T1001.003: Protocol Impersonation

View on MITRE ATT&CK T1001.003
Tactic(s) Command and Control

Data from MITRE ATT&CK®:

Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.

Adversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Cyber Threat Graph Context

Explore how this ATT&CK Technique relates to the wider threat graph

Reporting on this Technique

Report

APT40 Advisory - PRC MSS tradecraft in action

This advisory, authored by the Australian Cyber Security Centre and multiple other international cybersecurity agencies, outlines the threat posed ...

View Source
Report

StopRansomware: Phobos Ransomware

This is a joint Cybersecurity Advisory produced by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). It ...

View Source

Mitigations for this technique

MITRE ATT&CK Mitigations

How to detect this technique

MITRE ATT&CK Data Components

Sigma Detections for this Technique

SP800-53 Controls

See which controls can help protect against this MITRE ATT&CK technique. This is based on mappings to associated SP800-53 controls produced by the MITRE Engenuity Center for Threat-Informed Defense.

Node
AC-4: Information Flow Enforcement
CA-7: Continuous Monitoring
SI-3: Malicious Code Protection
SC-7: Boundary Protection
CM-6: Configuration Settings
CM-2: Baseline Configuration
SI-4: System Monitoring