Esc

Internal Proxy - T1090.001

(ATT&CK® Technique)

Definition

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1090001["Internal Proxy"] --> |produces| IntranetNetworkTraffic["Intranet Network Traffic"]; class T1090001 OffensiveTechniqueNode;
        class IntranetNetworkTraffic ArtifactNode; click IntranetNetworkTraffic href "/dao/artifact/d3f:IntranetNetworkTraffic";
        click T1090001 href "/offensive-technique/attack/T1090.001/"; click IntranetNetworkTraffic href "/dao/artifact/d3f:IntranetNetworkTraffic";             NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.->
            | may-detect | T1090001["Internal Proxy"] ;
          class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis"; Client-serverPayloadProfiling["Client-server Payload Profiling"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          Client-serverPayloadProfiling["Client-server Payload Profiling"] -.->
            | may-detect | T1090001["Internal Proxy"] ;
          class Client-serverPayloadProfiling DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling"; ConnectionAttemptAnalysis["Connection Attempt Analysis"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.->
            | may-detect | T1090001["Internal Proxy"] ;
          class ConnectionAttemptAnalysis DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis"; NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.->
            | may-detect | T1090001["Internal Proxy"] ;
          class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";                     RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.->
            | may-detect | T1090001["Internal Proxy"] ;
          class RemoteTerminalSessionDetection DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection";                                        PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.->
            | may-detect | T1090001["Internal Proxy"] ;
          class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis"; ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.->
            | may-detect | T1090001["Internal Proxy"] ;
          class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";  NetworkTrafficFiltering["Network Traffic Filtering"] -->
          | filters | IntranetNetworkTraffic["Intranet Network Traffic"];

          NetworkTrafficFiltering["Network Traffic Filtering"] -.->
            | may-isolate | T1090001["Internal Proxy"] ;
          class NetworkTrafficFiltering DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";                                       UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -->
          | analyzes | IntranetNetworkTraffic["Intranet Network Traffic"];

          UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.->
            | may-detect | T1090001["Internal Proxy"] ;
          class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
          class IntranetNetworkTraffic ArtifactNode;
          click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";

json