T1090.001

Internal Proxy

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Tools such as HTRAN, ZXProxy, ZXPortMap, and Cobalt Strike's peer-to-peer beacon mode enable traffic redirection through proxies or port forwarding. Adversaries use internal proxies to manage C2 communications inside a compromised environment, reduce the number of simultaneous outbound connections, provide resiliency, or ride over existing trusted communications paths between infected systems. Internal proxy connections may use common protocols such as SMB to blend in with normal traffic.

Microsoft Sentinel / Defender

kusto

let KnownProxyTools = dynamic([
  "htran", "zxproxy", "zxportmap", "lcx", "netcat", "nc.exe", "ncat",
  "socat", "chisel", "ligolo", "frpc", "frps", "earthworm", "ew.exe",
  "venom", "iox", "gost", "revsocks", "pivotnacci", "rpivot"
]);
let PortForwardingPatterns = dynamic([
  "portproxy", "netsh interface portproxy", "netsh int portproxy",
  "v4tov4", "listenport", "connectport", "connectaddress", "listenaddress",
  "-L ", "-R ", "-D ", "dynamic ", "localforward", "remoteforward"
]);
let SuspiciousListenPorts = dynamic(["4444", "8888", "9999", "1080", "3128", "8080", "8443", "6666", "7777", "5555"]);
// Detection 1: Known proxy tool execution
let ProxyToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (KnownProxyTools) or ProcessCommandLine has_any (KnownProxyTools)
| extend DetectionType = "KnownProxyTool"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 2: netsh portproxy configuration
let NetshPortProxy = DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "netsh.exe" and ProcessCommandLine has "portproxy" and ProcessCommandLine has "add")
| extend DetectionType = "NetshPortProxy"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 3: SSH tunneling / port forwarding flags
let SSHTunneling = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("ssh.exe", "ssh", "plink.exe")
| where ProcessCommandLine has_any ("-L ", "-R ", "-D ", "-w ", "GatewayPorts", "AllowTcpForwarding")
| extend DetectionType = "SSHTunneling"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 4: Named pipe creation for proxy (Cobalt Strike SMB beacon style)
let NamedPipeProxy = DeviceEvents
| where Timestamp > ago(24h)
| where ActionType == "NamedPipeEvent"
| where AdditionalFields has_any ("msagent_", "postex_", "mojo.", "pipe\\status_", "\\hazel", "\\msse-")
| extend DetectionType = "NamedPipeProxy"
| extend AccountName = tostring(parse_json(AdditionalFields).SubjectUserName)
| project Timestamp, DeviceName, AccountName, ActionType, AdditionalFields, DetectionType,
          InitiatingProcessFileName = InitiatingProcessFileName,
          InitiatingProcessCommandLine = InitiatingProcessCommandLine,
          ProcessCommandLine = "";
ProxyToolExecution
| union NetshPortProxy
| union SSHTunneling
| union NamedPipeProxy
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Network: Network Connection Named Pipe: Named Pipe Metadata Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceEvents DeviceNetworkEvents

False Positives

Legitimate use of netsh portproxy by IT/network teams to redirect traffic for lab or testing environments
SSH port forwarding by developers or DevOps teams for legitimate access to internal services (e.g., database tunneling)
Network monitoring or vulnerability scanning tools (Nmap, Metasploit auxiliary modules) run by authorized security teams
Reverse proxy or load balancer configuration tools executed during infrastructure provisioning
VPN or zero-trust network access clients that use SOCKS proxies internally (e.g., Tailscale, ZScaler)

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
OR (sourcetype="WinEventLog:Security" EventCode=4688)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine, CommandLine)
| eval CommandLineLower=lower(CommandLine)
| eval ImageLower=lower(Image)
| eval IsProxyTool=if(match(ImageLower, "(htran|zxproxy|lcx\.exe|socat|chisel|ligolo|frpc|frps|earthworm|ew\.exe|gost|iox|revsocks|venom)") OR match(CommandLineLower, "(htran|zxproxy|lcx|earthworm|chisel|ligolo|frpc|frps|gost|iox|revsocks|pivotnacci|rpivot)"), 1, 0)
| eval IsNetshProxy=if(match(ImageLower, "netsh\.exe") AND match(CommandLineLower, "portproxy") AND match(CommandLineLower, "add"), 1, 0)
| eval IsSSHTunnel=if(match(ImageLower, "(ssh\.exe|plink\.exe)") AND match(CommandLineLower, "(\s-[lrd]\s|localforward|remoteforward|gatewayports|dynamicforward|-w \d)"), 1, 0)
| eval IsPortForwardCmd=if(match(CommandLineLower, "(v4tov4|listenport=|connectport=|connectaddress=|listenaddress=)"), 1, 0)
| eval SuspicionScore=IsProxyTool + IsNetshProxy + IsSSHTunnel + IsPortForwardCmd
| where SuspicionScore > 0
| eval DetectionType=case(
    IsProxyTool=1, "KnownProxyTool",
    IsNetshProxy=1, "NetshPortProxy",
    IsSSHTunnel=1, "SSHTunneling",
    IsPortForwardCmd=1, "PortForwardCommand",
    true(), "Unknown"
  )
| eval ParentProcess=coalesce(ParentImage, ParentCommandLine, "unknown")
| table _time, host, User, Image, CommandLine, ParentProcess, DetectionType, SuspicionScore, IsProxyTool, IsNetshProxy, IsSSHTunnel, IsPortForwardCmd
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate use of netsh portproxy by IT/network teams to redirect traffic for lab or testing environments
SSH port forwarding by developers or DevOps teams for legitimate access to internal services
Authorized penetration testing or red team exercises using proxy/pivoting tools
Network monitoring tools that use SOCKS proxies or port redirection for traffic analysis
VPN clients and zero-trust network access agents that establish internal proxy connections

