Description
Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.
Adversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity.
Adversaries may also leverage legitimate protocols to impersonate expected web traffic or trusted services. For example, adversaries may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted data to disguise C2 communications or mimic legitimate services such as Gmail, Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation: Malleable-C2-U42)
Platforms
Mitigations (1)
Network Intrusion PreventionM1031
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate some obfuscation activity at the network level.
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS bu... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has utilized TLS record headers in network packets to impersonate various versions of TLS proto... |
| G0126 | Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) used a FakeTLS session for C2 communications.(Citation: Zscaler Higaisa 2020) |
Associated Software (18)
| ID | Name | Type | Context |
|---|---|---|---|
| S1120 | FRAMESTING | Malware | [FRAMESTING](https://attack.mitre.org/software/S1120) uses a cookie named `DSID` to mimic the name of a cookie used by Ivanti Connect Secure appliance... |
| S1227 | StarProxy | Malware | [StarProxy](https://attack.mitre.org/software/S1227) has utilized TLS record headers in network packets to impersonate various versions of TLS protoco... |
| S1228 | PUBLOAD | Malware | [PUBLOAD](https://attack.mitre.org/software/S1228) has modified HTTP POST requests to resemble legitimate communications.(Citation: Lab52 MUSTANG PAND... |
| S0154 | Cobalt Strike | Malware | [Cobalt Strike](https://attack.mitre.org/software/S0154) can leverage the HTTP protocol for C2 communication, while hiding the actual data in either a... |
| S0245 | BADCALL | Malware | [BADCALL](https://attack.mitre.org/software/S0245) uses a FakeTLS method during C2.(Citation: Malware Analysis Report 10135536-G) |
| S0387 | KeyBoy | Malware | [KeyBoy](https://attack.mitre.org/software/S0387) uses custom SSL libraries to impersonate SSL in C2 traffic.(Citation: PWC KeyBoys Feb 2017) |
| S0586 | TAINTEDSCRIBE | Malware | [TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) has used FakeTLS for session authentication.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE ... |
| S0239 | Bankshot | Malware | [Bankshot](https://attack.mitre.org/software/S0239) generates a false TLS handshake using a public certificate to disguise C2 network communications.(... |
| S0246 | HARDRAIN | Malware | [HARDRAIN](https://attack.mitre.org/software/S0246) uses FakeTLS to communicate with its C2 server.(Citation: MAR10135536-F) |
| S0022 | Uroburos | Malware | [Uroburos](https://attack.mitre.org/software/S0022) can use custom communication methodologies that ride over common protocols including TCP, UDP, HT... |
| S0559 | SUNBURST | Malware | [SUNBURST](https://attack.mitre.org/software/S0559) masqueraded its network traffic as the Orion Improvement Program (OIP) protocol.(Citation: FireEye... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can mimic HTTP protocol with custom HTTP “verbs” HIDE, ZVVP, and NOP.(Citation: ESET InvisiMole ... |
| S1100 | Ninja | Malware | [Ninja](https://attack.mitre.org/software/S1100) has the ability to mimic legitimate services with customized HTTP URL paths and headers to hide malic... |
| S0076 | FakeM | Malware | [FakeM](https://attack.mitre.org/software/S0076) C2 traffic attempts to evade detection by resembling data generated by legitimate messenger applicati... |
| S1226 | BOOKWORM | Malware | [BOOKWORM](https://attack.mitre.org/software/S1226) has modified HTTP POST requests to resemble legitimate communications.(Citation: Palo Alto Network... |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) used FakeTLS headers in network packets to impersonate various versions of TLS protocols to blend... |
| S0181 | FALLCHILL | Malware | [FALLCHILL](https://attack.mitre.org/software/S0181) uses fake Transport Layer Security (TLS) to communicate with its C2 server.(Citation: US-CERT FAL... |
| S0439 | Okrum | Malware | [Okrum](https://attack.mitre.org/software/S0439) leverages the HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and ... |
References
- Chris Navarrete Durgesh Sangvikar Andrew Guan Yu Fu Yanhui Jia Siddhart Shibiraj. (2022, March 16). Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved September 24, 2024.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
Frequently Asked Questions
What is T1001.003 (Protocol or Service Impersonation)?
T1001.003 is a MITRE ATT&CK technique named 'Protocol or Service Impersonation'. It belongs to the Command and Control tactic(s). Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adv...
How can T1001.003 be detected?
Detection of T1001.003 (Protocol or Service Impersonation) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1001.003?
There are 1 documented mitigations for T1001.003. Key mitigations include: Network Intrusion Prevention.
Which threat groups use T1001.003?
Known threat groups using T1001.003 include: Lazarus Group, Mustang Panda, Higaisa.