T1090

Proxy

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server. This avoids direct connections to adversary infrastructure, provides resiliency, and may allow C2 traffic to blend with legitimate communications. Proxies may be implemented using standalone tools (HTRAN, FRP, Earthworm, Chisel), built into implants (SombRAT SOCKS proxy, ZxShell), or leveraged through cloud CDN infrastructure.

Microsoft Sentinel / Defender

kusto

let KnownProxyTools = dynamic([
  "htran", "ew.exe", "earthworm", "frpc", "frps", "frp",
  "chisel", "revsocks", "ligolo", "proxychains",
  "3proxy", "socks5", "ngrok", "iox", "gost",
  "npc.exe", "nps.exe", "invoke-ngrok"
]);
let ProxyCommandPatterns = dynamic([
  "-socks", "-socks5", "-socks4",
  "lcx", "htran", "portmap",
  "-L ", "-R ", "-D ",
  "proxytunnel", "proxychains",
  "connect-proxy", "corkscrew"
]);
let SuspiciousListenerPatterns = dynamic([
  "0.0.0.0", "*:4444", "*:1080", "*:8080", "*:9050", "*:10080"
]);
let ProxyResults = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (KnownProxyTools)
   or ProcessCommandLine has_any (ProxyCommandPatterns)
   or (FileName =~ "plink.exe" and ProcessCommandLine has_any ("-R", "-L", "-D"))
   or (FileName =~ "ssh.exe" and ProcessCommandLine has_any ("-R", "-L", "-D") and ProcessCommandLine !has "scp")
   or (FileName =~ "netsh.exe" and ProcessCommandLine has "portproxy")
   or (ProcessCommandLine has "frpc" and ProcessCommandLine has "ini")
| extend ToolType = case(
    FileName has_any ("htran", "ew.exe", "earthworm"), "Known Proxy Tool",
    FileName has_any ("frpc", "frps", "frp"), "Fast Reverse Proxy (FRP)",
    FileName has_any ("chisel", "revsocks", "ligolo"), "Tunneling Tool",
    FileName has_any ("ngrok", "invoke-ngrok"), "Ngrok Tunnel",
    FileName =~ "netsh.exe" and ProcessCommandLine has "portproxy", "Netsh Port Proxy",
    FileName has_any ("plink.exe", "ssh.exe"), "SSH Tunnel",
    "Generic Proxy Pattern"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, FolderPath, ToolType;
let NetshPortProxy = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "netsh.exe"
| where ProcessCommandLine has_all ("portproxy", "add")
| extend ToolType = "Netsh Port Proxy"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         InitiatingProcessAccountName, FolderPath, ToolType;
union ProxyResults, NetshPortProxy
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

SSH tunneling by developers and sysadmins for legitimate port forwarding (database access, jump hosts, VS Code Remote)
Ngrok or similar tools used by developers to expose local web services during testing or demos
Corporate proxy clients (Zscaler, Netskope agents) that implement local SOCKS listeners
Netsh portproxy rules created by network administrators for legitimate service redirection
Penetration testing tools and authorized red team activity using proxychains or Chisel

