tryhackme.com (urlscan Public Scan)
IP: 2606:4700:10::6816:37e4
URL: https://tryhackme.com/room/mitre
Submission: On November 15 via manual from US — Scanned from DE
Text Content
MITRE (TryHackMe room)
This room will discuss the various resources MITRE has made available for the cybersecurity community.
Difficulty: Medium
This is a free room, which means anyone can deploy virtual machines in the room (without being subscribed)! 86701 users are in here and this room is 1099 days old. Created by tryhackme and Dex01.

Task 1 Introduction to MITRE
For those that are new to the cybersecurity field, you have probably never heard of MITRE. Those of us that have been around might only associate MITRE with the CVE (Common Vulnerabilities and Exposures) list, which is one resource you'll probably check when searching for an exploit for a given vulnerability.
But MITRE researches many areas outside of cybersecurity, for the 'safety, stability, and well-being of our nation.' These areas include artificial intelligence, health informatics, and space security, to name a few.
From Mitre.org: "At MITRE, we solve problems for a safer world. Through our federally funded R&D centers and public-private partnerships, we work across government to tackle challenges to the safety, stability, and well-being of our nation."
In this room, we will focus on other projects/research that the US-based non-profit MITRE Corporation has created for the cybersecurity community, specifically:
* ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) Framework
* CAR (Cyber Analytics Repository) Knowledge Base
* ENGAGE (sorry, not a fancy acronym)
* D3FEND (Detection, Denial, and Disruption Framework Empowering Network Defense)
* AEP (ATT&CK Emulation Plans)
Let's dive in, shall we...
Room updated: July 1st, 2022
Answer the questions below
* Read the above

Task 2 Basic Terminology
Before diving in, let's briefly discuss a few terms that you will often hear when dealing with the framework, threat intelligence, etc.
APT is an acronym for Advanced Persistent Threat. This can be considered a team/group (threat group), or even a country (nation-state group), that engages in long-term attacks against organizations and/or countries. The term 'advanced' can be misleading, as it tends to make us believe that every APT group has some super-weapon, i.e. a zero-day exploit, that they use. That is not the case. As we will see a bit later, the techniques these APT groups use are quite common and can be detected with the right implementations in place. You can view FireEye's current list of APT groups here.
TTP is an acronym for Tactics, Techniques, and Procedures, but what does each of these terms mean?
* The Tactic is the adversary's goal or objective.
* The Technique is how the adversary achieves the goal or objective.
* The Procedure is how the technique is executed.
If that is not clear now, don't worry. Hopefully, as you progress through each section, TTPs will make more sense.
Answer the questions below
* Read the above

Task 3 ATT&CK® Framework
What is the ATT&CK® framework? According to the website, "MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations."
In 2013, MITRE began to address the need to record and document common TTPs (Tactics, Techniques, and Procedures) that APT (Advanced Persistent Threat) groups used against enterprise Windows networks. This started with an internal project known as FMX (Fort Meade Experiment). Within this project, selected security professionals were tasked to emulate adversarial TTPs against a network, and data was collected from the attacks on this network. The gathered data helped construct the beginning pieces of what we know today as the ATT&CK® framework.
The ATT&CK® framework has grown and expanded throughout the years. One notable expansion: the framework originally focused solely on the Windows platform but has since expanded to cover other platforms, such as macOS and Linux. The framework is heavily contributed to by many sources, such as security researchers and threat intelligence reports.
Note this is not only a tool for blue teamers. The tool is also useful for red teamers.
If you haven't done so, navigate to the ATT&CK® website. Direct your attention to the bottom of the page to view the ATT&CK® Matrix for Enterprise. Across the top of the matrix, there are 14 categories. Each category contains the techniques an adversary could use to perform the tactic. The categories cover the seven-stage Cyber Attack Lifecycle (credit Lockheed Martin for the Cyber Kill Chain).
(ATT&CK Matrix v11.2)
Under Initial Access, there are 9 techniques. Some of the techniques have sub-techniques, such as Phishing.
If we click on the gray bar to the right, a new layer appears listing the sub-techniques. To get a better understanding of this technique and its associated sub-techniques, click on Phishing.
We have been directed to a page dedicated to the technique known as Phishing and all related information regarding the technique, such as a brief description, Procedure Examples, and Mitigations.
You can alternatively use the Search feature to retrieve all associated information regarding a given technique, sub-technique, and/or group.
Lastly, the same data can be viewed via the MITRE ATT&CK® Navigator: "The ATT&CK® Navigator is designed to provide basic navigation and annotation of ATT&CK® matrices, something that people are already doing today in tools like Excel. We've designed it to be simple and generic - you can use the Navigator to visualize your defensive coverage, your red/blue team planning, the frequency of detected techniques, or anything else you want to do."
You can access the Navigator view when visiting a group or tool page. The ATT&CK® Navigator Layers button will be available. In the sub-menu, select view.
Let's get acquainted with this tool. Click here to view the ATT&CK® Navigator for Carbanak. At the top left, there are 3 sets of controls: selection controls, layer controls, and technique controls. I encourage you to inspect each of the options under each control to get familiar with them. The question mark at the far right will provide additional information regarding the navigator.
To summarize, we can use the ATT&CK Matrix to map a threat group to their tactics and techniques. There are various ways a search can be initiated.
The questions below will help you become more familiar with ATT&CK®. It is recommended to start answering the questions from the Phishing page. Note that this link is for version 8 of the ATT&CK Matrix.
Answer the questions below
* Besides Blue teamers, who else will use the ATT&CK Matrix?
(Red Teamers, Purple Teamers, SOC Managers?)
* What is the ID for this technique?
* Based on this technique, what mitigation covers identifying social engineering techniques?
* What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)
* What groups have used spear-phishing in their campaigns? (format: group1,group2)
* Based on the information for the first group, what are their associated groups?
* What software is associated with this group that lists phishing as a technique?
* What is the description for this software?
* This group overlaps (slightly) with which other group?
* How many techniques are attributed to this group?

