To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)
In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging Patch System Image, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the Network Boundary Bridging method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| AC-3 | Access Enforcement | Protects | T1090.003 | Multi-hop Proxy | |
| AC-4 | Information Flow Enforcement | Protects | T1090.003 | Multi-hop Proxy | |
| CA-7 | Continuous Monitoring | Protects | T1090.003 | Multi-hop Proxy | |
| CM-6 | Configuration Settings | Protects | T1090.003 | Multi-hop Proxy | |
| CM-7 | Least Functionality | Protects | T1090.003 | Multi-hop Proxy | |
| SC-7 | Boundary Protection | Protects | T1090.003 | Multi-hop Proxy | |
| SI-10 | Information Input Validation | Protects | T1090.003 | Multi-hop Proxy | |
| SI-15 | Information Output Filtering | Protects | T1090.003 | Multi-hop Proxy |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.C2 | Command and control (C2) | related-to | T1090.003 | Proxy: Multi-hop Proxy |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| amazon_guardduty | Amazon GuardDuty | technique_scores | T1090.003 | Multi-hop Proxy |
Comments
The UnauthorizedAccess:EC2/TorClient GuardDuty finding type flags events where adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command-and-control server to avoid direct connections to their infrastructure.
Due to the detection being limited to a specific type of proxy, Tor, its coverage is Minimal resulting in a Minimal score.
References
|
| amazon_virtual_private_cloud | Amazon Virtual Private Cloud | technique_scores | T1090.003 | Multi-hop Proxy |
Comments
VPC security groups and network access control lists (NACLs) can restrict access between systems, enclaves, and workloads thereby mitigating these proxy related sub-techniques.
References
|
| aws_web_application_firewall | AWS Web Application Firewall | technique_scores | T1090.003 | Multi-hop Proxy |
Comments
The AWS WAF protects web applications from access by adversaries that leverage tools that obscure their identity (e.g., VPN, proxies, Tor, hosting providers). AWS WAF provides this protection via the following rule set that blocks incoming traffic from IP addresses known to anonymize connection information or be less likely to source end user traffic.
AWSManagedRulesAnonymousIpList
This is given a score of Partial because it provide protections for only a subset of the sub-techniques (2 out of 4) and is based only on known IP addresses. Furthermore, it blocks the malicious content in near real-time.
References
|
| aws_network_firewall | AWS Network Firewall | technique_scores | T1090.003 | Multi-hop Proxy |
Comments
AWS Network Firewall has the ability to pass, drop, or alert on traffic based on the network protocol as well as perform deep packet inspection on the payload. This functionality can be used to block traffic from known bad IP addresses and to known bad domains that serve as proxies for adversaries. This mapping is given a score of partial because it only blocks known bad IP addresses and domains and does not protect against unknown ones.
References
|