Detect Protocol or Service Impersonation in Sumo Logic CSE
Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By mimicking legitimate protocols or web services, adversaries make their C2 traffic blend in with normal network traffic. Techniques include FakeTLS (malformed TLS handshakes that mimic real TLS but use different encryption), custom HTTP header manipulation, URI endpoint spoofing, SSL certificate impersonation, and mimicking well-known services like Gmail or Google Drive. Real-world examples include Lazarus Group's FakeTLS, Cobalt Strike malleable C2 profiles, SUNBURST's OIP protocol masquerading, and Mustang Panda's PUBLOAD/StarProxy tools.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1001 Data Obfuscation
- Sub-technique
- T1001.003 Protocol or Service Impersonation
- Canonical reference
- https://attack.mitre.org/techniques/T1001/003/
Sumo Detection Query
_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where %"EventCode" = "3" OR %"event_id" = "3" OR _sourcecategory matches "*sysmon*"
| parse regex field=Image "(?<ProcessName>[^\\\\]+)$" nodrop
| parse regex field=DestinationIp "(?<DestIP>\\d+\\.\\d+\\.\\d+\\.\\d+)" nodrop
| where !(DestinationIp matches "10.*") AND !(DestinationIp matches "192.168.*") AND !(DestinationIp matches "172.16.*") AND !(DestinationIp matches "172.17.*") AND !(DestinationIp matches "172.18.*") AND !(DestinationIp matches "172.19.*") AND !(DestinationIp matches "172.20.*") AND !(DestinationIp matches "172.21.*") AND !(DestinationIp matches "172.22.*") AND !(DestinationIp matches "172.23.*") AND !(DestinationIp matches "172.24.*") AND !(DestinationIp matches "172.25.*") AND !(DestinationIp matches "172.26.*") AND !(DestinationIp matches "172.27.*") AND !(DestinationIp matches "172.28.*") AND !(DestinationIp matches "172.29.*") AND !(DestinationIp matches "172.30.*") AND !(DestinationIp matches "172.31.*") AND !(DestinationIp matches "127.*")
| where !(ProcessName matches "chrome.exe") AND !(ProcessName matches "firefox.exe") AND !(ProcessName matches "msedge.exe") AND !(ProcessName matches "iexplore.exe") AND !(ProcessName matches "teams.exe") AND !(ProcessName matches "slack.exe") AND !(ProcessName matches "zoom.exe") AND !(ProcessName matches "outlook.exe") AND !(ProcessName matches "onedrive.exe")
| eval isSuspiciousProcess = if(ProcessName matches "svchost.exe" OR ProcessName matches "lsass.exe" OR ProcessName matches "rundll32.exe" OR ProcessName matches "regsvr32.exe" OR ProcessName matches "mshta.exe" OR ProcessName matches "wscript.exe" OR ProcessName matches "cscript.exe" OR ProcessName matches "msbuild.exe" OR ProcessName matches "installutil.exe" OR ProcessName matches "regasm.exe" OR ProcessName matches "regsvcs.exe" OR ProcessName matches "certutil.exe" OR ProcessName matches "bitsadmin.exe", 1, 0)
| eval isFakeTLSPort = if(DestinationPort in ("443", "8443", "4443", "8080", "8888") AND isSuspiciousProcess = 1, 1, 0)
| timeslice 24h
| stats count as ConnectionCount, dcount(DestinationIp) as UniqueRemoteIPs, max(isFakeTLSPort) as FakeTLSFlag, max(isSuspiciousProcess) as SuspiciousProcessFlag, min(_messageTime) as FirstSeen, max(_messageTime) as LastSeen by host, Image, DestinationIp, DestinationPort, _timeslice
| where ConnectionCount >= 3
| eval DurationMinutes = round((LastSeen - FirstSeen) / 60000, 1)
| eval AvgIntervalSeconds = if(ConnectionCount > 1, round((LastSeen - FirstSeen) / 1000 / (ConnectionCount - 1), 1), null)
| eval BeaconingLikely = if(AvgIntervalSeconds > 30 AND AvgIntervalSeconds < 3600 AND ConnectionCount >= 5, 1, 0)
| eval SuspicionScore = FakeTLSFlag + SuspiciousProcessFlag + BeaconingLikely
| where SuspicionScore >= 1
| eval SuspicionDetail = if(FakeTLSFlag = 1 AND SuspiciousProcessFlag = 1, "FakeTLS-suspicious-process", if(SuspiciousProcessFlag = 1 AND BeaconingLikely = 1, "suspicious-process-beaconing", if(BeaconingLikely = 1, "regular-beaconing-pattern", if(FakeTLSFlag = 1, "TLS-port-non-browser", "anomalous-outbound"))))
| fields FirstSeen, host, Image, DestinationIp, DestinationPort, ConnectionCount, UniqueRemoteIPs, AvgIntervalSeconds, DurationMinutes, SuspicionScore, SuspicionDetail
| sort by SuspicionScore, ConnectionCountDetects protocol or service impersonation (T1001.003) in Sumo Logic by analyzing Sysmon EventCode 3 (network connection) logs to identify suspicious Windows processes making repeated outbound connections to TLS/HTTP ports. Computes a suspicion score based on FakeTLS port usage, suspicious process identification, and beaconing interval regularity to surface C2 traffic mimicking legitimate protocols.
