Proxy T1090
Tactic: Command & Control
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Events covered
17 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 82 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (80 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (842 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (170 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 34 rules
- Cloudflared Portable Execution
- Cloudflared Quick Tunnel Execution
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution
- Communication To LocaltoNet Tunneling Service Initiated
- Communication To LocaltoNet Tunneling Service Initiated - Linux
- Communication To Ngrok Tunneling Service - Linux
- Communication To Ngrok Tunneling Service Initiated
- Connection Proxy
- DNS Query Tor .Onion Address - Sysmon
- HackTool - Htran/NATBypass Execution
- HackTool - SharpChisel Execution
- Kalambur Backdoor Curl TOR SOCKS Proxy Execution
- Malicious IP Address Sign-In Failure Rate
- Malicious IP Address Sign-In Suspicious
- Network Communication Initiated To Portmap.IO Domain
- Network proxy configuration changed
- New Port Forwarding Rule Added Via Netsh.EXE
- New PortProxy Registry Entry Added
- Ngrok Usage with Remote Desktop Service
- OpenCanary - HTTPPROXY Login Attempt
- Potentially Suspicious Azure Front Door Connection
- Potentially Suspicious Usage Of Qemu
- PUA - Chisel Tunneling Tool Execution
- PUA - Fast Reverse Proxy (FRP) Execution
- PUA - NPS Tunneling Tool Execution
- PUA- IOX Tunneling Tool Execution
- Query Tor Onion Address - DNS Client
- RDP over Reverse SSH Tunnel WFP
- RDP Port Forwarding Rule Added Via Netsh.EXE
- Renamed Cloudflared.EXE Execution
- Sign-In From Malware Infected IP
- Suspicious TCP Tunnel Via PowerShell Script
- Tor Client/Browser Execution
Elastic 19 rules
- Connection to Commonly Abused Web Services
- Curl SOCKS Proxy Activity from Unusual Parent
- Curl SOCKS Proxy Detected via Defend for Containers
- DNS to Commonly Abused Web Services
- FortiGate SOCKS Traffic from an Unusual Process
- IPv4/IPv6 Forwarding Activity
- Kubectl Network Configuration Modification
- Port Forwarding Rule Addition
- Potential Linux Tunneling and/or Port Forwarding
- Potential Linux Tunneling and/or Port Forwarding via Command Line
- Potential Linux Tunneling and/or Port Forwarding via SSH Option
- Potential Protocol Tunneling via Chisel Client
- Potential Protocol Tunneling via Cloudflared
- Potential Protocol Tunneling via EarthWorm
- Potential Protocol Tunneling via Yuze
- Potential Traffic Tunneling using QEMU
- ProxyChains Activity
- Suspicious Utility Launched via ProxyChains
- Tunneling and/or Port Forwarding Detected via Defend for Containers
Splunk 14 rules
- Cisco IOS XE Tunnel Interface Configuration
- Cisco SA - Access to Anonymizer Services
- Cisco Secure Firewall - Connection to File Sharing Domain
- Linux Ngrok Reverse Proxy Usage
- Linux Proxy Socks Curl
- Ngrok Reverse Proxy on Network
- Okta Non-Standard VPN Usage
- TOR Traffic
- Windows Devtunnels Execution
- Windows Devtunnels Image Loaded
- Windows Ngrok Reverse Proxy Usage
- Windows Proxy Via Netsh
- Windows Proxy Via Registry
- Windows TOR Client Execution
Kusto 7 rules
- BitSight - drop in company ratings
- BitSight - drop in the headline rating
- Corelight - External Proxy Detected
- Excessive Denied Proxy Traffic
- Ngrok Reverse Proxy on Network (ASIM DNS Solution)
- Squid proxy events for ToR proxies
- Ubiquiti - Unusual DNS connection
YARA-L 6 rules
- AWS GuardDuty Tor Network Activity Detected
- GCTI Benign Binaries Contacts Tor Exit Node
- GCTI Tor Exit Nodes
- Google Safebrowsing File Contacts Tor Exit Node
- MITRE ATT&CK T1090 Port Proxy Forwarding CISA Report
- VT Relationships File Contacts Tor IP