T1090.001: Internal Proxy
Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.
By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
unix_mitre_attck_command_and_control: PT-CR-2638: Subrule_Unix_Possible_GS_Netcat_Usage: Multiple local network connections to a single port, or multiple network connections to a single external IP address on port 443. This may indicate the use of a network traffic proxying utility.
unix_mitre_attck_command_and_control: PT-CR-2648: Unix_Possible_GSocket_Usage: Attempt to connect to an external host over port 443 using a Global Socket Toolkit utility (gsocket, blitz, gs-mount, or gs-sftp). This may indicate network reconnaissance, access to local resources, or lateral movement by an attacker.
unix_mitre_attck_command_and_control: PT-CR-2639: Unix_Possible_GS_Netcat_Usage: Attempt to connect to an external host on destination port 443. This may indicate that the gs-netcat utility is being used for network reconnaissance, access to local resources, or lateral movement.
unix_mitre_attck_command_and_control: PT-CR-1700: Unix_Proxy_Forwarding: Possible traffic tunneling from a Unix host to a Windows host.
hacking_tools: PT-CR-2600: Cobalt_Strike_Browserpivot: The Cobalt Strike beacon command "browserpivot", which turns the Internet Explorer (MS Edge) browser into a proxy, was executed on the victim's host.
mitre_attck_command_and_control: PT-CR-2598: Possible_Proxy_Usage: Network traffic proxying. Possible use of utilities such as Shadowsocks, NekoRay, RTUN, or Burp Suite.
mitre_attck_command_and_control: PT-CR-610: Proxy_Tools_Usage: A utility is started to proxy traffic.
mitre_attck_command_and_control: PT-CR-428: Possible_Network_Local_Tunnel: Attempt to connect to a remote host using a tunnel. This may indicate that the tunnel is being used for network reconnaissance, access to local resources, or lateral movement.
mitre_attck_command_and_control: PT-CR-467: Suspicious_Connection: A network request made by an executable file is detected.
mitre_attck_command_and_control: PT-CR-969: Ligolo_Reverse_Tunneling: Creation of a reverse tunnel using the Ligolo(-ng) utility.
mitre_attck_command_and_control: PT-CR-461: Port_Forwarding_Or_Tunneling: A potential attempt to forward a network port is detected.
it_bastion: PT-CR-2183: SKDPUNT_Connection_In_Session_Open: SKDPU NT detected execution of a command that creates a new connection within a session.
it_bastion: PT-CR-2170: SKDPUNT_Connection_In_Session_Closed: SKDPU NT detected the closing of an additional session within a user session.
Detection
ID | Data source and component | Description
---|---|---
DS0029 | Network Traffic: Network Traffic Content | Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with these traffic patterns (e.g. monitor anomalies in the use of files that do not normally initiate connections for the respective protocol(s)).
DS0029 | Network Traffic: Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication, or that have never been seen before, are suspicious.
DS0029 | Network Traffic: Network Connection Creation | Monitor for newly constructed network connections that are sent or received by untrusted hosts.
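The fan-in/fan-out pattern that PT-CR-2638 and the Network Traffic Flow data source describe (many internal peers connecting to one port on a host that itself holds outbound connections to an external address on port 443) can be checked over connection records. The following is an added example, not code from this page or from the MaxPatrol SIEM rule set; the flow tuples and IP addresses are constructed, and the internal ranges are assumed to be RFC 1918.

```python
"""Flag hosts whose connection pattern matches an internal proxy:
many internal peers connect to one listening port on the host, and the
same host has outbound connections to an external IP on port 443."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: RFC 1918 space is "internal" for this environment.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample flow records: (src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = [
    # Four workstations connect to 10.0.1.50 on an unusual port ...
    ("10.0.1.11", "10.0.1.50", 8443),
    ("10.0.1.12", "10.0.1.50", 8443),
    ("10.0.1.13", "10.0.1.50", 8443),
    ("10.0.1.14", "10.0.1.50", 8443),
    # ... and 10.0.1.50 is the only host talking to this external IP.
    ("10.0.1.50", "203.0.113.7", 443),
    ("10.0.1.50", "203.0.113.7", 443),
    # Normal activity: one workstation browsing two external sites.
    ("10.0.1.20", "198.51.100.3", 443),
    ("10.0.1.20", "198.51.100.9", 443),
    # A file server with many internal clients but no external egress.
    ("10.0.1.11", "10.0.1.60", 445),
    ("10.0.1.12", "10.0.1.60", 445),
    ("10.0.1.13", "10.0.1.60", 445),
]

def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_proxy_candidates(flows, min_peers=3):
    """Return {host: (listen_port, [external_ips])} for matching hosts."""
    inbound = defaultdict(set)   # (host, port) -> distinct internal src IPs
    outbound = defaultdict(set)  # host -> external IPs reached on port 443
    for src, dst, port in flows:
        if is_internal(src) and is_internal(dst):
            inbound[(dst, port)].add(src)
        elif is_internal(src) and not is_internal(dst) and port == 443:
            outbound[src].add(dst)
    candidates = {}
    for (host, port), peers in inbound.items():
        # Fan-in from many peers combined with fan-out to the Internet.
        if len(peers) >= min_peers and outbound.get(host):
            candidates[host] = (port, sorted(outbound[host]))
    return candidates

if __name__ == "__main__":
    print(find_proxy_candidates(SAMPLE_FLOWS))
```

The file server on port 445 is not flagged because it has no external egress, which is the distinction that keeps this check from firing on ordinary internal servers.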
Mitigation
ID | Name | Description
---|---|---
M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific C2 protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.