T1090.001: Internal Proxy
Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.
By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
it_bastion: PT-CR-2183: SKDPUNT_Connection_In_Session_Open: SKDPU NT detected execution of a command to create a new connection in a session
mitre_attck_command_and_control: PT-CR-461: Port_Forwarding_or_Tunneling: A potential attempt to forward a network port is detected
mitre_attck_command_and_control: PT-CR-467: Suspicious_Connection: A network request made by executable files is detected
mitre_attck_command_and_control: PT-CR-610: Proxy_Tools_Usage: A utility is started to proxy traffic
mitre_attck_command_and_control: PT-CR-969: Ligolo_Reverse_Tunneling: Creating a reverse tunnel using the Ligolo(-ng) utility
it_bastion: PT-CR-2170: SKDPUNT_Connection_In_Session_Closed: SKDPU NT detected the closing of an additional session in a user session
unix_mitre_attck_command_and_control: PT-CR-1700: Unix_Proxy_Forwarding: Possible traffic tunneling from a Unix host to a Windows host
remote_work: PT-CR-428: Possible_network_connect_through_local_tunnel: Attempts to connect to a remote host through a local tunnel
Detection
ID | Data source and component | Description
---|---|---
DS0029 | Network Traffic: Network Connection Creation | Monitor for newly constructed network connections that are sent or received by untrusted hosts.
DS0029 | Network Traffic: Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command-line arguments associated with traffic patterns (e.g., monitor anomalies in the use of files that do not normally initiate connections for the respective protocol(s)).
DS0029 | Network Traffic: Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
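One way to turn the connection-creation and traffic-flow guidance above into a concrete check, as an added example that is not part of the original page or of any Positive Technologies product: correlate fan-in from several internal hosts with unbaselined egress from the same host. The address ranges, the process baseline and every event are constructed sample data.

```python
"""Flag internal hosts that look like C2 relay points (T1090.001).
Heuristic: a host that receives connections from several other internal
hosts (fan-in) and itself reaches an external address from a process
outside the baseline of processes expected to use the internet.
All events and the baseline are constructed sample data, not real telemetry.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Constructed baseline: processes that routinely make outbound connections.
KNOWN_NETWORK_PROCESSES = {"chrome.exe", "msedge.exe", "outlook.exe", "MsMpEng.exe"}

# Constructed connection-creation events: (src_ip, dst_ip, dst_port, process on src)
EVENTS = [
    ("10.0.1.20", "10.0.1.50", 445, "svchost.exe"),
    ("10.0.1.21", "10.0.1.50", 445, "svchost.exe"),
    ("10.0.1.22", "10.0.1.50", 445, "rundll32.exe"),
    ("10.0.1.50", "203.0.113.7", 443, "htran.exe"),   # relay host egressing
    ("10.0.1.30", "10.0.1.70", 445, "svchost.exe"),
    ("10.0.1.31", "10.0.1.70", 445, "svchost.exe"),
    ("10.0.1.70", "203.0.113.9", 443, "chrome.exe"),  # file server whose user browses
    ("10.0.1.60", "10.0.1.5", 88, "lsass.exe"),       # Kerberos, internal only
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_relay_candidates(events, min_fan_in: int = 2) -> dict:
    """Return {host: {"fan_in": [...], "egress": [...]}} for suspected relays."""
    fan_in = defaultdict(set)   # dst host -> internal sources connecting to it
    egress = defaultdict(set)   # src host -> external (dst, port, process) not in baseline
    for src, dst, port, proc in events:
        if is_internal(src) and is_internal(dst):
            fan_in[dst].add(src)
        elif is_internal(src) and proc not in KNOWN_NETWORK_PROCESSES:
            egress[src].add((dst, port, proc))
    return {
        host: {"fan_in": sorted(srcs), "egress": sorted(egress[host])}
        for host, srcs in fan_in.items()
        if len(srcs) >= min_fan_in and host in egress
    }


if __name__ == "__main__":
    for host, detail in find_relay_candidates(EVENTS).items():
        print(f"possible internal proxy {host}: {detail}")
```

Raising `min_fan_in` or extending the baseline trades recall for fewer alerts on legitimate file servers; the Network Traffic Content guidance (protocol conformance on port 445) is the natural second stage for the hosts this returns.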
Mitigation
ID | Name | Description
---|---|---
M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.