Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control (C2) activity and thwart analysis, so that their C2 traffic blends in with the legitimate network traffic around it.
Adversaries may perform a fake SSL/TLS handshake so that subsequent traffic appears to be SSL/TLS encrypted, which can interfere with security tooling that treats anything following a handshake as opaque, or so that the traffic appears to be associated with a trusted entity. The handshake need not complete a real key exchange; only the framing has to look right.
Adversaries may also leverage legitimate protocols to impersonate expected web traffic or trusted services. For example, adversaries may manipulate HTTP headers, URI endpoints, SSL/TLS certificates, and transmitted data to disguise C2 communications or mimic legitimate services such as Gmail, Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation: Malleable-C2-U42)
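The following is an added example, not code from the ATT&CK page or from the cited reports, covering both behaviours described above: it builds a fake TLS ClientHello (the framing of a handshake with no key exchange behind it), then shows two network-side checks a detection engineer could run over a captured flow. The first walks TLS record headers and flags a stream whose TLS-looking prefix is followed by bytes that are not TLS records; the second parses an HTTP request and flags a `Host` header that claims a trusted service while the packet is bound for an address where that service does not live. The allowlist of expected destinations and all sample traffic (the C2 beacon, the IP addresses, the cipher suites) are constructed for illustration; the address ranges are documentation prefixes standing in for a real service's ranges, which change and must be sourced operationally.

```python
"""Added example: two checks for protocol/service impersonation on a captured flow.
All sample traffic, addresses and the destination allowlist are constructed."""
import ipaddress
import os
import struct
from dataclasses import dataclass
from typing import Optional

TLS_CONTENT_TYPES = {20, 21, 22, 23}            # change_cipher_spec, alert, handshake, application_data
TLS_VERSIONS = {0x0301, 0x0302, 0x0303, 0x0304}  # record-layer versions seen on the wire
MAX_TLS_RECORD = 16384 + 2048                     # RFC 8446 plaintext limit plus ciphertext expansion


def fake_client_hello(random_bytes: Optional[bytes] = None) -> bytes:
    """Build a TLS 1.2-looking ClientHello record. Only the framing is real:
    nothing in the flow will answer it, which is what a fake handshake is."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    body = struct.pack("!H", 0x0303) + rnd + b"\x00"      # client_version, random, session_id_len=0
    suites = b"\xc0\x2f\xc0\x30\x00\x9c"                   # three plausible cipher suites (constructed choice)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                    # one compression method: null
    body += b"\x00\x00"                                    # no extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=client_hello, 3-byte length
    return b"\x16" + struct.pack("!HH", 0x0303, len(handshake)) + handshake


def wrap_app_data(payload: bytes) -> bytes:
    """Frame bytes as a TLS application_data record (what a careful impersonator does)."""
    return b"\x17" + struct.pack("!HH", 0x0303, len(payload)) + payload


@dataclass
class TlsFramingResult:
    records: int            # well-formed records parsed from the start of the stream
    handshake_first: bool   # first record was a handshake record carrying a ClientHello
    trailing_bytes: int     # bytes after the last well-formed record


def walk_tls_records(stream: bytes) -> TlsFramingResult:
    """Walk record headers from offset 0 and stop at the first one that is not valid TLS framing."""
    off, count, first_is_hello = 0, 0, False
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        if ctype not in TLS_CONTENT_TYPES or version not in TLS_VERSIONS or length > MAX_TLS_RECORD:
            break
        if off + 5 + length > len(stream):
            break                                          # truncated record: treat the rest as non-TLS
        if count == 0:
            first_is_hello = ctype == 22 and length > 0 and stream[off + 5] == 1
        off += 5 + length
        count += 1
    return TlsFramingResult(count, first_is_hello, len(stream) - off)


def classify_tls_stream(stream: bytes) -> str:
    """'tls-prefix-then-raw' is the sloppy fake-handshake case: TLS framing, then raw C2 bytes.
    'tls-framed' only means the framing is consistent; it does not prove a real session."""
    result = walk_tls_records(stream)
    if result.records == 0:
        return "not-tls"
    if result.trailing_bytes:
        return "tls-prefix-then-raw"
    return "tls-framed"


# Constructed allowlist: where flows carrying these Host headers are expected to terminate.
# 192.0.2.0/24 is a documentation prefix standing in for the service's real ranges.
EXPECTED_DESTINATIONS = {
    "mail.google.com": ["192.0.2.0/24"],
    "drive.google.com": ["192.0.2.0/24"],
}


def parse_http_host(request: bytes) -> Optional[str]:
    """Return the Host header value of an HTTP/1.x request, or None if it is not one."""
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3 or not lines[0].split(b" ")[2].startswith(b"HTTP/1."):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").lower()
    return None


def host_mismatch(request: bytes, dst_ip: str) -> bool:
    """True when the Host header names a service we track but the destination is outside its ranges."""
    host = parse_http_host(request)
    if host is None or host not in EXPECTED_DESTINATIONS:
        return False                                       # nothing to compare against
    addr = ipaddress.ip_address(dst_ip)
    return not any(addr in ipaddress.ip_network(net) for net in EXPECTED_DESTINATIONS[host])


# Constructed C2 beacon: plausible path and headers, Host claims Gmail, bound for an attacker host.
C2_BEACON = (b"GET /mail/u/0/?ui=2&ik=3a2b&view=cv HTTP/1.1\r\n"
             b"Host: mail.google.com\r\n"
             b"User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    print(classify_tls_stream(fake_client_hello() + b"RAW-C2-TASKING"))      # tls-prefix-then-raw
    print(classify_tls_stream(fake_client_hello() + wrap_app_data(b"task")))  # tls-framed
    print(host_mismatch(C2_BEACON, "203.0.113.7"), host_mismatch(C2_BEACON, "192.0.2.10"))  # True False
```

The framing walk catches only the careless variant (fake handshake, then raw bytes). An implant that wraps its C2 in well-formed `application_data` records passes it, so in practice this check is paired with others the framing alone cannot give: whether the server ever answered with a ServerHello and certificate, whether the claimed SNI or `Host` matches the certificate actually presented, and whether the destination is where that service is known to live, which is what the second check approximates with a static allowlist.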
NIST CSF 2.0 mappings:

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1001.003 | Protocol or Service Impersonation | This diagnostic statement covers implementing methods, via security tools such as antivirus and IDS/IPS, to detect and block similar future attacks and protect against threats and exploitation attempts. |
DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1001.003 | Protocol or Service Impersonation | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some impersonation activity at the network level. |
PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1001.003 | Protocol or Service Impersonation | This diagnostic statement protects against Protocol or Service Impersonation through secure network configurations and architecture, implementation of zero trust architecture, and network segmentation. |
NIST SP 800-53 control mappings:

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CA-07 | Continuous Monitoring | mitigates | T1001.003 | Protocol or Service Impersonation | |
CM-06 | Configuration Settings | mitigates | T1001.003 | Protocol or Service Impersonation | |
SI-03 | Malicious Code Protection | mitigates | T1001.003 | Protocol or Service Impersonation | |
CM-02 | Baseline Configuration | mitigates | T1001.003 | Protocol or Service Impersonation | |
SI-04 | System Monitoring | mitigates | T1001.003 | Protocol or Service Impersonation | |
AC-04 | Information Flow Enforcement | mitigates | T1001.003 | Protocol or Service Impersonation | |
SC-07 | Boundary Protection | mitigates | T1001.003 | Protocol or Service Impersonation | |
VERIS mappings:

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.hacking.variety.Other | Other | related-to | T1001.003 | Protocol or Service Impersonation | |