Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.
By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| I&S-03 | Network Security | mitigates | T1090.001 | Internal Proxy |
Comments
This control provides for monitoring, encrypting, and restricting communications between environments. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications.
References
|
| I&S-06 | Segmentation and Segregation | mitigates | T1090.001 | Internal Proxy |
Comments
This control provides for appropriately segmented and segregated cloud environments. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications.
References
|
| I&S-09 | Network Defense | mitigates | T1090.001 | Internal Proxy |
Comments
This control provides for the implementation of defense-in-depth network security controls for securing the cloud environment. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific malware or unexpected protocol standards and traffic flows can be used to mitigate activity at the network level. Virtual private cloud (VPC) security groups and network access control lists (NACLs) can be used to limit traffic between systems and mitigate use of a connection proxy for communications.
References
|