This is a Write up for the MITRE Room Created by heavenraiza
TASK 1 & 2 are simple click and complete tasks
TASK 3
Question 1: Only blue teamers will use the ATT&CK Matrix? (Yay/Nay)
Question 2: we need to head over to https://attack.mitre.org/
*Keep in mind it mentions to start your research on the Phishing page 
Question 3: is found under the Mitigations section on the Phishing page
Question 4: can be found under the Detection section of this same page
Question 5: Is located on the same page near the top
Question 6: click on the Groups link to learn more about them and the information is located under
Associated Group Descriptions
Question 7: is located under the Software Section
Question 8: is found when we click the hyperlink for PsExec we are led to a page about the tool and who has been known to use it and this will help us answer this question.
Question 9: Click on the FIN5 Group hyperlink to be taken to their page to find the next answers
Question 10: This located under the software section where we learn that the Windows Credential Editor is used by FIN5
And here is our TASK 3 Recap
Task 4
Question 1: Splunk search is pseudo
Question 2: Head to https://attack.mitre.org/ and click on the search icon on the top right and enter TA0003, if we click on the first link we are then taken to What type of Tactic this is.
Question 3: Head to https://car.mitre.org/ and I searched for Zeek
Question 4: Head to https://car.mitre.org/analytics/ and I searched for hash ( only 3 results )
Question 5: There is a section for Test Cases located on the same page
TASK 4 Recap
TASK 5
Question 1 & 2: we need to go tohttps://shield.mitre.org/ > Matrix > this lists all the techniques and we see that Detect has the most.
Question 3: all we need to do is a quick search from the search bar shows that DTE0011 is Decoy Content >
Question 4: involves continuing your search from the DTE0011
Question 5: https://shield.mitre.org/attack_mapping/mapping_all > get here by using the navigation bar and clicking Att&ck Mapping > Overview > then a few lines down there is a hyperlink for the complete mapping.
Task 5 Recap
TASK 6
Question 1: Click the APT3 hyperlink they provided in the room to find this answer
Question 2: This can be located viahttps://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf > Phase 2 > Persistence | utilize the table of contents to find this easily! 
Question 3: This can be found by reading the First Scenario section viahttps://attackevals.mitre-engenuity.org/APT29/operational-flow
Question 4: This can be found by reading the Second Scenario section viahttps://attackevals.mitre-engenuity.org/APT29/operational-flow
Task 6 Recap
TASK7
Question 1 & 2: We need to head back to MITRE and use the navigation bar to search groups ( or here is a link https://attack.mitre.org/groups/ ) a search on the page for Aviation reveals that APT33 is the group who may target us in this scenario
Question 3: Go to the APT33 Group page https://attack.mitre.org/groups/G0064/ > scroll to software
Question 4: If we Take a look at what Techniques they use under T1078.004 we find the information below to help us find this answer
Question 5: Further on this page we have a Detection writeup that we can use.
Question 6: On the top right of the page we will find the ID information to finish up this room!
Task 7 Recap
Thanks for stopping by and I hope this is able to help you complete any tasks/questions that were proving difficult to find!
Eric says:
Thanks for the help! I was stuck on the last question of Task 6 (I could not find that phrase referenced anywhere). This helped!
Jon Jepma says:
I’m Glad this helped you!