| ID | Name |
|---|---|
| ATAGS-T1193.001 | Internal Proxy |
| ATAGS-T1193.002 | External Proxy |
| ATAGS-T1193.003 | Multi-hop Proxy |
| ATAGS-T1193.004 | Domain Fronting |

Threat Actors may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Threat Actors use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
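
The following is an added example, not part of the original page: a flow-log heuristic for the pattern described above, where several internal hosts reach one non-server peer over SMB while only that peer holds outbound connections. The flow tuples, internal address range, server inventory, and peer threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range
KNOWN_SMB_SERVERS = {"10.0.1.10"}  # assumed inventory of sanctioned file servers

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.0.5.21", "10.0.5.40", 445),
    ("10.0.5.22", "10.0.5.40", 445),
    ("10.0.5.23", "10.0.5.40", 445),
    ("10.0.5.40", "203.0.113.9", 443),   # the only host in the group talking outbound
    ("10.0.5.21", "10.0.1.10", 445),     # normal file-server traffic
    ("10.0.5.22", "10.0.1.10", 445),
    ("10.0.5.23", "10.0.1.10", 445),
    ("10.0.5.24", "198.51.100.7", 443),  # ordinary outbound, no inbound SMB
]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def find_relay_candidates(flows, smb_servers, min_peers=3):
    """Flag non-server hosts that accept SMB from many internal peers
    and also hold connections to external addresses."""
    smb_clients = defaultdict(set)  # host -> internal peers connecting on 445
    external = defaultdict(set)     # host -> external destinations contacted
    for src, dst, dport in flows:
        if not is_internal(src):
            continue
        if is_internal(dst):
            if dport == 445:
                smb_clients[dst].add(src)
        else:
            external[src].add(dst)
    findings = []
    for host, peers in sorted(smb_clients.items()):
        if host in smb_servers or len(peers) < min_peers:
            continue
        if not external.get(host):
            continue  # inbound SMB but no outbound leg: not a relay candidate
        # Peers with no outbound traffic of their own fit the
        # "fewer simultaneous outbound connections" pattern.
        quiet = sorted(p for p in peers if not external.get(p))
        findings.append({"relay": host, "external": sorted(external[host]),
                         "quiet_peers": quiet})
    return findings


if __name__ == "__main__":
    for finding in find_relay_candidates(FLOWS, KNOWN_SMB_SERVERS):
        print(finding)
```

A hit is a lead for triage rather than a verdict; workstations that legitimately share files will match until they are added to the inventory.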