MITRE ATT&CK® Tool

S0175: meek

meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.

Domain: Enterprise | ID: S0175 | Type: Tool | Object version: 1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

meek is an open-source Tor plugin that can tunnel Tor traffic through HTTPS. Its practical significance is that encrypted web traffic may be used to hide command-and-control paths, especially when paired with domain fronting. For leaders, the issue is not the tool alone, but whether the organization can distinguish normal HTTPS use from traffic patterns that intentionally obscure the true destination.

Executive priority

Prioritize this as a visibility and control-validation issue for internet egress, SOC monitoring, and incident response readiness across Linux, Windows, and macOS environments. Because ATT&CK links meek to Domain Fronting and notes use by APT29, security leaders should ask whether proxy, TLS, DNS, and web gateway evidence is retained well enough to investigate suspicious HTTPS tunneling without assuming all encrypted traffic is benign.

Technical view

ATT&CK provides no dedicated detection guidance for meek, so defenders should validate coverage around the related technique T1090.004 Domain Fronting. SOC and detection teams should confirm they can inspect or correlate HTTPS metadata such as SNI, HTTP Host where available, destination domains, CDN/service usage, DNS lookups, proxy logs, process-to-network activity, and unusual Tor-related or tunneling behavior on Linux, Windows, and macOS endpoints. IR teams should be prepared to pivot from suspicious encrypted egress to host process context and user/device ownership.

Likely telemetry

  • Web proxy and secure web gateway logs
  • DNS query and resolver logs
  • TLS metadata including SNI where collected
  • HTTP Host header visibility where available through approved inspection points
  • Firewall and network egress logs

Detection direction

  • Validate detections and hunts for Domain Fronting indicators, especially mismatches or unusual relationships between TLS SNI, HTTP Host, DNS resolution, and observed destination infrastructure where telemetry permits.
  • Tune carefully for legitimate CDN and cloud service traffic to reduce false positives; domain-fronting-style signals can overlap with normal enterprise web usage depending on architecture.
  • Correlate network indicators with endpoint process context rather than relying only on destination reputation, since HTTPS tunneling may obscure intended destinations.
  • Review whether encrypted traffic inspection, proxy logging, or metadata collection is absent for key user, server, and cloud egress paths; those gaps are likely to determine investigative success.
  • Use the APT29 relationship as threat-intelligence context for prioritization, not as proof of activity in the local environment.
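As an added illustration of the first three bullets (not part of the ATT&CK object or the Glexia analysis), the script below runs the SNI/Host mismatch check over constructed proxy log records, tunes out a known-legitimate CDN pattern via an allowlist, and records flows with no HTTP-layer visibility as a gap rather than an alert. The log format, field names and allowlist entries are assumptions for the example.

```python
"""Added example: SNI / HTTP Host mismatch triage over proxy logs (domain-fronting hunt)."""
import json
from dataclasses import dataclass

# Constructed sample proxy log (one JSON record per line). Not real traffic; names use
# .test and documentation IP ranges. "host": null means no HTTP-layer visibility.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","src":"10.1.2.3","dst":"203.0.113.10","sni":"www.cdn-front.test","host":"www.cdn-front.test","proc":"browser"}
{"ts":"2024-05-01T10:00:05Z","src":"10.1.2.3","dst":"203.0.113.10","sni":"www.cdn-front.test","host":"relay.hidden-dest.test","proc":"unknown-bin"}
{"ts":"2024-05-01T10:00:09Z","src":"10.1.2.7","dst":"203.0.113.22","sni":"assets.vendor.test","host":"static.vendor.test","proc":"mailclient"}
{"ts":"2024-05-01T10:00:12Z","src":"10.1.2.9","dst":"198.51.100.5","sni":"mail.corp.test","host":null,"proc":"mailclient"}
"""

# Tuning knob (assumption): registrable-domain pairs where SNI and Host are known to
# diverge for legitimate reasons in this environment (shared CDN or vendor infrastructure).
ALLOWED_PAIRS = {("vendor.test", "vendor.test")}

@dataclass
class Finding:
    ts: str
    src: str
    proc: str
    sni: str
    host: str   # empty string when the proxy recorded no Host header
    kind: str   # "sni_host_mismatch" or "no_host_visibility"

def registrable(name: str) -> str:
    """Crude eTLD+1 (last two labels). Fine for the sample; real use needs a public-suffix list."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per flow that needs analyst attention, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        sni, host = rec.get("sni"), rec.get("host")
        if not sni or not host:
            # The fronting hypothesis cannot be tested here: record the visibility gap.
            findings.append(Finding(rec["ts"], rec["src"], rec["proc"], sni or "", host or "", "no_host_visibility"))
            continue
        if sni.lower() == host.lower():
            continue  # consistent SNI and Host: the normal case
        if (registrable(sni), registrable(host)) in ALLOWED_PAIRS:
            continue  # tuned-out legitimate CDN/service pattern
        findings.append(Finding(rec["ts"], rec["src"], rec["proc"], sni, host, "sni_host_mismatch"))
    return findings
```

Each mismatch finding carries the process name so the SOC can pivot to endpoint context, as the third bullet recommends.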

Mitigation priorities

  • Establish clear egress control and logging requirements for endpoints and servers on Linux, Windows, and macOS.
  • Ensure proxy, DNS, firewall, and endpoint telemetry retention is sufficient for incident response involving suspicious HTTPS tunnels.
  • Review policies for Tor-related tools and unauthorized tunneling software, then align monitoring and acceptable-use enforcement accordingly.
  • Where business-appropriate, restrict direct outbound internet access and require managed egress paths that preserve investigation evidence.
  • Test incident response playbooks for encrypted command-and-control or proxy abuse scenarios using defensive validation, not assumptions of tool-specific detection.

Analyst notes and limits

The supplied ATT&CK object identifies meek as an open-source Tor plugin for tunneling Tor traffic through HTTPS, links it to Domain Fronting, and includes a relationship showing APT29 uses the tool. The strongest defensive value is therefore in validating HTTPS egress visibility, domain-fronting detection logic, and endpoint-to-network correlation rather than treating the software name as the only detection target.

MITRE provides no official detection text, tactics are not specified on the tool object, and the object has limited descriptive detail. Any assessment of exposure, active use, or detection coverage requires local telemetry, asset context, proxy/TLS visibility, and incident evidence.

Official MITRE ATT&CK definition

meek

meek is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Rows: 1

Domain      ID         Name             Relationship / procedure
Enterprise  T1090.004  Domain Fronting  Sub-technique

meek uses Domain Fronting to disguise the destination of network traffic as another server that is hosted in the same Content Delivery Network (CDN) as the intended destination.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0016: APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 81079f374ec66593...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  81079f374ec6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack S0175 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.