chiploha.blogg.se

Zenmap failed to open device








Reverse proxies allow adversaries (APTs) to pivot attacks into secured environments, as they’re capable of bypassing inbound firewall restrictions. In recent news, a federal agency’s enterprise network was the victim of such an attack. The adversaries used a variant of Invoke-SocksProxy, an open-source reverse proxy tool found on GitHub.

Described by the Cybersecurity and Infrastructure Security Agency (CISA):

The cyber threat actor established Persistence and C2 on the victim network by creating a persistent SSH tunnel/reverse SOCKS proxy … PowerShell script created a reverse SMB SOCKS proxy that allowed connections between attacker-controlled VPS … and the victim organization’s file server … Invoke-SocksProxy.ps1 creates a reverse proxy from the local machine to attacker infrastructure …

What is a Reverse Proxy?

As defined by the MITRE ATT&CK Framework:

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications … to avoid direct connections to their infrastructure … Adversaries use these types of proxies to manage C2 communications, reduce the number of simultaneous outbound network connections … Adversaries may chain together multiple proxies to further disguise the source of malicious traffic…

Setup the Attack

The network topology contains several devices connected to an internal network (172.16.0.1/24).

Proxy Nmap and Crackmapexec with Proxychains