Task 4 CAR Knowledge Base
Cyber Analytics Repository
The official definition of CAR is "The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK® adversary model. CAR defines a data model that is leveraged in its pseudocode representations but also includes implementations directly targeted at specific tools (e.g., Splunk, EQL) in its analytics. With respect to coverage, CAR is focused on providing a set of validated and well-explained analytics, in particular with regards to their operating theory and rationale."
Instead of further attempting to explain what CAR is, let's dive in. With our newly acquired knowledge from the previous section, we should feel comfortable with, and understand, the information that CAR provides us.
Let's begin our journey by reviewing CAR-2020-09-001: Scheduled Task - File Access. Upon visiting the page, we're given a brief description of the analytic and references to ATT&CK (technique, sub-technique, and tactic). We're also provided with pseudocode and a query for searching for this specific analytic within Splunk.
Pseudocode is a plain, human-readable way to describe a set of instructions or algorithms that a program or system will perform. Note the reference to Sysmon. If you're not familiar with Sysmon, check out the Sysmon room.
To take full advantage of CAR, we can view the Full Analytic List or the CAR ATT&CK® Navigator layer to view all the analytics.
(Image: Full Analytic List)
In the Full Analytic List view, we can see what implementations are available for any given analytic at a single glance, along with what OS platform it applies to.
(Image: CAR ATT&CK Navigator. The techniques highlighted in purple are the analytics currently in CAR.)
Let's look at another analytic to see a different implementation, CAR-2014-11-004: Remote PowerShell Sessions. Under Implementations, pseudocode is provided along with an EQL version of the pseudocode. EQL (pronounced 'equal') is an acronym for Event Query Language. EQL can be utilized to query, parse, and organize Sysmon event data. You can read more about this here.
To summarize, CAR is a great place for finding analytics that take us further than the Mitigation and Detection summaries in the ATT&CK® framework. This tool is not a replacement for ATT&CK® but an added resource.
Answer the questions below
* What tactic has an ID of TA0003?
* What is the name of the library that is a collection of Zeek (BRO) scripts?
* What is the name of the technique for running executables with the same hash and different names?
* Examine CAR-2013-05-004. Besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?

Task 5 MITRE Engage
MITRE ENGAGE
Per the website, "MITRE Engage is a framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals."
MITRE Engage is considered an Adversary Engagement Approach.
This is accomplished by the implementation of Cyber Denial and Cyber Deception. With Cyber Denial we prevent the adversary's ability to conduct their operations, and with Cyber Deception we intentionally plant artifacts to mislead the adversary.
The Engage website provides a starter kit to get you 'started' with the Adversary Engagement Approach. The starter kit is a collection of whitepapers and PDFs explaining various checklists, methodologies, and processes to get you started.
As with MITRE ATT&CK, Engage has its own matrix. Below is a visual of the Engage Matrix.
(Image: Engage Matrix. Source: https://engage.mitre.org)
Let's quickly explain each of these categories based on the information on the Engage website.
* Prepare the set of operational actions that will lead to your desired outcome (input)
* Expose adversaries when they trigger your deployed deception activities
* Affect adversaries by performing actions that will have a negative impact on their operations
* Elicit information by observing the adversary to learn more about their modus operandi (TTPs)
* Understand the outcomes of the operational actions (output)
Refer to the Engage Handbook to learn more.
You can interact with the Engage Matrix Explorer. We can filter by information from MITRE ATT&CK. Note that by default the matrix focuses on Operate, which entails Expose, Affect, and Elicit. You can click on Prepare or Understand if you wish to focus solely on that part of the matrix.
That should be enough of an overview. We'll leave it to you to explore the resources provided to you on this website. Before moving on, let's practice using this resource by answering the questions below.
Answer the questions below
* Under Prepare, what is ID SAC0002?
* What is the name of the resource to aid you with the engagement activity from the previous question?
* Which engagement activity baits a specific response from the adversary?
* What is the definition of Threat Model?

