T1090.003 Multi-hop Proxy Mappings

To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)

In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging Patch System Image, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the Network Boundary Bridging method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-3 Access Enforcement Protects T1090.003 Multi-hop Proxy
AC-4 Information Flow Enforcement Protects T1090.003 Multi-hop Proxy
CA-7 Continuous Monitoring Protects T1090.003 Multi-hop Proxy
CM-6 Configuration Settings Protects T1090.003 Multi-hop Proxy
CM-7 Least Functionality Protects T1090.003 Multi-hop Proxy
SC-7 Boundary Protection Protects T1090.003 Multi-hop Proxy
SI-10 Information Input Validation Protects T1090.003 Multi-hop Proxy
SI-15 Information Output Filtering Protects T1090.003 Multi-hop Proxy
action.malware.variety.C2 Command and control (C2) related-to T1090.003 Proxy: Multi-hop Proxy
amazon_guardduty Amazon GuardDuty technique_scores T1090.003 Multi-hop Proxy
amazon_virtual_private_cloud Amazon Virtual Private Cloud technique_scores T1090.003 Multi-hop Proxy
aws_web_application_firewall AWS Web Application Firewall technique_scores T1090.003 Multi-hop Proxy
aws_network_firewall AWS Network Firewall technique_scores T1090.003 Multi-hop Proxy