Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1090 | Proxy | |
| AC-4 | Information Flow Enforcement | Protects | T1090 | Proxy | |
| CA-7 | Continuous Monitoring | Protects | T1090 | Proxy | |
| CM-2 | Baseline Configuration | Protects | T1090 | Proxy | |
| CM-6 | Configuration Settings | Protects | T1090 | Proxy | |
| CM-7 | Least Functionality | Protects | T1090 | Proxy | |
| SC-7 | Boundary Protection | Protects | T1090 | Proxy | |
| SC-8 | Transmission Confidentiality and Integrity | Protects | T1090 | Proxy | |
| SI-10 | Information Input Validation | Protects | T1090 | Proxy | |
| SI-15 | Information Output Filtering | Protects | T1090 | Proxy | |
| SI-3 | Malicious Code Protection | Protects | T1090 | Proxy | |
| SI-4 | System Monitoring | Protects | T1090 | Proxy | |
| network_security_groups | Network Security Groups | technique_scores | T1090 | Proxy |
Comments
This control can restrict ports and inter-system / inter-enclave connections as described by the Proxy related sub-techniques although it doesn't provide protection for domain-fronting. It furthermore provides partial protection of this technique's procedure examples resulting in an overall Partial score.
References
|
| azure_sentinel | Azure Sentinel | technique_scores | T1090 | Proxy |
Comments
This control provides minimal coverage for one sub-technique of this technique, resulting in an overall coverage score of Minimal.
References
|
| alerts_for_dns | Alerts for DNS | technique_scores | T1090 | Proxy |
Comments
Can detect DNS activity to anonymity networks e.g. TOR. Because this detection is specific to DNS, its coverage score is Minimal resulting in an overall Minimal score.
References
|
| azure_network_traffic_analytics | Azure Network Traffic Analytics | technique_scores | T1090 | Proxy |
Comments
This control can detect anomalous traffic between systems and external networks.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1090.004 | Domain Fronting | 1 |
| T1090.002 | External Proxy | 10 |
| T1090.001 | Internal Proxy | 10 |
| T1090.003 | Multi-hop Proxy | 11 |