Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.
Adversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| AC-4 | Information Flow Enforcement | Protects | T1001.003 | Protocol Impersonation |
| CA-7 | Continuous Monitoring | Protects | T1001.003 | Protocol Impersonation |
| CM-2 | Baseline Configuration | Protects | T1001.003 | Protocol Impersonation |
| CM-6 | Configuration Settings | Protects | T1001.003 | Protocol Impersonation |
| SC-7 | Boundary Protection | Protects | T1001.003 | Protocol Impersonation |
| SI-3 | Malicious Code Protection | Protects | T1001.003 | Protocol Impersonation |
| SI-4 | System Monitoring | Protects | T1001.003 | Protocol Impersonation |
| action.malware.variety.Unknown | Unknown | related-to | T1001.003 | Data Obfuscation: Protocol Impersonation |