T1090.001 Google Chronicle · YARA-L

Detect Internal Proxy in Google Chronicle

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Tools such as HTRAN, ZXProxy, ZXPortMap, and Cobalt Strike's peer-to-peer beacon mode enable traffic redirection through proxies or port forwarding. Adversaries use internal proxies to manage C2 communications inside a compromised environment, reduce the number of simultaneous outbound connections, provide resiliency, or ride over existing trusted communications paths between infected systems. Internal proxy connections may use common protocols such as SMB to blend in with normal traffic.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1090 Proxy
Sub-technique: T1090.001 Internal Proxy
Canonical reference: https://attack.mitre.org/techniques/T1090/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1090_001_internal_proxy_detection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1090.001 Internal Proxy - known proxy tool execution, netsh portproxy configuration, SSH tunneling, and named pipe patterns consistent with Cobalt Strike SMB beacons"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1090.001"
    severity = "HIGH"
    priority = "HIGH"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        // Known proxy tool binaries. In a UDM PROCESS_LAUNCH event the launched process is
        // target.process; principal.process is the parent, so the tool path is checked on target.
        re.regex($e.target.process.file.full_path, `(?i)(htran|zxproxy|lcx\.exe|socat|chisel|ligolo|frpc|frps|earthworm|ew\.exe|gost|iox|revsocks|venom|pivotnacci|rpivot)$`)
        or re.regex($e.target.process.command_line, `(?i)(htran|zxproxy|lcx[\s\.]|earthworm|chisel|ligolo|frpc|frps|gost[\s\.]|iox[\s\.]|revsocks|pivotnacci|rpivot)`)
        // netsh portproxy add
        or (
          re.regex($e.target.process.file.full_path, `(?i)netsh\.exe$`)
          and re.regex($e.target.process.command_line, `(?i)portproxy`)
          and re.regex($e.target.process.command_line, `(?i)\badd\b`)
        )
        // SSH tunneling flags
        or (
          re.regex($e.target.process.file.full_path, `(?i)(ssh\.exe|plink\.exe)$`)
          and re.regex($e.target.process.command_line, `(?i)(\s-[LRDw]\s|localforward|remoteforward|gatewayports|allowtcpforwarding)`)
        )
        // Port forwarding command patterns
        or re.regex($e.target.process.command_line, `(?i)(v4tov4|listenport=|connectport=|connectaddress=|listenaddress=)`)
      )
    )
    or
    (
      // Named pipe patterns consistent with Cobalt Strike SMB beacon
      $e.metadata.event_type = "RESOURCE_CREATION"
      and $e.target.resource.type = "NAMED_PIPE"
      and re.regex($e.target.resource.name, `(?i)(msagent_|postex_|mojo\.|pipe\\\\status_|\\\\hazel|\\\\msse-)`)
    )
    // YARA-L 2.0 groups on declared placeholder variables, not on raw field paths
    $hostname = $e.principal.hostname

  match:
    $hostname over 1h

  outcome:
    $risk_score = max(
      if(
        re.regex($e.target.process.file.full_path, `(?i)(htran|zxproxy|lcx\.exe|socat|chisel|ligolo|frpc|frps|earthworm|ew\.exe|gost|iox|revsocks|venom|pivotnacci|rpivot)$`),
        85
      ) + if(
        re.regex($e.target.process.file.full_path, `(?i)netsh\.exe$`) and re.regex($e.target.process.command_line, `(?i)portproxy`) and re.regex($e.target.process.command_line, `(?i)\badd\b`),
        70
      ) + if(
        re.regex($e.target.resource.name, `(?i)(msagent_|postex_|mojo\.|pipe\\\\status_|\\\\hazel|\\\\msse-)`),
        90
      )
    )
    // A rule with a match section must aggregate every outcome variable
    $detection_type = array_distinct(if(
      re.regex($e.target.process.file.full_path, `(?i)(htran|zxproxy|lcx|socat|chisel|ligolo|frpc|frps|earthworm|gost|iox|revsocks|venom)`),
      "KnownProxyTool",
      if(
        re.regex($e.target.process.file.full_path, `(?i)netsh\.exe$`) and re.regex($e.target.process.command_line, `(?i)portproxy`),
        "NetshPortProxy",
        if(
          re.regex($e.target.process.file.full_path, `(?i)(ssh\.exe|plink\.exe)$`),
          "SSHTunneling",
          if(
            re.regex($e.target.resource.name, `(?i)(msagent_|postex_|mojo\.)`),
            "NamedPipeProxy",
            "PortForwardCommand"
          )
        )
      )
    ))

  condition:
    $e
}
Severity: high · Confidence: high

Chronicle YARA-L 2.0 rule detecting T1090.001 Internal Proxy activity. Matches against UDM process launch events for known proxy binaries and command-line patterns, netsh portproxy configuration, SSH tunneling, port forwarding directives, and named pipe creation patterns consistent with Cobalt Strike SMB beacons.

Data Sources

  • Windows Event Log via Chronicle ingestion
  • EDR telemetry (CrowdStrike, SentinelOne, Carbon Black)
  • Sysmon forwarded events

Required Tables

UDM Events (process_launch, resource_creation)

False Positives & Tuning

  • Authorized red team or penetration test engagements using chisel or ligolo-ng for simulated adversary C2 channel testing
  • System administrators using SSH with dynamic port forwarding (-D) for SOCKS proxy access to internal management networks
  • Application delivery or ADC configuration scripts invoking netsh portproxy to redirect ports for web application load balancing

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Netsh PortProxy Rule Creation for Internal Traffic Forwarding

    Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy add v4tov4 listenport=8080'. Security Event ID 4688 (with command line auditing). Sysmon Event ID 13: Registry value set in HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp. Windows Firewall may log new listening port.

  2. Test 2: SSH Local Port Forwarding for Internal Proxy Pivot

    Expected signal: Sysmon Event ID 1: Process Create with Image=ssh.exe, CommandLine containing '-L 9090:192.168.1.50:445'. Sysmon Event ID 3: Network Connection attempt from ssh.exe to 10.0.0.1:22. Security Event ID 4688 if command line auditing is enabled.

  3. Test 3: Chisel Reverse Proxy Tool Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image=chisel.exe (or renamed binary), CommandLine containing 'client' and 'R:socks' or 'socks'. Sysmon Event ID 3: Network Connection attempt from chisel.exe to 10.0.0.99:8443. File hash of chisel.exe will match known threat intelligence indicators.

  4. Test 4: HTRAN-Style Port Forwarding with Netcat

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe spawning nc.exe with '-l -p 4444 -e cmd.exe'. Sysmon Event ID 3: Network Connection showing nc.exe listening on 0.0.0.0:4444. Windows Firewall event for new inbound rule exception (if UAC prompt accepted).

  5. Test 5: Linux SOCKS Proxy via SSH Dynamic Forwarding

    Expected signal: Auditd syscall logs showing execve for ssh with -D 1080 arguments. Syslog entry for ssh process. Network connection attempt to 192.168.1.10:22. Process listing shows ssh with -D flag in /proc/<pid>/cmdline.
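To check the rule's predicates offline against the telemetry these tests describe, here is an added Python harness (not part of this page or the Argus rule set) that copies the rule's regexes and applies them to constructed UDM-style events; the dict keys are shorthand for the UDM fields the rule reads (launched-process path, command line, created resource type and name), and the pipe regex with the double-backslash alternatives is kept verbatim.

```python
import re
# Regexes copied from the rule's events/outcome sections (RE2 and Python re agree on them).
PROXY_BIN = re.compile(r"(?i)(htran|zxproxy|lcx\.exe|socat|chisel|ligolo|frpc|frps|earthworm|ew\.exe|gost|iox|revsocks|venom|pivotnacci|rpivot)$")
PROXY_CMD = re.compile(r"(?i)(htran|zxproxy|lcx[\s\.]|earthworm|chisel|ligolo|frpc|frps|gost[\s\.]|iox[\s\.]|revsocks|pivotnacci|rpivot)")
PROXY_TYPE = re.compile(r"(?i)(htran|zxproxy|lcx|socat|chisel|ligolo|frpc|frps|earthworm|gost|iox|revsocks|venom)")
NETSH_BIN, SSH_BIN = re.compile(r"(?i)netsh\.exe$"), re.compile(r"(?i)(ssh\.exe|plink\.exe)$")
SSH_FWD = re.compile(r"(?i)(\s-[LRDw]\s|localforward|remoteforward|gatewayports|allowtcpforwarding)")
PORT_FWD = re.compile(r"(?i)(v4tov4|listenport=|connectport=|connectaddress=|listenaddress=)")
PIPE = re.compile(r"(?i)(msagent_|postex_|mojo\.|pipe\\\\status_|\\\\hazel|\\\\msse-)")
PIPE_TYPE = re.compile(r"(?i)(msagent_|postex_|mojo\.)")

def evaluate(ev):
    """Apply the rule's events predicates to one event dict.
    Returns (detection_type, risk_score) as the outcome section computes them, or None."""
    path, cmd, pipe = ev.get("path", ""), ev.get("cmd", ""), ev.get("pipe", "")
    netsh = bool(NETSH_BIN.search(path) and re.search(r"(?i)portproxy", cmd) and re.search(r"(?i)\badd\b", cmd))
    proc_hit = ev["type"] == "PROCESS_LAUNCH" and bool(
        PROXY_BIN.search(path) or PROXY_CMD.search(cmd) or netsh
        or (SSH_BIN.search(path) and SSH_FWD.search(cmd)) or PORT_FWD.search(cmd))
    pipe_hit = ev["type"] == "RESOURCE_CREATION" and ev.get("res") == "NAMED_PIPE" and bool(PIPE.search(pipe))
    if not (proc_hit or pipe_hit):
        return None
    # Score is the sum of the three scored branches: SSH tunnelling and bare port-forward command
    # lines are detected but carry 0, and because PROXY_BIN anchors on the bare tool name a
    # Windows "chisel.exe" is only caught by PROXY_CMD and is likewise scored 0.
    risk = (85 if PROXY_BIN.search(path) else 0) + (70 if netsh else 0) + (90 if PIPE.search(pipe) else 0)
    if PROXY_TYPE.search(path):
        dtype = "KnownProxyTool"
    elif NETSH_BIN.search(path) and re.search(r"(?i)portproxy", cmd):
        dtype = "NetshPortProxy"
    elif SSH_BIN.search(path):
        dtype = "SSHTunneling"
    elif PIPE_TYPE.search(pipe):
        dtype = "NamedPipeProxy"
    else:
        dtype = "PortForwardCommand"
    return dtype, risk

# Constructed sample events modelled on Tests 1-3 and the named-pipe branch; not real telemetry.
SAMPLES = {
    "netsh": {"type": "PROCESS_LAUNCH", "path": r"C:\Windows\System32\netsh.exe",
              "cmd": "netsh interface portproxy add v4tov4 listenport=8080 connectaddress=10.0.0.5"},
    "ssh": {"type": "PROCESS_LAUNCH", "path": r"C:\Windows\System32\OpenSSH\ssh.exe",
            "cmd": "ssh -L 9090:192.168.1.50:445 user@10.0.0.1"},
    "chisel": {"type": "PROCESS_LAUNCH", "path": r"C:\Users\Public\chisel.exe",
               "cmd": "chisel.exe client 10.0.0.99:8443 R:socks"},
    "pipe": {"type": "RESOURCE_CREATION", "res": "NAMED_PIPE", "pipe": r"\\.\pipe\msagent_1f"},
    "benign": {"type": "PROCESS_LAUNCH", "path": r"C:\Windows\System32\OpenSSH\ssh.exe",
               "cmd": "ssh admin@jumphost.example"},
}
```

Running `evaluate` over `SAMPLES` shows which branch each test lands in and that the benign interactive SSH session is not matched; the 0 scores for the SSH and chisel.exe cases are the tuning gaps worth closing before relying on `$risk_score`.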
