T1090 - Proxy
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.
Atomic Tests:
Currently, no tests are available for this technique.
Detection
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
Consider monitoring for traffic to known anonymity networks (such as Tor).
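An added example of the detection heuristics above (upload-heavy flows, client-to-client traffic, and protocol/port mismatch) applied to flow records; this is illustrative code, not part of the ATT&CK page or any Atomic Red Team test, and the CSV schema, sample records, subnet and thresholds are constructed assumptions:

```python
import csv
import io
from collections import defaultdict

# Constructed flow records (hypothetical collector schema): src, dst, dst_port,
# app_proto as identified by the collector, bytes_out (client->server) and
# bytes_in (server->client). Addresses are from documentation ranges.
SAMPLE_FLOWS = """\
src,dst,dst_port,app_proto,bytes_out,bytes_in
10.0.1.20,192.0.2.10,443,tls,4120,188000
10.0.1.20,203.0.113.7,443,tls,9800000,61000
10.0.1.20,10.0.1.35,8443,http,45000,120
10.0.1.41,198.51.100.9,80,http,2300,51000
10.0.1.41,198.51.100.9,443,http,70000,1200
"""

# Assumed baselines for the example: expected protocol per well-known port,
# the upload/download ratio treated as abnormal, and the workstation subnet
# whose members should not normally talk to each other directly.
EXPECTED_PROTO = {80: "http", 443: "tls", 22: "ssh"}
UPLOAD_RATIO_THRESHOLD = 20.0
WORKSTATION_PREFIX = "10.0.1."

def triage_flows(csv_text: str) -> dict:
    """Return {src_host: [reason, ...]} for flows matching any heuristic."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst = row["src"], row["dst"]
        port = int(row["dst_port"])
        out_b, in_b = int(row["bytes_out"]), int(row["bytes_in"])
        # Heuristic 1: uncommon data flow, far more data leaving than arriving.
        if in_b == 0 or out_b / in_b >= UPLOAD_RATIO_THRESHOLD:
            findings[src].append(f"upload-heavy flow to {dst}:{port}")
        # Heuristic 2: clients talking to each other inside the workstation subnet.
        if src.startswith(WORKSTATION_PREFIX) and dst.startswith(WORKSTATION_PREFIX):
            findings[src].append(f"peer-to-peer flow to {dst}:{port}")
        # Heuristic 3: observed protocol does not match what the port normally carries.
        expected = EXPECTED_PROTO.get(port)
        if expected and row["app_proto"] != expected:
            findings[src].append(f"{row['app_proto']} on port {port} to {dst}")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in triage_flows(SAMPLE_FLOWS).items():
        print(host, reasons)
```

In the constructed sample, the internal 8443 flow trips two heuristics at once, which is the kind of overlap worth prioritising in triage.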
Shield Active Defense
Network Manipulation
Make changes to network properties and functions to achieve a desired effect.
Network Manipulation allows a defender to throttle network speeds, segment the network, maintain a unique IP addressing scheme, or add a kill switch to cut off network access if needed.
Opportunity
There is an opportunity to block an adversary that is seeking to use a proxied connection.
Use Case
A defender could block traffic to known anonymity networks and C2 infrastructure through the use of network allow and block lists.
Procedures
Add a kill switch to a decoy network that can be used to shut down all network communication if an adversary takes an action that is out of the desired scope. Introduce intermittent network packet loss on a decoy network to interfere with an adversary's activities.