outbound Internet Network Traffic

Task 7: ATT&CK Emulation Plans

Question 1: In Phase 1 for the APT3 Emulation Plan, what is listed first?

Answer: C2 Setup

Question 2: Under Persistence, what binary was replaced with cmd.exe?

Answer: sethc.exe

Question 3: Examining APT29, what  C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)

Answer: Pupy,Metasploit Framework

Question 4: What C2 framework is listed in Scenario 2 Infrastructure?

Answer: PoshC2

Question 5: Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)

Answer: P.A.S.,S0598

Task 8: ATT&CK and Threat Intelligence

Question 1: What is a group that targets your sector who has been in operation since at least 2013?

Answer: APT33

Question 2: As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?

Answer: Cloud Accounts

Question 3: What tool is associated with the technique from the previous question?

Answer: Ruler

Question 4: Per the detection tip, what should you be detecting? (format: phrase1 or phrase2)

Answer: abnormal or malicious behavior

Question 5: What platforms does the technique from question #2 affect?

Answer: Azure AD, Google Workspace, IaaS, Office 365, SaaS

Task 9: Conclusion

No answer needed

Pyae Heinn Kyaw

Featured Photo – YouTube (Sezcurity)