TryHackMe: MITRE Writeup

4 min readOct 25, 2022


MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
The ATT&CK® framework has grown and expanded throughout the years. One notable expansion was that the framework focused solely on the Windows platform but has expanded to cover other platforms, such as macOS and Linux. The framework is heavily contributed to by many sources, such as security researchers and threat intelligence reports. Note this is not only a tool for blue teamers. The tool is also useful for red teamers.

“The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK® adversary model. CAR defines a data model that is leveraged in its pseudocode representations but also includes implementations directly targeted at specific tools (e.g., Splunk, EQL) in its analytics. With respect to coverage, CAR is focused on providing a set of validated and well-explained analytics, in particular with regards to their operating theory and rationale.”

MITRE Engage is a framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals. MITRE Engage is considered an Adversary Engagement Approach. This is accomplished by the implementation of Cyber Denial and Cyber Deception. With Cyber Denial we prevent the adversary’s ability to conduct their operations and with Cyber Deception we intentionally plant artefacts to mislead the adversary.

D3FEND stands for Detection, Denial, and Disruption Framework Empowering Network Defense. It is a knowledge graph of cybersecurity countermeasures.

The Adversary Emulation Library is a public library making adversary emulation plans a free resource for blue/red teamers. The library and the emulations are a contribution from CTID. There are several ATT&CK® Emulation Plans currently available: APT3, APT29, and FIN6.


TASK 3: ATT&CK® Framework

  1. Besides blue teamers, who else will use the ATT&CK Matrix? Answer: Red Teamers
  2. What is the ID for this technique? Answer: T1566
  3. Based on this technique, what mitigation covers identifying social engineering techniques? Answer: User Training
  4. What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas). Answer: Application Log,File,Nework Traffic
  5. What groups have used spear-phishing in their campaigns? (format: group1,group2). Answer: Axiom,Gold SOUTHFIELD
  6. Based on the information for the first group, what are their associated groups? Answer: Group 72
  7. What software is associated with this group that lists phishing as a technique? Answer: Hikit
  8. What is the description for this software? Answer: Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.
  9. This group overlaps (slightly) with which other group? Answer: Winnti Group
  10. How many techniques are attributed to this group? Answer: 15

TASK 4: CAR Knowledge Base

  1. For the above analytic, what is the pseudocode a representation of? Answer: Splunk search
  2. What tactic has an ID of TA0003? Answer: Persistence
  3. What is the name of the library that is a collection of Zeek (BRO) scripts? Answer: BZAR
  4. What is the name of the technique for running executables with the same hash and different names? Answer: Masquerading
  5. Examine CAR-2013–05–004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique? Answer: Unit Tests

TASK 5: MITRE Engage

  1. Under Prepare, what is ID SAC0002? Answer: Persona Creation
  2. What is the name of the resource to aid you with the engagement activity from the previous question? Answer: PERSONA PROFILE WORKSHEET
  3. Which engagement activity baits a specific response from the adversary? Answer: lures
  4. What is the definition of Threat Model? Answer: A risk assessment that models organizational strengths and weaknesses


  1. What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown? Answer: Data Obfuscation
  2. In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produces? Answer: Outbound Internet Network Traffic

TASK 7: ATT&CK® Emulation Plans

  1. In Phase 1 for the APT3 Emulation Plan, what is listed first? Answer: c2 setup
  2. Under Persistence, what binary was replaced with cmd.exe? Answer: sethc.exe
  3. Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2). Answer: Pupy,Metasploit Framework
  4. What C2 framework is listed in Scenario 2 Infrastructure? Answer: poshc2
  5. Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id). Answer: P.A.S.,S0598

TASK 8: ATT&CK® and Threat Intelligence

  1. What is a group that targets your sector who has been in operation since at least 2013? Answer: APT33
  2. As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it? Answer: cloud accounts
  3. What tool is associated with the technique from the previous question? Answer: Ruler
  4. Per the detection tip, what should you be detecting? (format: phrase1 or phrase2). Answer: abnormal or malicious behavior
  5. What platforms does the technique from question #2 affect? Answer: Azure AD, Google Workspace, IaaS, Office 365, SaaS

We are at the end of this room……………………………





Working towards making the world cyber safe.