September 3, 2021

Mapping MITRE TTPs


Hope you’re doing well reader and appreciate any input on this.

I am writing a report trying to explain a sequence of events with MITRE mappings and just wanted to ask a few questions as this seems a little confusing.

1. Command and Control techniques: For an established C2 downloading files through HTTP, is that: Application Layer Protocol: Web Protocols (T1071.001) or Ingress Tool Transfer (T1105)? I was favoring Application Layer Protocol: Web Protocols for executables downloaded over HTTP as indicated in proxy logs, but I am just getting confused as the executables downloaded are tools used later on.
2. When describing process injection with rundll32, should I establish: Defense Evasion: Signed Binary Proxy Execution: Rundll32 (T1218.011) followed by Defense Evasion: Process Injection (T1055)? Understandably, process injection maps to another tactic – Persistence; however, based on log activity it's more likely for evasion. It just seems weird having two defense evasion activities back to back.

Apologies for the entry-level question; this is my first time writing this style of report and some of the MITRE mappings have me confused.
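The two questions above come down to the same point: an ATT&CK technique ID says what was observed, and the tactic says why the adversary did it, so one log event can legitimately carry two techniques (the HTTP channel and the tool transferred over it), and a technique such as Process Injection can sit under more than one tactic, with the analyst choosing the tactic from context. The script below is an added example, not part of the original post and not a MITRE tool: it takes a constructed, chronologically ordered event list and produces the technique/tactic rows a report would carry. The event field names (`source`, `known_c2`, `later_executed`, `injected_into`, `source_integrity`, `target_integrity`) are hypothetical analyst annotations, and the technique names are written as they appear in the question; the tactic sets are the ones ATT&CK publishes for those four techniques.

```python
"""Map a timeline of observed events to MITRE ATT&CK technique/tactic rows.

Added example for illustration; event field names are hypothetical
analyst annotations, not any real log schema or MITRE API.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Technique IDs and names as they appear in the question; tactic sets are the
# tactics MITRE ATT&CK (Enterprise) lists for each technique.
TECHNIQUES: Dict[str, Tuple[str, Set[str]]] = {
    "T1071.001": ("Application Layer Protocol: Web Protocols", {"command-and-control"}),
    "T1105": ("Ingress Tool Transfer", {"command-and-control"}),
    "T1218.011": ("Signed Binary Proxy Execution: Rundll32", {"defense-evasion"}),
    "T1055": ("Process Injection", {"defense-evasion", "privilege-escalation"}),
}

# Windows integrity levels, ranked so an injection target can be compared
# with its source (constructed ranking used only for the tactic decision).
INTEGRITY = {"low": 1, "medium": 2, "high": 3, "system": 4}


@dataclass(frozen=True)
class Mapping:
    step: int        # 1-based position of the event in the timeline
    technique: str   # ATT&CK technique ID
    name: str        # technique name
    tactic: str      # the single tactic chosen for this report row
    rationale: str   # why the technique and tactic were chosen


def _proxy_techniques(ev: dict) -> List[Tuple[str, str, str]]:
    """Proxy log line: HTTP(S) to a known C2 host is the channel (T1071.001);
    an executable fetched over it and run later is also a tool transfer (T1105)."""
    hits = []
    if ev.get("scheme") in ("http", "https") and ev.get("known_c2"):
        hits.append(("T1071.001", "command-and-control",
                     "HTTP traffic to the established C2 host"))
        if ev.get("content_type", "").startswith("application/") and ev.get("later_executed"):
            hits.append(("T1105", "command-and-control",
                         "executable fetched over the C2 channel and used later"))
    return hits


def _process_techniques(ev: dict) -> List[Tuple[str, str, str]]:
    """Process event: rundll32 loading a DLL is T1218.011; a write/thread into
    another process is T1055, with the tactic decided by the integrity change."""
    hits = []
    if ev.get("image", "").lower().endswith("rundll32.exe") and ev.get("args"):
        hits.append(("T1218.011", "defense-evasion", "rundll32.exe used to load a DLL"))
    if ev.get("injected_into"):
        src = INTEGRITY.get(ev.get("source_integrity", "medium"), 2)
        dst = INTEGRITY.get(ev.get("target_integrity", "medium"), 2)
        # Same or lower integrity target: the injection hides execution (evasion).
        # Higher integrity target: the injection also gains privilege (escalation).
        tactic = "privilege-escalation" if dst > src else "defense-evasion"
        hits.append(("T1055", tactic,
                     f"injected into {ev['injected_into']} (integrity {src} -> {dst})"))
    return hits


def map_events(events: List[dict]) -> List[Mapping]:
    """Return one Mapping per (event, technique), in timeline order."""
    rows: List[Mapping] = []
    for step, ev in enumerate(events, start=1):
        hits = _proxy_techniques(ev) if ev["source"] == "proxy" else _process_techniques(ev)
        for tid, tactic, why in hits:
            name, tactics = TECHNIQUES[tid]
            # Guard against a tactic ATT&CK does not list for that technique.
            if tactic not in tactics:
                raise ValueError(f"{tid} is not listed under tactic {tactic}")
            rows.append(Mapping(step, tid, name, tactic, why))
    return rows


def render(rows: List[Mapping]) -> str:
    """Plain-text table for pasting into a report."""
    lines = [f"{'#':>2}  {'Technique':<10} {'Tactic':<21} Name / rationale"]
    for m in rows:
        lines.append(f"{m.step:>2}  {m.technique:<10} {m.tactic:<21} {m.name} ({m.rationale})")
    return "\n".join(lines)


# Constructed sample timeline (not real log data).
SAMPLE_EVENTS = [
    {"source": "proxy", "scheme": "http", "host": "c2.example.invalid", "known_c2": True,
     "content_type": "application/x-msdownload", "later_executed": True},
    {"source": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "args": "payload.dll,Start", "source_integrity": "medium"},
    {"source": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "injected_into": "explorer.exe", "source_integrity": "medium",
     "target_integrity": "medium"},
]

if __name__ == "__main__":
    print(render(map_events(SAMPLE_EVENTS)))
```

Run as written, the first event yields two Command and Control rows (T1071.001 for the channel, T1105 for the transfer), and the two rundll32 events yield T1218.011 and then T1055 under Defense Evasion, because the target has the same integrity as the source; change `target_integrity` to `"high"` and the same injection is reported under Privilege Escalation. Two consecutive Defense Evasion rows are not a problem: the tactic column describes intent, and the technique column is what makes the rows distinct.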