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image), CommandLine=lower(CommandLine)
| eval KnownProxyTool=if(
    match(Image, "(htran|earthworm|\.exe)") AND match(Image, "(htran|ew\.exe|earthworm|frpc|frps|chisel|revsocks|ligolo|3proxy|ngrok|iox|gost|npc\.exe|nps\.exe)"),
    1, 0)
| eval FRPTool=if(match(Image, "(frpc|frps)") OR (match(CommandLine, "frpc") AND match(CommandLine, "\.ini")), 1, 0)
| eval SSHTunnel=if(
    (match(Image, "(plink\.exe|ssh\.exe)") AND match(CommandLine, "(-r\s|-l\s|-d\s)")),
    1, 0)
| eval NetshProxy=if(
    match(Image, "netsh\.exe") AND match(CommandLine, "portproxy") AND match(CommandLine, "add"),
    1, 0)
| eval ProxychainsTool=if(match(Image, "proxychains") OR match(CommandLine, "proxychains"), 1, 0)
| eval NgrokTool=if(match(Image, "ngrok") OR match(CommandLine, "ngrok") OR match(CommandLine, "invoke-ngrok"), 1, 0)
| eval SocksFlag=if(match(CommandLine, "(-socks5|-socks4|-socks\s|socks5://|socks4://)"), 1, 0)
| eval ProxyScore=KnownProxyTool + FRPTool + SSHTunnel + NetshProxy + ProxychainsTool + NgrokTool + SocksFlag
| where ProxyScore > 0
| eval ToolCategory=case(
    KnownProxyTool=1, "Known Proxy Binary",
    FRPTool=1, "Fast Reverse Proxy",
    SSHTunnel=1, "SSH Port Forward",
    NetshProxy=1, "Netsh PortProxy",
    NgrokTool=1, "Ngrok Tunnel",
    ProxychainsTool=1, "Proxychains",
    SocksFlag=1, "SOCKS Proxy Flag",
    true(), "Generic Proxy Pattern")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, ToolCategory, ProxyScore
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

SSH tunneling by developers and sysadmins for legitimate port forwarding (database access, jump hosts, VS Code Remote)
Ngrok or similar tools used by developers to expose local web services during testing or demos
Corporate proxy clients (Zscaler, Netskope agents) that implement local SOCKS listeners
Netsh portproxy rules created by network administrators for legitimate service redirection
Penetration testing tools and authorized red team activity using proxychains or Chisel

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip AS host_ip,
  hostname,
  username AS actor,
  "Process Name" AS image_path,
  "Command" AS command_line,
  QIDNAME(qid) AS event_category,
  logsourcename(logsourceid) AS log_source
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
  AND (
    "Process Name" ILIKE '%htran%'
    OR "Process Name" ILIKE '%ew.exe%'
    OR "Process Name" ILIKE '%earthworm%'
    OR "Process Name" ILIKE '%frpc%'
    OR "Process Name" ILIKE '%frps%'
    OR "Process Name" ILIKE '%chisel%'
    OR "Process Name" ILIKE '%revsocks%'
    OR "Process Name" ILIKE '%ligolo%'
    OR "Process Name" ILIKE '%proxychains%'
    OR "Process Name" ILIKE '%3proxy%'
    OR "Process Name" ILIKE '%ngrok%'
    OR "Process Name" ILIKE '%gost%'
    OR "Process Name" ILIKE '%npc.exe%'
    OR "Process Name" ILIKE '%nps.exe%'
    OR "Command" ILIKE '%-socks5%'
    OR "Command" ILIKE '%-socks4%'
    OR "Command" ILIKE '%socks5://%'
    OR "Command" ILIKE '%socks4://%'
    OR "Command" ILIKE '%proxychains%'
    OR "Command" ILIKE '%proxytunnel%'
    OR "Command" ILIKE '%invoke-ngrok%'
    OR "Command" ILIKE '%connect-proxy%'
    OR (
      "Process Name" ILIKE '%plink.exe%'
      AND (
        "Command" ILIKE '% -r %'
        OR "Command" ILIKE '% -l %'
        OR "Command" ILIKE '% -d %'
      )
    )
    OR (
      "Process Name" ILIKE '%ssh.exe%'
      AND (
        "Command" ILIKE '% -r %'
        OR "Command" ILIKE '% -l %'
        OR "Command" ILIKE '% -d %'
      )
      AND "Command" NOT ILIKE '%scp%'
    )
    OR (
      "Process Name" ILIKE '%netsh.exe%'
      AND "Command" ILIKE '%portproxy%'
      AND "Command" ILIKE '%add%'
    )
    OR (
      "Command" ILIKE '%frpc%'
      AND "Command" ILIKE '%.ini%'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

IBM QRadar SIEM Microsoft Windows Sysmon DSM Windows Security Event Log DSM

Required Tables

events

False Positives

Authorized penetration testers or red team operators running proxy tools during scheduled security assessments
Developers and DevOps engineers using SSH local port forwarding to connect to internal databases through jump hosts
SOC analysts executing proxy tool binaries in isolated sandboxes while analyzing malware samples

