// BTLO  ·  Threat Intelligence

ATT&CK

BTLO Easy Mitre attack framework
[Execution, Command and Control]

Overview

A threat intelligence challenge focused on operationalizing the MITRE ATT&CK framework. Rather than log analysis or malware triage, this lab tests your ability to navigate the ATT&CK matrix and extract actionable intelligence — mapping techniques, identifying threat actors, and understanding detection strategies.


ATT&CK Framework Navigation

Cloud Discovery — Azure AD & Office 365

When an attacker obtains valid credentials to a cloud environment like Azure AD or Office 365, they can perform Discovery without touching any API. The relevant technique is T1538 — Cloud Service Dashboard, which covers adversaries using the cloud service’s web GUI directly to enumerate the environment. Since the hint specifies no API interaction, this rules out techniques like T1526 (Cloud Service Discovery via API calls) and points squarely at the browser-based dashboard approach.

Mitigation: enforce MFA, restrict access to administrative portals, and implement Conditional Access policies to detect anomalous login locations or devices.
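To make the mitigation concrete, here is an added example (not code from the original write-up, BTLO, or Microsoft) that models the decision a Conditional Access policy for administrative portals would make: dashboard sign-ins are allowed from a trusted corporate network on a compliant device, allowed from elsewhere only when MFA was satisfied, and blocked otherwise. The sign-in records, the trusted network range, the list of dashboard applications and the field names (`appDisplayName`, `ipAddress`, `mfaSatisfied`, `deviceCompliant`) are all constructed for the example and are only loosely modelled on Azure AD sign-in log fields.

```python
"""Policy-evaluation sketch for the T1538 mitigation: sign-ins to a cloud
dashboard must come from a trusted network on a compliant device, or satisfy
MFA; anything else is blocked. This mimics a Conditional Access decision; it
is not Azure AD code, and every value below is constructed for the example.
"""
import ipaddress

# Constructed: portals that count as "dashboards" for this policy.
DASHBOARD_APPS = {"Azure Portal", "Microsoft 365 admin center",
                  "Exchange admin center"}
# Constructed: corporate egress range treated as a trusted location.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sign-in records. The third one is the stolen-credential case:
# a valid password used from an unknown network with no second factor.
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Azure Portal",
     "ipAddress": "203.0.113.10", "mfaSatisfied": False, "deviceCompliant": True},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Azure Portal",
     "ipAddress": "198.51.100.5", "mfaSatisfied": True, "deviceCompliant": False},
    {"userPrincipalName": "alice@example.com", "appDisplayName": "Azure Portal",
     "ipAddress": "198.51.100.5", "mfaSatisfied": False, "deviceCompliant": False},
    {"userPrincipalName": "bob@example.com", "appDisplayName": "Outlook",
     "ipAddress": "198.51.100.9", "mfaSatisfied": False, "deviceCompliant": False},
]


def in_trusted_network(ip):
    """True when the source address falls inside a trusted range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed or missing address: never trusted
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(sign_in):
    """Return (decision, reason) for one sign-in; decision is 'allow' or 'block'."""
    if sign_in["appDisplayName"] not in DASHBOARD_APPS:
        return "allow", "policy does not target this application"
    if in_trusted_network(sign_in["ipAddress"]) and sign_in["deviceCompliant"]:
        return "allow", "trusted network and compliant device"
    if sign_in["mfaSatisfied"]:
        return "allow", "MFA satisfied"
    return "block", "dashboard sign-in from untrusted location without MFA"


def decisions(sign_ins):
    """Evaluate a batch of sign-ins and return one result record per sign-in."""
    out = []
    for s in sign_ins:
        decision, reason = evaluate(s)
        out.append({"user": s["userPrincipalName"], "app": s["appDisplayName"],
                    "src": s["ipAddress"], "decision": decision, "reason": reason})
    return out


if __name__ == "__main__":
    for r in decisions(SIGN_INS):
        print(f"{r['decision']:5} {r['user']} -> {r['app']} from {r['src']}: {r['reason']}")
```

The point of the ordering is that a valid password alone never reaches the dashboard from outside the trusted network, which is exactly the T1538 scenario: credentials without a second factor or a managed device.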

Uncommon Data Flow — Port 4050

In the ATT&CK knowledge base, uncommon C2 traffic on port 4050 is attributed to G0099 — APT-C-36 (also known as Blind Eagle), a suspected South American espionage group primarily targeting Colombian government institutions and financial sector corporations. This group is documented under T1571 — Non-Standard Port, using port 4050 for C2 communications to blend into legitimate traffic and evade port-based filtering.
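The detection side of T1571 is a mismatch between the application protocol a sensor identifies and the port it runs over. The following added example (not code from the write-up or from MITRE) runs that check over a few constructed NetFlow-style connection-log lines, then groups repeated hits so a persistent channel stands out from a one-off. The per-protocol port allow-list, the log format and the sample addresses are assumptions made for the example.

```python
"""Detection sketch for ATT&CK T1571 (Non-Standard Port).

Reads constructed, NetFlow-like connection-log lines, flags outbound flows
whose destination port is not one normally used by the protocol the sensor
labelled, and groups repeats so a persistent C2 channel is easy to spot.
"""
from collections import Counter

# Ports expected for each protocol label in the log. This allow-list is an
# assumption for the example; a real one comes from your own environment.
EXPECTED_PORTS = {
    "http": {80, 8080},
    "tls": {443},
    "dns": {53},
    "ssh": {22},
}

# Constructed sample lines: time src dst dport proto bytes
SAMPLE_LOG = """\
2024-03-01T10:00:01 10.0.0.15 203.0.113.7 443 tls 5120
2024-03-01T10:00:09 10.0.0.15 198.51.100.23 4050 http 612
2024-03-01T10:05:10 10.0.0.15 198.51.100.23 4050 http 598
2024-03-01T10:10:11 10.0.0.15 198.51.100.23 4050 http 604
2024-03-01T10:10:30 10.0.0.22 203.0.113.7 80 http 2048
2024-03-01T10:11:02 10.0.0.22 192.0.2.44 53 dns 96
"""


def parse_line(line):
    """Split one log line into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, nbytes = parts
    try:
        return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                "proto": proto.lower(), "bytes": int(nbytes)}
    except ValueError:
        return None


def find_nonstandard_port_flows(log_text, expected=EXPECTED_PORTS):
    """Return flows whose destination port is unusual for their protocol."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        allowed = expected.get(rec["proto"])
        # Unknown protocol labels are skipped rather than guessed at.
        if allowed is not None and rec["dport"] not in allowed:
            hits.append(rec)
    return hits


def summarize_channels(flows):
    """Count repeated (src, dst, port) tuples; repeats suggest a live channel."""
    counts = Counter((f["src"], f["dst"], f["dport"]) for f in flows)
    return [{"src": s, "dst": d, "dport": p, "connections": n}
            for (s, d, p), n in counts.most_common()]


if __name__ == "__main__":
    suspicious = find_nonstandard_port_flows(SAMPLE_LOG)
    for ch in summarize_channels(suspicious):
        print(f"{ch['src']} -> {ch['dst']}:{ch['dport']} "
              f"({ch['connections']} connections): review against T1571")
```

On the sample data only the three HTTP flows to port 4050 survive the filter, and they collapse into a single repeated channel; the regular five-minute spacing is the kind of detail you would then pivot on in the full capture.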

Initial Access — 9 Techniques

The tactic covering methods an attacker uses to get into your network is TA0001 — Initial Access. The framework documents exactly 9 techniques under this tactic.

Account Access Removal Software

The software documented by the framework that prohibits users from accessing their accounts via deletion, lockout, or password changes is S0372 — LockerGoga. This ransomware strain is documented under T1531 (Account Access Removal) for its behavior of changing account passwords and forcibly logging off users prior to encryption — preventing incident responders from accessing systems during the attack.

Detecting Pass the Hash

Pass the Hash (T1550.002) allows attackers to authenticate using captured NTLM hashes without knowing the plaintext password, enabling lateral movement across a network. Per the MITRE ATT&CK framework’s detection guidance, the recommended approach is to monitor newly created logons and credentials used in events and review for discrepancies — specifically looking for NTLM Type 3 network logons that don’t align with expected user behavior or authentication patterns.
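The guidance above is easier to act on when written as two concrete checks. This added example (not code from the write-up or from MITRE) applies them to a handful of constructed JSON-lines records shaped like Windows Security logon events: keep successful network (Type 3) logons that used the NTLM package, flag those coming from a source the user has no history of authenticating from, and separately flag one source reaching several hosts as the same user in a short span, which is the fan-out lateral movement produces. The event ID 4624 is the standard successful-logon event; the field names, the baseline table and the sample records are assumptions made for the example.

```python
"""Detection sketch for ATT&CK T1550.002 (Pass the Hash).

Implements the quoted guidance: collect newly created logons, then look for
NTLM network (Type 3) logons that do not match a user's established pattern.
Events are constructed JSON lines using field names modelled on Windows
Security Event 4624 (successful logon); they are not real log exports.
"""
import json
from collections import defaultdict

# Constructed events. Real 4624 records carry many more fields than these.
EVENTS_JSONL = """\
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"Kerberos","TargetUserName":"alice","IpAddress":"10.0.0.15","Computer":"FS01","TimeCreated":"2024-03-01T09:00:00"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"alice","IpAddress":"10.0.0.15","Computer":"FS01","TimeCreated":"2024-03-01T09:05:00"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"alice","IpAddress":"10.0.0.77","Computer":"FS02","TimeCreated":"2024-03-01T11:00:00"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"alice","IpAddress":"10.0.0.77","Computer":"DC01","TimeCreated":"2024-03-01T11:00:20"}
{"EventID":4624,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"alice","IpAddress":"10.0.0.77","Computer":"FS03","TimeCreated":"2024-03-01T11:00:45"}
{"EventID":4624,"LogonType":2,"AuthenticationPackageName":"Negotiate","TargetUserName":"bob","IpAddress":"-","Computer":"WS22","TimeCreated":"2024-03-01T11:02:00"}
{"EventID":4625,"LogonType":3,"AuthenticationPackageName":"NTLM","TargetUserName":"bob","IpAddress":"10.0.0.77","Computer":"FS01","TimeCreated":"2024-03-01T11:03:00"}
"""

# Baseline: source addresses each user normally authenticates from.
# Constructed here; in practice it is built from a known-good window of logs.
BASELINE = {"alice": {"10.0.0.15"}, "bob": {"10.0.0.22"}}


def load_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ntlm_network_logons(events):
    """Keep only successful NTLM network logons, the shape Pass the Hash produces."""
    return [e for e in events
            if e.get("EventID") == 4624
            and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM"]


def flag_discrepancies(events, baseline, spread_threshold=3):
    """Return findings of two kinds: a logon from a source the user has no
    history with, and one source reaching many hosts as the same user."""
    findings = []
    per_source = defaultdict(set)
    for e in ntlm_network_logons(events):
        user, src, host = e["TargetUserName"], e["IpAddress"], e["Computer"]
        per_source[(user, src)].add(host)
        if src not in baseline.get(user, set()):
            findings.append({"rule": "unexpected_source", "user": user,
                             "src": src, "host": host, "time": e["TimeCreated"]})
    for (user, src), hosts in per_source.items():
        if len(hosts) >= spread_threshold:
            findings.append({"rule": "fan_out", "user": user, "src": src,
                             "hosts": sorted(hosts)})
    return findings


if __name__ == "__main__":
    for f in flag_discrepancies(load_events(EVENTS_JSONL), BASELINE):
        print(f)
```

Both rules deliberately ignore the first NTLM logon from alice's usual workstation: NTLM on its own is noisy in most domains, and it is the departure from the user's own pattern, not the package, that the guidance tells you to review. The fan-out threshold is a tuning knob; three hosts in under a minute is unusual for an interactive user but routine for a backup or scanning service account, so exclusions belong in the baseline.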

Key Windows Event IDs to monitor:


Challenge Questions

Q1: Your company heavily relies on cloud services like Azure AD and Office 365 publicly. What technique should you focus on mitigating, to prevent an attacker performing Discovery activities if they have obtained valid credentials? (Hint: Not using an API to interact with the cloud environment!)
A: T1538

Q2: You were analyzing a log and found uncommon data flow on port 4050. What APT group might this be?
A: G0099

Q3: The framework has a list of 9 techniques that fall under the tactic to try to get into your network. What is the tactic ID?
A: TA0001

Q4: A software prohibits users from accessing their account by deleting or locking the user account, changing the password, etc. What such software has been documented by the framework?
A: S0372

Q5: Using the ‘Pass the Hash’ technique to enter and control remote systems on a network is common. How would you detect it in your company?
A: Monitor newly created logons and credentials used in events and review for discrepancies