Home
ATT&CK Techniques
T1090.002 External Proxy

T1090.002 External Proxy

Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.

External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
DE.AE-02.01	Event analysis and detection	Mitigates	T1090.002	External Proxy	Comments This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts. References
DE.CM-01.01	Intrusion detection and prevention	Mitigates	T1090.002	External Proxy	Comments This diagnostic statement protects adversaries from infiltrating external proxies and taking over control of traffic between systems. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. References
PR.IR-01.03	Network communications integrity and availability	Mitigates	T1090.002	External Proxy	Comments This diagnostic statement protects against External Proxy through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation. References

NIST 800-53 Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name
CA-07	Continuous Monitoring	mitigates	T1090.002	External Proxy
CM-06	Configuration Settings	mitigates	T1090.002	External Proxy
SI-03	Malicious Code Protection	mitigates	T1090.002	External Proxy
CM-02	Baseline Configuration	mitigates	T1090.002	External Proxy
CM-07	Least Functionality	mitigates	T1090.002	External Proxy
SI-04	System Monitoring	mitigates	T1090.002	External Proxy
AC-04	Information Flow Enforcement	mitigates	T1090.002	External Proxy
SC-07	Boundary Protection	mitigates	T1090.002	External Proxy

VERIS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
action.hacking.vector.Web application	Web application	related-to	T1090.002	External Proxy
action.malware.variety.Capture app data	Capture data from application or system process	related-to	T1090.002	External Proxy

Azure Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
azure_network_security_groups	Azure Network Security Groups	technique_scores	T1090.002	External Proxy	Comments This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques. References https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview
azure_network_watcher_traffic_analytics	Azure Network Watcher: Traffic Analytics	technique_scores	T1090.002	External Proxy	Comments This control can detect abuse of external proxies. References https://learn.microsoft.com/en-us/azure/network-watcher/traffic-analytics?tabs=Americas

AWS Mappings

Capability ID	Capability Description	Mapping Type	ATT&CK ID	ATT&CK Name	Notes
amazon_guardduty	Amazon GuardDuty	technique_scores	T1090.002	External Proxy	Comments The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure. Due to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score. References
amazon_virtual_private_cloud	Amazon Virtual Private Cloud	technique_scores	T1090.002	External Proxy	Comments VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques. References
aws_network_firewall	AWS Network Firewall	technique_scores	T1090.002	External Proxy	Comments AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones. References
aws_web_application_firewall	AWS Web Application Firewall	technique_scores	T1090.002	External Proxy	Comments The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic. AWSManagedRulesAnonymousIpList This is given a score of Partial because it provide protections based only on known IP addresses. Furthermore, it blocks the malicious content in near real-time. References