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where EventID="1" OR EventCode="1"
| eval image_lower=toLowerCase(Image)
| eval cmd_lower=toLowerCase(CommandLine)
| where (image_lower matches "*htran*" OR image_lower matches "*ew.exe*" OR image_lower matches "*earthworm*" OR image_lower matches "*frpc*" OR image_lower matches "*frps*" OR image_lower matches "*chisel*" OR image_lower matches "*revsocks*" OR image_lower matches "*ligolo*" OR image_lower matches "*proxychains*" OR image_lower matches "*3proxy*" OR image_lower matches "*ngrok*" OR image_lower matches "*gost*" OR image_lower matches "*npc.exe*" OR image_lower matches "*nps.exe*")
  OR (cmd_lower matches "*-socks5*" OR cmd_lower matches "*-socks4*" OR cmd_lower matches "*socks5://*" OR cmd_lower matches "*socks4://*" OR cmd_lower matches "*proxychains*" OR cmd_lower matches "*proxytunnel*" OR cmd_lower matches "*portproxy*" OR cmd_lower matches "*invoke-ngrok*" OR cmd_lower matches "*connect-proxy*" OR cmd_lower matches "*corkscrew*")
  OR (image_lower matches "*plink.exe*" AND (cmd_lower matches "* -r *" OR cmd_lower matches "* -l *" OR cmd_lower matches "* -d *"))
  OR (image_lower matches "*ssh.exe*" AND (cmd_lower matches "* -r *" OR cmd_lower matches "* -l *" OR cmd_lower matches "* -d *") AND !(cmd_lower matches "*scp*"))
  OR (image_lower matches "*netsh.exe*" AND cmd_lower matches "*portproxy*" AND cmd_lower matches "*add*")
  OR (cmd_lower matches "*frpc*" AND cmd_lower matches "*.ini*")
| eval ToolCategory = if(image_lower matches "*htran*" OR image_lower matches "*earthworm*" OR image_lower matches "*ew.exe*", "Known Proxy Binary",
    if(image_lower matches "*frpc*" OR image_lower matches "*frps*" OR (cmd_lower matches "*frpc*" AND cmd_lower matches "*.ini*"), "Fast Reverse Proxy",
    if((image_lower matches "*plink.exe*" OR image_lower matches "*ssh.exe*") AND (cmd_lower matches "* -r *" OR cmd_lower matches "* -l *" OR cmd_lower matches "* -d *"), "SSH Port Forward",
    if(image_lower matches "*netsh.exe*" AND cmd_lower matches "*portproxy*", "Netsh PortProxy",
    if(image_lower matches "*ngrok*" OR cmd_lower matches "*invoke-ngrok*", "Ngrok Tunnel",
    if(image_lower matches "*proxychains*" OR cmd_lower matches "*proxychains*", "Proxychains",
    if(cmd_lower matches "*-socks5*" OR cmd_lower matches "*-socks4*", "SOCKS Proxy Flag",
    "Generic Proxy Pattern")))))))
| fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, ToolCategory
| sort by _time desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon via Sumo Logic Installed Collector Windows Event Logs via Sumo Logic Universal Forwarder

Required Tables

_sourceCategory (Sysmon or Windows endpoint logs)

False Positives

Developers using ngrok or localtunnel to expose local web servers for client demos or webhook integration testing
System administrators using SSH dynamic port forwarding (-D) to create SOCKS proxies for secure browsing through bastion hosts
CI/CD pipelines invoking SSH port forwarding in automated deployment scripts to reach isolated environments

