ID | Name |
---|---|
T1090.001 | Internal Proxy |
T1090.002 | External Proxy |
T1090.003 | Multi-hop Proxy |
T1090.004 | Domain Fronting |
Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
For example, adversaries may construct or use onion routing networks – such as the publicly available Tor network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.[1]
In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., Network Devices). By leveraging Patch System Image on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the Network Boundary Bridging method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.[2]
ID | Name | Description |
---|---|---|
G0007 | APT28 |
APT28 has routed traffic over Tor and VPN servers to obfuscate their activities.[3] |
G0016 | APT29 |
A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network and has also used TOR.[4][5] |
S0438 | Attor | |
C0004 | CostaRicto |
During CostaRicto, the threat actors used a layer of proxies to manage C2 communications.[7] |
S0687 | Cyclops Blink |
Cyclops Blink has used Tor nodes for C2 traffic.[8] |
S0281 | Dok | |
S0384 | Dridex |
Dridex can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.[10] |
G0085 | FIN4 | |
S0342 | GreyEnergy |
GreyEnergy has used Tor relays for Command and Control servers.[12] |
G0100 | Inception |
Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers.[13] |
S0604 | Industroyer |
Industroyer used Tor nodes for C2.[14] |
S0276 | Keydnap |
Keydnap uses a copy of tor2web proxy for HTTPS communications.[15] |
S0641 | Kobalos |
Kobalos can chain together multiple compromised machines as proxies to reach their final targets.[16][17] |
G0065 | Leviathan |
Leviathan has used multi-hop proxies to disguise the source of their malicious traffic.[18] |
S0282 | MacSpy | |
S1106 | NGLite |
NGLite has abused NKN infrastructure for its C2 communication.[2] |
S1100 | Ninja |
Ninja has the ability to use a proxy chain with up to 255 hops when using TCP.[19] |
S1107 | NKAbuse |
NKAbuse has abused the NKN public blockchain protocol for its C2 communications.[20][21] |
C0014 | Operation Wocao |
During Operation Wocao, threat actors executed commands through the installed web shell via Tor exit nodes.[22] |
S0623 | Siloscape | |
S0491 | StrongPity |
StrongPity can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.[24] |
S0183 | Tor |
Traffic traversing the Tor network will be forwarded to multiple nodes before exiting the Tor network and continuing on to its intended destination.[25] |
S0022 | Uroburos |
Uroburos can use implants on multiple compromised machines to proxy communications through its worldwide P2P network.[26] |
S0386 | Ursnif | |
S0366 | WannaCry |
ID | Mitigation | Description |
---|---|---|
M1037 | Filter Network Traffic |
Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network allow and block lists. It should be noted that this kind of blocking may be circumvented by other techniques like Domain Fronting. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0029 | Network Traffic | Network Connection Creation |
Monitor for newly constructed network connections that are sent or received by untrusted hosts. |
Network Traffic Content |
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
||
Network Traffic Flow |
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |