FRP (Fast Reverse Proxy) is an openly available tool that can expose a server located behind a firewall or Network Address Translation (NAT) to the Internet. FRP supports multiple protocols, including TCP, UDP, and HTTP(S), and has been abused by threat actors to proxy command and control communications.[1][2][3][4]

| Domain | ID | | Name | Use |
|---|---|---|---|---|
| Enterprise | T1090 | | Proxy | FRP can proxy communications through a server in public IP space to local servers located behind a NAT or firewall.[1] |
| | | .003 | Multi-hop Proxy | The FRP client can be configured to connect to the server through a proxy.[1] |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | FRP can use STCP (Secret TCP) with a preshared key to encrypt services exposed to public networks.[1] |
| | | .002 | Encrypted Channel: Asymmetric Cryptography | |
| Enterprise | T1572 | | Protocol Tunneling | FRP can tunnel SSH and Unix Domain Socket communications over TCP between external nodes and exposed resources behind firewalls or NAT.[1] |
| Enterprise | T1059 | .007 | Command and Scripting Interpreter: JavaScript | |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | FRP has the ability to use HTTP and HTTPS to enable the forwarding of requests for internal services via domain name.[1] |
| Enterprise | T1049 | | System Network Connections Discovery | FRP can use a dashboard and UI to display the status of connections from the FRP client and server.[1] |
| Enterprise | T1046 | | Network Service Discovery | As part of load balancing FRP can set |
| Enterprise | T1095 | | Non-Application Layer Protocol | FRP can communicate over TCP, TCP stream multiplexing, KERN Communications Protocol (KCP), QUIC, and UDP.[1] |

| ID | Name | References |
|---|---|---|
| G0108 | Blue Mockingbird | |
| G0059 | Magic Hound | |
| G1017 | Volt Typhoon | |