# T1090.003 Multi-hop Proxy

-----------------------------------------------------------------------

## Technique Description

To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)

In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise.  By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes.  This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network.  This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.

## Technique Detection

When observing use of Multi-hop proxies, network data from the actual command and control servers could allow correlating incoming and outgoing flows to trace malicious traffic back to its source. Multi-hop proxies can also be detected by alerting on traffic to known anonymity networks (such as [Tor](https://attack.mitre.org/software/S0183)) or known adversary infrastructure that uses this technique.

In context of network devices, monitor traffic for encrypted communications from the Internet that is addressed to border routers.  Compare this traffic with the configuration to determine whether it matches with any configured site-to-site Virtual Private Network (VPN) connections the device was intended to have. Monitor traffic for encrypted communications originating from potentially breached routers that is addressed to other routers within the organization.  Compare the source and destination with the configuration of the device to determine if these channels are an authorized Virtual Private Network (VPN) connections or other encrypted modes of communication. Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted.  Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP.

-----------------------------------------------------------------------

### Tactics:

  *   Command-And-Control

### Platforms:

  * Linux

  * macOS

  * Windows

  * Network

### Data Sources:

  * **Network Traffic:** Network Traffic Content

  * **Network Traffic:** Network Connection Creation

  * **Network Traffic:** Network Traffic Flow

-----------------------------------------------------------------------

### Adversarial usage:

| Adversary Group |  Adversarial Usage |
|----|----|
| CostaRicto | [CostaRicto](https://attack.mitre.org/groups/G0132) has used a layer of proxies to manage C2 communications.(Citation: BlackBerry CostaRicto November 2020)| 
| Operation Wocao | [Operation Wocao](https://attack.mitre.org/groups/G0116) has executed commands through the installed web shell via Tor exit nodes.(Citation: FoxIT Wocao December 2019)| 
| Inception | [Inception](https://attack.mitre.org/groups/G0100) used chains of compromised routers to proxy C2 communications between them and cloud service providers.(Citation: Symantec Inception Framework March 2018)| 
| FIN4 | [FIN4](https://attack.mitre.org/groups/G0085) has used Tor to log in to victims' email accounts.(Citation: FireEye Hacking FIN4 Dec 2014)| 
| Leviathan | [Leviathan](https://attack.mitre.org/groups/G0065) has used multi-hop proxies to disguise the source of their malicious traffic.(Citation: CISA AA21-200A APT40 July 2021)| 
| APT29 | A backdoor used by [APT29](https://attack.mitre.org/groups/G0016) created a [Tor](https://attack.mitre.org/software/S0183) hidden service to forward traffic from the [Tor](https://attack.mitre.org/software/S0183) client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network and has also used TOR.(Citation: Mandiant No Easy Breach)(Citation: MSTIC Nobelium Oct 2021)| 
| APT28 | [APT28](https://attack.mitre.org/groups/G0007) has routed traffic over [Tor](https://attack.mitre.org/software/S0183) and VPN servers to obfuscate their activities.(Citation: TrendMicro Pawn Storm Dec 2020)| 
-----------------------------------------------------------------------

## Mitre References

  * [Mitre-Attack](https://attack.mitre.org/techniques/T1090/003)

  * [Onion Routing](https://en.wikipedia.org/wiki/Onion_routing), Wikipedia. (n.d.). Onion Routing. Retrieved October 20, 2020.

> *Note: Do not edit this cell with information you want to keep. This cell will be wiped when the update script is ran. Store permanent information in one of the relevant cells below*

*Last pulled from Mitre on: 23 June 2022*



-----------------------------------------------------------------------

## Metadata

  * **Last Updated  Date:** 29 June 2022

  * **Author(s):** SSgt Johnathan Smith, SSgt John Beres, CTR Emily Porras, Michael Adams

  * **Validated:** NO

-----------------------------------------------------------------------

## Overall Hypothesis

- Adversaries could potentially use malware to reroute and encapsulate traffic through custom protocols and purpose-built networks like The Onion Router (TOR).  These protocols use common ports and encryption mechanisms but bounce C2 traffic between continuous changing of hosts in order to obfuscate/protect the source of the attacker’s real C2 infrastructure.   In order to expose this TTP, recommend cyber-defenders to used tools like Zeek, Venom, or Stoneway to alert on Tor or known adversary infrastructure that uses this TTP. 

#### APT 29 Hypothesis

- May attempt to use TOR to forward traffic through known ports such as 3389 (RDP), 137 (Netbios), 445 (SMB). APT 29 has also been know to use Meek plugin for TOR to assist in hiding their network traffic.

## Adversary Examples

| Adversary Specific Examples | Host Analytics | Network Analytics |
|-----------------------------|----------------|-------------------|
| APT29 |  | 1 |

## Detection Blindspots

- Encrypted traffic may make it difficult to identify payload.
- Sensor placement may not provide full visability of traffic needed to identify this TTP.

## Analytical References

  * [SlideShare - No Easy Breach](https://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016)
  * [TOR Status - HomePage](https://torstatus.rueckgr.at/index.php?SR=Uptime&SO=Desc)
  * [FireEYe - APT29 Domain Fronting 2017](https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html)
  * [Threat Hunter Playbook - DLL Injection via CreateRemoteThread and LoadLibrary](https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html)
  * [Synack - Mac Malware of 2016](https://www.synack.com/blog/mac-malware-2016/)
  * [Objective See - Mac Malware of 2017](https://objective-see.org/blog/blog_0x25.html)
  * [We Live Security - ESET GREYENERGY](https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf)
  * [Secureworks - WCry Ransomware Analysis](https://www.secureworks.com/research/wcry-ransomware-analysis)
  * [NJCCIC - Ursnif Trojan](https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/ursnif)
   

-----------------------------------------------------------------------

## Host Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Information Here

#### Analytic 1

  * **Information:** Detect HTTP proxy listening for Tor connections

  * **Source:** Windows Audits, Sysmon

  * **Tool:** Kibana

  * **Notes:** 

  * **Query:** ```event_id:5154 AND source_port:[3389, 139, 445]```

#### Analytic 2

  * **Information:** Identify processes that listen on localhost 3389 (RDP), 139 (Netbios), or 445 (SMB)

  * **Source:** Windows Audits, Sysmon

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** look for any processes that shouldn't be running/connecting to those services. Sometimes browsers will connect to these ports on localhost when visiting certain websites.

  * **Query:** ```event_id:3 AND destinationport:[3389,139,445] AND Destinationip:127.0.0.1```
  
  
#### Analytic 3

  * **Information:** Identify instances of command line execution including the "--front" switch which the meek plugin is known to use

  * **Source:** Windows Audits, Sysmon

  * **Tool:** 'Arkime, Kibana, Autopsy'

  * **Notes:** look for any processes that shouldn't be running/connecting to those services. Sometimes browsers will connect to these ports on localhost when visiting certain websites.

  * **Query:** ```event_id:1 AND command.line:"*--front*"```



-----------------------------------------------------------------------

## Network Analytics

-----------------------------------------------------------------------

### Hunter Notes

- Look for commonly use ports 9001 & 9030. 9000 series should be investigated
- TOR has a unique public key system to verify the identity of its nodes.   i.e. weird-looking SSL certificate
- If time is available, hunter could create a repository of approximately ~7500 IP addresses that are associated with TOR.  There are listed available via open source.
- TOR client uses a non-existent domain name in TLS server_name extension
- Monitor ICMP traffic from the Internet that is addressed to border routers and is encrypted. Few if any legitimate use cases exist for sending encrypted data to a network device via ICMP.
- Identify common ports with uncommon traffic. Example TOR traffic on port 3389.
- Host coordination will be needed to identify ports being forwarded:

<img src="../../Images/T1090.003_Meek.PNG" 
        alt="Picture"
        width="862.5" 
        height="339" />

### Tor Communication Setup
<img src="../../Images/T1090.003_TOR.PNG" 
        alt="Picture"
        width="800" 
        height="600" />

<img src="../../Images/T1090.003_TOR2.PNG" 
        alt="Picture"
        width="800" 
        height="600" />

<img src="../../Images/T1090.003_TOR3.PNG" 
        alt="Picture" 
        width="800" 
        height="600" />

![Tor4](../../Images/T1090.003_TOR4.PNG)

### Deep Dive
- Get Handle to Target Processs
  - The malware first needs to target a process for injection (e.g. svchost.exe). This is usually done by searching through processes by calling a trio of Application Program Interfaces (APIs) > CreateToolhelp32Snapshot, Process32First, and Process32Next. After finding the target process, the malware gets the handle of the target process by calling OpenProcess.
 
- Get address of the LoadLibraryA function
  - Kernel32.dll is loaded into every Windows process, and within it is a useful function called LoadLibrary. When LoadLibrary is called in a certain process, it maps a DLL into that process.
 
- Allocate Memory for DLL
  - Why do we write the DLL path to Process B using VirtualAllocEx and then WriteRemoteMemory? This is because LoadLibrary needs to know what DLL you want to inject. The string it accepts as a parameter needs to be present in Process B’s memory. The malware calls VirtualAllocEx to have a space to write the path to its DLL. The malware then calls WriteProcessMemory to write the path in the allocated memory.
 
- Execute Code
  - Finally, to have the code executed in another process, the malware calls APIs such as CreateRemoteThread, NtCreateThreadEx, or RtlCreateUserThread. The latter two are undocumented. However, the general idea is to pass the address of LoadLibrary to one of these APIs so that a remote process has to execute the DLL on behalf of the malware. The CreateRemoteThread function creates a thread in the virtual address space of an arbitrary process.

- Here is a YAML formatted "playbook" created by Roberto Rodriguez @Cyb3rWard0g that best describes the approach going forward:
  - <details>
    <summary>Click to expand!</summary>
    
    ## YAML Output
    ```yaml
    title: DLL Injection via CreateRemoteThread and LoadLibrary
    id: WIN-180719170510
    author: Roberto Rodriguez @Cyb3rWard0g
    playbook_link:
    creation_date: 2018/07/19
    platform: Windows
    permissions_required:
      - Administrator
    attack_coverage:
      - technique: T1055
        tactics:
          - TA0005
    hypothesis: Adversaries might be injecting a dll to another process to execute code via CreateRemoteThread and LoadLibrary functions.
    description: |-
      This technique is one of the most common techniques used to inject malware into another process.
      The malware writes the path to its malicious dynamic-link library (DLL) in the virtual address space of another process, and ensures the remote process loads it by creating a remote thread in the target process.
      
      ### Get Handle to Target Processs
      The malware first needs to target a process for injection (e.g. svchost.exe).
      This is usually done by searching through processes by calling a trio of Application Program Interfaces (APIs) > CreateToolhelp32Snapshot, Process32First, and Process32Next.
      After finding the target process, the malware gets the handle of the target process by calling OpenProcess.
      
      There are two processes involved in this attack > your DLLInjector process (Process A), and the remote process you want to inject with a DLL (Process B).
      To interact with the remote process, Process A must call OpenProcess() while passing the remote process’s process ID as an argument. OpenProcess will then return to Process A a Handle to Process B.
      Having a Handle to the remote process allows Process A to interact with it in powerful ways. Process A can allocate memory, write memory, and create an execution thread in Process B by calling functions like VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread and passing the Handle to Process B as an argument to those functions.
      
      ### Get address of the LoadLibraryA function
      Kernel32.dll is loaded into every Windows process, and within it is a useful function called LoadLibrary.
      When LoadLibrary is called in a certain process, it maps a DLL into that process.
      LoadLibrary needs to know what DLL to load, so you need to provide it the path to the DLL on your system.
      LoadLibrary will then find the DLL at that path and load that DLL into memory for you.
      Note > LoadLibraryA is the function name. “A” means you provide the DLL path as an ASCII string.
      
      ### Allocate Memory for DLL
      Why do we write the DLL path to Process B using VirtualAllocEx and then WriteRemoteMemory? This is because LoadLibrary needs to know what DLL you want to inject.
      The string it accepts as a parameter needs to be present in Process B’s memory.
      The malware calls VirtualAllocEx to have a space to write the path to its DLL.
      The malware then calls WriteProcessMemory to write the path in the allocated memory.
      
      ### Execute Code
      Finally, to have the code executed in another process, the malware calls APIs such as CreateRemoteThread, NtCreateThreadEx, or RtlCreateUserThread.
      The latter two are undocumented. However, the general idea is to pass the address of LoadLibrary to one of these APIs so that a remote process has to execute the DLL on behalf of the malware.
      The CreateRemoteThread function creates a thread in the virtual address space of an arbitrary process.
      
      Use CreateRemoteThread to create a remote thread starting at the memory address (which means this will execute LoadLibrary in the remote process).
      Besides the memory address of the remote function you want to call, CreateRemoteThread also allows you to provide an argument for the function if it requires one.
      LoadLibrary wants the memory address of where you wrote that DLL path from earlier, so provide CreateRemoteThread that address as well.
    validation_dataset:
      - type: mordor
        url: https://raw.githubusercontent.com/hunters-forge/mordor/master/datasets/small/windows/defense_evasion/empire_dll_injection.tar.gz
    analytics:
      - name: Analytic I
        data_sources:
          - Microsoft-Windows-Sysmon/Operational
        false_positives: High
        description: Look for any use of the CreateRemoteThread function to create a remote thread starting at the memory address (which means this will execute LoadLibrary in the remote process)
        logic: |-
          SELECT `@timestamp`, computer_name, SourceImage, TargetImage
          FROM mordorTable
          WHERE channel = "Microsoft-Windows-Sysmon/Operational"
              AND event_id = 8
              AND lower(StartModule) LIKE "%kernel32.dll"
              AND StartFunction = "LoadLibraryA"
      - name: Analytic II
        data_sources:
          - Microsoft-Windows-Sysmon/Operational
        false_positives: Medium
        description: You can look for the same file being created and loaded. The process that creates the file and loads the file are not the same.
        logic: |-
          SELECT f.`@timestamp` AS file_date, m.`@timestamp` AS module_date, f.computer_name, f.Image AS file_image, m.Image AS module_image, m.ImageLoaded, f.TargetFilename
          FROM mordorTable f
          INNER JOIN (
              SELECT `@timestamp`,computer_name,Image,ImageLoaded,TargetLogonId,IpAddress
              FROM mordorTable
              WHERE channel = "Microsoft-Windows-Sysmon/Operational"
                  AND event_id = 7
              ) m
          ON f.TargetFilename = m.ImageLoaded
          WHERE f.channel = "Microsoft-Windows-Sysmon/Operational"
              AND f.event_id = 11
              AND f.computer_name = m.computer_name
    detection_blindspots: |-
      Instead of passing the address of the LoadLibrary, adversaries can copy the malicious code into an existing open process and cause it to execute (either via a small shellcode, or by calling CreateRemoteThread) via a technique known as PE injection.
      The advantage of this is that the adversary does not have to drop a malicious DLL on the disk.
      Similar to the basic dll injection technique, the malware allocates memory in a host process (e.g. VirtualAllocEx), and instead of writing a “DLL path” it writes its malicious code by calling WriteProcessMemory.
    hunter_notes: |-
      * Looking for CreateRemoteThread APIs with LoadLibrary functions might return several entries in your environment. I recommend to stack the values of the source and target processes or user to baseline your environmennt.
      * Look for processes loading files that have just been created on disk (i.e 1min time window). Stack the values of the processes and files involved. You can tag the files as signed or unsigned depending on the information provided in the security events.
    hunt_output:
      - category: signature
        type: SIGMA
        name: sysmon_createremotethread_loadlibrary
        url: https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/signatures/sigma/sysmon_createremotethread_loadlibrary.yml
    references: |-
      * https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
      * https://resources.infosecinstitute.com/using-createremotethread-for-dll-injection-on-windows/
      * https://arvanaghi.com/blog/dll-injection-using-loadlibrary-in-C/
      * https://github.com/EmpireProject/Empire/blob/master/data/module_source/code_execution/Invoke-DllInjection.ps1#L249
      * https://github.com/EmpireProject/Empire/blob/master/data/module_source/code_execution/Invoke-DllInjection.ps1#L291
      * https://github.com/EmpireProject/Empire/blob/master/data/module_source/code_execution/Invoke-DllInjection.ps1#L295
      * https://github.com/EmpireProject/Empire/blob/master/data/module_source/code_execution/Invoke-DllInjection.ps1#L303
      * https://github.com/EmpireProject/Empire/blob/master/data/module_source/code_execution/Invoke-DllInjection.ps1#L307
      * https://docs.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya
    ```
  </details>

### Older Analytics
- ```sql
    --Analytic I

    --FP Rate - High
    --Log Channel - ['Microsoft-Windows-Sysmon/Operational']
    --Description - Look for any use of the CreateRemoteThread function to create a remote thread starting at the memory address (which means this will execute LoadLibrary in the remote process)
    
    df = spark.sql(
        '''
    SELECT `@timestamp`, computer_name, SourceImage, TargetImage
    FROM mordorTable
    WHERE channel = "Microsoft-Windows-Sysmon/Operational"
    AND event_id = 8
    AND lower(StartModule) LIKE "%kernel32.dll"
    AND StartFunction = "LoadLibraryA"
    '''
    )
    df.show(10,False)
    ```

- ```sql
    --Analytic II

    --FP Rate: Medium
    --Log Channel:['Microsoft-Windows-Sysmon/Operational']
    --Description: You can look for the same file being created and loaded. The process that creates the file and loads the file are not the same.

    df = spark.sql(
        '''
    SELECT f.`@timestamp` AS file_date, m.`@timestamp` AS module_date, f.computer_name, f.Image AS file_image, m.Image AS module_image, m.ImageLoaded, f.TargetFilename
    FROM mordorTable f
    INNER JOIN (
    SELECT `@timestamp`,computer_name,Image,ImageLoaded,TargetLogonId,IpAddress
    FROM mordorTable
    WHERE channel = "Microsoft-Windows-Sysmon/Operational"
    AND event_id = 7
    ) m
    ON f.TargetFilename = m.ImageLoaded
    WHERE f.channel = "Microsoft-Windows-Sysmon/Operational"
    AND f.event_id = 11
    AND f.computer_name = m.computer_name
    '''
    )
    df.show(10,False)
    ```

#### Analytic 1

  * **Information:** use the TOR Status Page to verify what servers are active.

  * **Source:** PCAP, sessions*

  * **Tool:** Arkime, Kibana

  * **Notes:** Identify Common Tor ports seen across the network, Identify protocols not running on standard ports, (RDP, SMB, etc.) and examine traffic that is seen to what is expected.

  * **Query Arkime:** 
    - `port.dst == [9000,9001]`
    - `protocols == [rdp,smb]`
    - `port.dst == [3389, 445, 137] && protocols != [smb, rdp]`   
    
  * **Query Kibana:** 
    - `port.dst : (9000,9001])`
    - `protocol : [rdp, smb]`