MITRE ATT&CK — Map the Attack Chain

Medium Threat Intel · 30 min

Scenario

An incident timeline from a real(-ish) breach is in the right pane. Map each of the 5 numbered attacker actions to the correct MITRE ATT&CK Enterprise technique ID (format TXXXX or TXXXX.YYY for sub-techniques).

Steps in the timeline

  1. Attacker scans acme-corp.example and discovers exposed RDP on port 3389
  2. Attacker tries 200 username/password pairs from a leak database
  3. After successful login, the attacker creates a new local admin account svc-update
  4. The attacker schedules a task that runs powershell -enc <base64> every 60 min
  5. The attacker uploads stolen documents to a Dropbox-controlled URL via curl

Answer format

Submit 5 ATT&CK IDs comma-separated, in step order:

T1595,T1110.003,T1136.001,T1053.005,T1567.002

(Example shape — not the answer.)
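As an added example (not part of the lab page, and not the lab's own grader, whose logic is not shown), the following Python checker parses a submission in the format described above, reports every malformed entry by step number, and compares a parsed submission against an expected list. The regex, the five-step count and the helper names are assumptions made here for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List

# ATT&CK Enterprise technique IDs: 'T' + four digits, optionally '.' + three-digit sub-technique.
# (Assumed pattern, matching the TXXXX / TXXXX.YYY shapes the lab describes.)
ATTACK_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

EXPECTED_STEPS = 5  # one ID per numbered timeline step in this lab


@dataclass
class ParsedSubmission:
    ids: List[str] = field(default_factory=list)      # normalised IDs in step order
    errors: List[str] = field(default_factory=list)   # empty when the submission is well-formed

    @property
    def ok(self) -> bool:
        return not self.errors


def parse_submission(raw: str, expected_steps: int = EXPECTED_STEPS) -> ParsedSubmission:
    """Split a comma-separated submission into ATT&CK IDs and collect every format problem.

    Surrounding whitespace and a lower-case 't' are tolerated so a casing slip is not
    graded as a wrong answer; anything that is not TXXXX or TXXXX.YYY is rejected.
    """
    parts = [p.strip().upper() for p in raw.split(",")]
    errors: List[str] = []
    if len(parts) != expected_steps:
        errors.append(f"expected {expected_steps} IDs, got {len(parts)}")
    for position, part in enumerate(parts, start=1):
        if not part:
            errors.append(f"step {position}: empty entry")
        elif not ATTACK_ID.match(part):
            errors.append(f"step {position}: '{part}' is not of the form TXXXX or TXXXX.YYY")
    return ParsedSubmission(ids=parts, errors=errors)


def parent_technique(technique_id: str) -> str:
    """Return the parent technique of a sub-technique ID (TXXXX.YYY -> TXXXX); plain IDs pass through."""
    return technique_id.split(".", 1)[0]


def mismatched_steps(submitted: List[str], expected: List[str]) -> List[int]:
    """Return the 1-based step numbers where the submitted ID differs from the expected one.

    A missing or extra trailing entry counts as a mismatch at that position, so the
    caller can point the learner at exactly which timeline step needs another look.
    """
    length = max(len(submitted), len(expected))
    return [
        i + 1
        for i in range(length)
        if i >= len(submitted) or i >= len(expected) or submitted[i] != expected[i]
    ]


if __name__ == "__main__":
    # Constructed sample input: the example shape shown on the lab page, with sloppy spacing.
    sample = " t1595 , T1110.003, T1136.001 ,T1053.005,T1567.002"
    parsed = parse_submission(sample)
    print("well-formed:", parsed.ok, parsed.ids)
    print("parents:", [parent_technique(i) for i in parsed.ids])
    print("format errors for a bad submission:",
          parse_submission("T1595,T1110.3,,T1053.005").errors)
```

Running the block prints the normalised IDs, their parent techniques and the error list for a deliberately malformed string; the `mismatched_steps` helper is what a grader would call once the submission has passed the format check.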

Tips

  • Step 1 = Reconnaissance phase, active scan.
  • Step 2 = Credential Access via password spraying.
  • Step 3 = Persistence via local account creation.
  • Step 4 = Execution + Persistence via Scheduled Task/Job.
  • Step 5 = Exfiltration over Web Service.

Hints

Hint 1 (−10 pts)

Tactics in order: Reconnaissance → Credential Access → Persistence → Execution → Exfiltration. Look up each numbered technique in the ATT&CK matrix.

Hint 2 (−10 pts)

Step 1 = T1595 (Active Scanning). Step 2 = T1110.003 (Brute Force: Password Spraying). Step 3 = T1136.001 (Create Account: Local Account). Step 4 = T1053.005 (Scheduled Task/Job: Scheduled Task). Step 5 = T1567.002 (Exfil over Web Service: Cloud Storage).

Hint 3 (−10 pts)

Answer: T1595,T1110.003,T1136.001,T1053.005,T1567.002