Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Внешний прокси-сервер
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Внешний прокси-сервер
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Proxy:  Внешний прокси-сервер

ID Название
.001 Внутренний прокси-сервер
.002 Внешний прокси-сервер
.003 Цепочка прокси-серверов
.004 Домен-прикрытие

Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion. External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.

ID: T1090.002
Относится к технике:  T1090
Тактика(-и): Command and Control
Платформы: ESXi, Linux, Network Devices, Windows, macOS
Источники данных: Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Версия: 1.2
Дата создания: 14 Mar 2020
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
TrickBot

TrickBot has been known to reach a command and control server via one of nine proxy IP addresses. (Citation: Bitdefender Trickbot C2 infra Nov 2020) (Citation: Bitdefender Trickbot VNC module Whitepaper 2021)
InvisiMole

InvisiMole InvisiMole can identify proxy servers used by the victim and use them for C2 communication.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)
QUIETEXIT

QUIETEXIT can proxy traffic via SOCKS.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
Okrum

Okrum can identify proxy servers configured and used by the victim, and use it to make HTTP requests to C2 its server.(Citation: ESET Okrum July 2019)
Regin

Regin leveraged several compromised universities as proxies to obscure its origin.(Citation: Kaspersky Regin)
ShimRat

ShimRat can use pre-configured HTTP proxies.(Citation: FOX-IT May 2016 Mofang)
Winnti for Windows

The Winnti for Windows HTTP/S C2 mode can make use of an external proxy.(Citation: Novetta Winnti April 2015)
Mythic

Mythic can leverage a modified SOCKS5 proxy to tunnel egress C2 traffic.(Citation: Mythc Documentation)
POWERSTATS

POWERSTATS has connected to C2 servers through proxies.(Citation: FireEye MuddyWater Mar 2018)
QakBot

QakBot has a module that can proxy C2 communications.(Citation: Kaspersky QakBot September 2021)
APT28

APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server.(Citation: FireEye APT28)(Citation: Bitdefender APT28 Dec 2015)(Citation: DOJ GRU Indictment Jul 2018)
Lazarus Group

Lazarus Group has used multiple proxies to obfuscate network traffic from victims.(Citation: US-CERT FALLCHILL Nov 2017)(Citation: TrendMicro macOS Dacls May 2020)
APT29

APT29 uses compromised residential endpoints as proxies for defense evasion and network access.(Citation: NCSC et al APT29 2024)
APT39

APT39 has used various tools to proxy C2 communications.(Citation: BitDefender Chafer May 2020)
MuddyWater

MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location.(Citation: Symantec MuddyWater Dec 2018) MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2).(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)
Silence

Silence has used ProxyBot, which allows the attacker to redirect traffic from the current node to the backconnect server via Sock4\Socks5.(Citation: Group IB Silence Sept 2018)

menuPass

menuPass has used a global service provider's IP as a proxy for C2 traffic from a victim.(Citation: FireEye APT10 April 2017)(Citation: FireEye APT10 Sept 2018)
Tonto Team

Tonto Team has routed their traffic through an external server in order to obfuscate their location.(Citation: TrendMicro Tonto Team October 2020)
APT3

An APT3 downloader establishes SOCKS5 connections for its initial C2.(Citation: FireEye Operation Double Tap)
GALLIUM

GALLIUM used a modified version of HTRAN to redirect connections between networks.(Citation: Cybereason Soft Cell June 2019)
FIN5

FIN5 maintains access to victim environments by using FLIPSIDE to create a proxy for a backup RDP tunnel.(Citation: Mandiant FIN5 GrrCON Oct 2016)

Контрмеры
Контрмера Описание
Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Обнаружение

Analyze network data for uncommon data flows, such as a client sending significantly more data than it receives from an external server. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)

Ссылки

  1. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  2. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  3. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  4. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
  5. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  6. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  7. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  8. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  9. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
  10. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
  11. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  12. Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.
  13. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  14. UK National Cyber Security Center et al. (2024, February). SVR cyber actors adapt tactics for initial cloud access. Retrieved March 1, 2024.
  15. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  16. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  17. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  18. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  19. Liviu Arsene, Radu Tudorica. (2020, November 23). TrickBot is Dead. Long Live TrickBot!. Retrieved September 28, 2021.
  20. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  21. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
  22. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021.
  23. Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022.
  24. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  25. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  26. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  27. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  28. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  29. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  30. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  31. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.