Google Chronicle / SecOps

yaral

rule detect_proxy_tool_execution_t1090 {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of known proxy and tunneling tools (T1090 - Proxy)"
    severity = "HIGH"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1090"
    confidence = "high"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(htran|ew\.exe|earthworm|frpc\.exe|frps\.exe|chisel\.exe|revsocks|ligolo|proxychains|3proxy|ngrok|iox\.exe|gost\.exe|npc\.exe|nps\.exe)`) or
      re.regex($e.target.process.command_line, `(?i)(-socks5|-socks4|-socks\s|socks5://|socks4://|proxychains|proxytunnel|portmap|invoke-ngrok|connect-proxy|corkscrew|lcx)`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)plink\.exe`) and
        re.regex($e.target.process.command_line, `(?i)\s-(R|L|D)\s`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)ssh\.exe`) and
        re.regex($e.target.process.command_line, `(?i)\s-(R|L|D)\s`) and
        not re.regex($e.target.process.command_line, `(?i)\bscp\b`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)netsh\.exe`) and
        re.regex($e.target.process.command_line, `(?i)portproxy`) and
        re.regex($e.target.process.command_line, `(?i)\badd\b`)
      ) or
      (
        re.regex($e.target.process.command_line, `(?i)\bfrpc\b`) and
        re.regex($e.target.process.command_line, `(?i)\.ini`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Windows endpoint telemetry via Chronicle forwarder or Bindplane Sysmon events normalized to Chronicle UDM

Required Tables

PROCESS_LAUNCH (UDM event type)

False Positives

Developers legitimately using ngrok or similar SaaS tunneling services during development or demo workflows
System administrators using SSH -L, -R, or -D flags for authorized remote access through bastion or jump hosts
DevOps automation invoking SSH port forwarding in deployment scripts for secure connectivity to isolated environments

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageLower := lower(ImageFileName)
| CmdLower := lower(CommandLine)
| filter {
    ImageLower = /(htran|ew\.exe|earthworm|frpc|frps|chisel|revsocks|ligolo|proxychains|3proxy|ngrok|iox\.exe|gost\.exe|npc\.exe|nps\.exe)/
    OR CmdLower = /(-socks5|-socks4|-socks\s|socks5:\/\/|socks4:\/\/|proxychains|proxytunnel|portmap|invoke-ngrok|connect-proxy|corkscrew)/
    OR (ImageLower = /plink\.exe/ AND CmdLower = /\s-(r|l|d)\s/)
    OR (ImageLower = /ssh\.exe/ AND CmdLower = /\s-(r|l|d)\s/ AND NOT CmdLower = /scp/)
    OR (ImageLower = /netsh\.exe/ AND CmdLower = /portproxy/ AND CmdLower = /\badd\b/)
    OR (CmdLower = /\bfrpc\b/ AND CmdLower = /\.ini/)
  }
| ToolCategory := case {
    ImageLower = /(htran|earthworm|ew\.exe)/ => "Known Proxy Binary" ;
    ImageLower = /(frpc|frps)/ => "Fast Reverse Proxy" ;
    CmdLower = /\bfrpc\b/ AND CmdLower = /\.ini/ => "Fast Reverse Proxy" ;
    ImageLower = /(plink\.exe|ssh\.exe)/ AND CmdLower = /\s-(r|l|d)\s/ => "SSH Port Forward" ;
    ImageLower = /netsh\.exe/ AND CmdLower = /portproxy/ => "Netsh PortProxy" ;
    ImageLower = /ngrok/ OR CmdLower = /invoke-ngrok/ => "Ngrok Tunnel" ;
    ImageLower = /proxychains/ OR CmdLower = /proxychains/ => "Proxychains" ;
    CmdLower = /(-socks5|-socks4|-socks)/ => "SOCKS Proxy Flag" ;
    * => "Generic Proxy Pattern"
  }
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ToolCategory], limit=1000)
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR platform Falcon sensor process telemetry (ProcessRollup2 events) CrowdStrike LogScale data repository

Required Tables

ProcessRollup2

False Positives

Authorized red team or penetration testing operations using proxy tools against designated test targets within agreed scope
Software developers using ngrok or chisel for local tunnel testing during feature development and integration testing
IT administrators using SSH port forwarding (-L/-R/-D) for authorized remote maintenance through corporate jump hosts

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1090 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Proxy

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (4)

Same Tactic: Command and Control

Popular Detections