Try it using Invoke-Atomic

Proxy: Multi-hop Proxy

Description from ATT&CK

To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)

In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging Patch System Image, adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the Network Boundary Bridging method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.

Atomic Tests

Atomic Test #1 - Psiphon

Psiphon 3 is a circumvention tool from Psiphon Inc. that utilizes VPN, SSH and HTTP Proxy technology to provide you with uncensored access to Internet. This process will launch Psiphon 3 and establish a connection. Shortly after it will be shut down via process kill commands. More information can be found about Psiphon using the following urls http://s3.amazonaws.com/0ubz-2q11-gi9y/en.html https://psiphon.ca/faq.html

Supported Platforms: windows

auto_generated_guid: 14d55ca0-920e-4b44-8425-37eedd72b173

Inputs:

None

Attack Commands: Run with powershell!

1
2
PathToAtomicsFolder\T1090.003\src\Psiphon.bat

Cleanup Commands:

1
2
3
4
$Proxy = Get-Content $env:Temp\proxy-backup.txt -ErrorAction Ignore
if($null -ne $Proxy) 
{Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -Value $Proxy}

Dependencies: Run with powershell!

Description: The proxy settings backup file must exist on disk at $env:Temp\proxy-backup.txt

Check Prereq Commands:

1
2
if (Test-Path $env:Temp\proxy-backup.txt) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
3
4
if(-not (test-path $env:Temp\proxy-backup.txt)){
$Proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -ErrorAction Ignore).ProxyServer
Set-Content $env:Temp\proxy-backup.txt $Proxy}

Description: The Psiphon executable must exist in the Downloads folder

Check Prereq Commands:

1
2
if (Test-Path $env:UserProfile\Downloads\psiphon3.exe) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Invoke-WebRequest -OutFile "$env:UserProfile\Downloads\psiphon3.exe" "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe"

Description: Batch file containing commands to run must be in src directory

Check Prereq Commands:

1
2
if (Test-Path PathToAtomicsFolder\T1090.003\src\Psiphon.bat) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
Invoke-WebRequest -OutFile "PathToAtomicsFolder\T1090.003\src\Psiphon.bat" "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat"

Atomic Test #2 - Tor Proxy Usage - Windows

This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality. Upon successful execution, the tor proxy will be launched, run for 60 seconds, and then exit.

Supported Platforms: windows

auto_generated_guid: 7b9d85e5-c4ce-4434-8060-d3de83595e69

Inputs:

Name Description Type Default Value
TorExe Location of tor.exe file. String $env:temp\tor\Tor\tor.exe

Attack Commands: Run with powershell!

1
2
3
4
invoke-expression 'cmd /c start powershell -Command {cmd /c #{TorExe}}'
sleep -s 60
stop-process -name "tor" | out-null

Dependencies: Run with powershell!

Description: tor.exe must be installed on the machine

Check Prereq Commands:

1
2
if (Test-Path #{TorExe}) {exit 0} else {exit 1}

Get Prereq Commands:

1
2
3
Start-BitsTransfer -Source "https://archive.torproject.org/tor-package-archive/torbrowser/11.0.6/tor-win32-0.4.6.9.zip" -Destination "$env:temp\tor.zip" -dynamic
expand-archive -LiteralPath "$env:temp\tor.zip" -DestinationPath "$env:temp\tor"

Atomic Test #3 - Tor Proxy Usage - Debian/Ubuntu

This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality. Upon successful execution, the tor proxy service will be launched.

Supported Platforms: linux

auto_generated_guid: 5ff9d047-6e9c-4357-b39b-5cf89d9b59c7

Inputs:

None

Attack Commands: Run with sh!

1
2
sudo systemctl start tor 

Cleanup Commands:

1
2
sudo systemctl stop tor

Dependencies: Run with sh!

Description: Tor must be installed on the machine

Check Prereq Commands:

1
2
if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi

Get Prereq Commands:

1
2
sudo apt-get -y install tor

Atomic Test #4 - Tor Proxy Usage - MacOS

This test is designed to launch the tor proxy service, which is what is utilized in the background by the Tor Browser and other applications with add-ons in order to provide onion routing functionality. Upon successful execution, the tor proxy service will be launched.

Supported Platforms: macos

auto_generated_guid: 12631354-fdbc-4164-92be-402527e748da

Inputs:

None

Attack Commands: Run with sh!

1
2
osascript -e 'tell application "Terminal" to do script "tor"'

Cleanup Commands:

1
2
killall tor > /dev/null 2>&1

Dependencies: Run with sh!

Description: Tor must be installed on the machine

Check Prereq Commands:

1
2
if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi

Get Prereq Commands:

1
2
3
if [ ! -x "$(command -v brew --version)" ]; then /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh keystroke return)"; fi
brew install tor

source