T1090.001 Internal Proxy Mappings

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.

By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-4 Information Flow Enforcement Protects T1090.001 Internal Proxy
CA-7 Continuous Monitoring Protects T1090.001 Internal Proxy
CM-2 Baseline Configuration Protects T1090.001 Internal Proxy
CM-6 Configuration Settings Protects T1090.001 Internal Proxy
CM-7 Least Functionality Protects T1090.001 Internal Proxy
SC-7 Boundary Protection Protects T1090.001 Internal Proxy
SI-3 Malicious Code Protection Protects T1090.001 Internal Proxy
SI-4 System Monitoring Protects T1090.001 Internal Proxy
action.malware.variety.C2 Command and control (C2) related-to T1090.001 Proxy: Internal Proxy
amazon_guardduty Amazon GuardDuty technique_scores T1090.001 Internal Proxy
Comments
The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure. Due to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.
References
    amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1090.001 Internal Proxy
    Comments
    VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.
    References