SSL/TLS Inspection

Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.

ID: M1020
Version: 1.0
Created: 06 June 2019
Last Modified: 06 June 2019

Techniques Addressed by Mitigation

| Domain | ID | Name | Description |
|---|---|---|---|
| Enterprise | T1172 | Domain Fronting | If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be Domain Fronting. |
| Enterprise | T1032 | Standard Cryptographic Protocol | SSL/TLS inspection can be used to see the contents of encrypted sessions to look for network-based indicators of malware communication protocols. |
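
An added example, not part of the ATT&CK page, of the analysis the Domain Fronting entry describes: once sessions are decrypted, the TLS SNI can be compared with the HTTP Host header, and a mismatch marks a candidate for review. The record keys (`src`, `sni`, `host`) and the allow-list of benign pairs are assumptions about how an inspection proxy exports its logs.

```python
# Added example: flag inspected HTTPS sessions whose TLS SNI and HTTP Host differ.
# The record layout (keys "src", "sni", "host") is an assumed proxy-log export format.

def normalize_host(value):
    """Lower-case a hostname, drop any :port and trailing dot; None if empty."""
    if not value:
        return None
    host = value.strip().lower()
    if host.startswith("["):              # IPv6 literal such as [2001:db8::1]:443
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:            # name:port or IPv4:port
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".") or None


def find_fronting_candidates(sessions, allowed_pairs=frozenset()):
    """Return (src, sni, host) for sessions where SNI and Host disagree.

    allowed_pairs holds (sni, host) combinations known to be benign, for example
    a CDN hostname that legitimately serves a site under another name.
    Sessions without SNI or without a Host header are skipped, since there is
    nothing to compare.
    """
    findings = []
    for s in sessions:
        sni = normalize_host(s.get("sni"))
        host = normalize_host(s.get("host"))
        if sni is None or host is None:
            continue
        if sni != host and (sni, host) not in allowed_pairs:
            findings.append((s.get("src"), sni, host))
    return findings


# Constructed sample records (not real traffic).
SAMPLE_SESSIONS = [
    {"src": "10.0.0.5", "sni": "www.example.com", "host": "www.example.com"},
    {"src": "10.0.0.5", "sni": "WWW.Example.com.", "host": "www.example.com:443"},
    {"src": "10.0.0.9", "sni": "cdn.example.net", "host": "hidden.example.org"},
    {"src": "10.0.0.7", "sni": "static.example.net", "host": "shop.example.com"},
    {"src": "10.0.0.8", "sni": None, "host": "192.0.2.10"},
]
KNOWN_BENIGN = frozenset({("static.example.net", "shop.example.com")})

if __name__ == "__main__":
    for src, sni, host in find_fronting_candidates(SAMPLE_SESSIONS, KNOWN_BENIGN):
        print(f"{src}: SNI={sni} Host={host}")
```

A mismatch is only a lead: shared hosting and CDNs produce benign differences, which is what the allow-list is for.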