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS category_name,
  "Process Name",
  "Command",
  CASE
    WHEN LOWER("Process Name") MATCHES '(htran|zxproxy|lcx\.exe|socat|chisel|ligolo|frpc|frps|earthworm|ew\.exe|gost|iox|revsocks|venom)'
      OR LOWER("Command") MATCHES '(htran|zxproxy|lcx|earthworm|chisel|ligolo|frpc|frps|gost|iox|revsocks|pivotnacci|rpivot)'
    THEN 'KnownProxyTool'
    WHEN LOWER("Process Name") MATCHES 'netsh\.exe'
      AND LOWER("Command") MATCHES 'portproxy'
      AND LOWER("Command") MATCHES 'add'
    THEN 'NetshPortProxy'
    WHEN LOWER("Process Name") MATCHES '(ssh\.exe|plink\.exe|ssh)'
      AND LOWER("Command") MATCHES '(\s-[lrd]\s|localforward|remoteforward|gatewayports|allowtcpforwarding|-w \d)'
    THEN 'SSHTunneling'
    WHEN LOWER("Command") MATCHES '(v4tov4|listenport=|connectport=|connectaddress=|listenaddress=)'
    THEN 'PortForwardCommand'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 314, 352)
  AND starttime > (NOW() - 86400000)
  AND (
    LOWER("Process Name") MATCHES '(htran|zxproxy|lcx\.exe|socat|chisel|ligolo|frpc|frps|earthworm|ew\.exe|gost|iox|revsocks|venom)'
    OR LOWER("Command") MATCHES '(htran|zxproxy|lcx|earthworm|chisel|ligolo|frpc|frps|gost|iox|revsocks|pivotnacci|rpivot|v4tov4|listenport=|connectport=|connectaddress=|listenaddress=)'
    OR (
      LOWER("Process Name") MATCHES 'netsh\.exe'
      AND LOWER("Command") MATCHES 'portproxy'
      AND LOWER("Command") MATCHES 'add'
    )
    OR (
      LOWER("Process Name") MATCHES '(ssh\.exe|plink\.exe)'
      AND LOWER("Command") MATCHES '(\s-[lrld]\s|localforward|remoteforward|gatewayports|-w \d)'
    )
  )
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon Microsoft Sysmon for Linux

Required Tables

events

False Positives

Legitimate IT automation scripts that use netsh portproxy to redirect ports for application compatibility shims
Security tools or SIEM agents that use SSH with port forwarding flags for log collection or remote administration
Network monitoring software (e.g., SolarWinds, PRTG agents) that uses socat or netcat-like utilities for probe connectivity

