detection.wiki

Proxy: External Proxy T1090.002

Tactic: Command & Control

Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.

Events covered

4 catalog events are tagged with this technique by at least one rule.

ProviderEventTitle
SysmonEvent ID 1Process creation
SysmonEvent ID 3Network connection
Security-AuditingEvent ID 4688A new process has been created.
Security-AuditingEvent ID 5156The Windows Filtering Platform has permitted a connection.

Authoring guide

Patterns shared across the 7 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (22 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
process_name4eq 2, is_not_null 2cloudflared.exe, curl
EventType2eq 2ConnectionEvent, exec
dns.question.name2is_not_null 2, wildcard 2*.2miners.com, *.4shared.com, *.antpool.com, *.blob.core.windows.net, *.blob.storage.azure.net
event.type2eq 2start
host.os.type2eq 2
process.args2eq 2, wildcard 1--preproxy, --proxy, --socks5-hostname, tunnel
DestinationHostname1ends_with 1.portmap.io
DestinationPort1eq 13389
FilterOrigin1eq 1AppContainer Loopback
Image1ends_with 1\thor.exe, \thor64.exe
Initiated1eq 1true
OriginalFileName1eq 1cloudflared.exe
ParentImage1starts_with 1/boot/, /dev/shm/, /home/
SourcePort1eq 13389
action1in 1Allow, Trust, allowed

Top indicator values (316 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
dns.question.namewildcard
*.blob.core.windows.net
22
dns.question.namewildcard
*.blob.storage.azure.net
22
dns.question.namewildcard
*.blogspot.com
22
dns.question.namewildcard
*.cloud.es.io
22
dns.question.namewildcard
*.devtunnels.ms
22
dns.question.namewildcard
*.elastic-cloud.com
22
dns.question.namewildcard
*.ngrok.io
22
dns.question.namewildcard
*.onedrive.org
22
dns.question.namewildcard
*.portmap.*
22
dns.question.namewildcard
*.publicvm.com
22
dns.question.namewildcard
*.sharepoint.com
22
dns.question.namewildcard
*.supabase.co
22
dns.question.namewildcard
*.zulipchat.com
22
dns.question.namewildcard
*files.1drv.com
22
dns.question.namewildcard
*googleapis.com
22
dns.question.namewildcard
*hosting-profi.de
22
dns.question.namewildcard
*icp0.io
22
dns.question.namewildcard
*localtunnel.me
22
dns.question.namewildcard
*pagekite.me
22
dns.question.namewildcard
*up.freeo*.space
22
dns.question.namewildcard
?.top4top.io
22
dns.question.namewildcard
api.anonfile.com
22
dns.question.namewildcard
api.github.com
22
dns.question.namewildcard
api.mylnikov.org
22
dns.question.namewildcard
api.onedrive.com
22
dns.question.namewildcard
api.telegram.org
22
dns.question.namewildcard
apis.azureedge.net
22
dns.question.namewildcard
cdn.discordapp.com
22
dns.question.namewildcard
controlc.com
22
dns.question.namewildcard
discord.com
22

Exclusions (90 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
FilterOrigineq
AppContainer Loopback
1
Imageends_with
\thor.exe
1
Imageends_with
\thor64.exe
1
Imagewildcard
/opt/elastic/agent/data/elastic-agent-*/components/elastic-otel-collector
1
Imagewildcard
/opt/google-cloud-ops-agent/subagents/fluent-bit/bin/fluent-bit
1
Imagewildcard
/opt/google-cloud-ops-agent/subagents/opentelemetry-collector/otelopscol
1
Imagewildcard
/opt/google/chrome/chrome
1
Imagewildcard
/snap/chromium/*/usr/lib/chromium-browser/chrome
1
Imagewildcard
/snap/firefox/*/usr/lib/firefox/firefox
1
Imagewildcard
/usr/bin/dockerd
1
Imagewildcard
/usr/bin/google_osconfig_agent
1
Imagewildcard
/usr/bin/pihole-ftl
1
Imagewildcard
/usr/bin/warp-svc
1
Imagewildcard
/usr/lib/systemd/systemd-resolved
1
Imagewildcard
/usr/local/bin/rclone
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Platform (all)
Domain (all)

Sigma 2 rules

Elastic 4 rules

Splunk 1 rule