T1090.003 Multi-hop Proxy

Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.

For example, adversaries may construct or use onion routing networks – such as the publicly available Tor network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing) Adversaries may also use operational relay box (ORB) networks composed of virtual private servers (VPS), Internet of Things (IoT) devices, smart devices, and end-of-life routers to obfuscate their operations.(Citation: ORB Mandiant)

In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., Network Devices). By leveraging Patch System Image on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the Network Boundary Bridging method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.

Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)


CRI Profile Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-04.01 | Utilization monitoring | Mitigates | T1090.003 | Multi-hop Proxy | This diagnostic statement describes how the organization establishes and manages baseline measures of network activity, supported by network monitoring tools and other controls to detect events and identify incidents. Mitigating mechanisms may include: Data Loss Prevention (DLP); Filtering Network Traffic; Limit Network Traffic; Network Intrusion Prevention Systems (NIPS); and Network Segmentation for these types of network-based techniques. |
| PR.IR-01.03 | Network communications integrity and availability | Mitigates | T1090.003 | Multi-hop Proxy | This diagnostic statement protects against Multi-hop Proxy through the use of secure network configurations, architecture, implementations of zero trust architecture, and segmentation. |
| PR.PS-01.08 | End-user device protection | Mitigates | T1090.003 | Multi-hop Proxy | This diagnostic statement protects against Multi-hop Proxy by limiting access to resources to only authorized devices, managing personal computing devices, and using network intrusion prevention and antimalware. |

NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1090.003 | Multi-hop Proxy | |
| CM-06 | Configuration Settings | mitigates | T1090.003 | Multi-hop Proxy | |
| SI-10 | Information Input Validation | mitigates | T1090.003 | Multi-hop Proxy | |
| SI-15 | Information Output Filtering | mitigates | T1090.003 | Multi-hop Proxy | |
| CM-07 | Least Functionality | mitigates | T1090.003 | Multi-hop Proxy | |
| AC-03 | Access Enforcement | mitigates | T1090.003 | Multi-hop Proxy | |
| AC-04 | Information Flow Enforcement | mitigates | T1090.003 | Multi-hop Proxy | |
| SC-07 | Boundary Protection | mitigates | T1090.003 | Multi-hop Proxy | |

Azure Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| ai_threat_protection | Microsoft Defender for Cloud: AI Threat Protection | technique_scores | T1090.003 | Multi-hop Proxy | This capability can detect (alert: AI.Azure_AccessFromAnonymizedIP) when an AI is accessed from a Tor network IP. |
| azure_network_security_groups | Azure Network Security Groups | technique_scores | T1090.003 | Multi-hop Proxy | This control can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques. |
| azure_network_watcher_traffic_analytics | Azure Network Watcher: Traffic Analytics | technique_scores | T1090.003 | Multi-hop Proxy | This control can detect abuse of multi-hop proxies. |

AWS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1090.003 | Multi-hop Proxy | The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure. Due to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal, resulting in a Minimal score. |
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1090.003 | Multi-hop Proxy | VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques. |
| aws_network_firewall | AWS Network Firewall | technique_scores | T1090.003 | Multi-hop Proxy | AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones. |
| aws_web_application_firewall | AWS Web Application Firewall | technique_scores | T1090.003 | Multi-hop Proxy | The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set, which blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic: AWSManagedRulesAnonymousIpList. This is given a score of Partial because it provides protection based only on known IP addresses. Furthermore, it blocks the malicious content in near real-time. |
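
The list-based detection that the AWS notes above describe, as an added example (not code from this page, MITRE, or AWS): it parses VPC Flow Logs records and reports internal hosts with accepted traffic to or from a listed anonymizer address. Assumptions: flow logs in the default version 2 field order are the data source, and the log lines, address list and internal range are constructed samples; the unlisted peer 192.0.2.80 goes unreported, which is the known-addresses-only gap behind the Partial scores.

```python
import ipaddress
from collections import defaultdict

# Default (version 2) VPC Flow Logs field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample data: documentation-range addresses, not real relays.
ANONYMIZER_IPS = {"198.51.100.7", "203.0.113.44"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/16")
SAMPLE_LOG = """\
2 123456789012 eni-0a1 10.0.1.15 198.51.100.7 49152 9001 6 12 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.15 192.0.2.80 49153 443 6 8 3100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b2 203.0.113.44 10.0.2.9 51000 443 6 5 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b2 10.0.2.9 198.51.100.7 49200 9001 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0c3 - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_flow(line):
    """Return one record as a dict, or None for malformed or no-data lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA / SKIPDATA records carry "-" in the address fields; skip them.
    if rec["log_status"] != "OK":
        return None
    return rec

def flag_anonymizer_flows(log_text, listed=ANONYMIZER_IPS, internal=INTERNAL_NET):
    """Map each internal host to the listed peers it exchanged accepted traffic with."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue  # rejected flows never reached the peer
        src, dst = rec["srcaddr"], rec["dstaddr"]
        # Check both directions: egress to a listed peer and ingress from one.
        for local, peer in ((src, dst), (dst, src)):
            if peer in listed and ipaddress.ip_address(local) in internal:
                hits[local].add(peer)
    return {host: sorted(peers) for host, peers in hits.items()}

if __name__ == "__main__":
    for host, peers in flag_anonymizer_flows(SAMPLE_LOG).items():
        print(host, "->", ", ".join(peers))
```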