T1090 Proxy Mappings

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.

Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-3 Access Enforcement Protects T1090 Proxy
AC-4 Information Flow Enforcement Protects T1090 Proxy
CA-7 Continuous Monitoring Protects T1090 Proxy
CM-2 Baseline Configuration Protects T1090 Proxy
CM-6 Configuration Settings Protects T1090 Proxy
CM-7 Least Functionality Protects T1090 Proxy
SC-7 Boundary Protection Protects T1090 Proxy
SC-8 Transmission Confidentiality and Integrity Protects T1090 Proxy
SI-10 Information Input Validation Protects T1090 Proxy
SI-15 Information Output Filtering Protects T1090 Proxy
SI-3 Malicious Code Protection Protects T1090 Proxy
SI-4 System Monitoring Protects T1090 Proxy
action.hacking.variety.Evade Defenses Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. related-to T1090 Proxy
action.hacking.vector.Other network service Network service that is not remote access or a web application. related-to T1090 Proxy
action.malware.variety.Backdoor or C2 Malware creates a remote control capability, but it's unclear if it's a backdoor for hacking or C2 for malware. Parent of 'C2' and 'Backdoor'. related-to T1090 Proxy
action.malware.variety.C2 Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. related-to T1090 Proxy

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1090.002 External Proxy 10
T1090.003 Multi-hop Proxy 10
T1090.004 Domain Fronting 3
T1090.001 Internal Proxy 10