T1090.003 - Proxy: Multi-hop Proxy
Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source.
For example, adversaries may construct or use onion routing networks – such as the publicly available [Tor](https://attack.mitre.org/software/S0183) network – to transport encrypted C2 traffic through a compromised population, allowing communication with any device within the network.(Citation: Onion Routing)
In the case of network infrastructure, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain (i.e., [Network Devices](https://attack.mitre.org/techniques/T1584/008)). By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001) on routers, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method allowing the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s Wide-Area Network (WAN). Protocols such as ICMP may be used as a transport.
Similarly, adversaries may abuse peer-to-peer (P2P) and blockchain-oriented infrastructure to implement routing between a decentralized network of peers.(Citation: NGLite Trojan)
Atomic Tests
Atomic Test #1 - Psiphon
Psiphon 3 is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide you
with uncensored access to Internet.
This process will launch Psiphon 3 and establish a connection. Shortly after it will be shut down via process kill commands.
More information can be found about Psiphon using the following urls
http://s3.amazonaws.com/0ubz-2q11-gi9y/en.html
https://psiphon.ca/faq.html
Supported Platforms: Windows
auto_generated_guid: 14d55ca0-920e-4b44-8425-37eedd72b173
Attack Commands: Run with
!
1
| & "PathToAtomicsFolder\T1090.003\src\Psiphon.bat"
|
Cleanup Commands:
1
2
3
| $Proxy = Get-Content $env:Temp\proxy-backup.txt -ErrorAction Ignore
if($null -ne $Proxy)
{Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -Value $Proxy}
|
Dependencies: Run with
!
Description: The proxy settings backup file must exist on disk at $env:Temp\proxy-backup.txt
Check Prereq Commands:
1
| if (Test-Path $env:Temp\proxy-backup.txt) {exit 0} else {exit 1}
|
Get Prereq Commands:
1
2
3
| if(-not (test-path $env:Temp\proxy-backup.txt)){
$Proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -ErrorAction Ignore).ProxyServer
Set-Content $env:Temp\proxy-backup.txt $Proxy}
|
Description: The Psiphon executable must exist in the Downloads folder
Check Prereq Commands:
1
| if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\psiphon3.exe") {exit 0} else {exit 1}
|
Get Prereq Commands:
1
2
| New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction ignore -Force | Out-Null
Invoke-WebRequest "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\psiphon3.exe"
|
Description: Batch file containing commands to run must be in src directory
Check Prereq Commands:
1
| if (Test-Path "PathToAtomicsFolder\T1090.003\src\Psiphon.bat") {exit 0} else {exit 1}
|
Get Prereq Commands:
1
2
| New-Item -Type Directory "PathToAtomicsFolder\T1090.003\src\" -ErrorAction ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat" -OutFile "PathToAtomicsFolder\T1090.003\src\Psiphon.bat"
|
Atomic Test #2 - Tor Proxy Usage - Windows
This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
Upon successful execution, the tor proxy will be launched, run for 60 seconds, and then exit.
Supported Platforms: Windows
auto_generated_guid: 7b9d85e5-c4ce-4434-8060-d3de83595e69
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| TorExe | Location of tor.exe file. | string | PathToAtomicsFolder\..\ExternalPayloads\tor\Tor\tor.exe|
Attack Commands: Run with
!
1
2
3
| invoke-expression 'cmd /c start powershell -Command {cmd /c "#{TorExe}"}'
sleep -s 60
stop-process -name "tor" | out-null
|
Dependencies: Run with
!
Description: tor.exe must be installed on the machine
Check Prereq Commands:
1
| if (Test-Path "#{TorExe}") {exit 0} else {exit 1}
|
Get Prereq Commands:
1
2
3
| New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\tor.zip"
expand-archive -LiteralPath "PathToAtomicsFolder\..\ExternalPayloads\tor.zip" -DestinationPath "PathToAtomicsFolder\..\ExternalPayloads\tor"
|
Atomic Test #3 - Tor Proxy Usage - Debian/Ubuntu/FreeBSD
This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
Upon successful execution, the tor proxy service will be launched.
Supported Platforms: Linux
auto_generated_guid: 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7
Attack Commands: Run with
! Elevation Required (e.g. root or admin)
1
| [ "$(uname)" = 'FreeBSD' ] && sysrc tor_enable="YES" && service tor start || sudo systemctl start tor
|
Cleanup Commands:
1
| [ "$(uname)" = 'FreeBSD' ] && service tor stop && sysrc -x tor_enable || sudo systemctl stop tor
|
Dependencies: Run with
!
Description: Tor must be installed on the machine
Check Prereq Commands:
1
| if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi
|
Get Prereq Commands:
1
| (which apt && sudo apt-get -y install tor) || (which pkg && pkg install -y tor)
|
Atomic Test #4 - Tor Proxy Usage - MacOS
This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality.
Upon successful execution, the tor proxy service will be launched.
Supported Platforms: macOS
auto_generated_guid: 12631354-fdbc-4164-92be-402527e748da
Attack Commands: Run with
!
1
| osascript -e 'tell application "Terminal" to do script "tor"'
|
Cleanup Commands:
1
| killall tor > /dev/null 2>&1
|
Dependencies: Run with
!
Description: Tor must be installed on the machine
Check Prereq Commands:
1
| if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi
|
Get Prereq Commands:
1
2
| if [ ! -x "$(command -v brew --version)" ]; then /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh keystroke return)"; fi
brew install tor
|