title: Protocol or Service Impersonation (T1001.003)
id: df00tech-t1001-003
status: experimental
description: "Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By mimicking legitimate protocols or web services, adversaries make their C2 traffic blend in with normal network traffic. Techniques include FakeTLS (malformed TLS handshakes that mimic real TLS but use different encryption), custom HTTP header manipulation, URI endpoint spoofing, SSL certificate impersonation, and mimicking well-known services like Gmail or Google Drive. Real-world examples include Lazarus Group's FakeTLS, Cobalt Strike malleable C2 profiles, SUNBURST's OIP protocol masquerading, and Mustang Panda's PUBLOAD/StarProxy tools."
references:
  - https://attack.mitre.org/techniques/T1001/003/
  - https://df00tech.com/detections/T1001.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1001.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: 'EventID: *' matches every network_connection
  # event, so the rule fires on all traffic until it is replaced with real matching logic.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate monitoring agents (Datadog, SolarWinds, Nagios) that beacon on regular intervals to their management servers"
  - Application performance monitoring tools making regular HTTP health checks from svchost-hosted services
  - Custom internal applications using non-standard TLS ports for internal API communications
  - "Software update mechanisms in enterprise software (Java, Adobe, etc.) making regular check-in connections"
level: high
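The FakeTLS variant named in the description (a record that carries the TLS handshake header but never forms a real ClientHello) can be screened for structurally on the wire. The following is an added example by the editor, not part of the df00tech rule or its KQL/SPL query; the ClientHello builder, the constructed FakeTLS sample and all function names are assumptions, and the byte layout checked is the one defined in RFC 5246.

```python
import struct

# TLS constants from RFC 5246 / RFC 8446
TLS_HANDSHAKE = 0x16            # record content type: handshake
CLIENT_HELLO = 0x01             # handshake message type: ClientHello
TLS_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}

def client_hello_anomalies(payload: bytes) -> list:
    """Return a list of structural inconsistencies found in a purported TLS
    ClientHello. An empty list means the bytes parse as a well-formed one."""
    problems = []
    if len(payload) < 9:
        return ["shorter than record header (5) + handshake header (4)"]
    ctype, rec_ver, rec_len = struct.unpack("!BHH", payload[:5])
    if ctype != TLS_HANDSHAKE:
        problems.append("record type 0x%02x is not handshake" % ctype)
    if rec_ver not in TLS_VERSIONS:
        problems.append("record version 0x%04x is not a TLS version" % rec_ver)
    if rec_len != len(payload) - 5:
        problems.append("record length %d != body length %d" % (rec_len, len(payload) - 5))
    hs_type, hs_len = payload[5], int.from_bytes(payload[6:9], "big")
    if hs_type != CLIENT_HELLO:
        problems.append("handshake type 0x%02x is not ClientHello" % hs_type)
    if hs_len != rec_len - 4:
        problems.append("handshake length %d does not fit record length %d" % (hs_len, rec_len))
    body = payload[9:9 + hs_len]
    # ClientHello layout: client_version(2) random(32) session_id<0..32> cipher_suites<2..2^16-2> ...
    if len(body) < 35 or int.from_bytes(body[:2], "big") not in TLS_VERSIONS:
        problems.append("client_version missing or unknown")
        return problems
    sid_len = body[34]
    if sid_len > 32 or 37 + sid_len > len(body):
        problems.append("session_id length %d out of range" % sid_len)
        return problems
    cs_len = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
    if cs_len < 2 or cs_len % 2 or 37 + sid_len + cs_len > len(body):
        problems.append("cipher_suites length %d malformed" % cs_len)
    return problems

def build_client_hello(cipher_suites=b"\x13\x01\x13\x02", session_id=b"") -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello (assumed sample, not captured traffic)."""
    body = (b"\x03\x03" + b"\x11" * 32 + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites + b"\x01\x00" + b"\x00\x00")
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs

# Constructed FakeTLS-style sample: a genuine-looking record header (0x16 0x03 0x01) over opaque data.
FAKE_TLS_SAMPLE = b"\x16\x03\x01\x00\x20" + b"\xa5\x5a\xc3\x3c" * 8
```

Run against the first client-to-server payload of a flow on 443 (or the non-standard TLS ports listed under falsepositives); a non-empty list on a port that should carry TLS is the signal to investigate, not a verdict on its own.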
