Skip to content

Task 1 Introduction to MITRE

What is MITRE?

The MITRE organization is a cyber security research and development organization that started in 1958 to “serve as objective advisers in systems engineering to government agencies, both military and civilian” according to their website.

In this room, we will focus on other projects/research that the US-based non-profit MITRE Corporation has created for the cybersecurity community, specifically:

  • ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) Framework
  • CAR (Cyber Analytics Repository) Knowledge Base
  • D3FEND (Detection, Denial, and Disruption Framework Empowering Network Defense)
  • AEP (ATT&CK Emulation Plans)
No answer needed

Task 2 Basic Terminology

Some common terminology used by MITRE is defined here.

  • Advanced Persistent Threat (APT) – A group or individual that engages in long-term attacks against an organization.
  • Threat Group – any group of three or more perosns with recurring threating or disruptive behavior.
  • Nation State Actor – APTs that typically target geopolitical entities and have advanced resources. These can be government or military funded groups operating for political or economic interests.
  • Tactic – the threat group’s goal or objective.
  • Technique – how the objective is achieved.
  • Procedures – how the technique is executed.
No answer needed

Task 3 ATT&CK® Framework

The MITRE ATT&CK framework can be found at The answers for these questions can be found using the phishing page.

Besides blue teamers, who else will use the ATT&CK Matrix? 

MITRE ATT&CK is used equally by Blue and Red teams.

Red Teamers

What is the ID for this technique?

Viewing the MITRE ATT&CK Phishing page indicates the Technique ID T1566


Based on this technique, what mitigation covers identifying social engineering techniques?

If you scroll down the page to the Mitigations section, you will find that User Training is the mitigation technique that involves training users to identify social engineering techniques.

User Training

What are the data sources for Detection? (format: source1,source2,source3 with no spaces after commas)

The Detection section of the webpage details the data sources that can be monitored to identify this type of technique.

Application Log,File,Nework Traffic

What groups have used spear-phishing in their campaigns? (format: group1,group2)

The Procedure Examples section contains a list of groups that have used the spear-phishing technique.


Based on the information for the first group, what are their associated groups?

Clicking the Axiom link above opens the page for Axiom. The page indicates that Group 72 is an associated group.

Group 72

What software is associated with this group that lists phishing as a technique?

The software section of the Axiom page shows Hikit is a software used by the group that uses the phishing technique.


What is the description for this software?

Clicking on the Hikit link in the above image brings up the MITRE page for Hikit. Right under the page title is the software’s description.

Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.

This group overlaps (slightly) with which other group?

Back on the Axiom page, the description for the group suggests there is overlap between the Axiom and Winnti groups.

Winnti Group

How many techniques are attributed to this group?

In the Techniques Used section of the Axiom group page, there are fifteen techniques listed.


Task 4 CAR Knowledge Base

The official definition of CAR is “The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK® adversary model. CAR defines a data model that is leveraged in its pseudocode representations but also includes implementations directly targeted at specific tools (e.g., Splunk, EQL) in its analytics. With respect to coverage, CAR is focused on providing a set of validated and well-explained analytics, in particular with regards to their operating theory and rationale.

This task uses the page:

For the above analytic, what is the pseudocode a representation of?

The Implementations section of CAR-2020-09-001 gives an example of the code. It also explains that hte code represents a splunk search.

splunk search

What tactic has an ID of TA0003?

The top of CAR-2020-09-001 page lists the tactics used. I clicked through each one until I found TA0003 on the Persistance page.


What is the name of the library that is a collection of Zeek (BRO) scripts? has a section titled “Analytic Source Code Libraries” that describes BZAR which is a collection of Zeek (Bro) scripts.


What is the name of the technique for running executables with the same hash and different names?

To find this technique, I used a Ctrl+f page search for the words “same hash” and found the technique called Masquerading.


Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?

Under the Implementations section of the CAR-2013-05-004 is the Unit Tests section. This gives additional instructions for admins to follow to cover against this technique.

Unit Tests

Task 5 MITRE Engage

Per the website, “MITRE Engage is a framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals.

The MITRE Engage Matrix Prepare section lists different actions that a cyber security professional can perform to prepare against an upcoming engagement.

I clicked through each action to learn more until I discovered the one with ID SAC0002 which was Persona Creation.

Under Prepare, what is ID SAC0002?

Persona Creation

What is the name of the resource to aid you with the engagement activity from the previous question?

Looking through all of the tools provided by MITRE Engage I found a Persona Profile Worksheet that has been created to aid with Persona Creation.

Persona Profile Worksheet

Which engagement activity baits a specific response from the adversary?

In the Operate section of the MITRE Engage Matrix I noticed an activity called Lures that seemed relevant to “baiting a specific response”.


What is the definition of Threat Model?

MITRE Engage Matrix’s Understand section has the definition for Threat Model.

A risk assessment that models organizational strengths and weaknesses


D3FEND stands for Detection, Denial, and Disruption Framework Empowering Network Defense.

What is the first MITRE ATT&CK technique listed in the ATT&CK Lookup dropdown?

I clicked the ATT&CK Lookup dropdown box to find the first option on the list T1001 - Data Obfuscation

Data Obfuscation

In D3FEND Inferred Relationships, what does the ATT&CK technique from the previous question produces?

I then clicked on the link for Data Obfuscation, then scrolled down to the D3FEND Inferred Relationships section. The graph indicated that Data Obfuscation produces Outbound Internet Network Traffic.

Outbound Internet Network Traffic

Task 7 ATT&CK® Emulation Plans

In Phase 1 for the APT3 Emulation Plan, what is listed first?

The Adversary Emulation Plans page has information on the three phases of the APT 3 attack pattern.

The first step of Phase 1 is C2 Setup

C2 Setup

Under Persistence, what binary was replaced with cmd.exe?

To find the answer to this question I visited the APT 3 Adversary Emulation Plan documentation.

On page v of the documentation I found an entry in the Table of Contents listing the Persistence section on page 3-17. The PDF version of the documentation included a link so I just clicked the word Persistence which took me to the correct page.

This section showed APT 3 replaced sethc.exe (Sticky Keys) with cmd.exe as a method to obtain persistence on a machine.


Examining APT29, what  C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)

The github page for APT 29 has a Table of Contents that lists Scenario 1 – Infrastructure.

This page lists the C2 Frameworks used by APT 29 in Scenario 1 which is Pupy and Metasploit Framework.

Pupy,Metasploit Framework

What C2 framework is listed in Scenario 2 Infrastructure?

Going back to the Table of Contents, I found the link for Scenario 2 Infrastructure. On this page I found the C2 Framework listed as PoshC2


Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT&CK for the Software ID for the webshell. What is the id? (format: webshell,id)

I found the github page for Sandworm Scenario 1 and learned it used P.A.S. Webshell.

I then searched this webshell on MITRE ATT&CK to find the page for it here.

On this page I found the ID number S0598


Task 8 ATT&CK® and Threat Intelligence

Scenario: You are a security analyst who works in the aviation sector. Your organization is moving their infrastructure to the cloud. Your goal is to use the ATT&CK® Matrix to gather threat intelligence on APT groups who might target this particular sector and use techniques targeting your areas of concern. You are checking to see if there are any gaps in coverage. After selecting a group, look over the selected group’s information and their tactics, techniques, etc.

What is a group that targets your sector who has been in operation since at least 2013?

I used the search bar on the MITRE ATT&CK top bar to look for the keyword aviation. It found several links. I noticed the third one mentioned a group operating since at least 2013.

I clicked the link to confirm this group is APT33.


As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?

The list shows APT33 used a technique that focused on Cloud Accounts.

Cloud Accounts

What tool is associated with the technique from the previous question?

The above screenshot shows the associated tool used with Cloud Accounts is Ruler.


Per the detection tip, what should you be detecting? (format: phrase1 or phrase2)

I clicked the link for Cloud Accounts and the Detection section mentioned the need to detect “abnormal or malicious behavior”.

abnormal or malicious behavior

What platforms does the technique from question #2 affect?

Further up the page for Cloud Accounts, the sidebar on the right outlines the platforms this technique can affect.

Azure AD, Google Workspace, IaaS, Office 365, SaaS

Leave a Reply

Your email address will not be published. Required fields are marked *