Proxy - T1090
(ATT&CK® Technique)
Definition
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
D3FEND Inferred Relationships
Artifacts produced by Proxy (T1090):
Intranet Network Traffic
Outbound Internet Network Traffic
Outbound Internet Encrypted Web Traffic

Defensive techniques that may detect Proxy (T1090), with the artifacts each analyzes:
Network Traffic Community Deviation: Intranet Network Traffic, Outbound Internet Network Traffic, Outbound Internet Encrypted Web Traffic
Protocol Metadata Anomaly Detection: Intranet Network Traffic, Outbound Internet Network Traffic, Outbound Internet Encrypted Web Traffic
Per Host Download-Upload Ratio Analysis: Intranet Network Traffic, Outbound Internet Network Traffic, Outbound Internet Encrypted Web Traffic
Client-server Payload Profiling: Intranet Network Traffic, Outbound Internet Network Traffic, Outbound Internet Encrypted Web Traffic
Network Traffic Signature Analysis: Intranet Network Traffic, Outbound Internet Network Traffic, Outbound Internet Encrypted Web Traffic
Remote Terminal Session Detection: Intranet Network Traffic, Outbound Internet Network Traffic, Outbound Internet Encrypted Web Traffic
Relay Pattern Analysis: Outbound Internet Network Traffic, Outbound Internet Encrypted Web Traffic
Connection Attempt Analysis: Intranet Network Traffic
User Geolocation Logon Pattern Analysis: Intranet Network Traffic, Outbound Internet Network Traffic, Outbound Internet Encrypted Web Traffic

Defensive techniques that may isolate Proxy (T1090), with the artifacts each filters:
Network Traffic Filtering: Intranet Network Traffic, Outbound Internet Network Traffic, Outbound Internet Encrypted Web Traffic
Outbound Traffic Filtering: Outbound Internet Network Traffic, Outbound Internet Encrypted Web Traffic