Task 6 MITRE D3FEND
D3FEND
What is this MITRE resource? Per the D3FEND website, this resource is "A knowledge graph of cybersecurity countermeasures."
D3FEND is still in beta and is funded by the Cybersecurity Directorate of the NSA. D3FEND stands for Detection, Denial, and Disruption Framework Empowering Network Defense.
At the time of this writing, there are 408 artifacts in the D3FEND matrix. See the below image.
(Image: D3FEND matrix)
Let's take a quick look at one of the D3FEND artifacts, such as Decoy File. As you can see, you're provided with information on what the technique is (definition), how the technique works (how it works), things to think about when implementing the technique (considerations), and how to utilize the technique (example).
Note, as with other MITRE resources, you can filter based on the ATT&CK matrix.
Since this resource is in beta and will change significantly in future releases, we won't spend that much time on D3FEND. The objective of this task is to make you aware of this MITRE resource, and hopefully you'll keep an eye on it as it matures in the future. We will still encourage you to navigate the website a bit by answering the questions below.
Answer the questions below
* What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?
* In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produce?

Task 7 ATT&CK® Emulation Plans
If these tools provided to us by MITRE are not enough, under MITRE ENGENUITY we have CTID, the Adversary Emulation Library, and ATT&CK® Emulation Plans.
CTID
MITRE formed an organization named The Center of Threat-Informed Defense (CTID). This organization consists of various companies and vendors from around the globe. Their objective is to conduct research on cyber threats and their TTPs and share this research to improve cyber defense for all.
Some of the companies and vendors who are participants of CTID:
* AttackIQ (founder)
* Verizon
* Microsoft (founder)
* Red Canary (founder)
* Splunk
Per the website, "Together with Participant organizations, we cultivate solutions for a safer world and advance threat-informed defense with open-source software, methodologies, and frameworks. By expanding upon the MITRE ATT&CK knowledge base, our work expands the global understanding of cyber adversaries and their tradecraft with the public release of data sets critical to better understanding adversarial behavior and their movements."
Adversary Emulation Library & ATT&CK® Emulation Plans
The Adversary Emulation Library is a public library making adversary emulation plans a free resource for blue/red teamers. The library and the emulations are a contribution from CTID.
There are several ATT&CK® Emulation Plans currently available: APT3, APT29, and FIN6. The emulation plans are a step-by-step guide on how to mimic the specific threat group. If any of the C-Suite were to ask, "how would we fare if APT29 hits us?", this can easily be answered by referring to the results of the execution of the emulation plan.
Review the emulation plans to answer the questions below.
Answer the questions below
* In Phase 1 for the APT3 Emulation Plan, what is listed first?
* Under Persistence, what binary was replaced with cmd.exe?
* Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)
* What C2 framework is listed in Scenario 2 Infrastructure?
* Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)

Task 8 ATT&CK® and Threat Intelligence
Threat Intelligence (TI) or Cyber Threat Intelligence (CTI) is the information, or TTPs, attributed to the adversary.
By using threat intelligence, as defenders, we can make better decisions regarding our defensive strategy. Large corporations might have an in-house team whose primary objective is to gather threat intelligence for other teams within the organization, aside from using threat intel that is already readily available. Some of this threat intel can be open source or come through a subscription with a vendor, such as CrowdStrike.
In contrast, in some organizations many defenders wear multiple hats (roles), and they need to take time from their other tasks to focus on threat intelligence. To cater to the latter, we'll work on a scenario of using ATT&CK® for threat intelligence. The goal of threat intelligence is to make the information actionable.
Scenario: You are a security analyst who works in the aviation sector. Your organization is moving their infrastructure to the cloud. Your goal is to use the ATT&CK® Matrix to gather threat intelligence on APT groups who might target this particular sector and use techniques targeting your areas of concern. You are checking to see if there are any gaps in coverage. After selecting a group, look over the selected group's information and their tactics, techniques, etc.
Answer the questions below
* What is a group that targets your sector who has been in operation since at least 2013?
* As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?
* What tool is associated with the technique from the previous question?
* Referring to the technique from question 2, what mitigation method suggests using SMS messages as an alternative for its implementation?
* What platforms does the technique from question #2 affect?

Task 9 Conclusion
In this room, we explored tools/resources that MITRE has provided to the security community.
The room's goal was to expose you to these resources and give you foundational knowledge of their uses. Many vendors of security products and security teams across the globe consider these contributions from MITRE invaluable in their day-to-day efforts to thwart evil. The more information we have as defenders, the better equipped we are to fight back.
Some of you might be looking to transition to become a SOC analyst, detection engineer, cyber threat analyst, etc.; these tools/resources are a must to know.
As mentioned before, though, this is not only for defenders. As red teamers, these tools/resources are useful as well. Your objective is to mimic the adversary and attempt to bypass all the controls in place within the environment. With these resources, as the red teamer, you can effectively mimic a true adversary and communicate your findings in a common language that both sides can understand. In a nutshell, this is known as purple teaming.
Answer the questions below
* Read the above

Copyright TryHackMe 2018-2023, 128 City Road, London, EC1V 2NX