1. Home
  2. ATT&CK Techniques
  3. T1090 Proxy

T1090 Proxy Mappings

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.

Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.

View in MITRE ATT&CK®

Known Exploited Vulnerabilities Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability primary_impact T1090 Proxy
Comments
CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
References
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-062a
CVE-2019-3396 Atlassian Confluence Server and Data Center Server-Side Template Injection Vulnerability primary_impact T1090 Proxy
Comments
CVE-2019-3396 is a critical server-side template injection vulnerability in Atlassian Confluence Server and Data Center that could lead to remote code execution.
References
  1. https://cloud.google.com/blog/topics/threat-intelligence/game-over-detecting-and-stopping-an-apt41-operation/
  2. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a
CVE-2021-22986 F5 BIG-IP and BIG-IQ Centralized Management iControl REST Remote Code Execution Vulnerability primary_impact T1090 Proxy
Comments
The iControl REST interface has an unauthenticated remote command execution vulnerability. This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services.
References
  1. https://github.com/Al1ex/CVE-2021-22986
  2. https://www.jpcert.or.jp/english/at/2021/at210014.html
  3. https://my.f5.com/manage/s/article/K03009991

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1090.001 Internal Proxy 1