Technique on mitre.org

T1090.001: Internal Proxy

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.

By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

unix_mitre_attck_command_and_control: PT-CR-2638: Subrule_Unix_Possible_GS_Netcat_Usage: Multiple local network connections to a single port or multiple network connections to a single external IP address on port 443. This may indicate the use of a network traffic proxying utility. unix_mitre_attck_command_and_control: PT-CR-2648: Unix_Possible_GSocket_Usage: Attempt to connect to an external host over port 443 using a Global Socket Toolkit utility (gsocket, blitz, gs-mount, or gs-sftp). This may indicate network reconnaissance, accessing local resources, or lateral movement by an attacker. unix_mitre_attck_command_and_control: PT-CR-2639: Unix_Possible_GS_Netcat_Usage: Attempt to connect to an external host on destination port 443. This may indicate that the gs-netcat utility is being used for network reconnaissance, accessing local resources, or lateral movement. unix_mitre_attck_command_and_control: PT-CR-1700: Unix_Proxy_Forwarding: Possible traffic tunneling from a Unix host to a Windows host hacking_tools: PT-CR-2600: Cobalt_Strike_Browserpivot: Using a Cobalt Strike beacon, the "browserpivot" command that allows turning the Internet Explorer (MS Edge) browser into a proxy was executed on victim's host mitre_attck_command_and_control: PT-CR-2598: Possible_Proxy_Usage: Network traffic proxying. Possible use of such utilities as Shadowsocks, NekoRay, RTUN, and Burp Suite. mitre_attck_command_and_control: PT-CR-610: Proxy_Tools_Usage: A utility is started to proxy traffic mitre_attck_command_and_control: PT-CR-428: Possible_Network_Local_Tunnel: Attempt to connect to a remote host using a tunnel. This may indicate that the tunnel is being used for network reconnaissance, accessing local resources, or lateral movement. mitre_attck_command_and_control: PT-CR-467: Suspicious_Connection: A network request made by executable files is detected mitre_attck_command_and_control: PT-CR-969: Ligolo_Reverse_Tunneling: Creating a reverse tunnel using the Ligolo(-ng) utility mitre_attck_command_and_control: PT-CR-461: Port_Forwarding_Or_Tunneling: A potential attempt to forward a network port is detected it_bastion: PT-CR-2183: SKDPUNT_Connection_In_Session_Open: SKDPU NT detected execution of a command to create a new connection in a session it_bastion: PT-CR-2170: SKDPUNT_Connection_In_Session_Closed: SKDPU NT detected the closing of an additional session in a user session

Detection

ID	DS0029	Data source and component	Network Traffic: Network Traffic Content	Description	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

ID	DS0029	Data source and component	Network Traffic: Network Traffic Flow	Description	Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

ID	DS0029	Data source and component	Network Traffic: Network Connection Creation	Description	Monitor for newly constructed network connections that are sent or received by untrusted hosts.

ID	Data source and component	Description
DS0029	Network Traffic: Network Traffic Content	Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).
DS0029	Network Traffic: Network Traffic Flow	Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
DS0029	Network Traffic: Network Connection Creation	Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Mitigation

ID	M1031	Name	Network Intrusion Prevention	Description	Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.

ID	Name	Description
M1031	Network Intrusion Prevention	Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.