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where _raw matches /(?i)(EventCode=1|EventID=1|EventCode=4688|EventID=4688)/
| parse regex field=_raw "(?i)(?:Image|NewProcessName)[>=: '"]+(?P<process_image>[^\s<'"]+)"
| parse regex field=_raw "(?i)(?:CommandLine|ProcessCommandLine)[>=: '"]+(?P<command_line>[^<'"]{1,500})"
| parse regex field=_raw "(?i)(?:ParentImage|ParentProcessName)[>=: '"]+(?P<parent_image>[^\s<'"]+)"
| parse regex field=_raw "(?i)(?:User|SubjectUserName)[>=: '"]+(?P<user>[^\s<'"]+)"
| parse regex field=_raw "(?i)(?:Computer|Hostname|ComputerName)[>=: '"]+(?P<host>[^\s<'"]+)"
| eval process_lower = toLowerCase(process_image)
| eval cmd_lower = toLowerCase(command_line)
| eval is_proxy_tool = if (process_lower matches "/(htran|zxproxy|lcx\.exe|socat|chisel|ligolo|frpc|frps|earthworm|ew\.exe|gost|iox|revsocks|venom)/" OR cmd_lower matches "/(htran|zxproxy|lcx|earthworm|chisel|ligolo|frpc|frps|gost|iox|revsocks|pivotnacci|rpivot)/", 1, 0)
| eval is_netsh_proxy = if (process_lower matches "/netsh\.exe/" AND cmd_lower matches "/portproxy/" AND cmd_lower matches "/\badd\b/", 1, 0)
| eval is_ssh_tunnel = if (process_lower matches "/(ssh\.exe|plink\.exe|^ssh$)/" AND cmd_lower matches "/(\s-[lrd]\s|localforward|remoteforward|gatewayports|allowtcpforwarding|-w \d)/", 1, 0)
| eval is_portfwd_cmd = if (cmd_lower matches "/(v4tov4|listenport=|connectport=|connectaddress=|listenaddress=)/", 1, 0)
| eval suspicion_score = is_proxy_tool + is_netsh_proxy + is_ssh_tunnel + is_portfwd_cmd
| where suspicion_score > 0
| eval detection_type = if (is_proxy_tool = 1, "KnownProxyTool", if (is_netsh_proxy = 1, "NetshPortProxy", if (is_ssh_tunnel = 1, "SSHTunneling", if (is_portfwd_cmd = 1, "PortForwardCommand", "Unknown"))))
| fields _messagetime, host, user, process_image, command_line, parent_image, detection_type, suspicion_score
| sort by _messagetime desc

high severity medium confidence

Data Sources

Windows Event Log Sysmon CrowdStrike Falcon Carbon Black

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*endpoint*

False Positives

Penetration testing teams running authorized red team exercises using chisel, ligolo-ng, or frpc for C2 channel simulation
IT support staff using plink.exe with SSH tunneling flags for legitimate remote desktop or application access through jump hosts
Network security appliance management tools that invoke netsh portproxy during configuration pushes or health check routines

Google Chronicle / SecOps

yaral

rule t1090_001_internal_proxy_detection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1090.001 Internal Proxy - known proxy tool execution, netsh portproxy configuration, SSH tunneling, and named pipe patterns consistent with Cobalt Strike SMB beacons"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1090.001"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        // Known proxy tool binaries
        re.regex($e.principal.process.file.full_path, `(?i)(htran|zxproxy|lcx\.exe|socat|chisel|ligolo|frpc|frps|earthworm|ew\.exe|gost|iox|revsocks|venom|pivotnacci|rpivot)$`)
        or re.regex($e.target.process.command_line, `(?i)(htran|zxproxy|lcx[\s\.]|earthworm|chisel|ligolo|frpc|frps|gost[\s\.]|iox[\s\.]|revsocks|pivotnacci|rpivot)`)
        // netsh portproxy add
        or (
          re.regex($e.target.process.file.full_path, `(?i)netsh\.exe$`)
          and re.regex($e.target.process.command_line, `(?i)portproxy`)
          and re.regex($e.target.process.command_line, `(?i)\badd\b`)
        )
        // SSH tunneling flags
        or (
          re.regex($e.target.process.file.full_path, `(?i)(ssh\.exe|plink\.exe)$`)
          and re.regex($e.target.process.command_line, `(?i)(\s-[LRDw]\s|localforward|remoteforward|gatewayports|allowtcpforwarding)`)
        )
        // Port forwarding command patterns
        or re.regex($e.target.process.command_line, `(?i)(v4tov4|listenport=|connectport=|connectaddress=|listenaddress=)`)
      )
    )
    or
    (
      // Named pipe patterns consistent with Cobalt Strike SMB beacon
      $e.metadata.event_type = "RESOURCE_CREATION"
      and $e.target.resource.type = "NAMED_PIPE"
      and re.regex($e.target.resource.name, `(?i)(msagent_|postex_|mojo\.|pipe\\\\status_|\\\\hazel|\\\\msse-)`)
    )

