Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DE.AE-02.01 | Event analysis and detection | Mitigates | T1090 | Proxy |
Comments
This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts.
References
|
| DE.CM-01.03 | Unauthorized network connections and data transfers | Mitigates | T1090 | Proxy |
Comments
This diagnostic statement provides protection from Proxy by using tools to detect and block the use of unauthorized devices and connections to prevent abuse by adversaries.
References
|
| DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1090 | Proxy |
Comments
This diagnostic statement protects adversaries from redirecting network traffic between systems by infiltrating connection proxies. Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists.
References
|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1090 | Proxy |
Comments
This diagnostic statement describes how the organization establishes and manages baseline measures of network activity. Supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these type of network-based techniques.
References
|
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1090 | Proxy |
Comments
This diagnostic statement protects against Proxy through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation.
References
|
| PR.PS-01.08 | End-user device protection | Mitigates | T1090 | Proxy |
Comments
This diagnostic statement protects against Proxy through the use of limiting access to resources to only authorized devices, management of personal computing devices, network intrusion prevention, and the use of antimalware.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1090 | Proxy | |
| CM-06 | Configuration Settings | mitigates | T1090 | Proxy | |
| SC-08 | Transmission Confidentiality and Integrity | mitigates | T1090 | Proxy | |
| SI-10 | Information Input Validation | mitigates | T1090 | Proxy | |
| SI-15 | Information Output Filtering | mitigates | T1090 | Proxy | |
| SI-03 | Malicious Code Protection | mitigates | T1090 | Proxy | |
| CM-02 | Baseline Configuration | mitigates | T1090 | Proxy | |
| CM-07 | Least Functionality | mitigates | T1090 | Proxy | |
| SI-04 | System Monitoring | mitigates | T1090 | Proxy | |
| AC-03 | Access Enforcement | mitigates | T1090 | Proxy | |
| AC-04 | Information Flow Enforcement | mitigates | T1090 | Proxy | |
| SC-07 | Boundary Protection | mitigates | T1090 | Proxy |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1090 | Proxy | |
| action.hacking.vector.Other network service | Network service that is not remote access or a web application. | related-to | T1090 | Proxy | |
| action.malware.variety.C2 | Malware creates Command and Control capability for malware. Child of 'Backdoor or C2'. | related-to | T1090 | Proxy |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_dns | Alerts for DNS | technique_scores | T1090 | Proxy |
Comments
Can detect DNS activity to anonymity networks e.g. TOR. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
|
| azure_network_security_groups | Azure Network Security Groups | technique_scores | T1090 | Proxy |
Comments
This control can restrict ports and inter-system / inter-enclave connections as described by the Proxy related sub-techniques although it doesn't provide protection for domain-fronting. It furthermore provides partial protection of this technique's procedure examples resulting in an overall Partial score.
References
|
| azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1090 | Proxy |
Comments
This control can detect anomalous traffic between systems and external networks.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_armor | Cloud Armor | technique_scores | T1090 | Proxy |
Comments
Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of Cloud Armor network allow and block lists. However this can be circumvented by other techniques.
References
|
| cloud_ngfw | Cloud Next-Generation Firewall (NGFW)_ | technique_scores | T1090 | Proxy |
Comments
Cloud NGFW can allow or deny traffic based on the traffic's protocol, destination ports, sources, and destinations. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only supports a subset of the sub-techniques (2 of 4) and because it only blocks known bad IP addresses and domains and does not protect against unknown ones.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1090 | Proxy |
Comments
The following GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure.
UnauthorizedAccess:EC2/TorClient UnauthorizedAccess:EC2/TorRelay
Due to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.
References
|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1090 | Proxy |
Comments
VPC security groups and network access control lists (NACLs) can restrict ports and inter-system / inter-enclave connections as described by the Proxy related sub-techniques although it doesn't provide protection for domain-fronting. It furthermore provides partial protection of this technique's procedure examples resulting in an overall Partial score.
References
|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1090 | Proxy |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only supports a subset of the sub-techniques, and because it only blocks known bad IP addresses and domains and does not protect against unknown ones.
References
|
| aws_web_application_firewall | AWS Web Application Firewall | technique_scores | T1090 | Proxy |
Comments
The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic.
AWSManagedRulesAnonymousIpList
This is given a score of Partial because it provides protections for only a subset of the sub-techniques, and is based only on known IP addresses. Furthermore, it blocks the malicious content in near real-time.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1090.002 | External Proxy | 19 |
| T1090.003 | Multi-hop Proxy | 18 |
| T1090.004 | Domain Fronting | 1 |
| T1090.001 | Internal Proxy | 15 |