
Exercise 5:

Making Defensive Recommendations Guided Exercise

0. Determine priority techniques

Techniques identified from the previous exercise:

⁃ Spearphishing Attachment
⁃ Spearphishing Link
⁃ Scheduled Task
⁃ Scripting
⁃ User Execution
⁃ Registry Run Keys/Startup Folder
⁃ Network Service Scanning

For this exercise, we’re going to be working with T1053 - Scheduled Task

1. Research how techniques are being used

How was Scheduled Task used in the Cobalt Kitty report?

2. Research defensive options related to technique

What data sources are there for Scheduled Task on the ATT&CK website?
(Hint: https://attack.mitre.org/techniques/T1053/)

Based on the Detection portion of the Scheduled Task page, what kind of
resources can be monitored to detect a new Scheduled Task being added?

3. Research organizational capability/constraints

For this exercise, assume that you have Windows Event Log Collection going
to a SIEM, but no ability to collect process execution logging.

4. Determine what the tradeoffs are for the organization on specific options

Based on the organizational constraints that have been given in 3., what would
the tradeoffs for the defenses in 2. look like?

Are there defensive options that can be removed?

5. Make recommendations

Based on the tradeoffs you analyzed in 4., what defensive options would you
recommend?

Would they cover the specific procedure you found from Cobalt Kitty in 1.?
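The constraint in step 3 (Windows Event Log collection reaches the SIEM, process execution logging does not) decides what a step 5 recommendation can actually rely on. The following is an added example, not part of the MITRE worksheet or the Cobalt Kitty report: it runs a detection over constructed records in the Windows Event XML export format, keys on Security log event 4698 (A scheduled task was created) and its 4699-4702 siblings, parses the embedded TaskContent field to recover what the task runs, and deliberately ignores 4688 process creation records because the exercise says that telemetry is unavailable. The event IDs and the XML schema are real; the host names, user names, task definitions and the list of suspicious interpreters are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Security log events for scheduled task changes; they fire only when the
# "Audit Other Object Access Events" subcategory is enabled.
TASK_AUDIT_EVENTS = {4698: "created", 4699: "deleted", 4700: "enabled",
                     4701: "disabled", 4702: "updated"}

# Interpreters a malicious task commonly launches (assumed list; tune locally).
SUSPICIOUS_COMMANDS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                       "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def security_event(event_id, computer, data):
    """Build one constructed record in the Windows Event XML schema."""
    fields = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS}"><System>'
            '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><Channel>Security</Channel>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


# Task definitions as 4698 embeds them in TaskContent (constructed samples; the
# first hides under a built-in-looking folder and runs a hidden PowerShell).
SUSPICIOUS_TASK = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <RegistrationInfo><Author>CORP\\jdoe</Author></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-nop -w hidden -File C:\\Users\\Public\\update.ps1</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <RegistrationInfo><Author>CORP\\svc-backup</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\Backup\\backup.exe</Command>
    <Arguments>/full</Arguments>
  </Exec></Actions>
</Task>"""

SAMPLE_EVENTS = [
    security_event(4698, "WKSTN01.corp.example", {
        "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
        "TaskName": r"\Microsoft\Windows\Updater", "TaskContent": SUSPICIOUS_TASK}),
    security_event(4698, "SRV02.corp.example", {
        "SubjectUserName": "svc-backup", "SubjectDomainName": "CORP",
        "TaskName": r"\Backup\Nightly", "TaskContent": BENIGN_TASK}),
    # Process creation would show schtasks.exe directly, but step 3 says this
    # telemetry is unavailable, so the detection must not depend on it.
    security_event(4688, "WKSTN01.corp.example", {
        "NewProcessName": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": "schtasks /create /tn Updater /tr powershell.exe"}),
]


def parse_task_event(record):
    """Return task metadata for a 4698..4702 record, or None for any other event."""
    root = ET.fromstring(record)
    event_id = int(root.findtext(f"{{{EVT_NS}}}System/{{{EVT_NS}}}EventID"))
    if event_id not in TASK_AUDIT_EVENTS:
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{{{EVT_NS}}}Data")}
    content = data.get("TaskContent")  # escaped task XML, unescaped by the parser
    exec_node = ET.fromstring(content).find(f".//{{{TASK_NS}}}Exec") if content else None
    return {
        "event_id": event_id,
        "action": TASK_AUDIT_EVENTS[event_id],
        "computer": root.findtext(f"{{{EVT_NS}}}System/{{{EVT_NS}}}Computer"),
        "subject": data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", ""),
        "task_name": data.get("TaskName", ""),
        "command": "" if exec_node is None else exec_node.findtext(f"{{{TASK_NS}}}Command", ""),
        "arguments": "" if exec_node is None else exec_node.findtext(f"{{{TASK_NS}}}Arguments", ""),
    }


def is_suspicious(task):
    """Assumed heuristics: a script interpreter as the action, a hidden window,
    or a newly created task placed under the built-in \\Microsoft\\ folder."""
    command = task["command"].rsplit("\\", 1)[-1].lower()
    args = task["arguments"].lower()
    return (command in SUSPICIOUS_COMMANDS
            or "-w hidden" in args or "-windowstyle hidden" in args
            or (task["action"] == "created"
                and task["task_name"].lower().startswith("\\microsoft\\")))


def detect(records):
    """Run the detection over exported records and return the tasks to alert on."""
    return [t for t in (parse_task_event(r) for r in records)
            if t is not None and is_suspicious(t)]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f'{hit["computer"]}: {hit["task_name"]} {hit["action"]} by '
              f'{hit["subject"]} runs {hit["command"]} {hit["arguments"]}')
```

Two caveats belong in any recommendation built on this: event 4698 is only generated when the "Audit Other Object Access Events" subcategory is enabled in the audit policy, and the Microsoft-Windows-TaskScheduler/Operational log (event 106, Task registered) is disabled by default, so either source needs a configuration change before the SIEM sees anything. The 4688 sample is included to make the tradeoff from step 4 concrete: without process creation logging the detection never sees the schtasks.exe invocation itself, only the resulting task registration.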

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public
release. Distribution unlimited 18-1528-44.
