FRP
FRP, which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet. FRP can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.[1][2][3][4]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
FRP has the ability to use HTTP and HTTPS to enable the forwarding of requests for internal services via domain name.[1] |
| Enterprise | T1059 | .007 | Command and Scripting Interpreter: JavaScript | |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
FRP can use STCP (Secret TCP) with a preshared key to encrypt services exposed to public networks.[1] |
| .002 | Encrypted Channel: Asymmetric Cryptography | |||
| Enterprise | T1046 | Network Service Discovery |
As part of load balancing FRP can set |
|
| Enterprise | T1095 | Non-Application Layer Protocol |
FRP can communicate over TCP, TCP stream multiplexing, KERN Communications Protocol (KCP), QUIC, and UDP.[1] |
|
| Enterprise | T1572 | Protocol Tunneling |
FRP can tunnel SSH and Unix Domain Socket communications over TCP between external nodes and exposed resources behind firewalls or NAT.[1] |
|
| Enterprise | T1090 | Proxy |
FRP can proxy communications through a server in public IP space to local servers located behind a NAT or firewall.[1] |
|
| .003 | Multi-hop Proxy |
The FRP client can be configured to connect to the server through a proxy.[1] |
||
| Enterprise | T1049 | System Network Connections Discovery |
FRP can use a dashboard and U/I to display the status of connections from the FRP client and server.[1] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0108 | Blue Mockingbird | |
| G0059 | Magic Hound | |
| G1017 | Volt Typhoon |