Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1090 | Proxy | |
| AC-4 | Information Flow Enforcement | Protects | T1090 | Proxy | |
| CA-7 | Continuous Monitoring | Protects | T1090 | Proxy | |
| CM-2 | Baseline Configuration | Protects | T1090 | Proxy | |
| CM-6 | Configuration Settings | Protects | T1090 | Proxy | |
| CM-7 | Least Functionality | Protects | T1090 | Proxy | |
| SC-7 | Boundary Protection | Protects | T1090 | Proxy | |
| SC-8 | Transmission Confidentiality and Integrity | Protects | T1090 | Proxy | |
| SI-10 | Information Input Validation | Protects | T1090 | Proxy | |
| SI-15 | Information Output Filtering | Protects | T1090 | Proxy | |
| SI-3 | Malicious Code Protection | Protects | T1090 | Proxy | |
| SI-4 | System Monitoring | Protects | T1090 | Proxy | |
| action.hacking.variety.Use of backdoor or C2 | Use of Backdoor or C2 channel | related-to | T1090 | Proxy | |
| action.hacking.vector.Backdoor or C2 | Backdoor or command and control channel | related-to | T1090 | Proxy | |
| action.malware.variety.C2 | Command and control (C2) | related-to | T1090 | Proxy | |
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1090 | Proxy |
Comments
The following GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure.
UnauthorizedAccess:EC2/TorClient UnauthorizedAccess:EC2/TorRelay
Due to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.
References
|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1090 | Proxy |
Comments
VPC security groups and network access control lists (NACLs) can restrict ports and inter-system / inter-enclave connections as described by the Proxy related sub-techniques although it doesn't provide protection for domain-fronting. It furthermore provides partial protection of this technique's procedure examples resulting in an overall Partial score.
References
|
| aws_web_application_firewall | AWS Web Application Firewall | technique_scores | T1090 | Proxy |
Comments
The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic.
AWSManagedRulesAnonymousIpList
This is given a score of Partial because it provides protections for only a subset of the sub-techniques (2 out of 4) and is based only on known IP addresses. Furthermore, it blocks the malicious content in near real-time.
References
|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1090 | Proxy |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only supports a subset of the sub-techniques (2 of 4) and because it only blocks known bad IP addresses and domains and does not protect against unknown ones.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1090.004 | Domain Fronting | 2 |
| T1090.002 | External Proxy | 13 |
| T1090.001 | Internal Proxy | 11 |
| T1090.003 | Multi-hop Proxy | 13 |