You are working as a SOC analyst and receive an alert from your SIEM indicating the execution of a PowerShell command on a user workstation. Further investigation reveals that the command silently downloads a script from a remote IP and executes it in memory without writing to disk. You suspect this may be part of a living-off-the-land technique used by advanced attackers. How does the MITRE ATT&CK framework most effectively assist in analyzing this situation?

Question

Accepted Answer

It maps the observed behavior to known adversarial techniques to aid detection and response planning

Answer

It provides predefined firewall rules to block outbound PowerShell traffic

Answer

It encrypts PowerShell scripts to prevent reverse engineering by attackers

Answer

It automatically quarantines the machine and deletes the PowerShell script

Crowdly

You are working as a SOC analyst and receive an alert from your SIEM indicating ...

Want instant access to all verified answers on moodle.polytechnic.bh?