
Delivering Value with the ATT&CK

Sightings Report
Lab Guide

Revision 2022.03.11
Table of Contents

Lab Exercise 1: Testing Scheduled Task/Job (T1053) in BAS (p. 3)

Lab Exercise 2: Testing Command and Scripting Interpreter (T1059) in BAS (p. 9)

Lab Exercise 3: Hijack Execution Flow (T1574) in BAS (p. 13)

Lab Exercise 1: Testing Scheduled Task/Job (T1053) in BAS
1. Click on the “Create New Assessment” button in the top right.

2. Select “Create Custom”

3. We need to select the assets we want to perform the test on. To do this, select “Manage Assets” by mousing over the pencil icon.

4. Select both assets that show up and hit “Apply”.

5. Click the “+” sign in the Tests section to “Add tests”.

6. You need to select the scenario you want to include now. Select “Add Scenarios”

7. You can now search through the scenario library. We want to find “T1053.005”. Type that ID in the search bar to find it in the scenario library (it is helpful to click the scenario you want from the list of results before you hit Enter).

8. We want “Persistence Through Scheduled Task”. But before we select it, let’s take a closer look. In the top right-hand corner of the scenario, select the three vertical dots. Then select “Details”.

9. Now you can read all about the Scenario. Read through it to gain a deeper understanding, and focus specifically on “Overview”, “Parameters”, “Detection Info”, and “MITRE ATT&CK”.

10. When you are ready, select “Add to Test”.

11. In the top right of the page, select “Add Scenarios” then click “Proceed”.

You have completed Lab Exercise 1. Please return to the course videos before proceeding to the next lab.

Lab Exercise 2: Testing Command and Scripting Interpreter (T1059) in BAS
1. We have already created a test in Lab 1, and we already have our assets selected. Now we can jump back into the scenario library. To do so, click the three vertical dots to the right of your test and select “Manage Scenarios”.

2. We can see our previous scenario here, but now we want to add another. Select “Add Scenarios”.

3. We can search through the scenario library again. We want to find “T1059.001”, also known as “Execute Encoded Powershell Command”, first. Type that name in the search bar to find it in the scenario library (it is helpful to click the scenario you want from the list of results before you hit Enter). Then click the checkbox of the scenario with the correct title and ID.

4. We are also interested in adding “T1059.004”, also known as “Password Policy Discovery Script”. Click the “x” on the T1059.001 search tag to clear your search.

5. Search for “T1059.004”. Then check that scenario like you did with the first one. Then select “Add Scenarios” in the top right of the screen.

6. Now that we have added our scenarios to our test, let’s take a closer look at each one. In the right-hand corner of the scenario, select the three vertical dots. Then select “Details”.

7. Now we can read all about this Scenario. Read through both of your added scenarios to gain a deeper understanding, and focus specifically on “Overview”, “Parameters”, “Detection Info”, and “MITRE ATT&CK”.

You have completed Lab Exercise 2. Please return to the course videos before proceeding to the next lab.

Lab Exercise 3: Hijack Execution Flow (T1574) in BAS
1. We have one last scenario to add to our test. Click on “Manage Scenarios” again.

2. Now select “Add Scenarios”.

3. This time we want “DLL Search Order Hijacking (T1574.001)”. Search for the ID “T1574.001” and select the box when it comes up. Before we add it to our scenarios, let’s review it like we did with the others. Select “Details” at the bottom of the scenario.

4. Review the same tabs as before (Overview, Parameters, Detection Info, and MITRE ATT&CK).

5. When you are finished reviewing, click “Close”, then select “Add Scenarios” in the top right, and then “Proceed”.

6. Now we are ready to run our assessment! Click on “On Demand” in the left column. Then click “Run Now”.

7. Your assessment should be running now. As it runs, you only need to wait for the prevention results; you do not need to wait for the detection results.

8. Now that the prevention tests are complete, we can go to the “Reports” tab for an in-depth look. It is currently empty. Let’s create a report from our assessment results. Select “Add Report”.

9. Now we need to add some details. First, name the report. “Lab Assessment” is fine. Then select the “Detailed Report” type. Finally, choose the assessment you ran and click “Save Changes”.

10. We have created a report! You can select the three vertical dots on the right of the report for options. You can view it if you’d like, or download it as a PDF. Now you can use this PDF on your final exam. Good luck!

You have completed Lab Exercise 3. Please return to the course videos to complete the course and take the final exam.