T1090.001 - Proxy: Internal Proxy
Description from ATT&CK (opens in a new tab)
Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN (opens in a new tab), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.
By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.
Atomic Tests
Atomic Test #1 - Connection Proxy
Enable traffic redirection.
Note that this test may conflict with pre-existing system configuration.
Supported Platforms: Linux, macOS
auto_generated_guid: 0ac21132-4485-4212-a681-349e8a6637cd
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| proxy_server | Proxy server URL | url | 127.0.0.1 |
| proxy_port | Proxy server port | integer | 3128 |
| proxy_scheme | Protocol to proxy (http or https) | string | http |
| test_url | URL to test proxy connection | string | http://google.com (opens in a new tab) |
| run_squid | If set to true, the test will install and configure a proxy server on the endpoint. | ||
| Note that this test may conflict with pre-existing system configuration. | string | false |
Attack Commands: Run with sh!
export #{proxy_scheme}_proxy=#{proxy_server}:#{proxy_port}
curl #{test_url}Cleanup Commands:
unset #{proxy_scheme}_proxy
[ "#{run_squid}" == "true" ] && (kill -9 $(ps aux | grep "squid -N" | grep -v "grep" | awk '{print $2}'))Dependencies: Run with sh!
Description: Squid must be installed and running
Check Prereq Commands:
if ([ "#{run_squid}" = "false" ] || ([ -x "$(command -v squid --version)" ] && (ps aux | grep "squid -N" | grep -v "grep"))); then exit 0; else exit 1; fi;Get Prereq Commands:
[ "#{run_squid}" = "true" ] && ([ -x "$(command -v squid --version)" ] || sudo DEBIAN_FRONTEND=noninteractive apt-get -y install squid curl || sudo yum install -y squid curl || sudo dnf install -y squid curl || brew install curl squid) && (squid -N -d 1 &) && exit 0
echo "Value #{run_squid} for variable "run_squid" is not valid" && exit 1Atomic Test #2 - Connection Proxy for macOS UI
Enable traffic redirection on macOS UI (not terminal). The test will modify and enable the "Web Proxy" and "Secure Web Proxy" settings in System Preferences => Network => Advanced => Proxies for the specified network interface.
Note that this test may conflict with pre-existing system configuration.
Supported Platforms: macOS
auto_generated_guid: 648d68c1-8bcd-4486-9abe-71c6655b6a2c
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| proxy_server | Proxy server URL (host) | url | 127.0.0.1 |
| proxy_port | Proxy server port | integer | 8080 |
| interface | Protocol to proxy (http or https) | string | Wi-Fi |
Attack Commands: Run with sh!
networksetup -setwebproxy #{interface} #{proxy_server} #{proxy_port}
networksetup -setsecurewebproxy #{interface} #{proxy_server} #{proxy_port}Cleanup Commands:
networksetup -setwebproxystate #{interface} off
networksetup -setsecurewebproxystate #{interface} offAtomic Test #3 - portproxy reg key
Adds a registry key to set up a proxy on the endpoint at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 Upon execution there will be a new proxy entry in netsh netsh interface portproxy show all
Supported Platforms: Windows
auto_generated_guid: b8223ea9-4be2-44a6-b50a-9657a3d4e72a
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| connectaddress | Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer. | string | 127.0.0.1 |
| connectport | Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer. | string | 1337 |
| listenport | Specifies the IPv4 port, by port number or service name, on which to listen. | string | 1337 |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress}Cleanup Commands:
netsh interface portproxy delete v4tov4 listenport=#{listenport} -ErrorAction Ignore | Out-Null