Hope you’re doing well, reader, and I appreciate any input on this.
I am writing a report trying to explain a sequence of events with MITRE mappings and just wanted to ask a few questions as this seems a little confusing.
1. Command and Control techniques: For an established C2 downloading files through HTTP, is that Application Layer Protocol: Web Protocols (T1071.001) or Ingress Tool Transfer (T1105)? I was favoring Application Layer Protocol: Web Protocols for executables downloaded over HTTP, as indicated in proxy logs, but I am just getting confused because the executables downloaded are tools used later on.
2. When describing process injection with rundll32, should I establish Defense Evasion: Signed Binary Proxy Execution: Rundll32 (T1218.011) followed by Defense Evasion: Process Injection (T1055)? Understandably, process injection maps to another tactic – Persistence; however, based on log activity it's more likely for evasion. It just seems weird having two defense evasion activities back to back.
Apologies for the entry-level question; this is my first time writing this style of report and some of the MITRE mappings have me confused.
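As an added illustration (editor's example, not code from the original post), the script below tags a constructed event sequence of the kind described above with ATT&CK technique IDs. The proxy and process log formats, hosts, timestamps and the C2 address 203.0.113.7 are all constructed; the technique IDs, names and tactics are as listed in ATT&CK Enterprise. It shows that one proxy-log line can carry both T1071.001 (the HTTP channel) and T1105 (the tool being transferred over it), and that the catalogue lists T1055 under Defense Evasion and Privilege Escalation, so a rundll32 launch followed by an injection from that process is two techniques observed in sequence, each with its own entry.

```python
"""Tag a constructed event timeline with ATT&CK technique IDs (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Technique catalogue: ATT&CK Enterprise IDs, names and tactics.
# (T1218 was called "Signed Binary Proxy Execution" before ATT&CK v11.)
TECHNIQUES = {
    "T1071.001": ("Application Layer Protocol: Web Protocols", ("Command and Control",)),
    "T1105": ("Ingress Tool Transfer", ("Command and Control",)),
    "T1218.011": ("System Binary Proxy Execution: Rundll32", ("Defense Evasion",)),
    "T1055": ("Process Injection", ("Defense Evasion", "Privilege Escalation")),
}

# A successful GET of one of these from the C2 is a tool transfer as well as channel use.
TOOL_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".vbs")

# Constructed proxy log: "<ts> <src> <dst> <method> <url> <status> <bytes>".
PROXY_LOG = """\
2024-03-01T10:02:11Z 10.0.0.15 203.0.113.7 GET http://203.0.113.7/beacon?id=42 200 512
2024-03-01T10:02:40Z 10.0.0.15 203.0.113.7 GET http://203.0.113.7/stage/tool.exe 200 184320
2024-03-01T10:02:55Z 10.0.0.15 198.51.100.9 GET http://intranet.example/ 200 1256
2024-03-01T10:03:05Z 10.0.0.15 203.0.113.7 POST http://203.0.113.7/result 200 1024
"""

# Constructed process telemetry in key=value form (raw string keeps the backslashes).
PROCESS_LOG = r"""
2024-03-01T10:03:30Z event=ProcessCreate host=WS01 image=C:\Windows\System32\rundll32.exe cmdline="rundll32.exe C:\Users\Public\tool.dll,Start"
2024-03-01T10:03:31Z event=CreateRemoteThread host=WS01 source=C:\Windows\System32\rundll32.exe target=C:\Windows\explorer.exe
"""


@dataclass
class Event:
    ts: str
    summary: str
    techniques: list  # one event may carry several technique IDs


PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|CONNECT) (\S+) (\d{3}) (\d+)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_proxy(line, c2_hosts):
    """Tag HTTP traffic to a known C2 host; downloads of tools get T1105 as well."""
    m = PROXY_RE.match(line)
    if not m:
        return None
    ts, src, dst, method, url, status, size = m.groups()
    if dst not in c2_hosts:
        return None  # only traffic to the established C2 is mapped here
    techniques = ["T1071.001"]  # any HTTP exchange with the C2 uses the web-protocol channel
    path = urlparse(url).path.lower()
    if method == "GET" and status == "200" and path.endswith(TOOL_EXTENSIONS):
        techniques.append("T1105")  # the same request also brought a tool onto the host
    return Event(ts, f"{src} {method} {url} -> {status} ({size} bytes)", techniques)


def parse_process(line):
    """Tag a rundll32 launch (T1218.011) and a remote-thread creation (T1055)."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    kind = fields.get("event")
    if kind == "ProcessCreate":
        image = fields.get("image", "").rsplit("\\", 1)[-1].lower()
        if image == "rundll32.exe":
            return Event(ts, f"{fields['host']}: {fields['cmdline']}", ["T1218.011"])
    elif kind == "CreateRemoteThread":
        return Event(ts, f"{fields['host']}: {fields['source']} -> {fields['target']}", ["T1055"])
    return None


def map_events(proxy_log, process_log, c2_hosts):
    """Merge both sources into one timeline ordered by timestamp (ISO 8601 sorts lexically)."""
    events = [parse_proxy(l, c2_hosts) for l in proxy_log.splitlines()]
    events += [parse_process(l) for l in process_log.splitlines()]
    return sorted((e for e in events if e), key=lambda e: e.ts)


def render(events):
    """Report-style text: each event with every technique and its tactic(s)."""
    rows = []
    for e in events:
        tags = "; ".join(
            f"{t} {TECHNIQUES[t][0]} [{'/'.join(TECHNIQUES[t][1])}]" for t in e.techniques
        )
        rows.append(f"{e.ts}  {e.summary}\n    {tags}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(map_events(PROXY_LOG, PROCESS_LOG, {"203.0.113.7"})))
```

The benign line to 198.51.100.9 is deliberately left untagged: the mapping keys on traffic to the host already attributed to the C2, not on HTTP in general, which is the distinction the proxy logs alone cannot make for you.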