Tool: FRP

Description

[FRP](https://attack.mitre.org/software/S1144), which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet. [FRP](https://attack.mitre.org/software/S1144) can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.(Citation: FRP GitHub)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: RedCanary Mockingbird May 2020)(Citation: DFIR Phosphorus November 2021)

External References

• mitre-attack
• DFIR Phosphorus November 2021
• FRP GitHub
• RedCanary Mockingbird May 2020
• Joint Cybersecurity Advisory Volt Typhoon June 2023

Techniques Used by This Tool

• T1046 — Network Service Discovery
• T1049 — System Network Connections Discovery
• T1059.007 — JavaScript
• T1071.001 — Web Protocols
• T1090 — Proxy
• T1090.003 — Multi-hop Proxy
• T1095 — Non-Application Layer Protocol
• T1572 — Protocol Tunneling
• T1573.001 — Symmetric Cryptography
• T1573.002 — Asymmetric Cryptography

APT Groups Using This Tool

• Volt Typhoon
• Magic Hound
• Blue Mockingbird