S1144 FRP
FRP, which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet. FRP can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.[2][4][3][1]
| Item | Value |
|---|---|
| ID | S1144 |
| Associated Names | |
| Type | TOOL |
| Version | 1.0 |
| Created | 10 July 2024 |
| Last Modified | 30 July 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | FRP has the ability to use HTTP and HTTPS to enable the forwarding of requests for internal services via domain name.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.007 | JavaScript | FRP can support the use of a JSON configuration file.[2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | FRP can use STCP (Secret TCP) with a preshared key to encrypt services exposed to public networks.[2] |
| enterprise | T1573.002 | Asymmetric Cryptography | FRP can be configured to only accept TLS connections.[2] |
| enterprise | T1046 | Network Service Discovery | As part of load balancing FRP can set healthCheck.type = "tcp" or healthCheck.type = "http" to check service status on specific hosts with TCPing or an HTTP request.[2] |
| enterprise | T1095 | Non-Application Layer Protocol | FRP can communicate over TCP, TCP stream multiplexing, KERN Communications Protocol (KCP), QUIC, and UDP.[2] |
| enterprise | T1572 | Protocol Tunneling | FRP can tunnel SSH and Unix Domain Socket communications over TCP between external nodes and exposed resources behind firewalls or NAT.[2] |
| enterprise | T1090 | Proxy | FRP can proxy communications through a server in public IP space to local servers located behind a NAT or firewall.[2] |
| enterprise | T1090.003 | Multi-hop Proxy | The FRP client can be configured to connect to the server through a proxy.[2] |
| enterprise | T1049 | System Network Connections Discovery | FRP can use a dashboard and U/I to display the status of connections from the FRP client and server.[2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0108 | Blue Mockingbird | [3] |
| G0059 | Magic Hound | [1] |
| G1017 | Volt Typhoon | [7][4] |
| G1049 | AppleJeus | [6] |
References
1. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
2. fatedier. (n.d.). What is frp?. Retrieved July 10, 2024.
3. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
4. NSA et al. (2023, May 24). People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
5. Recorded Future Insikt Group. (2022, April 6). Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group. Retrieved November 21, 2024.
6. Jeff Johnson, Fred Plan, Adrian Sanchez, Renato Fontana, Jake Nicastro, Dimiter Andonov, Marius Fodoreanu, Daniel Scott. (2023, April 20). 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible. Retrieved August 25, 2025.
7. Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.