Threat Intelligence - Trooper

APT Information gathering on OpenCTI, ATT&CK

By Ren Sie

Refer to Trooper for the challenge room on TryHackMe

Scenario

A multinational technology company has faced multiple cyber attacks in recent months, resulting in the theft of sensitive intellectual property and disruptions to operations. A threat advisory report on these attacks has been shared.

Task

As CTI analysts, our objective is to identify the tactics, techniques, and procedures (TTPs) used by the threat group, and to gather information about their identity and motives. We will use the OpenCTI platform and the MITRE ATT&CK navigator for this analysis.

What kind of phishing campaign does APT X use as part of their TTPs?

The threat group has used phishing to gain initial access. According to the report on Operation Tropic Trooper, the attackers sent emails with malicious attachments to exploit known vulnerabilities.

What is the name of the malware used by APT X?

According to the report, the threat group used a USB worm infection strategy, transferring a malware installer via USB to an air-gapped host machine.

What is the malware's STIX ID?

Go to OpenCTI and search for the malware name in the Arsenal tab.

After accessing the malware details page, we can find its STIX ID.

With the use of a USB, what technique did APT X use for initial access?

Open the MITRE ATT&CK Navigator to locate the technique in the Initial Access column.

What is the identity of APT X?

The identity of the threat group can be determined in several ways: through the articles provided earlier, or by searching for the malware name in the MITRE ATT&CK database.

How many Attack Pattern techniques are associated with the APT?

Once we identify the threat group, search for it in OpenCTI under the Threats tab.

Next, go to the Knowledge tab to review its attack patterns.

What is the name of the tool linked to the APT?

Refer to the right panel of the page and select the "Tools" tab.

After accessing the list of tools used by the threat group, we can identify the tool associated with the APT.

What is the sub-technique used by the APT under Valid Accounts?

After accessing the ATT&CK Navigator, use the search function to find "Valid Accounts". Once you locate the technique, click the icon next to it to display its sub-techniques.

Under what Tactics does the technique above fall?

To determine the tactics associated with the "Valid Accounts" technique, use the search function. Four results appear; check which tactic column each of them falls under.

What technique is the group known for using under the tactic Collection?

By locating the technique under the "Collection" column, we can identify the technique used by the threat group.
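The same lookups walked through above (STIX ID of the malware, number of attack patterns, tools, sub-techniques of Valid Accounts, and the tactics a technique falls under), done against a STIX 2.1 bundle such as OpenCTI exports instead of clicking through the UI. This is an added example, not part of the original write-up: the bundle is constructed with placeholder names and IDs (not Tropic Trooper data); only T1091, T1078 and T1078.002 are real ATT&CK technique IDs.

```python
# Constructed STIX 2.1 objects standing in for an OpenCTI export. Names and IDs are
# placeholders, not Tropic Trooper data; T1091/T1078/T1078.002 are real ATT&CK IDs.
U = "00000000-0000-4000-8000-00000000000"  # constructed UUID prefix, one digit appended per object

def _ap(n, name, ext_id, phases):
    """Build an attack-pattern with its ATT&CK reference and kill-chain phases (tactics)."""
    return {"type": "attack-pattern", "id": f"attack-pattern--{U}{n}", "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in phases]}

def _rel(src, tgt, kind="uses"):
    return {"type": "relationship", "relationship_type": kind, "source_ref": src, "target_ref": tgt}

GROUP, MALWARE, TOOL = f"intrusion-set--{U}1", f"malware--{U}2", f"tool--{U}3"
BUNDLE = {"type": "bundle", "objects": [
    {"type": "intrusion-set", "id": GROUP, "name": "APT X"},
    {"type": "malware", "id": MALWARE, "name": "Malware X"},
    {"type": "tool", "id": TOOL, "name": "Tool X"},
    _ap(4, "Replication Through Removable Media", "T1091", ["initial-access", "lateral-movement"]),
    _ap(5, "Valid Accounts", "T1078",
        ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]),
    _ap(6, "Domain Accounts", "T1078.002",
        ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]),
    _rel(GROUP, MALWARE), _rel(GROUP, TOOL),
    _rel(GROUP, f"attack-pattern--{U}4"), _rel(GROUP, f"attack-pattern--{U}6"),
    _rel(f"attack-pattern--{U}6", f"attack-pattern--{U}5", "subtechnique-of"),
]}

def find(bundle, obj_type, name):
    """The OpenCTI search box: the object of this type with this name; its 'id' is the STIX ID."""
    return next(o for o in bundle["objects"] if o["type"] == obj_type and o.get("name") == name)

def attack_id(obj):
    """ATT&CK ID taken from the mitre-attack external reference, e.g. 'T1078.002'."""
    return next(r["external_id"] for r in obj.get("external_references", [])
                if r["source_name"] == "mitre-attack")

def related(bundle, obj_id, target_type, kind="uses", reverse=False):
    """Follow relationships of one kind from an object (the Knowledge tab) to objects of a type."""
    objs = {o["id"]: o for o in bundle["objects"] if "id" in o}
    me, other = ("target_ref", "source_ref") if reverse else ("source_ref", "target_ref")
    return [objs[r[other]] for r in bundle["objects"] if r["type"] == "relationship"
            and r["relationship_type"] == kind and r[me] == obj_id and objs[r[other]]["type"] == target_type]

def sub_techniques(bundle, parent_ext_id):
    """Sub-techniques of a parent technique: walk 'subtechnique-of' relationships backwards."""
    parent = next(o for o in bundle["objects"] if o["type"] == "attack-pattern" and attack_id(o) == parent_ext_id)
    return related(bundle, parent["id"], "attack-pattern", "subtechnique-of", reverse=True)

def tactics(obj):
    """Tactic columns (ATT&CK kill-chain phases) the technique appears under in the Navigator."""
    return [p["phase_name"] for p in obj.get("kill_chain_phases", []) if p["kill_chain_name"] == "mitre-attack"]
```

Running `len(related(BUNDLE, GROUP, "attack-pattern"))` on the constructed bundle answers the "how many attack patterns" step, and `[o["name"] for o in related(BUNDLE, GROUP, "attack-pattern") if "initial-access" in tactics(o)]` is the column lookup done in the Navigator.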
