# T1090.001 Internal Proxy

-----------------------------------------------------------------------

## Technique Description

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.

By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.

## Technique Detection

Analyze network data for uncommon data flows between clients that should not or often do not communicate with one another. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
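The two detection ideas above (client-to-client flows outside a baseline, and traffic that does not match the protocol expected on its port) applied to a constructed Zeek-style conn.log sample. This is an added example, not part of the MITRE text or this playbook; the subnets, the expected-service table and the baseline pair set are assumptions for the sample, and a host that accepts unbaselined peer flows and also connects outside the enterprise range is reported as an internal proxy candidate.

```python
import ipaddress
from collections import defaultdict

# Constructed Zeek-style conn.log sample (tab-separated; not real telemetry).
# Fields: ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service
SAMPLE_CONN_LOG = """\
1655971200.1\t10.10.20.15\t51234\t10.10.5.10\t445\ttcp\tsmb
1655971201.2\t10.10.20.15\t51235\t10.10.5.20\t443\ttcp\tssl
1655971202.3\t10.10.20.31\t49800\t10.10.20.15\t443\ttcp\t-
1655971203.4\t10.10.20.31\t49801\t10.10.20.15\t443\ttcp\t-
1655971204.5\t10.10.20.42\t49900\t10.10.20.15\t445\ttcp\tsmb
1655971205.6\t10.10.20.50\t49950\t10.10.20.15\t445\ttcp\tsmb
1655971206.7\t10.10.20.15\t51236\t203.0.113.9\t443\ttcp\tssl
"""
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed enterprise range
WORKSTATIONS = ipaddress.ip_network("10.10.20.0/24")  # assumed client subnet
EXPECTED_SERVICE = {22: "ssh", 80: "http", 443: "ssl", 445: "smb"}
BASELINE_PAIRS = {("10.10.20.50", "10.10.20.15")}     # assumed learned client pairs

def parse_conn_log(text):
    """Parse tab-separated records into dicts, skipping blank/comment lines."""
    records = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            _ts, src, _sp, dst, dport, proto, service = line.split("\t")
            records.append({"src": src, "dst": dst, "dport": int(dport),
                            "proto": proto, "service": service})
    return records

def find_internal_proxy_candidates(records, baseline=BASELINE_PAIRS):
    """Return (alerts, candidates). A candidate is a host that accepts unbaselined
    client-to-client flows from two or more peers and also talks outside INTERNAL."""
    alerts, peers, talks_out = [], defaultdict(set), set()
    for r in records:
        src, dst = ipaddress.ip_address(r["src"]), ipaddress.ip_address(r["dst"])
        # Rule 1: clients that should not normally talk to each other
        if src in WORKSTATIONS and dst in WORKSTATIONS and (r["src"], r["dst"]) not in baseline:
            alerts.append((r["src"], r["dst"], r["dport"], "client-to-client flow outside baseline"))
            peers[r["dst"]].add(r["src"])
        # Rule 2: protocol does not match what the port is expected to carry
        expected = EXPECTED_SERVICE.get(r["dport"])
        if expected and r["service"] != expected:
            alerts.append((r["src"], r["dst"], r["dport"],
                           f"port {r['dport']} carried {r['service']!r}, expected {expected!r}"))
        if dst not in INTERNAL:
            talks_out.add(r["src"])
    candidates = sorted(h for h, p in peers.items() if len(p) >= 2 and h in talks_out)
    return alerts, candidates
```

Running `find_internal_proxy_candidates(parse_conn_log(SAMPLE_CONN_LOG))` on the sample reports 10.10.20.15 as the candidate: two workstations reach it outside the baseline, two of those flows carry an unidentified protocol on 443, and it alone connects out of the 10.0.0.0/8 range.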

-----------------------------------------------------------------------

### Tactics:

  *   Command-And-Control

### Platforms:

  * Linux

  * macOS

  * Windows

### Data Sources:

  * **Network Traffic:** Network Traffic Flow

  * **Network Traffic:** Network Traffic Content

  * **Network Traffic:** Network Connection Creation

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| Higaisa | [Higaisa](https://attack.mitre.org/groups/G0126) discovered system proxy settings and used them if available.(Citation: Zscaler Higaisa 2020)| 
| UNC2452 | [UNC2452](https://attack.mitre.org/groups/G0118) configured at least one instance of [Cobalt Strike](https://attack.mitre.org/software/S0154) to use a network pipe over SMB during the 2020 SolarWinds intrusion.(Citation: Symantec RAINDROP January 2021)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) can proxy traffic through multiple infected systems.(Citation: FoxIT Wocao December 2019)| 
| APT39 | [APT39](https://attack.mitre.org/groups/G0087) used custom tools to create SOCKS5 and custom protocol proxies between infected hosts.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)| 
| Strider | [Strider](https://attack.mitre.org/groups/G0041) has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access.(Citation: Kaspersky ProjectSauron Blog)| 
| Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used a compromised router to serve as a proxy between a victim network's corporate and restricted segments.(Citation: Kaspersky ThreatNeedle Feb 2021)| 
| APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used SSH port forwarding capabilities on public-facing systems, and configured at least one instance of [Cobalt Strike](https://attack.mitre.org/software/S0154) to use a network pipe over SMB during the 2020 SolarWinds intrusion.(Citation: Symantec RAINDROP January 2021)(Citation: CrowdStrike StellarParticle January 2022)| 
| Turla | [Turla](https://attack.mitre.org/groups/G0010) has compromised internal network systems to act as a proxy to forward traffic to C2.(Citation: Talos TinyTurla September 2021)| 

-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1090/001)

  * [Trend Micro APT Attack Tools](http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/), Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools of the Trade. Retrieved December 2, 2015.

  * [University of Birmingham C2](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf), Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control: Understanding, Denying and Detecting. Retrieved April 20, 2016.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is run. Store permanent information in one of the relevant cells below.*

*Last pulled from Mitre on: 23 June 2022*
-----------------------------------------------------------------------

## Metadata

  * **Last Updated Date:** 8 July 2021

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Information Here

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| Example APT/Threat actor | 1, 2 | 2, 3, 5|

## Detection Blindspots

- Information Here

## Analytical References

  * [Other references: All custom links should go here](example.lan)

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```

#### Analytic 2

  * **Information:** 'Comments'

  * **Source:** 'ex Windows Audits, Sysmon'

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** 'Various notes to assist with hunting.'

  * **Query:** ```Input your query here```
-----------------------------------------------------------------------

## Network Analytics 1

-----------------------------------------------------------------------

### Hunter Notes

- (WIP) requiring validation and a breakdown of the actual method used

#### Analytic 1

  * **Tool:** 'Kibana OR Arkime'

  * **Notes:** 'Turla: HyperStack, Carbon, and Kazuar below are some IOC hunts'

  * **Query:** ```winlog.event_data.PipeName: *adschemerpc*```
  * **Query:** ```DebugView.exe OR Agent.exe OR RuntimeBroker.exe OR WSUSTransfer.exe OR DSCEBIN.EXE OR sacril.dll OR ablhelper.dll OR frontapp.dll OR estdlawf.fes OR ADSchemeIntegrity.exe OR 101_iex_memory_code_exe.exe OR 1.ps1 OR hyperstack.exe OR ADSchemeIntegrity.exe```
  
  
#### C2

  * **Note:** 'C&C URLs for the Carbon implant'
  * **Operator Note:** 'When looking for the C2 traffic, look for the top-level domain and patterns first. Treat this as a last look, as domains can change very easily.'
  * **Query:** ```www.berlinguas[.]com/wp-content/languages/index.php OR www.balletmaniacs[.]com/wp-includes/fonts/icons/ OR pastebin[.]com:443/raw/5qXBPmAZ```

  * **Note:** 'C&C URLs for the Kazuar implant'
  * **Operator Note:** 'When looking for the C2 traffic, look for the top-level domain and patterns first. Treat this as a last look, as domains can change very easily.'
  * **Query:** ```https://www.bombheros[.]com/wp-content/languages/index[.]php OR https://www.simplifiedhomesales[.]com/wp-includes/images/index.php OR http://mtsoft.hol[.]es/wp-content/gallery/ OR http://www.polishpod101[.]com/forum/language/en/sign/```
 
-----------------------------------------------------------------------

## Network Analytics 2

-----------------------------------------------------------------------

### Hunter Notes

- (WIP) requiring validation and a breakdown of the actual method used

#### Analytic 2

  * **Tool:** 'Kibana OR Arkime'

  * **Notes:** 'Raindrop'

  * **Query:** ```winlog.event_data.PipeName: *adschemerpc*```
  * **Query:** ```DebugView.exe OR Agent.exe OR RuntimeBroker.exe OR WSUSTransfer.exe OR DSCEBIN.EXE OR sacril.dll OR ablhelper.dll OR frontapp.dll OR estdlawf.fes OR ADSchemeIntegrity.exe OR 101_iex_memory_code_exe.exe OR 1.ps1 OR hyperstack.exe OR ADSchemeIntegrity.exe```
  
