lazarusholic


Proxy Tools Detected by AhnLab EDR

2024-11-26, Ahnlab
https://asec.ahnlab.com/en/84841/
#Andariel #Kimsuky #Lazarus

After gaining control over infected systems, threat actors may also perform remote screen control using RDP. This is partly for convenience, but it can also serve to maintain persistence. If the RDP service is not active during the attack, threat actors may install RDP Wrappers, steal existing account credentials, or create new backdoor accounts.
However, if the infected system sits inside a private network (e.g., behind NAT), remote desktop access from outside is impossible even when the IP address and account credentials are known. To get around this, threat actors often install proxy tools whose features expose the internal system to external access.
Commonly used tools include Ngrok and Plink, but threat actors may also develop their own tools. For example, groups like Kimsuky and Andariel use self-developed proxy tools during their attacks to control infected systems remotely through RDP. This section covers the …