MITRE ATT&CK Framework (Practice Flashcards)

Question 1

What does MITRE ATT&CK stand for?

Answer 1

MITRE Adversarial Tactics, Techniques, and Common Knowledge.

Question 2

What is the main purpose of the MITRE ATT&CK Framework?

Answer 2

To document known adversary behaviors based on real-world observations.

Question 3

How is the ATT&CK Framework organized?

Answer 3

By tactics (goals), techniques (how goals are achieved), and sub-techniques (more specific methods).

Question 4

What is a Tactic in MITRE ATT&CK?

Answer 4

The adversary’s technical goal during an attack (e.g., initial access, lateral movement).

Question 5

What is a Technique in MITRE ATT&CK?

Answer 5

A method used to achieve a tactic (e.g., phishing, valid accounts).

Question 6

Name three core tactics in the MITRE ATT&CK Enterprise Matrix.

Answer 6

• Initial Access
• Execution
• Persistence

Question 7

What tactic involves the adversary trying to maintain their foothold?

Answer 7

Persistence.

Question 8

Which tactic refers to an attacker trying to run malicious code?

Answer 8

Execution.

Question 9

What is the goal of the Privilege Escalation tactic?

Answer 9

To gain higher-level permissions on a system or network.

Question 10

Which tactic includes attempts to move from one system to another?

Answer 10

Lateral Movement.

Question 11

What tactic covers techniques like exfiltrating sensitive files?

Answer 11

Exfiltration.

Question 12

Which tactic focuses on hiding attacker activity?

Answer 12

Defense Evasion.

Question 13

What tactic involves accessing systems for the first time?

Answer 13

Initial Access.

Question 14

What tactic is used when an attacker tries to disrupt or destroy systems?

Answer 14

Impact.

Question 15

What technique is used to trick users into clicking malicious links?

Answer 15

Phishing (T1566).

Question 16

What sub-technique involves delivering malicious files via email?

Answer 16

Phishing: Spearphishing Attachment (T1566.001).

Question 17

What technique uses stolen usernames and passwords?

Answer 17

Valid Accounts (T1078).

Question 18

What technique allows attackers to maintain access through reboots?

Answer 18

Registry Run Keys/Startup Folder (T1547.001).

Question 19

Which technique allows attackers to mimic legitimate users or processes?

Answer 19

Masquerading (T1036).

Question 20

What is the technique for using scripts to execute code?

Answer 20

Command and Scripting Interpreter (T1059).

Question 21

What technique is used for lateral movement using Windows admin shares?

Answer 21

Remote Services: SMB/Windows Admin Shares (T1021.002).

Question 22

What technique involves stealing credentials from memory?

Answer 22

OS Credential Dumping (T1003).

Question 23

What technique is used to set up unauthorized communication channels?

Answer 23

Command and Control (T1071).

Question 24

What sub-technique involves using DNS for C2 communications?

Answer 24

Application Layer Protocol: DNS (T1071.004).

Question 25

What technique involves overwriting or deleting logs to avoid detection?

Answer 25

Indicator Removal on Host (T1070).

Question 26

How can SOC teams use MITRE ATT&CK for threat detection?

Answer 26

By mapping alerts and behaviors to known tactics and techniques.

Question 27

What is a 'detection opportunity' in ATT&CK mapping?

Answer 27

A place in the attack flow where SOC can detect adversary behavior.

Question 28

What tool aligns with MITRE ATT&CK and helps simulate attacks?

Answer 28

Atomic Red Team.

Question 29

What is ATT&CK Navigator?

Answer 29

A visualization tool to explore and customize ATT&CK matrices.

Question 30

How is MITRE ATT&CK different from the Cyber Kill Chain?

Answer 30

ATT&CK is behavior-based and granular; the Kill Chain is linear and phase-based.

Question 31

What technique involves executing code in the address space of another process?

Answer 31

Process Injection (T1055).

Question 32

What technique is used to maintain access by modifying authentication mechanisms?

Answer 32

Modify Authentication Process (T1556).

Question 33

Which technique abuses legitimate scheduled tasks or cron jobs?

Answer 33

Scheduled Task/Job (T1053).

Question 34

What technique uses hidden or alternate locations for file storage?

Answer 34

Hidden Files and Directories (T1564.001).

Question 35

What sub-technique uses PowerShell to execute malicious commands?

Answer 35

Command and Scripting Interpreter: PowerShell (T1059.001).

Question 36

What tactic would include the technique 'Inhibit System Recovery (T1490)'?

Answer 36

Impact.

Question 37

What data source is essential to detect privilege escalation activities?

Answer 37

Windows Security Event Logs.

Question 38

What technique allows an attacker to access an endpoint through remote tools like TeamViewer?

Answer 38

Remote Access Software (T1219).

Question 39

What is the purpose of Discovery tactics in MITRE ATT&CK?

Answer 39

To gather information about the system and network post-compromise.

Question 40

What discovery technique lists running processes?

Answer 40

Process Discovery (T1057).

Question 41

What tactic includes techniques such as 'Clipboard Data Collection'?

Answer 41

Collection.

Question 42

What technique exfiltrates data over a command and control channel?

Answer 42

Exfiltration Over C2 Channel (T1041).

Question 43

What is Living off the Land (LotL) in MITRE ATT&CK terms?

Answer 43

Using legitimate tools (e.g., PowerShell, WMI) to perform malicious activity.

Question 44

What is DLL Search Order Hijacking (T1574.001) used for?

Answer 44

Persistence and execution by tricking programs into loading a malicious DLL.

Question 45

What technique could be used to disable Windows Defender?

Answer 45

Impair Defenses (T1562).

Question 46

What kind of detection would catch lateral movement via PsExec?

Answer 46

Windows Event ID 5140 (shared access), Sysmon Event ID 1 (process creation).

Question 47

What are 'groups' in MITRE ATT&CK used for?

Answer 47

They categorize threat actor behavior and map techniques used by specific APTs.

Question 48

What real-world APT group is known to use spear phishing and credential dumping?

Answer 48

APT29 (Cozy Bear).

Question 49

How can MITRE ATT&CK assist in purple teaming exercises?

Answer 49

By providing real-world techniques to simulate attacks and validate detections.

Question 50

What MITRE project complements ATT&CK with defensive coverage strategies?

Answer 50

MITRE D3FEND.