MISP Exercise 5

Last updated 3 years ago

MISP LAB05: Event Graph | MITRE ATT&CK

1. Introduction

In this lab you are going to learn about visualisation in MISP. The sharing model of MISP is very useful, but only if every investigator is able to read the reports quickly. Nobody wants to read through long documentation when they are only looking for an overview of the security event that occurred.

2. Setup

Start the docker image:

cd /home/hacker/misp-docker-image
docker-compose up

Connect to MISP by opening the URL http://instance-a.misp.localhost in your preferred web browser.

The MISP instance initialises all labs. Please wait until the Hacking-Lab icon is visible.

Log in with the following credentials:

User: investigator@misp-lab5.com
Password: compass

3. Overview

After login you'll see an event called Spear Phishing Mail with malware attached. View the details to get more information about the event.

Scroll down and try to find out what exactly happened in your company. As you have probably noticed, it isn't that easy to understand without any context. What exactly did John Doe do? Is he an attacker or a victim, and what do all these files and web links do?

4. Event Graph

Your colleague gave you a quick description of what happened:

Your company received an email from John Doe. John Doe is an employee at your business, which means that someone tried to impersonate him. The email contained a malicious document that exploited a vulnerability with a CVE identifier (Common Vulnerabilities and Exposures). Through remote code execution, the document started a download from a website hosted by the attacker. That site in turn downloaded a malicious file. Later, the malicious file tried to carry out a pass-the-hash attack (as Mimikatz does). If the script was successful, it uploaded the stolen data back to the attacker's site.

In this step we are going to create an event graph that should help you and any other researcher get a quick overview without composing full documentation.

Please open the event graph by clicking the Event graph button.

The event graph is currently almost empty. Right-click the Unreferenced Objects tile and select Expand. Unreferenced Objects is the group of objects that have not yet been associated or placed in a relationship with other objects. In the following screenshot you will see that no objects are showing up yet.

All your MISP objects will now be displayed.

The author of the email tried to impersonate John Doe, who is an employee in your enterprise. To create this relation between them, drag the arrow from the email object and drop it onto the person object.

Your task now is to reference the remaining objects to each other. Read through the description you received from your colleague and try to relate the remaining objects in the correct direction. If you need any assistance, open the next step and take a look at a possible solution.

5. Connecting the dots

As you can see, displaying attack tactics and techniques is quite difficult with the event graph alone. In the next step you are going to cover that too.

6. MISP Galaxies - MITRE ATT&CK Framework

MISP galaxies are a method used to express a large object, called a cluster, that can be attached to MISP events or attributes. Default vocabularies are available in the MISP galaxy from existing standards (such as STIX, VERIS and ATT&CK), or your MISP site administrator can create custom ones for you.

Please go back to your event and scroll down until you can see the malicious_document.docx object. Then click on the right-hand world icon, choose mitre-attack from the dropdown and click on the Attack Pattern button.

Select Spear Phishing Attack and click Submit.

Please go back to your event and scroll down until you can see the malicious_file.exe object. Then click again on the right-hand world icon, choose mitre-attack from the dropdown and click on the Attack Pattern button.
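The steps in sections 4 to 6 are what the MISP event format records underneath the GUI: objects, object references (the arrows) and galaxy tags. The following added example, which is neither part of the lab nor MISP's own code, rebuilds the lab narrative in that JSON shape with only the Python standard library, reports which objects would still sit under the Unreferenced Objects tile, and attaches a mitre-attack galaxy tag to the document object. The attribute values, the CVE placeholder, the relationship strings and the cluster name are assumptions, not values taken from the lab instance.

```python
import uuid

def make_object(name, attrs):
    """Minimal MISP object dict (constructed; real templates carry more fields)."""
    return {"uuid": str(uuid.uuid4()), "name": name, "ObjectReference": [],
            "Attribute": [{"object_relation": k, "value": v} for k, v in attrs.items()]}

def add_reference(src, dst, relationship):
    """Reference dst from src: the API-side equivalent of dragging an arrow."""
    src["ObjectReference"].append({"object_uuid": src["uuid"],
                                   "referenced_uuid": dst["uuid"],
                                   "relationship_type": relationship})

def unreferenced_objects(event):
    """Names of objects with no reference in or out: the 'Unreferenced Objects' tile."""
    linked = set()
    for obj in event["Object"]:
        for ref in obj["ObjectReference"]:
            linked.update((ref["object_uuid"], ref["referenced_uuid"]))
    return [o["name"] for o in event["Object"] if o["uuid"] not in linked]

def tag_attribute(obj, relation, tag_name):
    """Attach a galaxy cluster tag to one attribute; False if the relation is absent."""
    for attr in obj["Attribute"]:
        if attr["object_relation"] == relation:
            attr.setdefault("Tag", []).append({"name": tag_name})
            return True
    return False

# MISP galaxy tag convention; the cluster name is assumed, not taken from the lab page.
SPEARPHISHING_TAG = 'misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193"'

def build_lab_event():
    # Constructed objects and values mirroring the colleague's description.
    email = make_object("email", {"from": "john.doe@example.com"})
    person = make_object("person", {"full-name": "John Doe"})
    doc = make_object("file", {"filename": "malicious_document.docx"})
    vuln = make_object("vulnerability", {"id": "CVE-XXXX-XXXX"})  # placeholder id
    site = make_object("url", {"url": "http://attacker-site.example/"})
    payload = make_object("file", {"filename": "malicious_file.exe"})
    event = {"info": "Spear Phishing Mail with malware attached",
             "Object": [email, person, doc, vuln, site, payload]}
    add_reference(email, person, "impersonates")
    add_reference(email, doc, "contains")
    add_reference(doc, vuln, "exploits")
    add_reference(doc, site, "connects-to")          # RCE starts the download
    add_reference(site, payload, "drops")
    add_reference(payload, site, "exfiltrates-to")   # stolen data goes back
    tag_attribute(doc, "filename", SPEARPHISHING_TAG)
    return event
```

Calling unreferenced_objects on the event before and after the add_reference calls shows the same thing the tile shows in the GUI: every object until an arrow touches it, and nothing once the graph is complete.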

7. Conclusion

You have now successfully added MITRE ATT&CK Framework context to your MISP event. If a researcher wants to know more about the attack tactics and techniques used here, they can view them directly.

Go back to your event and click on the ATT&CK matrix button.

3. Security Questions

  1. What have you learned in this lab?

  2. What are the advantages of using the MISP event graph?

  3. You didn't use the left world icon in step 6; this would add tags to your attribute. What is the difference between tags and galaxies in MISP?

4. Answers

  1. In this exercise I've learned how to visualize a MISP event by creating an event graph. Further, I've learned to work with MISP galaxies by tagging specific attributes with the MITRE ATT&CK patterns.

  2. You will get a better overview of how the different objects stand in relation to each other.

  3. MISP taxonomies are a set of common classification libraries to tag, classify and organise information. MISP galaxies are a method used to express a large object called a cluster that can be attached to MISP events or attributes.