2 hours 24 minutes
This is module one, less than five mapping to a narrative report.
So our objectives for this lesson are to give you some practice identifying tactics, techniques and sub techniques in a narrative report.
If you're working with somebody else to be able to compare your results to another analyst, outcomes
and review the exercise results,
this is exercise one. We're going to have you actually take a narrative report and map to attack tactics and techniques
going to have you analyze a portion of a threat report
going through the process that we've been covering the rest of this module.
We've highlighted 21 techniques and sub techniques in a threat report called Cobalt Kitty. By cyber reason,
you're going to review the report. It should be under the resources tab in the system.
There will be two versions of the report,
one called Cobalt Kitty highlights only, and one called Cobalt Kitty Tactic. Unt's
You can use either. The tactic hints tell you what we would suggest. The tactic is,
whereas the highlights only is the harder version where you're going to have to come up with both,
it's a pdf. If you're using the right reader, you should be able to actually fill in the fields in the pdf itself. Or use a separate piece of paper to keep track of your results
right down the attack tactic and technique or sub technique you think applies to each highlighted behavior.
Remember, use the tricks and tips that we've given you throughout the rest of this module. Do search bar and keyword searches, the attack website.
You don't have to be perfect and there isn't necessarily right answer.
You may actually come up with different things, and we do. You may feel that some of the behaviors we've highlighted
aren't really covered in any techniques.
It's also gonna be an opportunity to dive into attack and take a look at some of the actual content in there.
So please pause the video now and we recommend giving yourself up to 30 minutes to do this exercise
done with that part of the exercise. I've got one more step for you
if you're doing this training, working with others.
So we said it was gonna be something that went up to step five.
So the step we didn't cover yet in the training
is to compare your results with other analysts.
Collaboration helps hedge against analyst biases.
Everyone has different types of biases will cover some of those in actually the next lesson.
But comparing with others can help us come up with better answers.
If you do have somebody to work with, compare what you had for each technique. Answer. So discuss. If there are differences, why how did you each arrive at your conclusions, and it is okay if you walk away disagreeing this. This is analysis at the end of the day.
So if you do have somebody to work with, please pause.
I suggest giving yourself 10 minutes for this part of the exercise.
If you don't have any other analysts to discuss your answers with, you can go on to the next portion.
So as we start to get into
what you came up with for answers on the exercise, some some things to think through
what were the easiest and hardest techniques or sub techniques to identify?
And why were those easier or harder for you?
Which tricks did you use to identify each technique or sub technique?
What challenges did you have? Was there anything you couldn't find
and how did you dress them. Which steps did you go through in trying to figure it out?
So I'm going to go through what our answers were for the highlighted portions of the threat report,
two types of payload were found in the spear. Phishing email
said it was a link and since be initial access spear phishing link.
Right next to that, we also had spear phishing emails, word documents.
Let's be initial axis fishing spearfishing attachment. Both. Those are pretty straightforward.
Two types of payloads were found in the spear. Phishing emails were documents with malicious macros. This takes a little bit more understanding of macros and sort of language is behind them.
But if if you dig into the details, you'll probably find defensive. Asian execution slash Execution Command in scripting Interpreter Visual Basic, which is language behind word macros.
Finally, maybe a little bit less obvious. Two types of payloads were found in the spear phishing emails. The report goes on to describe these as successful attacks,
implying that the user clicked on the email and so something that might are attacked as we do. Our own report mapping
is that we would add an execution user execution, malicious link.
So we highlighted the command at exit being the parent process here, which is the Windows Command shell.
This is execution commanding, scripting interpreter, Windows Command Shell.
This talks about scheduled tasks being created on Windows.
And so the execution and persistence scheduled tasks less job
which is the Windows specific version of scheduled task
Right in this command here. We actually have Misha directly.
And so we've got execution. Defensive Asian signed, binary prosecution signed binary proxy execution. Misha,
right in the name of the technique
downloads and executes an additional payload from the same server
downloads. Tools come straight into English tool transfer
Very similar to the command at exit. We had apparent process of power show
This is command and scripting. Interpreter power show
AFIS skated an ex sword power shell.
Well, the words line up right with the technique Name, obfuscated files or information. Right. In defensive Asian
registry auto runs.
This is an example gave actually in the introduction even but to register running keys Startup folder,
which is a sub technique of Buder login auto start execution in the persistence tactic,
and TFS alternate data stream is directly in the n T. F s file attributes technique.
It comes under defensive Asian
The Attackers created into or modified Windows services
created and modified are both in their so create or modify system processes. Windows Service
and also had actually running the service itself. The System Services Service execution
both under persistence
use Delicious outlook. Backdoor macro edited a specific registry value.
Uh, that's, uh, pretty specific technique that's under often office application startup within persistence
and then the registry modification we have under defensive Asian
communicated with command and control servers so strong hint here that were in command and control from command and control servers.
And then we have that. It's http so Web Protocols
Application layer protocol.
The Attackers downloaded Com script. It's using Rich Server 32
so we have again English tool transfer for the downloading of the tools
and with the Red Server 32 that's signed Binary proxy Execution. Red Server 32
Masquerading is a specific technique,
so the technique is masquerading. If you look more carefully at what they're doing, they're making it look like a legitimate Windows update. So it's match legitimate name or location,
network scanning, looking for open ports. That's network service scanning under discovery.
Okay, so how did you do?
If you feel like you would like some more practice or even if you just have a little bit of extra time, we actually provided a second report
we have highlighted in a very similar fashion.
Now we we don't give tactic hints in this version. We do have our answers in there as well. In a separate PdF and so also show up in the resources section as the Fire A a p t. 39 report
and I'm not going to go over the answers to that in this lesson.
So hopefully this lesson. You've gotten some practice identifying tactics, techniques and sub techniques in a narrative report. Talked a little bit about the importance of comparing your results to another analysts outcomes
and gone through and evaluated the exercise results.
MITRE ATT&CK Defender™ (MAD) ATT&CK® SOC Assessments Certification Training
This course prepares you for the ATT&CK® Security Operations Center Certification. In this course, students ...
2 CEU/CPE Hours Available
Certificate of Completion Offered
MITRE ATT&CK Defender™ (MAD) ATT&CK® Fundamentals Badge Training
This course is the fundamental piece of the MITRE ATT&CK Defender™ (MAD) series where we ...
2 CEU/CPE Hours Available
Certificate of Completion Offered