Detect Internal Proxy in Elastic Security
Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Tools such as HTRAN, ZXProxy, ZXPortMap, and Cobalt Strike's peer-to-peer beacon mode enable traffic redirection through proxies or port forwarding. Adversaries use internal proxies to manage C2 communications inside a compromised environment, reduce the number of simultaneous outbound connections, provide resiliency, or ride over existing trusted communications paths between infected systems. Internal proxy connections may use common protocols such as SMB to blend in with normal traffic.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1090 Proxy
- Sub-technique
- T1090.001 Internal Proxy
- Canonical reference
- https://attack.mitre.org/techniques/T1090/001/
Elastic Detection Query
sequence by host.name with maxspan=5m
[process where event.type == "start" and (
process.name : ("htran", "zxproxy", "lcx.exe", "socat", "chisel", "ligolo", "frpc", "frps", "earthworm", "ew.exe", "gost", "iox", "revsocks", "venom", "pivotnacci", "rpivot", "nc.exe", "ncat") or
process.args : ("htran", "zxproxy", "lcx", "earthworm", "chisel", "ligolo", "frpc", "frps", "gost", "iox", "revsocks", "pivotnacci", "rpivot") or
(process.name : "netsh.exe" and process.args : "portproxy" and process.args : "add") or
(process.name : ("ssh.exe", "ssh", "plink.exe") and process.args : ("-L", "-R", "-D", "-w", "GatewayPorts", "AllowTcpForwarding", "localforward", "remoteforward")) or
process.command_line : ("*v4tov4*", "*listenport=*", "*connectport=*", "*connectaddress=*", "*listenaddress=*")
)]
not sequence by host.name
[process where process.parent.name : ("msiexec.exe", "setup.exe", "installer.exe") and process.name : ("netsh.exe")]Detects internal proxy tool execution and port forwarding configuration activity associated with T1090.001. Identifies known proxy binaries (HTRAN, chisel, ligolo, frpc, socat, etc.), netsh portproxy commands, SSH tunneling flags, and named pipe patterns indicative of Cobalt Strike SMB beacons.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate SSH tunnel usage by administrators for remote database access or bastion host connections using -L or -D flags
- Network engineers using netsh portproxy for legitimate load balancing or application testing scenarios
- DevOps teams using socat or chisel for legitimate service proxying in containerized or microservices environments
Other platforms for T1090.001
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Netsh PortProxy Rule Creation for Internal Traffic Forwarding
Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy add v4tov4 listenport=8080'. Security Event ID 4688 (with command line auditing). Sysmon Event ID 13: Registry value set in HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp. Windows Firewall may log new listening port.
- Test 2SSH Local Port Forwarding for Internal Proxy Pivot
Expected signal: Sysmon Event ID 1: Process Create with Image=ssh.exe, CommandLine containing '-L 9090:192.168.1.50:445'. Sysmon Event ID 3: Network Connection attempt from ssh.exe to 10.0.0.1:22. Security Event ID 4688 if command line auditing is enabled.
- Test 3Chisel Reverse Proxy Tool Execution
Expected signal: Sysmon Event ID 1: Process Create with Image=chisel.exe (or renamed binary), CommandLine containing 'client' and 'R:socks' or 'socks'. Sysmon Event ID 3: Network Connection attempt from chisel.exe to 10.0.0.99:8443. File hash of chisel.exe will match known threat intelligence indicators.
- Test 4HTRAN-Style Port Forwarding with Netcat
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe spawning nc.exe with '-l -p 4444 -e cmd.exe'. Sysmon Event ID 3: Network Connection showing nc.exe listening on 0.0.0.0:4444. Windows Firewall event for new inbound rule exception (if UAC prompt accepted).
- Test 5Linux SOCKS Proxy via SSH Dynamic Forwarding
Expected signal: Auditd syscall logs showing execve for ssh with -D 1080 arguments. Syslog entry for ssh process. Network connection attempt to 192.168.1.10:22. Process listing shows ssh with -D flag in /proc/<pid>/cmdline.
References (13)
- https://attack.mitre.org/techniques/T1090/001/
- http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/
- https://sygnia.co/blog/velvet-ant-espionage-campaign/
- https://research.checkpoint.com/2020/pay2key-ransomware-a-new-campaign-by-fox-kitten/
- https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
- https://www.cobaltstrike.com/blog/cobalt-strike-peer-to-peer-c2/
- https://github.com/jpillora/chisel
- https://github.com/fatedier/frp
- https://github.com/nicocha30/ligolo-ng
- https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy
- https://www.ired.team/offensive-security/lateral-movement/ssh-tunnelling-port-forwarding
- https://sygnia.co/blog/elephant-beetle-uncovering-a-years-long-espionage-campaign/
- https://www.secureworks.com/research/htran
Unlock Pro Content
Get the full detection package for T1090.001 including response playbook, investigation guide, and atomic red team tests.