T1001.003 IBM QRadar · QRadar

Detect Protocol or Service Impersonation in IBM QRadar

Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By mimicking legitimate protocols or web services, adversaries make their C2 traffic blend in with normal network traffic. Techniques include FakeTLS (malformed TLS handshakes that mimic real TLS but use different encryption), custom HTTP header manipulation, URI endpoint spoofing, SSL certificate impersonation, and mimicking well-known services like Gmail or Google Drive. Real-world examples include Lazarus Group's FakeTLS, Cobalt Strike malleable C2 profiles, SUNBURST's OIP protocol masquerading, and Mustang Panda's PUBLOAD/StarProxy tools.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1001 Data Obfuscation
Sub-technique
T1001.003 Protocol or Service Impersonation
Canonical reference
https://attack.mitre.org/techniques/T1001/003/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS FirstSeen,
  sourceip,
  destinationip,
  destinationport,
  username,
  CATEGORYNAME(category) AS EventCategory,
  LOGSOURCETYPEID(logsourceid) AS LogSourceType,
  COUNT(*) AS ConnectionCount,
  SUM(eventcount) AS TotalEvents,
  MIN(starttime) AS EarliestConnection,
  MAX(starttime) AS LatestConnection,
  ROUND((MAX(starttime) - MIN(starttime)) / 60000.0, 1) AS DurationMinutes,
  CASE
    WHEN destinationport IN (443, 8443, 4443) AND
         username ILIKE ANY ('%svchost%', '%rundll32%', '%regsvr32%', '%mshta%', '%wscript%', '%cscript%', '%msbuild%', '%installutil%', '%regasm%', '%certutil%', '%bitsadmin%')
      THEN 'FakeTLS-suspicious-process'
    WHEN COUNT(*) >= 5 AND
         ROUND((MAX(starttime) - MIN(starttime)) / (COUNT(*) - 1) / 1000.0, 1) BETWEEN 30 AND 3600
      THEN 'regular-beaconing-pattern'
    WHEN destinationport IN (443, 8443, 4443, 8080, 8888) AND
         username ILIKE ANY ('%svchost%', '%rundll32%', '%regsvr32%', '%mshta%', '%wscript%', '%cscript%', '%msbuild%', '%installutil%', '%regasm%', '%regsvcs%', '%certutil%', '%bitsadmin%')
      THEN 'TLS-port-suspicious-process'
    ELSE 'anomalous-outbound'
  END AS SuspicionDetail
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 73, 143, 161)
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
  AND destinationport IN (80, 443, 8080, 8443, 4443, 8888)
  AND NOT destinationip ILIKE '10.%'
  AND NOT destinationip ILIKE '192.168.%'
  AND NOT destinationip ILIKE '172.16.%'
  AND NOT destinationip ILIKE '172.17.%'
  AND NOT destinationip ILIKE '172.18.%'
  AND NOT destinationip ILIKE '172.19.%'
  AND NOT destinationip ILIKE '172.20.%'
  AND NOT destinationip ILIKE '172.21.%'
  AND NOT destinationip ILIKE '172.22.%'
  AND NOT destinationip ILIKE '172.23.%'
  AND NOT destinationip ILIKE '172.24.%'
  AND NOT destinationip ILIKE '172.25.%'
  AND NOT destinationip ILIKE '172.26.%'
  AND NOT destinationip ILIKE '172.27.%'
  AND NOT destinationip ILIKE '172.28.%'
  AND NOT destinationip ILIKE '172.29.%'
  AND NOT destinationip ILIKE '172.30.%'
  AND NOT destinationip ILIKE '172.31.%'
  AND NOT destinationip ILIKE '127.%'
  AND username NOT ILIKE '%chrome%'
  AND username NOT ILIKE '%firefox%'
  AND username NOT ILIKE '%msedge%'
  AND username NOT ILIKE '%teams%'
  AND username NOT ILIKE '%slack%'
  AND username NOT ILIKE '%zoom%'
  AND username NOT ILIKE '%outlook%'
GROUP BY sourceip, destinationip, destinationport, username
HAVING ConnectionCount >= 3
ORDER BY ConnectionCount DESC
high severity medium confidence

Detects protocol or service impersonation C2 patterns in QRadar by correlating Sysmon network events and Windows Security logs to identify suspicious processes making repeated outbound connections to common TLS/HTTP ports. Groups by source host, destination, and process name to surface beaconing behavior and FakeTLS port usage by LOLBins.

Data Sources

QRadar with Sysmon DSMWindows Security Event Log DSMNetwork flow data

Required Tables

events

False Positives & Tuning

  • Enterprise patch management systems that use bitsadmin.exe or other system binaries to download updates over HTTPS will match on process name — cross-reference with WSUS or SCCM deployment windows
  • Software asset management tools that probe external inventory APIs from svchost-hosted DLL services will generate benign hits — validate connection destinations against known vendor IP ranges
  • Automated backup software or cloud sync agents running as Windows services under svchost.exe may make regular outbound HTTPS connections matching the beaconing interval threshold
Download portable Sigma rule (.yml)

Other platforms for T1001.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1FakeTLS Simulation: Raw TCP Connection on TLS Port

    Expected signal: Sysmon Event ID 3: Network Connection with Image=powershell.exe, DestinationPort=4443, DestinationIp=127.0.0.1. Sysmon Event ID 1: Process Create with powershell.exe and TcpClient in CommandLine. The connection attempt will appear in network logs regardless of whether a listener exists.

  2. Test 2HTTP Header Manipulation: Cobalt Strike-Style Malleable C2 Simulation

    Expected signal: Sysmon Event ID 3: Network Connection from powershell.exe to 127.0.0.1:8080. Sysmon Event ID 1: Process Create showing powershell.exe with WebRequest in CommandLine. If proxy logs are available, the manipulated HTTP headers (fake User-Agent, encoded cookie) would be visible. PowerShell ScriptBlock Event ID 4104 captures the full script including the fake headers.

  3. Test 3DNS-Based Protocol Impersonation: DNS Tunneling Simulation

    Expected signal: Sysmon Event ID 22: DNS Query events for each subdomain query (aGVsbG8.c2test.invalid, aG9zdG5hbWU.c2test.invalid, etc.) with Image=powershell.exe. Sysmon Event ID 1: Process Create for powershell.exe. Windows DNS Client event log may also capture the failed DNS resolutions. All queries will return NXDOMAIN.

  4. Test 4SUNBURST-Style Protocol Mimicry: Fake OIP Traffic Pattern

    Expected signal: Sysmon Event ID 3: Three Network Connection events from powershell.exe to 127.0.0.1:8080 with distinct URIs. Sysmon Event ID 1: Process Create for powershell.exe. PowerShell ScriptBlock Event ID 4104: Full script content including OIP-mimicking User-Agent and custom X-Solarwinds-Request header. If a web proxy is in the traffic path, it would log the fake Orion User-Agent from a non-Orion process.

Last updated: 2026-04-13 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1001.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1001Data Obfuscation

Related Sub-techniques

T1001.001Junk DataT1001.002Steganography

Related Techniques

T1001Data ObfuscationT1001.001Junk DataT1001.002SteganographyT1071.001Web ProtocolsT1071.004DNST1573.001Symmetric CryptographyT1573.002Asymmetric CryptographyT1568Dynamic ResolutionT1090.002External ProxyT1102Web ServiceT1132.001Standard EncodingT1205.002Socket Filters

Same Tactic: Command and Control

Popular Detections