TryHackMe: MITRE Walkthrough (SOC Level 1)

December 22, 2024, by Jasper

Welcome to this walkthrough of the MITRE Room on TryHackMe. MITRE develops cybersecurity frameworks like ATT&CK, providing a shared knowledge base of adversary tactics and techniques to enhance threat detection, response, and defense strategies. They also run programs like CVE to track and manage vulnerabilities.

This room is part of the SOC Level 1 Path.

Mitre room description

Room URL: https://tryhackme.com/r/room/mitre

I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from these challenges on HTB and THM.
Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on!


Task 1: Introduction to MITRE

MITRE is a non-profit corporation based in the US which runs projects and research on a variety of topics, including cybersecurity.
You might know MITRE from the list of Common Vulnerabilities and Exposures (CVEs). However, MITRE Corporation has provided much more to the cybersecurity community, specifically:

  • ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) Framework
  • CAR (Cyber Analytics Repository) Knowledge Base
  • ENGAGE (sorry, not a fancy acronym)
  • D3FEND (Detection, Denial, and Disruption Framework Empowering Network Defense)
  • AEP (ATT&CK Emulation Plans)

Let’s learn more about them!

Questions

Read the above.

Answer: No answer needed


Task 2: Basic Terminology

Let’s get some terminology out of the way first, so we don’t get confused later on. The most important definitions used in this room are:

  • APT is an acronym for Advanced Persistent Threat. This can be considered a team/group (threat group), or even country (nation-state group), that engages in long-term attacks against organizations and/or countries. You can view FireEye’s current list of APT groups here.
  • TTP is an acronym for Tactics, Techniques, and Procedures:
    The Tactic is the adversary’s goal or objective.
    The Technique is how the adversary achieves the goal or objective.
    The Procedure is how the technique is executed.

Questions

Read the above.

Answer: No answer needed


Task 3: ATT&CK® Framework

The MITRE ATT&CK® framework is a globally accessible knowledge base documenting adversary tactics, techniques, and procedures (TTPs) observed in real-world intrusions. Initially focused solely on Windows, ATT&CK has since expanded to cover macOS, Linux, cloud, mobile and ICS platforms, supported by contributions from security researchers and threat intelligence reports.

ATT&CK is valuable for both blue teamers and red teamers. Blue teamers use it to enhance threat detection and defensive coverage, while red teamers use it to plan simulations. The framework is presented as the ATT&CK Matrix: its columns are the 14 tactics of the Enterprise matrix, aligned with the cyber attack lifecycle (e.g., Initial Access, Execution, Persistence), and its cells are the techniques used to achieve each tactic. Techniques such as Phishing are broken down into sub-techniques, each documented with a description, procedure examples, mitigations, and detection data sources.

ATT&CK Matrix

If you haven’t done so, navigate to the ATT&CK® website.

Additionally, the ATT&CK Navigator allows users to interactively explore the matrix, map threat groups to their tactics and techniques, and visualize defensive coverage or attack plans. This versatility makes ATT&CK an essential tool for understanding and addressing cyber threats.
An example can be found here:

https://mitre-attack.github.io/attack-navigator//#layerURL=https%3A%2F%2Fattack.mitre.org%2Fgroups%2FG0008%2FG0008-enterprise-layer.json

Questions

Besides Blue teamers, who else will use the ATT&CK Matrix? (Red Teamers, Purple Teamers, SOC Managers?)

Red teamers often use the Matrix to plan simulations.

Answer: Red Teamers

What is the ID for this technique?

It wasn’t really clear to me which technique they are referring to, but apparently it is the Phishing technique. Visit the page here:

You can find the ID in the URL or on the right of the page:

Phishing Technique

Answer: T1566

Based on this technique, what mitigation covers identifying social engineering techniques?

On the previously found page scroll down towards the mitigation section. Here you will find the following row with the mitigation method:

M1017 — User Training: Users can be trained to identify social engineering techniques and phishing emails.

Answer: User Training

What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)

Scroll down even more to the Detection section.

Data source detection

Here you will find the three data sources, one for each row.

Answer: Application Log,File,Network Traffic

Which are the first two groups to have used spear-phishing in their campaigns? (format: group1,group2)

If you scroll a bit up again, you will come to the Procedure Examples section. The group names are found in the Name column.

Spear Phishing Procedures

Answer: Axiom,Gold SOUTHFIELD

Based on the information for the first group, what are their associated groups?

We can click on Axiom’s name to go to a page about the group:

Here we can quickly find their associated groups:

Axiom associated groups

Answer: Group 72

What software is associated with this group that lists phishing as a technique?

Again, not a very clear question. They are referring to Axiom here, not Group 72. Anyway, scroll down on Axiom's page to the Software section, and if you search for Phishing you will come across Hikit:

Hikit software

Answer: Hikit

What is the description for this software?

Press on Hikit in the previously found row, and you will go to the following page:

https://attack.mitre.org/software/S0009/

Answer: Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.

This group overlaps (slightly) with which other group?

Back to the Axiom page.

Here we can read that:

Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[1][2][3]

Answer: Winnti Group

How many techniques are attributed to this group?

Once more take a look at the page on Axiom. The answer is in the Techniques Used section: count the entries. Note that ATT&CK is versioned and group pages gain techniques as new reporting is added, so the count on the live site may differ from the one the room expects.

Answer: 15


Task 4: CAR Knowledge Base

The MITRE Cyber Analytics Repository (CAR) is a knowledge base of validated and well-explained analytics built on the ATT&CK® adversary model. It includes pseudocode and implementations for specific tools like Splunk and EQL, offering detailed operating theories and rationales for each analytic. CAR provides insights into detecting adversary behaviors by leveraging a defined data model and references ATT&CK tactics, techniques, and sub-techniques.

Key features of CAR include pseudocode for human-readable instructions and platform-specific implementations, such as Sysmon and EQL queries. Users can explore analytics through the Full Analytic List, which displays available implementations and applicable OS platforms, or via the CAR ATT&CK® Navigator, which highlights covered techniques. For example, CAR-2020-09-001 (Scheduled Task - File Access) and CAR-2014-11-004 (Remote PowerShell Sessions) demonstrate how to detect specific adversary activities using pseudocode and tool-specific queries.

CAR complements the ATT&CK® framework by providing actionable analytics that go beyond mitigation and detection summaries, making it a valuable resource for enhancing cybersecurity strategies.

Useful links:

https://car.mitre.org/analytics/

https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/car_analytic_coverage_04_05_2022.json

Questions

What tactic has an ID of TA0003?

I ended up searching on ATT&CK's homepage, and found information about the Persistence tactic on this page:

https://attack.mitre.org/tactics/TA0003/

Answer: Persistence

What is the name of the library that is a collection of Zeek (BRO) scripts?

The hint says that we should have a look at the main page:

https://car.mitre.org/

Some analytics are built as source code for specific products. In these cases, code might support a broad set of detections in a way that makes it hard to describe a set of distinct analytics. For these types of analytics, rather than integrating them into the main CAR site, we’ve collected them under a library of implementations. Currently, the only library is BZAR, a collection of Zeek (Bro) scripts looking primarily at SMB and RPC traffic.

Answer: BZAR

What is the name of the technique for running executables with the same hash and different names?

Go to the main analytics page (https://car.mitre.org/analytics/) and search for “different names”; you will find the following page:

https://car.mitre.org/analytics/CAR-2013-05-009/

Here you will find that the technique is called masquerading.

Answer: Masquerading
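To show what a CAR analytic looks like once it is turned into running detection logic, here is an added example, written for this walkthrough rather than taken from the TryHackMe room or the CAR repository. It implements the idea behind CAR-2013-05-009 (the analytic from the question above, and the kind of pseudocode-plus-implementation pairing the CAR description in this task refers to) in Python and runs it over a handful of constructed Sysmon-style process-creation records. The host names, paths and hash values are made up for illustration and are not real file hashes.

```python
"""
Added example (not from the TryHackMe room or MITRE CAR): a stand-alone
re-implementation of the idea behind CAR-2013-05-009, "Running executables
with same hash and different names" (ATT&CK T1036, Masquerading).  Real CAR
analytics ship as pseudocode plus Splunk/EQL/Sysmon implementations; this is
a Python version run over constructed Sysmon Event ID 1 records.
"""
import json
from collections import defaultdict

# Constructed Sysmon Event ID 1 (Process Create) records, trimmed to the
# fields the analytic needs.  The sha256 values are fake placeholders.
SAMPLE_EVENTS = [
    {"ts": "2024-12-22T10:00:01Z", "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",     "sha256": "aaaa1111"},
    {"ts": "2024-12-22T10:00:05Z", "host": "WS01", "image": r"C:\Windows\System32\svchost.exe", "sha256": "bbbb2222"},
    {"ts": "2024-12-22T10:02:10Z", "host": "WS01", "image": r"C:\Users\Public\svchost.exe",     "sha256": "aaaa1111"},
    {"ts": "2024-12-22T10:03:00Z", "host": "WS02", "image": r"C:\Windows\System32\cmd.exe",     "sha256": "aaaa1111"},
    {"ts": "2024-12-22T10:04:30Z", "host": "WS02", "image": r"C:\Windows\System32\notepad.exe", "sha256": "cccc3333"},
]


def file_name(image_path):
    """Return the basename of a Windows image path, lower-cased for comparison."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def same_hash_different_names(events):
    """
    Group process-creation events by hash and return, for each hash that was
    executed under more than one file name, the names seen and the raw events.
    This follows the analytic's approach: group Process:Create by hash and
    keep the groups with more than one distinct executable name.
    """
    by_hash = defaultdict(list)
    for ev in events:
        by_hash[ev["sha256"]].append(ev)
    findings = {}
    for digest, evs in by_hash.items():
        names = {file_name(e["image"]) for e in evs}
        if len(names) > 1:
            findings[digest] = {"names": sorted(names), "events": evs}
    return findings


def to_alerts(findings):
    """Flatten findings into one alert per offending hash, tagged with the ATT&CK ID."""
    alerts = []
    for digest, f in findings.items():
        alerts.append({
            "analytic": "CAR-2013-05-009",
            "attack_technique": "T1036",  # Masquerading
            "sha256": digest,
            "names": f["names"],
            "hosts": sorted({e["host"] for e in f["events"]}),
            "first_seen": min(e["ts"] for e in f["events"]),
        })
    return alerts


if __name__ == "__main__":
    # Expected: a single alert for hash aaaa1111, seen as both cmd.exe and svchost.exe.
    print(json.dumps(to_alerts(same_hash_different_names(SAMPLE_EVENTS)), indent=2))
```

In a real pipeline the records would come from Sysmon Event ID 1, which logs the Hashes field for every new process, and the analytic would need an allow-list: legitimate software copied under a new name (installers, portable tools) fires it just as readily as an attacker's renamed cmd.exe.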

Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?

Go to the following page:

https://car.mitre.org/analytics/CAR-2013-05-004/

Besides implementations, there are unit tests to ensure coverage for this technique.

Answer: Unit tests


Task 5: MITRE Engage

MITRE Engage is a framework designed to plan and discuss adversary engagement operations, using Cyber Denial to disrupt adversaries’ activities and Cyber Deception to mislead them. The framework helps organizations proactively engage adversaries to achieve cybersecurity objectives by employing intentional deception activities and operational strategies.

The Engage framework includes a matrix with five categories:

  • Prepare: Plan actions to achieve desired outcomes.
  • Expose: Detect adversaries triggering deception activities.
  • Affect: Take actions that negatively impact adversaries’ operations.
  • Elicit: Gather intelligence by observing adversary behaviors and TTPs.
  • Understand: Analyze the outcomes of engagement actions.

As with MITRE ATT&CK, Engage has its own matrix, which can be found here:

A starter kit, including whitepapers and checklists, is available to guide organizations in implementing adversary engagement approaches. The matrix integrates with MITRE ATT&CK to enhance operational focus, enabling organizations to interactively explore deception strategies and outcomes.

Starter kit:

Engage Handbook:

https://engage.mitre.org/wp-content/uploads/2022/04/EngageHandbook-v1.0.pdf

Questions

Under Prepare, what is ID SAC0002?

If you go to the Engage Matrix and look up Prepare, you will find the Persona Creation element:

Persona Creation

This has the ID SAC0002.

Answer: Persona Creation

What is the name of the resource to aid you with the engagement activity from the previous question?

At https://engage.mitre.org/tools/ you can see a list of supporting tools. One of them is the Persona Profile Worksheet, which sure sounds correct!

Answer: Persona Profile Worksheet

Which engagement activity baits a specific response from the adversary?

On the matrix, we find the Disrupt category (under Affect). One of the activities in this category is Lures, which also appears under Expose.

Lures

This is described as:

Lures
ID: EAC0005
Deceptive systems and artifacts intended to serve as decoys, breadcrumbs, or bait to elicit a specific response from the adversary.

Sure sounds right!

Answer: Lures

What is the definition of Threat Model?

Look at the category Understand > Analyze > Threat Model. Here you will find the definition: A risk assessment that models organizational strengths and weaknesses

Answer: A risk assessment that models organizational strengths and weaknesses


Task 6: MITRE D3FEND

MITRE D3FEND is a knowledge graph of cybersecurity countermeasures funded by the NSA’s Cybersecurity Directorate. Its purpose is to document defensive techniques and strategies for protecting networks, complementing the adversary-focused MITRE ATT&CK framework.

Key highlights of D3FEND:

  • The framework, still in beta, is titled “Detection, Denial, and Disruption Framework Empowering Network Defense.”
  • It currently features 408 artifacts detailing specific defensive techniques.
  • Each artifact provides a definition, functionality, considerations for implementation, and practical examples (e.g., the “Decoy File” artifact outlines its purpose, setup, and use cases).

D3FEND integrates with the ATT&CK matrix to align defensive techniques with known adversary tactics. As it evolves, D3FEND aims to be a valuable resource for enhancing cybersecurity defenses by offering actionable, structured knowledge on countermeasures.

Questions

What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?

Take a look at the Matrix. In the top you can see the dropdown:

ATT&CK Lookup

Answer: Data Obfuscation

In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce?

Click on the technique found in the last question, and you will see a page with details. Scroll down a bit and you will find the inferred relationships. Outbound Internet Network Traffic is the product of the earlier technique.

D3FEND Inferred Relationships

Answer: Outbound Internet Network Traffic


Task 7: ATT&CK® Emulation Plans

MITRE Engenuity provides additional tools and resources to complement the existing MITRE frameworks. These include the Center for Threat-Informed Defense (CTID), the Adversary Emulation Library, and ATT&CK® Emulation Plans.

CTID

The Center for Threat-Informed Defense (CTID) is a collaborative initiative involving global companies and vendors (e.g., Microsoft, Splunk, AttackIQ). Its goal is to research adversarial TTPs (Tactics, Techniques, and Procedures) and share findings to improve collective cybersecurity. By building on MITRE ATT&CK, CTID contributes to the public release of data sets, open-source software, and methodologies that enhance the understanding of cyber threats.

Adversary Emulation Library & ATT&CK® Emulation Plans

  • Adversary Emulation Library: A public repository of adversary emulation plans, designed for blue and red teams.
  • ATT&CK® Emulation Plans: Step-by-step guides to emulate specific threat groups (e.g., APT3, APT29, FIN6). These plans allow organizations to test their defenses by mimicking real-world adversaries. For example, running an APT29 plan answers questions about how an organization might withstand such an attack.

Together, these tools provide actionable frameworks for understanding, testing, and strengthening defenses against cyber threats.

Questions

In Phase 1 for the APT3 Emulation Plan, what is listed first?

Have a look at the APT3 plan on: https://attack.mitre.org/resources/adversary-emulation-plans/

You can find the following image:

APT3 Emulation Plan

The answer is found on the left, under phase 1.

Answer: C2 Setup

Under Persistence, what binary was replaced with cmd.exe?

Take a look at the Emulation Plan report:

https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf

Under Persistence (page 3-17) it says the following:

APT3 has replaced the Sticky Keys binary (C:\Windows\System32\sethc.exe) with cmd.exe

Answer: sethc.exe

Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)

Time to look at APT29 now at:

Here the C2 frameworks are mentioned.

Answer: Pupy,Metasploit Framework

What C2 framework is listed in Scenario 2 Infrastructure?

Go to:

Here it mentions:

Server running an offensive framework (we tested and executed using PoshC2)

Answer: PoshC2

Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)

The sandworm emulation plan is found here:

We can see that the webshell is called P.A.S. Now we need the ID. The ID can be found on the MITRE ATT&CK site:

P.A.S. Webshell

Answer: P.A.S.,S0598


Task 8: ATT&CK® and Threat Intelligence

Threat Intelligence (TI) or Cyber Threat Intelligence (CTI) provides insights into adversary tactics, techniques, and procedures (TTPs), helping defenders improve their strategies. While larger organizations may have dedicated TI teams or use vendor-provided resources, smaller teams often multitask to incorporate threat intelligence. The focus is on making intelligence actionable.

Scenario: You are a security analyst who works in the aviation sector. Your organization is moving their infrastructure to the cloud. Your goal is to use the ATT&CK® Matrix to gather threat intelligence on APT groups who might target this particular sector and use techniques targeting your areas of concern. You are checking to see if there are any gaps in coverage. After selecting a group, look over the selected group’s information and their tactics, techniques, etc.
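The gap check this scenario describes, and the coverage visualisation the ATT&CK Navigator paragraph in Task 3 mentions, can be automated rather than done by eye in the matrix. The following is an added example, not part of the room and not MITRE's code: it compares a group's techniques against a detection inventory and emits a Navigator layer that colours the gaps. Both lists are constructed. Only T1078.004 (Cloud Accounts), which the room attributes to APT33 in the questions below, comes from this page; the other technique IDs and the detection inventory are placeholders to replace with the real group page and your own SOC's coverage. The version numbers in the layer's `versions` block are likewise assumptions to adjust to the Navigator instance you load it into.

```python
"""
Added example (not from the TryHackMe room or MITRE): build an ATT&CK Navigator
layer highlighting which of a group's techniques your detections do not cover.
The technique lists are constructed for illustration; only T1078.004 comes
from the walkthrough's APT33 discussion.
"""
import json

# Constructed: techniques an ATT&CK group page might list.  This is NOT a
# faithful copy of APT33's page; export the real list before a real assessment.
GROUP_TECHNIQUES = {
    "T1078.004": "Valid Accounts: Cloud Accounts",
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1110.003": "Brute Force: Password Spraying",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1048.003": "Exfiltration Over Unencrypted Non-C2 Protocol",
}

# Constructed: what a hypothetical SOC already detects, keyed by technique ID.
DETECTION_COVERAGE = {
    "T1566.001": "mail-gateway attachment sandbox",
    "T1059.001": "PowerShell script-block logging + Sigma rules",
}

COVERED_COLOR = "#8ec843"
GAP_COLOR = "#ff6666"


def find_gaps(group_techniques, coverage):
    """Return the group's technique IDs for which no detection exists, sorted."""
    return sorted(t for t in group_techniques if t not in coverage)


def build_layer(name, group_techniques, coverage, domain="enterprise-attack"):
    """
    Produce a Navigator layer (layer format 4.5) colouring covered techniques
    green and uncovered ones red, with the coverage note as each cell's comment.
    The 'versions' block pins the ATT&CK and Navigator versions the layer
    targets; these are assumptions, adjust them to your Navigator instance.
    """
    techniques = []
    for tid, tname in sorted(group_techniques.items()):
        covered = tid in coverage
        techniques.append({
            "techniqueID": tid,
            "score": 1 if covered else 0,
            "color": COVERED_COLOR if covered else GAP_COLOR,
            "comment": coverage.get(tid, "GAP: no detection for " + tname),
            "enabled": True,
        })
    return {
        "name": name,
        "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
        "domain": domain,
        "description": "Detection coverage vs. group techniques (added example, constructed data)",
        "techniques": techniques,
        "gradient": {"colors": [GAP_COLOR, COVERED_COLOR], "minValue": 0, "maxValue": 1},
        "legendItems": [
            {"label": "Covered", "color": COVERED_COLOR},
            {"label": "Gap", "color": GAP_COLOR},
        ],
    }


if __name__ == "__main__":
    print("Gaps:", find_gaps(GROUP_TECHNIQUES, DETECTION_COVERAGE))
    # Save this output as a .json file and load it in Navigator via Open Existing Layer.
    print(json.dumps(build_layer("Cloud migration gap check", GROUP_TECHNIQUES, DETECTION_COVERAGE), indent=2))
```

Load the printed JSON in Navigator through Open Existing Layer; the red cells are the techniques the group is known for that you cannot currently detect, which for a cloud migration is where to start (here the placeholder data leaves Cloud Accounts, Password Spraying and the exfiltration channel uncovered).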

Questions

What is a group that targets your sector who has been in operation since at least 2013?

I ended up looking at the Cyber Threat Intelligence (CTI) section of the ATT&CK site. Here you can find a list of groups. I simply searched on the page for “aviation” and ended up finding 6 results. One of them is APT33, which is a suspected Iranian threat group that has been active since at least 2013.

APT33

Answer: APT33

As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?

Let’s have a look at the APT33 group page:

If you search for “cloud”, you will find the technique called “Cloud Accounts”, which refers to the fact that APT33 has used compromised Office 365 accounts in tandem with Ruler in an attempt to gain control of endpoints.

Cloud Accounts

Answer: cloud accounts

What tool is associated with the technique from the previous question?

Click on the technique link to go to the following page:

https://attack.mitre.org/techniques/T1078/004/

Underneath Procedure Examples it actually mentions the same line again:

APT33 has used compromised Office 365 accounts in tandem with Ruler in an attempt to gain control of endpoints.[7]

Ruler is the answer!

Answer: Ruler

Referring to the technique from question 2, what mitigation method suggests using SMS messages as an alternative for its implementation?

Let’s go back to the technique page at:

https://attack.mitre.org/techniques/T1078/004/

Here we can find the following mitigation method:

M1032 — Multi-factor Authentication

Use multi-factor authentication for cloud accounts, especially privileged accounts. This can be implemented in a variety of forms (e.g. hardware, virtual, SMS), and can also be audited using administrative reporting features.[17]

Note the wording: SMS is listed as one possible form of MFA, not a recommended one. SMS codes can be phished or intercepted through SIM swapping, so for the privileged cloud accounts this technique targets, prefer hardware or app-based factors.

Answer: Multi-factor Authentication

What platforms does the technique from question #2 affect?

On the same page, we can find the affected platforms on the right:

Cloud Accounts

Affected Platforms

Answer: IaaS, Identity Provider, Office Suite, SaaS


Task 9: Conclusion

This room introduced MITRE’s tools and resources for the security community, highlighting their value in enhancing defense strategies. These resources are essential for defenders such as SOC analysts, detection engineers, and cyber threat analysts, providing critical insights to thwart adversarial actions.

They are equally valuable for red teamers, enabling them to mimic real adversaries effectively and test defenses. By using these tools, red teamers can communicate findings in a shared language understood by both defensive and offensive teams, fostering collaboration — a concept known as purple teaming.

Questions

Read the above

Answer: No answer needed


Congratulations on completing MITRE!!!

MITRE congratulations

It was amazing to learn about the different tools provided by MITRE. They really help us understand cyber threats and how to mitigate these. Great job on following along. Happy hacking!


Like my articles?

You are welcome to give my article a clap or two 🙂
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:
