# MITRE

{% embed url="https://www.mandiant.com/resources/insights/apt-groups" %}
FireEye's current list of APT groups
{% endembed %}

{% embed url="https://attack.mitre.org/" %}
ATT\&CK® Matrix for Enterprise
{% endembed %}

### <mark style="color:red;">ATT\&CK Framework</mark>

<mark style="color:green;">"MITRE ATT\&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations."</mark>

The ATT\&CK® framework covers platforms such as Windows, Linux, and macOS. Its content is contributed by security researchers and drawn from threat intelligence reports, and it is a tool for both blue and red teamers.

The ATT\&CK matrix can be used to map a threat group to their tactics and techniques.
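ATT\&CK publishes the matrix as STIX 2.x data, so the group-to-technique mapping described above can be done programmatically. The block below is an added example, not MITRE's or TryHackMe's code; the bundle is a constructed miniature of the real `enterprise-attack.json` (same object types, `relationship_type` and `kill_chain_name` values, but made-up STIX ids and one made-up revoked technique).

```python
"""Map an ATT&CK group to the techniques (and tactics) it uses from a STIX bundle.
Added example; the bundle is constructed, not the real ATT&CK export."""

# Constructed mini-bundle. Object types, "uses" relationships and the
# "mitre-attack" kill-chain name mirror the real data; ids and T9999 are made up.
BUNDLE = {
    "type": "bundle",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--aaaa", "name": "Axiom",
         "aliases": ["Axiom", "Group 72"],
         "external_references": [{"source_name": "mitre-attack", "external_id": "G0001"}]},
        {"type": "attack-pattern", "id": "attack-pattern--bbbb", "name": "Phishing",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "attack-pattern", "id": "attack-pattern--cccc", "name": "Retired (constructed)",
         "revoked": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
        {"type": "relationship", "id": "relationship--dddd", "relationship_type": "uses",
         "source_ref": "intrusion-set--aaaa", "target_ref": "attack-pattern--bbbb"},
        {"type": "relationship", "id": "relationship--eeee", "relationship_type": "uses",
         "source_ref": "intrusion-set--aaaa", "target_ref": "attack-pattern--cccc"},
    ],
}

def attack_id(obj):
    """Return the ATT&CK external id (G0001, T1566, ...) of a STIX object, if any."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def techniques_for_group(bundle, group):
    """Return sorted (technique_id, name, tactics) tuples used by `group`, which may
    be a name, an alias or a Gxxxx id. Revoked/deprecated techniques are skipped,
    because ATT&CK keeps retired objects in the export and a gap analysis must not
    count them as coverage."""
    objs = {o["id"]: o for o in bundle["objects"]}
    group_ids = {o["id"] for o in objs.values() if o["type"] == "intrusion-set"
                 and (group in {o["name"], attack_id(o)} or group in o.get("aliases", []))}
    if not group_ids:
        raise KeyError(f"unknown group: {group}")
    found = []
    for rel in objs.values():
        if rel["type"] != "relationship" or rel["relationship_type"] != "uses":
            continue
        if rel["source_ref"] not in group_ids:
            continue
        tech = objs.get(rel["target_ref"])
        if not tech or tech["type"] != "attack-pattern":
            continue
        if tech.get("revoked") or tech.get("x_mitre_deprecated"):
            continue
        tactics = tuple(p["phase_name"] for p in tech.get("kill_chain_phases", [])
                        if p["kill_chain_name"] == "mitre-attack")
        found.append((attack_id(tech), tech["name"], tactics))
    return sorted(found)
```

Loading the real bundle with `json.load` and passing it in place of `BUNDLE` gives the same mapping for any group in ATT\&CK.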

***Besides blue teamers, who else will use the ATT\&CK Matrix?***\
Red Teamers

***What is the ID for this technique?***\
T1566

***Based on this technique, what mitigation covers identifying social engineering techniques?***\
User Training

***What are the data sources for Detection?*** \
Application log, file, network traffic

***What groups have used spear-phishing in their campaigns? (format: group1,group2)***\
Axiom, Gold Southfield

***Based on the information for the first group, what are their associated groups?***\
Group 72

***What software is associated with this group that lists phishing as a technique?***\
Hikit

***What is the description for this software?***\
Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.

***This group overlaps (slightly) with which other group?***\
Winnti Group

***How many techniques are attributed to this group?***\
15

### <mark style="color:red;">CAR Knowledge Base</mark>

The MITRE **Cyber Analytics Repository (CAR)** provides a set of validated and well-explained analytics, each with its operating theory and rationale. **CAR** defines a data model against which its pseudocode representations are written, and many analytics also include implementations targeted at specific tools *(Splunk, EQL)*.

Each CAR analytic provides a description and references to ATT\&CK, along with pseudocode and a Splunk query to search for that specific analytic.

Pseudocode is a human-readable way to describe a set of instructions/algorithms a program or system will perform.

{% embed url="https://car.mitre.org/analytics" %}
[Full Analytic List](https://car.mitre.org/analytics)
{% endembed %}

{% embed url="https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/car_analytic_coverage_04_05_2022.json" %}
[CAR ATT\&CK® Navigator layer](https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/mitre-attack/car/master/docs/coverage/car_analytic_coverage_04_05_2022.json)
{% endembed %}

In the Full Analytic List, an EQL version of the pseudocode is also provided. Event Query Language (EQL) can be used to query, parse, and organize Sysmon event data.
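To show what a CAR analytic's pseudocode becomes when it is run against real events, here is an added example (not CAR's code) that implements the "same hash, different executable names" masquerading check over constructed Sysmon Event ID 1 records shaped like CAR's `process` data model (`exe`, `image_path`, `hashes`); the hostnames, paths and hash values are made up.

```python
"""CAR-style analytic in Python: executables with the same hash run under
different names. Added example; events below are constructed, not real telemetry."""
from collections import defaultdict

# Constructed Sysmon-like records. Hash values are placeholders, not real digests.
EVENTS = [
    {"event_id": 1, "exe": "svchost.exe", "image_path": r"C:\Windows\System32\svchost.exe",
     "hashes": {"SHA256": "aa11"}, "hostname": "ws01"},
    {"event_id": 1, "exe": "svchost.exe", "image_path": r"C:\Windows\System32\svchost.exe",
     "hashes": {"SHA256": "aa11"}, "hostname": "ws02"},
    {"event_id": 1, "exe": "notepad.exe", "image_path": r"C:\Windows\System32\notepad.exe",
     "hashes": {"SHA256": "bb22"}, "hostname": "ws01"},
    # Same bytes as notepad.exe, renamed and run from a user-writable folder.
    {"event_id": 1, "exe": "SVCHOST.EXE", "image_path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "hashes": {"SHA256": "bb22"}, "hostname": "ws03"},
    # Sysmon Event ID 3 (network connection): not a process create, must be ignored.
    {"event_id": 3, "exe": "chrome.exe", "image_path": r"C:\Program Files\Google\Chrome\chrome.exe",
     "hashes": {"SHA256": "cc33"}, "hostname": "ws01"},
]

def normalise_name(path_or_name):
    """Basename, lower-cased, so 'C:\\A\\X.EXE' and 'x.exe' compare equal."""
    return path_or_name.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def same_hash_different_names(events, hash_alg="SHA256"):
    """CAR-style pseudocode this function implements:
         processes = search Process:Create
         by_hash   = group processes by hashes[hash_alg]
         output    = by_hash where count(distinct exe) > 1
       Returns {hash: {name: [hosts]}} for every hash executed under more
       than one file name; an empty dict means nothing matched."""
    by_hash = defaultdict(lambda: defaultdict(set))
    for ev in events:
        if ev.get("event_id") != 1:          # Sysmon 1 = process create
            continue
        digest = ev.get("hashes", {}).get(hash_alg)
        if not digest:
            continue                          # no hash recorded: cannot group
        name = normalise_name(ev.get("exe") or ev["image_path"])
        by_hash[digest][name].add(ev["hostname"])
    return {h: {n: sorted(hosts) for n, hosts in names.items()}
            for h, names in by_hash.items() if len(names) > 1}
```

The same grouping-by-hash logic is what the Splunk and EQL implementations of such an analytic express in their own query syntax.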

<figure><img src="/files/9bYUnboFrfYj0MaiVhbC" alt=""><figcaption><p><a href="https://assets.tryhackme.com/additional/mitrev2/t4-eql-pseudo.png">https://assets.tryhackme.com/additional/mitrev2/t4-eql-pseudo.png </a></p></figcaption></figure>

***For the above analytic, what is the pseudocode a representation of?***

Splunk Search

***What tactic has an ID of TA0003?***

Persistence

***What is the name of the library that is a collection of Zeek (BRO) scripts?***

BZAR

***What is the name of the technique for running executables with the same hash and different names?***

Masquerading

***Examine CAR-2013-05-004, besides Implementations, what additional information is provided to analysts to ensure coverage for this technique?***

Unit Tests

### <mark style="color:red;">MITRE Engage</mark>

<mark style="color:green;">"</mark>*<mark style="color:green;">MITRE Engage is a framework for planning and discussing adversary engagement operations that empowers you to engage your adversaries and achieve your cybersecurity goals.</mark>*<mark style="color:green;">"</mark>

MITRE Engage takes an Adversary Engagement approach, carried out through the implementation of Cyber Denial and Cyber Deception.

**Cyber Denial** - Prevent the adversary's ability to conduct operations

**Cyber Deception** - Intentionally plant artifacts to mislead the adversary

{% embed url="https://engage.mitre.org/starter-kit/" %}
MITRE Engage Starter Kit
{% endembed %}

<mark style="color:purple;">The Engage matrix categories explained:</mark>

* <mark style="color:purple;">**Prepare** the set of operational actions that will lead to your desired outcome (input)</mark>
* <mark style="color:purple;">**Expose** adversaries when they trigger your deployed deception activities</mark>
* <mark style="color:purple;">**Affect** adversaries by performing actions that will have a negative impact on their operations</mark>
* <mark style="color:purple;">**Elicit** information by observing the adversary and learn more about their modus operandi (TTPs)</mark>
* <mark style="color:purple;">**Understand** the outcomes of the operational actions (output)</mark>

{% embed url="https://engage.mitre.org/matrix/" %}
MITRE Engage Matrix
{% endembed %}

***Under Prepare, what is ID SAC0002?***

PERSONA CREATION

***What is the name of the resource to aid you with the engagement activity from the previous question?***

PERSONA PROFILE WORKSHEET

***Which engagement activity baits a specific response from the adversary?***

LURES

***What is the definition of Threat Model?***

A risk assessment that models organizational strengths and weaknesses

### <mark style="color:red;">MITRE D3FEND</mark>

<mark style="color:green;">"</mark>*<mark style="color:green;">A knowledge graph of cybersecurity countermeasures.</mark>*<mark style="color:green;">"</mark>

{% embed url="https://d3fend.mitre.org/" %}
D3FEND beta site
{% endembed %}

**Detection, Denial, and Disruption Framework Empowering Network Defense** (D3FEND) is still in beta and is funded by the NSA's Cybersecurity Directorate.

For each countermeasure, the site provides the technique, how it works, considerations when implementing it, and how it is utilized.

***What is the first MITRE ATT\&CK technique listed in the ATT\&CK Lookup dropdown?***

Data Obfuscation

***In D3FEND Inferred Relationships, what does the ATT\&CK technique from the previous question produce?***

Outbound Internet Network Traffic

### <mark style="color:red;">ATT\&CK Emulation Plans</mark>

{% embed url="https://mitre-engenuity.org/" %}
CTID, the Adversary Emulation Library, and ATT\&CK® Emulation Plans
{% endembed %}

The Center for Threat-Informed Defense (CTID) is a global group of companies and vendors whose objective is to research cyber threats and their TTPs; sharing this research improves cyber defense.

<mark style="color:yellow;">Some participants include:</mark>

* <mark style="color:yellow;">AttackIQ (founder)</mark>
* <mark style="color:yellow;">Verizon</mark>
* <mark style="color:yellow;">Microsoft (founder)</mark>
* <mark style="color:yellow;">Red Canary (founder)</mark>
* <mark style="color:yellow;">Splunk</mark>

The Adversary Emulation Library, a contribution from CTID, supplies free adversary emulation plans (EPs) to blue and red teamers. Each EP is a guide to mimicking a specific threat group.

{% embed url="https://medium.com/mitre-engenuity/introducing-the-all-new-adversary-emulation-plan-library-234b1d543f6b" %}
Adversary Emulation Library
{% endembed %}

{% embed url="https://github.com/center-for-threat-informed-defense/adversary_emulation_library" %}
ATT\&CK Emulation Plans
{% endembed %}

Some current AEPs are [APT3](https://attack.mitre.org/resources/adversary-emulation-plans/), [APT29](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/apt29), and [FIN6](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/fin6).

***In Phase 1 for the APT3 Emulation Plan, what is listed first?***

C2 Setup

***Under Persistence, what binary was replaced with cmd.exe?***

sethc.exe

***Examining APT29, what C2 frameworks are listed in Scenario 1 Infrastructure? (format: tool1,tool2)***

[Pupy,Metasploit Framework](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Resources/Scenario_1/install_day1_tools.sh)

***What C2 framework is listed in Scenario 2 Infrastructure?***

[PoshC2](https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/apt29/Emulation_Plan/Scenario_2/Infrastructure.md)

***Examine the emulation plan for Sandworm. What webshell is used for Scenario 1? Check MITRE ATT\&CK for the Software ID for the webshell. What is the id? (format: webshell,id)***

[P.A.S.,S0598](https://attack.mitre.org/software/S0598/)

### <mark style="color:red;">ATT\&CK and Threat Intelligence</mark>

**Threat Intelligence (TI)** or **Cyber Threat Intelligence (CTI)** is the information, or TTPs, attributed to the adversary. The goal of threat intelligence is to make the information actionable.

Defenders use TI to make better decisions for defensive strategy. Some TI can be open source or obtained through vendors, such as [**CrowdStrike**](https://www.crowdstrike.com/).

<mark style="color:purple;">**Scenario**</mark><mark style="color:purple;">:</mark> *You are a security analyst who works in the aviation sector. Your organization is moving their infrastructure to the cloud. Your goal is to use the ATT\&CK® Matrix to gather threat intelligence on APT groups who might target this particular sector and use techniques targeting your areas of concern. You are checking to see if there are any gaps in coverage. After selecting a group, look over the selected group's information and their tactics, techniques, etc.*

***What is a group that targets your sector who has been in operation since at least 2013?***

APT33

***As your organization is migrating to the cloud, is there anything attributed to this APT group that you should focus on? If so, what is it?***

Cloud Accounts

***What tool is associated with the technique from the previous question?***

Ruler

***Per the detection tip, what should you be detecting? (format: phrase1 or phrase2)***

Abnormal or malicious behavior

***What platforms does the technique from question #2 affect?***

Azure AD, Google Workspace, IaaS, Office 365, SaaS

