T1090.001 Internal Proxy

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.

By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.
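The description above amounts to a traffic shape that flow telemetry can expose: a host that accepts connections from several internal peers (fan-in) and also originates connections to an external address (fan-out) is behaving like a relay. The following is an added example of that heuristic, not code from the original page or from any MITRE, CRI, NIST or cloud-provider control. The flow records are constructed to resemble VPC/VNet flow-log rows; the peer threshold, the RFC 1918 internal ranges and the allowlist of known servers are assumptions.

```python
"""Fan-in / fan-out heuristic for spotting an internal C2 proxy in flow records.

Added example; it is not part of the original page or of any MITRE, CRI, NIST
or cloud-provider control. The flow records below are constructed to look
loosely like VPC/VNet flow-log rows (src, dst, dst port, bytes). The
thresholds and the allowlist of known servers are assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# RFC 1918 ranges stand in for "inside the compromised environment".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    """True when the address is in one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int


# Constructed sample. 10.0.1.50 is a workstation that four peers reach on 445
# and 8080 and that itself talks to one external host on 443: the proxy
# pattern. 10.0.2.5 is a file server (fan-in, no external egress) and
# 10.0.0.2 is a DNS forwarder (fan-in plus external egress, legitimately).
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.1.50", 445, 4096),
    Flow("10.0.1.11", "10.0.1.50", 445, 2048),
    Flow("10.0.1.12", "10.0.1.50", 8080, 1024),
    Flow("10.0.1.13", "10.0.1.50", 8080, 1536),
    Flow("10.0.1.50", "203.0.113.9", 443, 65536),
    Flow("10.0.1.10", "10.0.2.5", 445, 8192),
    Flow("10.0.1.11", "10.0.2.5", 445, 8192),
    Flow("10.0.1.12", "10.0.2.5", 445, 8192),
    Flow("10.0.1.10", "10.0.0.2", 53, 128),
    Flow("10.0.1.11", "10.0.0.2", 53, 128),
    Flow("10.0.1.12", "10.0.0.2", 53, 128),
    Flow("10.0.0.2", "198.51.100.53", 53, 256),
    Flow("10.0.1.11", "198.51.100.7", 443, 3000),
]


def find_proxy_candidates(flows, min_internal_peers=3, known_servers=frozenset()):
    """Return {host: {"internal_peers": [...], "external_dsts": [...]}} for hosts
    that accept connections from at least min_internal_peers distinct internal
    sources and also originate connections to at least one external address.
    """
    inbound_peers = defaultdict(set)      # dst -> internal sources
    outbound_external = defaultdict(set)  # src -> external destinations
    for f in flows:
        src_in, dst_in = is_internal(f.src), is_internal(f.dst)
        if src_in and dst_in:
            inbound_peers[f.dst].add(f.src)
        elif src_in and not dst_in:
            outbound_external[f.src].add(f.dst)

    findings = {}
    for host, peers in inbound_peers.items():
        if host in known_servers:
            continue  # sanctioned fan-in hosts: DNS forwarders, web proxies, etc.
        if len(peers) >= min_internal_peers and outbound_external.get(host):
            findings[host] = {
                "internal_peers": sorted(peers),
                "external_dsts": sorted(outbound_external[host]),
            }
    return findings


if __name__ == "__main__":
    hits = find_proxy_candidates(SAMPLE_FLOWS, known_servers={"10.0.0.2"})
    for host, info in hits.items():
        print(f"{host}: {len(info['internal_peers'])} internal peers -> {info['external_dsts']}")
```

Run without the allowlist and the DNS forwarder 10.0.0.2 is flagged as well: the heuristic cannot tell a sanctioned relay from an adversary one, so an inventory of hosts that are supposed to fan in and egress (DNS, web proxies, update servers) is part of the detection, not an afterthought. The file server 10.0.2.5 is not flagged because it never originates external connections.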


CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
DE.AE-02.01 Event analysis and detection Mitigates T1090.001 Internal Proxy
Comments
This diagnostic statement provides for the implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS, providing protection against threats and exploitation attempts.
DE.CM-01.01 Intrusion detection and prevention Mitigates T1090.001 Internal Proxy
Comments
This diagnostic statement protects against adversaries that stand up internal proxies and take control of traffic between systems. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate the activity at the network level.
PR.IR-01.03 Network communications integrity and availability Mitigates T1090.001 Internal Proxy
Comments
This diagnostic statement protects against Internal Proxy through secure network configurations and architecture, implementation of zero trust architecture, and segmentation.

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CA-07 Continuous Monitoring mitigates T1090.001 Internal Proxy
CM-06 Configuration Settings mitigates T1090.001 Internal Proxy
SI-03 Malicious Code Protection mitigates T1090.001 Internal Proxy
CM-02 Baseline Configuration mitigates T1090.001 Internal Proxy
CM-07 Least Functionality mitigates T1090.001 Internal Proxy
SI-04 System Monitoring mitigates T1090.001 Internal Proxy
AC-04 Information Flow Enforcement mitigates T1090.001 Internal Proxy
SC-07 Boundary Protection mitigates T1090.001 Internal Proxy

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
azure_network_security_groups Azure Network Security Groups technique_scores T1090.001 Internal Proxy
Comments
This control can restrict access between systems, enclaves, and workloads, thereby mitigating these proxy-related sub-techniques.
azure_network_watcher_traffic_analytics Azure Network Watcher: Traffic Analytics technique_scores T1090.001 Internal Proxy
Comments
This control can detect abuse of internal proxies.

AWS Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
amazon_guardduty Amazon GuardDuty technique_scores T1090.001 Internal Proxy
Comments
The UnauthorizedAccess:EC2/TorClient finding type flags an EC2 instance that is making connections to the Tor network, which adversaries may use as a connection proxy to direct network traffic between systems or to reach a command-and-control server without connecting directly to their own infrastructure. Because the detection is limited to one specific kind of proxy (Tor), its coverage is Minimal, resulting in a Minimal score.
amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1090.001 Internal Proxy
Comments
VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads, thereby mitigating these proxy-related sub-techniques.
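Both the Azure NSG and the VPC security group / NACL rows above make the same point: the proxy only works if the relay host is reachable from the hosts it relays for, so a segmentation rule set that denies workload-to-workload traffic except for named services removes the path. The block below is an added example that models that with a first-match rule evaluator; it is not Azure's or AWS's rule engine. It assumes Azure-style semantics (rules evaluated from the lowest priority number upward, first match wins, unmatched traffic denied), approximates the VirtualNetwork service tag with a 10.0.0.0/8 CIDR, and uses invented address ranges and rule names.

```python
"""First-match rule evaluation over a simplified NSG / security-group model,
showing a weak ruleset beside a hardened one.

Added example; this is not Azure's or AWS's rule engine. Assumptions: rules
are evaluated from the lowest priority number upward, the first match wins,
and unmatched traffic is denied; the Azure "VirtualNetwork" service tag is
approximated by the 10.0.0.0/8 CIDR, and the address ranges are invented.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int          # lower number = evaluated first
    action: str            # "Allow" or "Deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None = any destination port


def _in(cidr: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def evaluate(rules, src, dst, dport):
    """Return (allowed, matching_rule_name) for one inbound flow."""
    for r in sorted(rules, key=lambda r: r.priority):
        if _in(r.src, src) and _in(r.dst, dst) and (r.dport is None or r.dport == dport):
            return r.action == "Allow", r.name
    return False, "ImplicitDeny"


VNET = "10.0.0.0/8"
WORKSTATIONS = "10.0.1.0/24"
FILE_SERVER = "10.0.2.5/32"

# Weak posture: only the platform default, which allows any VNet-to-VNet
# traffic. A compromised workstation can accept SMB or HTTP from its peers
# and forward it out, i.e. act as an internal proxy.
DEFAULT_RULES = [Rule("AllowVnetInBound", 65000, "Allow", VNET, VNET, None)]

# Hardened posture: workstations may reach the file server on 445 and nothing
# else inside the virtual network; the explicit denies outrank the default.
HARDENED_RULES = DEFAULT_RULES + [
    Rule("AllowSmbToFileServer", 100, "Allow", WORKSTATIONS, FILE_SERVER, 445),
    Rule("DenyWorkstationToWorkstation", 200, "Deny", WORKSTATIONS, WORKSTATIONS, None),
    Rule("DenyAllVnetInBound", 4000, "Deny", VNET, VNET, None),
]


def proxy_path_open(rules, victim, proxy_host, proxy_port):
    """Can `victim` hand traffic to an internal proxy on proxy_host:proxy_port?"""
    return evaluate(rules, victim, proxy_host, proxy_port)[0]


if __name__ == "__main__":
    for label, rules in (("default", DEFAULT_RULES), ("hardened", HARDENED_RULES)):
        ok, rule = evaluate(rules, "10.0.1.10", "10.0.1.50", 445)
        print(f"{label}: workstation -> workstation:445 allowed={ok} via {rule}")
```

The point to check in a real rule set is the same one the evaluator makes explicit: a permissive default at a high priority number is still a match once nothing earlier denies the flow, so the deny between workload segments has to sit at a lower number than the default and be broad enough to cover ports the proxy might listen on, not just 445.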