Data Obfuscation: Protocol or Service Impersonation
Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic. Adversaries may perform a fake SSL/TLS handshake so that subsequent traffic appears to be SSL/TLS encrypted, which can interfere with some security tooling or make the traffic look like it is related to a trusted entity. Adversaries may also leverage legitimate protocols to impersonate expected web traffic or trusted services. For example, adversaries may manipulate HTTP headers, URI endpoints, SSL certificates, and transmitted data to disguise C2 communications or mimic legitimate services such as Gmail, Google Drive, and Yahoo Messenger.(Citation: ESET Okrum July 2019)(Citation: Malleable-C2-U42)
Procedure Examples

| Name | Description |
|---|---|
| Lazarus Group | Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method, potentially evading SSL traffic inspection/decryption.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee-GhostSecret-fixurl) |
| FRAMESTING | FRAMESTING uses a cookie named `DSID` to mimic the name of a cookie used by Ivanti Connect Secure appliances for maintaining VPN sessions.(Citation: Mandiant Cutting Edge Part 2 January 2024) |
| Cobalt Strike | Cobalt Strike can leverage the HTTP protocol for C2 communication, while hiding the actual data in either an HTTP header, URI parameter, the transaction body, or appending it to the URI.(Citation: Cobalt Strike Manual 4.3 November 2020) |
| BADCALL | BADCALL uses a FakeTLS method during C2.(Citation: Malware Analysis Report 10135536-G) |
| KeyBoy | KeyBoy uses custom SSL libraries to impersonate SSL in C2 traffic.(Citation: PWC KeyBoys Feb 2017) |
| Higaisa | Higaisa used a FakeTLS session for C2 communications.(Citation: Zscaler Higaisa 2020) |
| TAINTEDSCRIBE | TAINTEDSCRIBE has used FakeTLS for session authentication.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020) |
| Bankshot | Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications.(Citation: MAR10135536-B) |
| HARDRAIN | HARDRAIN uses FakeTLS to communicate with its C2 server.(Citation: MAR10135536-F) |
| Uroburos | Uroburos can use custom communication methodologies that ride over common protocols including TCP, UDP, HTTP, SMTP, and DNS in order to blend with normal network traffic.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023) |
| SUNBURST | SUNBURST masqueraded its network traffic as the Orion Improvement Program (OIP) protocol.(Citation: FireEye SUNBURST Backdoor December 2020) |
| C0017 | During C0017, APT41 frequently configured the URL endpoints of their stealthy passive backdoor LOWKEY.PASSIVE to masquerade as normal web application traffic on an infected server.(Citation: Mandiant APT41) |
| InvisiMole | InvisiMole can mimic the HTTP protocol with custom HTTP "verbs" HIDE, ZVVP, and NOP.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
| Ninja | Ninja has the ability to mimic legitimate services with customized HTTP URL paths and headers to hide malicious traffic.(Citation: Kaspersky ToddyCat June 2022) |
| FakeM | FakeM C2 traffic attempts to evade detection by resembling data generated by legitimate messenger applications, such as MSN and Yahoo! Messenger. Additionally, some variants of FakeM use modified SSL code for communications back to C2 servers, making SSL decryption ineffective.(Citation: Scarlet Mimic Jan 2016) |
| FALLCHILL | FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server.(Citation: US-CERT FALLCHILL Nov 2017) |
| Okrum | Okrum leverages the HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.(Citation: ESET Okrum July 2019) |
Mitigations

| Mitigation | Description |
|---|---|
| Network Intrusion Prevention | Use intrusion detection signatures to block traffic at network boundaries. |
Detection
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used, for example bytes on 443/tcp that carry a TLS record header but do not parse as a TLS handshake, or HTTP requests that use methods outside the standard set.(Citation: University of Birmingham C2)
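The following is an added example illustrating the structural checks described above and the FakeTLS and custom-HTTP-verb behaviour listed in the procedure examples; it is not code from MITRE ATT&CK or from any of the cited reports. It parses the first record a client sends on 443/tcp strictly as a TLS ClientHello and rejects anything that only borrows the `16 03 01` record header, and it checks the method of an HTTP request line on 80/tcp against the standard methods. All byte strings are constructed for illustration and are not captures of any named malware family.

```python
"""Added example: structural protocol checks for 443/tcp and 80/tcp.

Not code from MITRE ATT&CK or any cited report. Sample bytes are constructed.
"""
import struct

TLS_HANDSHAKE = 0x16                # record content type: handshake
CLIENT_HELLO = 0x01                 # handshake message type: ClientHello
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}   # legacy_record_version values seen on the wire
ALLOWED_HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT", "TRACE"}


def parse_client_hello(data: bytes) -> dict:
    """Parse the first TLS record of a client flow as a ClientHello (RFC 5246 s7.4.1.2).
    Raises ValueError at the first field that does not fit, so an implant payload behind
    a genuine-looking 16 03 01 header is rejected instead of being treated as TLS."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    ctype, rversion, rlen = struct.unpack("!BHH", data[:5])
    if ctype != TLS_HANDSHAKE:
        raise ValueError(f"record type 0x{ctype:02x} is not handshake (0x16)")
    if rversion not in TLS_RECORD_VERSIONS:
        raise ValueError(f"record version 0x{rversion:04x} is not a TLS version")
    body = data[5:5 + rlen]
    if len(body) != rlen or len(body) < 4:
        raise ValueError("record length does not match the bytes present")
    htype, hlen = body[0], int.from_bytes(body[1:4], "big")
    if htype != CLIENT_HELLO:
        raise ValueError(f"handshake type 0x{htype:02x} is not ClientHello (0x01)")
    if hlen != rlen - 4:
        raise ValueError("handshake length inconsistent with record length")
    hello = body[4:]
    if len(hello) < 35:                 # client_version(2) + random(32) + session_id length(1)
        raise ValueError("ClientHello truncated before session_id")
    client_version = int.from_bytes(hello[:2], "big")
    pos = 34
    sid_len = hello[pos]; pos += 1
    if sid_len > 32 or pos + sid_len > len(hello):
        raise ValueError("session_id length out of range")
    pos += sid_len
    if pos + 2 > len(hello):
        raise ValueError("cipher_suites length missing")
    cs_len = int.from_bytes(hello[pos:pos + 2], "big"); pos += 2
    if cs_len < 2 or cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("cipher_suites vector malformed")
    suites = [int.from_bytes(hello[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    if pos >= len(hello):
        raise ValueError("compression_methods missing")
    cm_len = hello[pos]; pos += 1
    if cm_len < 1 or pos + cm_len > len(hello):
        raise ValueError("compression_methods vector malformed")
    pos += cm_len
    if pos < len(hello):                # an extensions block must account for every remaining byte
        if pos + 2 > len(hello) or pos + 2 + int.from_bytes(hello[pos:pos + 2], "big") != len(hello):
            raise ValueError("extensions length does not fill the message")
    return {"client_version": client_version, "cipher_suites": suites}


def classify_port443(first_client_bytes: bytes) -> str:
    """Verdict for the first bytes a client sends on 443/tcp."""
    try:
        parse_client_hello(first_client_bytes)
        return "tls-clienthello"
    except ValueError as why:
        return f"not-tls: {why}"


def classify_port80(request_line: bytes) -> str:
    """Verdict for an HTTP request line on 80/tcp: flag methods outside the standard set."""
    parts = request_line.rstrip(b"\r\n").split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return "not-http"
    method = parts[0].decode("ascii", "replace")
    return "http" if method in ALLOWED_HTTP_METHODS else f"not-http: unknown method {method}"


def build_client_hello(suites) -> bytes:
    """Constructed minimal ClientHello (no extensions, fixed 'random') for the benign sample."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = b"\x03\x03" + bytes(range(32)) + b"\x00" + len(cs).to_bytes(2, "big") + cs + b"\x01\x00"
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + len(hs).to_bytes(2, "big") + hs


# Constructed samples (hypothetical, not real captures):
REAL_TLS = build_client_hello([0x1301, 0x1302, 0xC02F])
# Fake-TLS style: valid record and handshake headers, but the body is not a ClientHello
# (session_id length 0xff is impossible).
FAKE_TLS = b"\x16\x03\x01\x00\x28" + b"\x01\x00\x00\x24" + b"\x03\x03" + bytes(range(32)) + b"\xff\x00"
# A record whose header claims 512 bytes but carries 4.
TRUNCATED = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"
PLAIN_HTTP_ON_443 = b"GET /index.html HTTP/1.1\r\n"

if __name__ == "__main__":
    for name, sample in [("real", REAL_TLS), ("fake", FAKE_TLS), ("truncated", TRUNCATED), ("http", PLAIN_HTTP_ON_443)]:
        print(f"443/tcp {name:9s} -> {classify_port443(sample)}")
    print("80/tcp  ->", classify_port80(b"ZVVP /update HTTP/1.1\r\n"))
```

This is a first-pass structural filter, not a complete answer: an implant can send a syntactically valid ClientHello (Bankshot, above, uses a real public certificate in its false handshake) and then carry its own ciphertext in records that look like application data. The next checks in that case are whether a ServerHello and certificate exchange actually preceded the application data, whether the record lengths and timing resemble the claimed service, and JA3/JA4-style client fingerprinting against the TLS stacks expected on the host.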
References
- Hromcova, Z. (2019, July). Okrum and Ketrican: An Overview of Recent Ke3chang Group Activity. Retrieved May 6, 2020.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Navarrete, C., Sangvikar, D., Guan, A., Fu, Y., Jia, Y., Shibiraj, S. (2022, March 16). Cobalt Strike Analysis and Tutorial: How Malleable C2 Profiles Make Cobalt Strike Difficult to Detect. Retrieved September 24, 2024.
- Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
- Sherstobitoff, R. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved August 15, 2024.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.
- Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- US-CERT. (2018, February 6). Malware Analysis Report 10135536-G. Retrieved August 15, 2024.
- Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
- Singh, S., Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
- USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
- US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved August 15, 2024.
- US-CERT. (2018, February 5). Malware Analysis Report (MAR) - 10135536-F. Retrieved August 15, 2024.
- FBI et al. (2023, May 9). Hunting Russian Intelligence "Snake" Malware. Retrieved June 8, 2023.
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- Brown, R., Ta, V., Bienstock, D., Ackerman, G., Wolfram, J. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
- Hromcova, Z. and Cherpanov, A. (2020, June). InvisiMole: The Hidden Part of the Story. Retrieved July 16, 2020.
- Hromcová, Z. (2018, June 7). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
- Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
- US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
Related risks

| Risk | Cause | Affected property |
|---|---|---|
| Data transfer over covert channels in network traffic | The ability to disguise malicious traffic as legitimate | Confidentiality; information disclosure |
| Unauthorized control of IT infrastructure via network traffic | The ability to disguise malicious traffic as legitimate | Privilege escalation; integrity; unauthorized access |
| Information leakage via network traffic | The ability to disguise malicious traffic as legitimate | Confidentiality; information disclosure |