  match:
    $e.principal.hostname over 1h

  outcome:
    $risk_score = max(
      if(
        re.regex($e.principal.process.file.full_path, `(?i)(htran|zxproxy|lcx\.exe|socat|chisel|ligolo|frpc|frps|earthworm|ew\.exe|gost|iox|revsocks|venom|pivotnacci|rpivot)$`),
        85
      ) + if(
        re.regex($e.target.process.file.full_path, `(?i)netsh\.exe$`) and re.regex($e.target.process.command_line, `(?i)portproxy`) and re.regex($e.target.process.command_line, `(?i)\badd\b`),
        70
      ) + if(
        re.regex($e.target.resource.name, `(?i)(msagent_|postex_|mojo\.|pipe\\\\status_|\\\\hazel|\\\\msse-)`),
        90
      )
    )
    $detection_type = if(
      re.regex($e.principal.process.file.full_path, `(?i)(htran|zxproxy|lcx|socat|chisel|ligolo|frpc|frps|earthworm|gost|iox|revsocks|venom)`),
      "KnownProxyTool",
      if(
        re.regex($e.target.process.file.full_path, `(?i)netsh\.exe$`) and re.regex($e.target.process.command_line, `(?i)portproxy`),
        "NetshPortProxy",
        if(
          re.regex($e.target.process.file.full_path, `(?i)(ssh\.exe|plink\.exe)$`),
          "SSHTunneling",
          if(
            re.regex($e.target.resource.name, `(?i)(msagent_|postex_|mojo\.)`),
            "NamedPipeProxy",
            "PortForwardCommand"
          )
        )
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Windows Event Log via Chronicle ingestion EDR telemetry (CrowdStrike, SentinelOne, Carbon Black) Sysmon forwarded events

Required Tables

UDM Events (process_launch, resource_creation)

False Positives

Authorized red team or penetration test engagements using chisel or ligolo-ng for simulated adversary C2 channel testing
System administrators using SSH with dynamic port forwarding (-D) for SOCKS proxy access to internal management networks
Application delivery or ADC configuration scripts invoking netsh portproxy to redirect ports for web application load balancing

CrowdStrike LogScale (CQL)

cql

// T1090.001 Internal Proxy Detection — CrowdStrike LogScale (Falcon)
// Covers: proxy tool execution, netsh portproxy, SSH tunneling, named pipe proxy patterns

#event_simpleName = ProcessRollup2 OR #event_simpleName = SyntheticProcessRollup2
| eval ImageFileName = lower(ImageFileName)
| eval CommandLine = lower(CommandLine)
| eval ParentBaseFileName = lower(ParentBaseFileName)

// Flag known proxy tool binaries
| eval is_proxy_tool = if(
    match(field=ImageFileName, regex="(htran|zxproxy|lcx\.exe|socat|chisel|ligolo|frpc|frps|earthworm|ew\.exe|gost|iox|revsocks|venom|pivotnacci|rpivot)") OR
    match(field=CommandLine, regex="(htran|zxproxy|lcx[\s\.]|earthworm|chisel|ligolo|frpc|frps|gost|iox|revsocks|pivotnacci|rpivot)"),
    "1", "0"
  )

// Flag netsh portproxy configuration
| eval is_netsh_proxy = if(
    match(field=ImageFileName, regex="netsh\.exe") AND
    match(field=CommandLine, regex="portproxy") AND
    match(field=CommandLine, regex="\badd\b"),
    "1", "0"
  )

// Flag SSH tunneling with port forwarding flags
| eval is_ssh_tunnel = if(
    match(field=ImageFileName, regex="(ssh\.exe|plink\.exe)") AND
    match(field=CommandLine, regex="(\s-[lrd]\s|localforward|remoteforward|gatewayports|allowtcpforwarding|-w \d)"),
    "1", "0"
  )

// Flag port forwarding command-line patterns
| eval is_portfwd = if(
    match(field=CommandLine, regex="(v4tov4|listenport=|connectport=|connectaddress=|listenaddress=)"),
    "1", "0"
  )

| eval suspicion_score = toInt(is_proxy_tool) + toInt(is_netsh_proxy) + toInt(is_ssh_tunnel) + toInt(is_portfwd)
| where suspicion_score > 0

| eval detection_type = case(
    is_proxy_tool = "1", "KnownProxyTool",
    is_netsh_proxy = "1", "NetshPortProxy",
    is_ssh_tunnel = "1", "SSHTunneling",
    is_portfwd = "1", "PortForwardCommand",
    true(), "Unknown"
  )

| table
    _timeutc,
    ComputerName,
    UserName,
    ImageFileName,
    CommandLine,
    ParentBaseFileName,
    detection_type,
    suspicion_score,
    is_proxy_tool,
    is_netsh_proxy,
    is_ssh_tunnel,
    is_portfwd,
    TargetProcessId,
    ContextProcessId
| sort by _timeutc desc

high severity high confidence

Data Sources

CrowdStrike Falcon EDR Falcon ProcessRollup2 Falcon SyntheticProcessRollup2

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Legitimate use of frpc/frps by development teams for exposing local services during development and testing workflows
IT administrators running plink.exe with tunneling flags for automated remote maintenance tasks via SSH jump hosts
Incident response or forensic tools that create named pipes with patterns resembling Cobalt Strike artifacts during memory analysis or process injection testing

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1090.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Internal Proxy

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections