T1090.001: T1090.001

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 15/03/2020 00:08 · Modified 14/04/2026 11:51

Essential information

MITRE technique ID: T1090.001
Confidence: 100/100
Revoked: No
Published: 15/03/2020 00:08
Modified: 14/04/2026 11:51
Author / Source: The MITRE Corporation

Aliases

Internal Proxy

Platforms

windows macos linux Network Devices ESXi

Description

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment. By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.

Kill chain phases

Kill chain	Phase
mitre-attack	command-and-control

Marking (TLP)

External references

Trend Micro APT Attack Tools
mitre-attack (T1090.001)
University of Birmingham C2

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (21)

APT-C-13, Sandworm, FROZENBARENTS uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SHADOW-EARTH-053 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT39 uses ITG07Chafer

The MITRE Corporation Confidence 100

[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN13 uses Elephant Beetle

The MITRE Corporation Confidence 100

[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Strider uses ProjectSauron

The MITRE Corporation Confidence 100

[Strider](https://attack.mitre.org/groups/G0041) is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.(Citation: Symantec Strider Blog)(Citation:…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Thrip uses DRAGONFISHSpring Dragon

The MITRE Corporation Confidence 100

[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well…

First seen 01/01/1970 · Last seen 16/11/5138 ·
CL-UNK-1037 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
VerdantBamboo uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Volt Typhoon uses BRONZE SILHOUETTEVanguard Panda

The MITRE Corporation Confidence 100

[Volt Typhoon](https://attack.mitre.org/groups/G1017) is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021 primarily targeting critical infrastructure organizations in the US and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Hive0163 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Longzhi uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

1–12 of 21

Duqu uses
POISONPLUG.SHADOW uses

Family
Qilin uses

Family
StarProxy uses

Family
BabyShark - S0414 uses

Family
W32.Stuxnet uses

Family
Cobalt Strike uses

Family
AGENTPSD uses

Family
BurrowShell uses

Family
Gafgyt uses

Family
CHOPSTICK uses
SweetPotato uses

Family

← Previous

Page / 7

1–12 of 75

Weaver Ant, the Web Shell Whisperer: Tracking a … related

26 MITREs 2 Malwares 1 Observable 1 APT

← Previous

Page / 2

13–13 of 13

Vulnerabilities (CVE) (13)

CVE-2022-0543 targets

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2023-52271 targets

6.5 Medium

The wsftprm.sys kernel driver 2.0.0.0 in Topaz Antifraud allows low-privileged attackers to kill any (Protected Process Light) process via an IOCTL (which …

Attack vector: LOCAL
Published: 08/01/2024
Modified: 16/06/2026

CVE-2021-26855 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-26857 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2021-26858 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution. This vulnerability is part of the ProxyLogon exploit chain.

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-1055 targets

5.6 Medium

A vulnerability in the K7RKScan.sys driver, part of the K7 Security Anti-Malware suite, allows a local low-privilege user to send crafted IOCTL …

Attack vector: LOCAL
Published: 11/06/2025
Modified: 16/06/2026

Awaiting Analysis

CVE-2024-55591 KEV targets

9.8 Critical

An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version 7.0.0 through 7.0.16 and FortiProxy version 7.0.0 through …

Attack vector: Network
Published: 14/01/2025
Modified: 27/05/2026

Analyzed

CVE-2025-49844 targets

9.9 Critical

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user to use a …

Published: 03/10/2025
Modified: 03/10/2025

Received

CVE-2019-16098 targets

7.8 High

The driver in Micro-Star MSI Afterburner 4.6.2.15658 (aka RTCore64.sys and RTCore32.sys) allows any authenticated user to read and write to arbitrary memory, …

Attack vector: LOCAL
Published: 11/09/2019
Modified: 20/12/2025

CVE-2025-11953 KEV targets

9.8 Critical

The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes …

Attack vector: NETWORK
Published: 03/11/2025
Modified: 07/02/2026

Awaiting Analysis

CVE-2025-61155 targets

5.5 Medium

The GameDriverX64.sys kernel-mode anti-cheat driver (v7.23.4.7 and earlier) contains an access control vulnerability in one of its IOCTL handlers. A user-mode process …

Attack vector: LOCAL
Published: 28/10/2025
Modified: 30/01/2026

Received

← Previous

Page / 2

1–12 of 13

T1090 subtechnique-of

Proxy MITRE

Campaign (3)

SolarWinds Compromise uses
Operation Wocao uses
APT28 Nearest Neighbor Campaign uses

Tool (2)

Mythic uses

The MITRE Corporation Confidence 100

[Mythic](https://attack.mitre.org/software/S0699) is an open source, cross-platform post-exploitation/command and control platform. [Mythic](https://attack.mitre.org/software/S0699) is designed to "plug-n-play" with various agents and communication channels.(Citation: Mythic Github)(Citation: Mythic SpecterOps)(Citation: Mythc Documentation) Deployed…
Sliver uses

The MITRE Corporation Confidence 100

[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control (C2) framework written in Golang. [Sliver](https://attack.mitre.org/software/S0633) includes its own package manager, "armory," for staging and downloading additional…

Contact About Legal notice Privacy policy Terms of use