T1090.003
Multi-hop Proxy
Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. ...
ESXi, Linux, macOS, Network Devices, Windows
8 Detections
4 Sources
11 Threat Actors
BY SOURCE
sigma: 3, elastic: 2, splunk_escu: 2, crowdstrike_cql: 1
PROCEDURES (5)
Network Connection Monitoring: 3 detections
Auto-extracted: 3 detections for network connection monitoring
Dns: 2 detections
Auto-extracted: 2 detections for dns
Exfiltrat: 1 detection
Auto-extracted: 1 detection for exfiltrat
Process Creation Monitoring: 1 detection
Auto-extracted: 1 detection for process creation monitoring
Exfiltrat: 1 detection
Auto-extracted: 1 detection for exfiltrat
THREAT ACTORS (11)
DETECTIONS (8)
Connections to Tor Exit Nodes
crowdstrike_cql
DNS Query Tor .Onion Address - Sysmon
sigma (high)
ProxyChains Activity
elastic (medium)
Query Tor Onion Address - DNS Client
sigma (high)
Suspicious Utility Launched via ProxyChains
elastic (medium)
Tor Client/Browser Execution
sigma (high)
TOR Traffic
splunk_escu
Windows TOR Client Execution
splunk_escu