tryhackme.com (2606:4700:10::6816:37e4)

URL: https://tryhackme.com/room/mitre
Submission: On November 15 via manual from US — Scanned from DE


MITRE

This room will discuss the various resources MITRE has made available for the
cybersecurity community.


Difficulty: Medium

This is a free room, which means anyone can deploy virtual machines in the room
(without being subscribed)! 86701 users are in here and this room is 1099 days
old.

Created by tryhackme and Dex01

Task 1 Introduction to MITRE

If you are new to the cybersecurity field, you have probably never heard of
MITRE. Those of us who have been around a while might only associate MITRE with
the CVE (Common Vulnerabilities and Exposures) list, which is one resource you
will probably check when searching for an exploit for a given vulnerability. But
MITRE researches many areas outside of cybersecurity, for the 'safety,
stability, and well-being of our nation.' These areas include artificial
intelligence, health informatics, and space security, to name a few.

From Mitre.org: "At MITRE, we solve problems for a safer world. Through our
federally funded R&D centers and public-private partnerships, we work across
government to tackle challenges to the safety, stability, and well-being of our
nation."

In this room, we will focus on other projects/research that the US-based
non-profit MITRE Corporation has created for the cybersecurity community,
specifically:

 * ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) Framework
 * CAR (Cyber Analytics Repository) Knowledge Base
 * ENGAGE (sorry, not a fancy acronym)
 * D3FEND (Detection, Denial, and Disruption Framework Empowering Network Defense)
 * AEP (ATT&CK Emulation Plans)

Let's dive in, shall we...

Room updated: July 1st, 2022

Answer the questions below
 * Read the above

Task 2 Basic Terminology

Before diving in, let's briefly discuss a few terms that you will often hear
when dealing with the framework, threat intelligence, etc.

APT is an acronym for Advanced Persistent Threat. This can be a team/group
(threat group), or even a country (nation-state group), that engages in
long-term attacks against organizations and/or countries. The term 'advanced'
can be misleading, as it tends to make us believe that every APT group has some
super-weapon, e.g. a zero-day exploit, that they use. That is not the case. As
we will see a bit later, the techniques these APT groups use are quite common
and can be detected with the right implementations in place. You can view
FireEye's current list of APT groups here.


TTP is an acronym for Tactics, Techniques, and Procedures, but what does each of
these terms mean?

 * The Tactic is the adversary's goal or objective.
 * The Technique is how the adversary achieves the goal or objective.
 * The Procedure is how the technique is executed.

If that is not that clear now, don't worry. Hopefully, as you progress through
each section, TTPs will make more sense.

Answer the questions below
 * Read the above

Task 3 ATT&CK® Framework




What is the ATT&CK® framework? According to the website, "MITRE ATT&CK® is a
globally-accessible knowledge base of adversary tactics and techniques based on
real-world observations." In 2013, MITRE began to address the need to record and
document common TTPs (Tactics, Techniques, and Procedures) that APT (Advanced
Persistent Threat) groups used against enterprise Windows networks. This started
with an internal project known as FMX (Fort Meade Experiment). Within this
project, selected security professionals were tasked with emulating adversarial
TTPs against a network, and data was collected from the attacks on this network.
The gathered data helped construct the beginning pieces of what we know today as
the ATT&CK® framework.

The ATT&CK® framework has grown and expanded throughout the years. One notable
expansion: the framework originally focused solely on the Windows platform, but
it has since expanded to cover other platforms, such as macOS and Linux. Many
sources contribute heavily to the framework, such as security researchers and
threat intelligence reports. Note that this is not only a tool for blue
teamers; it is also useful for red teamers.

If you haven't done so, navigate to the ATT&CK® website.

Direct your attention to the bottom of the page to view the ATT&CK® Matrix for
Enterprise. Across the top of the matrix, there are 14 categories. Each category
contains the techniques an adversary could use to perform the tactic. The
categories cover the seven-stage Cyber Attack Lifecycle (credit Lockheed Martin
for the Cyber Kill Chain).




(ATT&CK Matrix v11.2)

Under Initial Access, there are 9 techniques. Some of the techniques have
sub-techniques, such as Phishing. 




If we click on the gray bar to the right, a new layer appears listing the
sub-techniques. 




To get a better understanding of this technique and its associated
sub-techniques, click on Phishing.

We have been directed to a page dedicated to the technique known as Phishing and
all related information regarding the technique, such as a brief
description, Procedure Examples, and Mitigations. 




You can alternatively resort to using the Search feature to retrieve all
associated information regarding a given technique, sub-technique, and/or
group. 




Lastly, the same data can be viewed via the MITRE ATT&CK® Navigator: "The
ATT&CK® Navigator is designed to provide basic navigation and annotation of
ATT&CK® matrices, something that people are already doing today in tools like
Excel. We've designed it to be simple and generic - you can use the Navigator to
visualize your defensive coverage, your red/blue team planning, the frequency of
detected techniques, or anything else you want to do."

You can access the Navigator view when visiting a group or tool page. The
ATT&CK® Navigator Layers button will be available.




In the sub-menu select view.




Let's get acquainted with this tool. Click here to view the ATT&CK® Navigator
for Carbanak. 

At the top left, there are 3 sets of controls: selection controls, layer
controls, and technique controls. I encourage you to inspect each of the options
under each control to get familiar with them. The question mark at the far right
will provide additional information regarding the navigator. 




To summarize, we can use the ATT&CK Matrix to map a threat group to its tactics
and techniques, and there are several ways to initiate that search.

The questions below will help you become more familiar with the ATT&CK®
framework. It is recommended to start answering the questions from the Phishing
page. Note that this link is for version 8 of the ATT&CK Matrix.

Answer the questions below
 * Besides Blue teamers, who else will use the ATT&CK Matrix? (Red Teamers,
   Purple Teamers, SOC Managers?)
 * What is the ID for this technique?
 * Based on this technique, what mitigation covers identifying social
   engineering techniques?
 * What are the data sources for Detection? (format: source1,source2,source3
   with no spaces after commas)
 * What groups have used spear-phishing in their campaigns? (format:
   group1,group2)
 * Based on the information for the first group, what are their associated
   groups?
 * What software is associated with this group that lists phishing as a
   technique?
 * What is the description for this software?
 * This group overlaps (slightly) with which other group?
 * How many techniques are attributed to this group?

Task 4 CAR Knowledge Base

Cyber Analytics Repository

The official definition of CAR is "The MITRE Cyber Analytics Repository (CAR) is
a knowledge base of analytics developed by MITRE based on the MITRE
ATT&CK® adversary model. CAR defines a data model that is leveraged in its
pseudocode representations but also includes implementations directly targeted
at specific tools (e.g., Splunk, EQL) in its analytics. With respect to
coverage, CAR is focused on providing a set of validated and well-explained
analytics, in particular with regards to their operating theory and rationale."

Instead of further attempting to explain what CAR is, let's dive in. With our
newly acquired knowledge from the previous section, we should feel comfortable
and understand the information that CAR is providing to us.

Let's begin our journey by reviewing CAR-2020-09-001: Scheduled Task - File
Access.

Upon visiting the page, we're given a brief description of the analytics and
references to ATT&CK (technique, sub-technique, and tactic).







We're also provided with pseudocode and a query showing how to search for this
specific analytic within Splunk. Pseudocode is a plain, human-readable way to
describe a set of instructions or an algorithm that a program or system will
perform.




Note the reference to Sysmon. If you're not familiar with Sysmon, check out the
Sysmon room. 
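To make the pseudocode-to-query relationship concrete, here is an added example (my own illustration, not the text of CAR-2020-09-001 or its Splunk implementation) of a hypothetical analytic written the way CAR lays one out: a short pseudocode description on top, an implementation underneath, and a Splunk-style search that expresses the same filter. The events are constructed Sysmon-style records; the only assumptions taken from Sysmon are that Event ID 11 is FileCreate and that `Image` and `TargetFilename` name the writing process and the written file. The rule itself (flag files created under the scheduled-task directory by anything other than the task scheduler service host) is an illustrative choice, not CAR's.

```python
"""
Hypothetical CAR-style analytic over constructed Sysmon-like events.

Pseudocode (CAR style, written here for illustration, not CAR's own text):
    files      = search File:Create
    task_files = filter files where (file_path contains "Windows\\System32\\Tasks")
    suspicious = filter task_files where (exe != "svchost.exe")
    output suspicious
"""
import ntpath

SYSMON_FILE_CREATE = 11                       # Sysmon Event ID 11 = FileCreate
TASKS_DIR = r"C:\Windows\System32\Tasks"      # scheduled-task definitions live here
EXPECTED_WRITER = "svchost.exe"               # assumption: the only expected writer

# Constructed sample telemetry (not real logs). Only a few Sysmon fields are used.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetFilename": r"C:\Windows\System32\Tasks\Updater",
     "User": r"CORP\alice"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "User": r"CORP\alice"},                   # ProcessCreate: not a File:Create event
    {"EventID": 11, "Image": r"C:\Program Files\App\app.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx",
     "User": r"CORP\alice"},                   # FileCreate outside the Tasks directory
]

# The same filter as a Splunk-style search (assumption: sysmon data in index=sysmon
# with the Sysmon field names above; this is not CAR's own query).
SPLUNK_QUERY = (
    'index=sysmon EventCode=11 '
    'TargetFilename="*\\\\Windows\\\\System32\\\\Tasks\\\\*" '
    'Image!="*\\\\svchost.exe"'
)


def is_file_create(event: dict) -> bool:
    return event.get("EventID") == SYSMON_FILE_CREATE


def in_tasks_dir(path: str) -> bool:
    """Case-insensitive prefix match on the Tasks directory (Windows paths)."""
    return path.lower().startswith(TASKS_DIR.lower() + "\\")


def writer_name(image_path: str) -> str:
    """Executable name from a Windows path; ntpath handles backslashes on any OS."""
    return ntpath.basename(image_path).lower()


def run_analytic(events: list) -> list:
    """Apply the pseudocode step by step and return the surviving events."""
    hits = []
    for event in events:
        if not is_file_create(event):                      # files = search File:Create
            continue
        if not in_tasks_dir(event.get("TargetFilename", "")):  # file_path contains Tasks
            continue
        if writer_name(event.get("Image", "")) == EXPECTED_WRITER:  # exe != svchost.exe
            continue
        hits.append({
            "image": event["Image"],
            "file": event["TargetFilename"],
            "user": event.get("User", "?"),
        })
    return hits


if __name__ == "__main__":
    for hit in run_analytic(SAMPLE_EVENTS):
        print(f"[task file written by unexpected process] {hit['user']}: "
              f"{hit['image']} -> {hit['file']}")
    print("Equivalent Splunk-style search:", SPLUNK_QUERY)
```

The point of the layout is that each line of the pseudocode becomes one `continue` guard in `run_analytic` and one clause in the Splunk search, which is exactly the translation CAR asks an analyst to do for whatever SIEM they run. Real deployments need a tuned allow-list for the writer check (installers and management agents also create task files), which is the kind of consideration CAR documents alongside an analytic.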

To take full advantage of CAR, we can view the Full Analytic List or the CAR
ATT&CK® Navigator layer to view all the analytics.

Full Analytic List




In the Full Analytic List view, we can see what implementations are available
for any given analytic at a single glance, along with what OS platform it
applies to.

CAR ATTACK Navigator




(The techniques highlighted in purple are the analytics currently in CAR)

Let's look at another analytic to see a different
implementation, CAR-2014-11-004: Remote PowerShell Sessions.

Under Implementations, pseudocode is provided along with an EQL version of that
pseudocode. EQL (pronounced 'equal') is an acronym for Event Query Language. EQL
can be used to query, parse, and organize Sysmon event data. You can read more
about this here.








To summarize, CAR is a great place to find analytics that take us further than
the Mitigation and Detection summaries in the ATT&CK® framework. This tool is
not a replacement for ATT&CK® but an added resource.

Answer the questions below
 * What tactic has an ID of TA0003?
 * What is the name of the library that is a collection of Zeek (BRO) scripts?
 * What is the name of the technique for running executables with the same hash
   and different names?
 * Examine CAR-2013-05-004, besides Implementations, what additional information
   is provided to analysts to ensure coverage for this technique?

Task 5 MITRE Engage

MITRE ENGAGE

Per the website, "MITRE Engage is a framework for planning and discussing
adversary engagement operations that empowers you to engage your adversaries and
achieve your cybersecurity goals."


MITRE Engage is considered an Adversary Engagement Approach. This is
accomplished by the implementation of Cyber Denial and Cyber Deception. 


With Cyber Denial we prevent the adversary's ability to conduct their operations
and with Cyber Deception we intentionally plant artifacts to mislead the
adversary. 


The Engage website provides a starter kit to get you 'started' with the
Adversary Engagement Approach. The starter kit is a collection of whitepapers
and PDFs explaining various checklists, methodologies, and processes to get you
started. 



As with MITRE ATT&CK, Engage has its own matrix. Below is a visual of the Engage
Matrix.




(Source: https://engage.mitre.org)


Let's quickly explain each of these categories based on the information on the
Engage website.
 * Prepare the set of operational actions that will lead to your desired outcome
   (input)
 * Expose adversaries when they trigger your deployed deception activities 
 * Affect adversaries by performing actions that will have a negative impact on
   their operations
 * Elicit information by observing the adversary and learn more about their
   modus operandi (TTPs)
 * Understand the outcomes of the operational actions (output) 

Refer to the Engage Handbook to learn more. 


You can interact with the Engage Matrix Explorer. We can filter by information
from MITRE ATT&CK. 


Note that by default the matrix focuses on Operate, which
entails Expose, Affect, and Elicit. 






You can click on Prepare or Understand if you wish to focus solely on that part
of the matrix.




That should be enough of an overview. We'll leave it to you to explore the
resources provided to you on this website.


Before moving on, let's practice using this resource by answering the questions
below. 
Answer the questions below
 * Under Prepare, what is ID SAC0002?
 * What is the name of the resource to aid you with the engagement activity from
   the previous question?
 * Which engagement activity baits a specific response from the adversary?
 * What is the definition of Threat Model?

Task 6 MITRE D3FEND

D3FEND

What is this MITRE resource? Per the D3FEND website, this resource is "A
knowledge graph of cybersecurity countermeasures."

D3FEND is still in beta and is funded by the Cybersecurity Directorate of the
NSA.

D3FEND stands for Detection, Denial, and Disruption Framework Empowering Network
Defense.

At the time of this writing, there are 408 artifacts in the D3FEND matrix. See
the below image.





Let's take a quick look at one of D3FEND's artifacts, such as Decoy File.




As you can see, you're provided with information on what the technique is
(definition), how the technique works (how it works), things to think about when
implementing the technique (considerations), and how to put the technique to use
(example).

Note, as with other MITRE resources, you can filter based on the ATT&CK matrix. 

Since this resource is in beta and will change significantly in future releases,
we won't spend that much time on D3FEND. 

The objective of this task is to make you aware of this MITRE resource and
hopefully you'll keep an eye on it as it matures in the future. 

We will still encourage you to navigate the website a bit by answering the
questions below. 

Answer the questions below
 * What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup
   dropdown?
 * In D3FEND Inferred Relationships, what does the ATT&CK technique from the
   previous question produce?

Task 7 ATT&CK® Emulation Plans

If these tools provided to us by MITRE are not enough, under MITRE ENGENUITY, we
have CTID, the Adversary Emulation Library, and ATT&CK® Emulation Plans.

CTID

MITRE formed an organization named the Center for Threat-Informed Defense
(CTID). This organization consists of various companies and vendors from around
the globe. Their objective is to conduct research on cyber threats and their
TTPs and to share this research to improve cyber defense for all.

Some of the companies and vendors who are participants of CTID:

 * AttackIQ (founder)
 * Verizon
 * Microsoft (founder)
 * Red Canary (founder)
 * Splunk

Per the website, "Together with Participant organizations, we cultivate
solutions for a safer world and advance threat-informed defense with open-source
software, methodologies, and frameworks. By expanding upon the MITRE ATT&CK
knowledge base, our work expands the global understanding of cyber adversaries
and their tradecraft with the public release of data sets critical to better
understanding adversarial behavior and their movements."

Adversary Emulation Library & ATT&CK® Emulation Plans

The Adversary Emulation Library is a public library that makes adversary
emulation plans a free resource for blue/red teamers. The library and the
emulation plans are a contribution from CTID. There are several ATT&CK® Emulation
Plans currently available: APT3, APT29, and FIN6. The emulation plans are a
step-by-step guide on how to mimic the specific threat group. If any of the
C-Suite were to ask, "How would we fare if APT29 hit us?", the question can be
answered by referring to the results of executing the emulation plan.

Review the emulation plans to answer the questions below. 

Answer the questions below
 * In Phase 1 for the APT3 Emulation Plan, what is listed first?
 * Under Persistence, what binary was replaced with cmd.exe?
 * Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure?
   (format: tool1,tool2)
 * What C2 framework is listed in Scenario 2 Infrastructure?
 * Examine the emulation plan for Sandworm. What webshell is used for Scenario
   1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id?
   (format: webshell,id)

Task 8 ATT&CK® and Threat Intelligence

Threat Intelligence (TI) or Cyber Threat Intelligence (CTI) is the information,
or TTPs, attributed to the adversary. By using threat intelligence, as
defenders, we can make better decisions regarding the defensive strategy. Large
corporations might have an in-house team whose primary objective is to gather
threat intelligence for other teams within the organization, aside from using
threat intel already readily available. Some of this threat intel can be open
source or through a subscription with a vendor, such as CrowdStrike. In
contrast, many defenders wear multiple hats (roles) within some organizations,
and they need to take time from their other tasks to focus on threat
intelligence. To cater to the latter, we'll work on a scenario of using ATT&CK®
for threat intelligence. The goal of threat intelligence is to make the
information actionable. 

Scenario: You are a security analyst who works in the aviation sector. Your
organization is moving their infrastructure to the cloud. Your goal is to use
the ATT&CK® Matrix to gather threat intelligence on APT groups who might target
this particular sector and use techniques targeting your areas of concern. You
are checking to see if there are any gaps in coverage. After selecting a group,
look over the selected group's information and their tactics, techniques, etc. 
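The gap check described in this scenario, and the "visualize your defensive coverage" use of the Navigator from Task 3, can both be expressed in a few lines. The following is an added example, not code from the room or from MITRE: it compares the techniques reported for a threat group against the technique IDs your detections cover, lists the gaps, and emits the result as an ATT&CK Navigator layer so it can be loaded into the Navigator and coloured on the matrix. The group-to-technique mapping and the detection list are constructed for illustration (the technique IDs are real ATT&CK IDs, but the group is made up and nothing here attributes techniques to a real group); the Navigator `versions` values are an assumption to be matched to your Navigator instance.

```python
"""
Coverage-gap check against a threat group's reported techniques, with an
ATT&CK Navigator layer as output. Added example; data below is constructed.
"""
import json

# Constructed: techniques "reported" for a made-up group, keyed by ATT&CK ID.
GROUP_NAME = "Example Group (constructed)"
GROUP_TECHNIQUES = {
    "T1566.001": "Spearphishing Attachment",
    "T1078": "Valid Accounts",
    "T1059.001": "PowerShell",
    "T1053.005": "Scheduled Task",
    "T1021.001": "Remote Desktop Protocol",
    "T1003.001": "LSASS Memory",
}

# Constructed: technique IDs the organisation's detections already cover.
# Design choice: a detection on a parent technique (T1566) is treated as
# covering its sub-techniques (T1566.001), since the Navigator rolls them up.
DETECTIONS = {"T1566", "T1053.005", "T1021.001"}


def parent_id(technique_id: str) -> str:
    """T1566.001 -> T1566; a parent ID is returned unchanged."""
    return technique_id.split(".", 1)[0]


def is_covered(technique_id: str, detections: set) -> bool:
    """Covered if the ID itself or its parent technique has a detection."""
    return technique_id in detections or parent_id(technique_id) in detections


def coverage_gaps(group_techniques: dict, detections: set) -> list:
    """Sorted list of the group's technique IDs that have no detection."""
    return sorted(t for t in group_techniques if not is_covered(t, detections))


def coverage_ratio(group_techniques: dict, detections: set) -> float:
    """Fraction of the group's techniques that are covered (1.0 for an empty group)."""
    if not group_techniques:
        return 1.0
    covered = sum(1 for t in group_techniques if is_covered(t, detections))
    return covered / len(group_techniques)


def build_navigator_layer(name: str, group_techniques: dict, detections: set) -> dict:
    """
    Build a Navigator layer dict. The field names (name, domain, versions,
    description, techniques, techniqueID, score, color, comment) follow the
    Navigator layer JSON format; the version numbers are an assumption.
    """
    techniques = []
    for tid, tname in sorted(group_techniques.items()):
        covered = is_covered(tid, detections)
        techniques.append({
            "techniqueID": tid,
            "score": 1 if covered else 0,
            "color": "#8ec843" if covered else "#ff6666",   # green = covered, red = gap
            "comment": f"{tname}: {'covered' if covered else 'GAP - no detection'}",
        })
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "11", "navigator": "4.8", "layer": "4.4"},  # assumption
        "description": "Detection coverage versus the group's reported techniques",
        "techniques": techniques,
    }


if __name__ == "__main__":
    gaps = coverage_gaps(GROUP_TECHNIQUES, DETECTIONS)
    print(f"Coverage of {GROUP_NAME}: {coverage_ratio(GROUP_TECHNIQUES, DETECTIONS):.0%}")
    for tid in gaps:
        print(f"  GAP {tid} {GROUP_TECHNIQUES[tid]}")
    layer = build_navigator_layer(f"{GROUP_NAME} coverage", GROUP_TECHNIQUES, DETECTIONS)
    with open("coverage_layer.json", "w") as fh:
        json.dump(layer, fh, indent=2)   # load this file via Open Existing Layer
```

In practice the group mapping would be pulled from the group's ATT&CK page (or the STIX data behind it) and the detection list from your SIEM's rule inventory; the comparison logic stays the same. The parent-covers-sub-technique choice is deliberate and worth questioning for your own environment: a generic Phishing detection may not actually observe every sub-technique.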

Answer the questions below
 * What is a group that targets your sector who has been in operation since at
   least 2013?
 * As your organization is migrating to the cloud, is there anything attributed
   to this APT group that you should focus on? If so, what is it?
 * What tool is associated with the technique from the previous question?
 * Referring to the technique from question 2, what mitigation method suggests
   using SMS messages as an alternative for its implementation?
 * What platforms does the technique from question #2 affect?

Task 9 Conclusion

In this room, we explored tools/resources that MITRE has provided to the
security community. The room's goal was to expose you to these resources and
give you foundational knowledge of their uses. Many vendors of security
products and security teams across the globe consider these contributions from
MITRE invaluable in the day-to-day effort to thwart evil. The more information
we have as defenders, the better equipped we are to fight back. For those of you
looking to transition into a role such as SOC analyst, detection engineer, or
cyber threat analyst, these tools/resources are a must to know.

As mentioned before, though, this is not only for defenders. As red teamers,
these tools/resources are useful as well. Your objective is to mimic the
adversary and attempt to bypass all the controls in place within the
environment. With these resources, as the red teamer, you can effectively mimic
a true adversary and communicate your findings in a common language that both
sides can understand. In a nutshell, this is known as purple teaming.  


Answer the questions below
 * Read the above
