This is a write-up for the MITRE room created by heavenraiza.

TASK 1 & 2 are simple click-and-complete tasks.

TASK 3

Question 1: Only blue teamers will use the ATT&CK Matrix? (Yay/Nay)

Question 2: We need to head over to https://attack.mitre.org/

*Keep in mind that the room tells you to start your research on the Phishing page.

Question 3: The answer is found under the Mitigations section of the Phishing page.

Question 4: The answer is found under the Detection section of the same page.

Question 5: The answer is located on the same page, near the top.

Question 6: Click on the Groups link to learn more about them; the information is located under Associated Group Descriptions.

Question 7: The answer is located under the Software section.

Question 8: Clicking the hyperlink for PsExec leads to a page about the tool and the groups known to have used it, which gives us the answer to this question.

Question 9: Click on the FIN5 group hyperlink to be taken to their page, where the next answers are found.

Question 10: This is located under the Software section, where we learn that Windows Credential Editor is used by FIN5.

And here is our TASK 3 Recap

Task 4

Question 1: The Splunk search is pseudo.

Question 2: Head to https://attack.mitre.org/, click on the search icon at the top right and enter TA0003. Clicking on the first result takes us to the page that tells us what type of tactic this is.

Question 3: Head to https://car.mitre.org/; I searched for Zeek.

Question 4: Head to https://car.mitre.org/analytics/; I searched for hash (only 3 results).

Question 5: There is a Test Cases section located on the same page.

TASK 4 Recap

TASK 5

Question 1 & 2: We need to go to https://shield.mitre.org/ > Matrix. This lists all the techniques, and we see that Detect has the most.

Question 3: All we need to do is a quick search from the search bar, which shows that DTE0011 is Decoy Content.

Question 4: This involves continuing your search from DTE0011.

Question 5: https://shield.mitre.org/attack_mapping/mapping_all > get here by using the navigation bar and clicking ATT&CK Mapping > Overview; a few lines down there is a hyperlink for the complete mapping.

Task 5 Recap

TASK 6

Question 1: Click the APT3 hyperlink provided in the room to find this answer.

Question 2: This can be located via https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf > Phase 2 > Persistence. Use the table of contents to find this easily!

Question 3: This can be found by reading the First Scenario section at https://attackevals.mitre-engenuity.org/APT29/operational-flow

Question 4: This can be found by reading the Second Scenario section at https://attackevals.mitre-engenuity.org/APT29/operational-flow

Task 6 Recap

TASK 7

Question 1 & 2: We need to head back to MITRE and use the navigation bar to search groups (or go straight to https://attack.mitre.org/groups/). A search on the page for Aviation reveals that APT33 is the group that may target us in this scenario.

Question 3: Go to the APT33 group page at https://attack.mitre.org/groups/G0064/ and scroll down to Software.

Question 4: If we take a look at the techniques they use, under T1078.004 we find the information needed to answer this question.

Question 5: Further down this page there is a Detection write-up that we can use.

Question 6: At the top right of the page we find the ID information needed to finish up this room!

Task 7 Recap

Thanks for stopping by, and I hope this helps you complete any tasks/questions whose answers were proving difficult to find!