Data Sources
Required Tables
False Positives & Tuning
- Windows Update or Microsoft telemetry processes hosted in svchost.exe making regular check-ins to Microsoft CDN endpoints will generate hits — validate destination IP ranges against Microsoft published IP lists
- Corporate DLP or endpoint security software that uses rundll32.exe or similar host processes for its network agent component may make periodic outbound HTTPS connections to vendor cloud infrastructure
- Developer tools like MSBuild used in CI/CD pipelines to download NuGet packages or communicate with artifact repositories over HTTPS will match on process name — correlate with build system schedules
Other platforms for T1001.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1FakeTLS Simulation: Raw TCP Connection on TLS Port
Expected signal: Sysmon Event ID 3: Network Connection with Image=powershell.exe, DestinationPort=4443, DestinationIp=127.0.0.1. Sysmon Event ID 1: Process Create with powershell.exe and TcpClient in CommandLine. The connection attempt will appear in network logs regardless of whether a listener exists.
- Test 2HTTP Header Manipulation: Cobalt Strike-Style Malleable C2 Simulation
Expected signal: Sysmon Event ID 3: Network Connection from powershell.exe to 127.0.0.1:8080. Sysmon Event ID 1: Process Create showing powershell.exe with WebRequest in CommandLine. If proxy logs are available, the manipulated HTTP headers (fake User-Agent, encoded cookie) would be visible. PowerShell ScriptBlock Event ID 4104 captures the full script including the fake headers.
- Test 3DNS-Based Protocol Impersonation: DNS Tunneling Simulation
Expected signal: Sysmon Event ID 22: DNS Query events for each subdomain query (aGVsbG8.c2test.invalid, aG9zdG5hbWU.c2test.invalid, etc.) with Image=powershell.exe. Sysmon Event ID 1: Process Create for powershell.exe. Windows DNS Client event log may also capture the failed DNS resolutions. All queries will return NXDOMAIN.
- Test 4SUNBURST-Style Protocol Mimicry: Fake OIP Traffic Pattern
Expected signal: Sysmon Event ID 3: Three Network Connection events from powershell.exe to 127.0.0.1:8080 with distinct URIs. Sysmon Event ID 1: Process Create for powershell.exe. PowerShell ScriptBlock Event ID 4104: Full script content including OIP-mimicking User-Agent and custom X-Solarwinds-Request header. If a web proxy is in the traffic path, it would log the fake Orion User-Agent from a non-Orion process.
References (13)
- https://attack.mitre.org/techniques/T1001/003/
- https://unit42.paloaltonetworks.com/cobalt-strike-malleable-c2-profile/
- https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf
- https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
- https://www.mandiant.com/resources/cutting-edge-part-2
- https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133a
- https://www.novetta.com/2016/02/blockbuster/
- https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
- https://lab52.io/blog/mustang-panda-is-actively-targeting-europe-with-plugx-variants/
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- https://github.com/activecm/rita
- https://zeek.org/
- https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/advanced-hunting-schema-tables
Unlock Pro Content
Get the full detection package for T1001.003 including response playbook, investigation guide, and atomic red team tests.