atomic-threat-coverage/Atomic_Threat_Coverage/Triggers/T1090.md

# T1090 - Connection Proxy
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1090)
<blockquote>A connection proxy is used to direct network traffic between systems or act as an intermediary for network communications. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools)

The definition of a proxy can also be expanded out to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other.

The network may be within a single organization or across organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.</blockquote>

## Atomic Tests

- [Atomic Test #1 - Connection Proxy](#atomic-test-1---connection-proxy)


<br/>

## Atomic Test #1 - Connection Proxy
Enable traffic redirection.

To undo changes made by this test:
  unset http_proxy
  unset https_proxy

Note that this test may conflict with pre-existing system configuration.

**Supported Platforms:** macOS, Linux


#### Inputs
| Name | Description | Type | Default Value | 
|------|-------------|------|---------------|
| proxy_server | Proxy server URL (host:port) | url | 127.0.0.1:8080|
| proxy_scheme | Protocol to proxy (http or https) | string | http|

#### Run it with `sh`!
```
export #{proxy_scheme}_proxy=#{proxy_server}
```
<br/>