T1001.003 Protocol Impersonation Mappings

Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.

Adversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-4 Information Flow Enforcement Protects T1001.003 Protocol Impersonation
CA-7 Continuous Monitoring Protects T1001.003 Protocol Impersonation
CM-2 Baseline Configuration Protects T1001.003 Protocol Impersonation
CM-6 Configuration Settings Protects T1001.003 Protocol Impersonation
SC-7 Boundary Protection Protects T1001.003 Protocol Impersonation
SI-3 Malicious Code Protection Protects T1001.003 Protocol Impersonation
SI-4 System Monitoring Protects T1001.003 Protocol Impersonation
action.malware.variety.Unknown Unknown related-to T1001.003 Data Obfuscation: Protocol Impersonation