T1090.001 CrowdStrike LogScale · LogScale

Detect Internal Proxy in CrowdStrike LogScale

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Tools such as HTRAN, ZXProxy, ZXPortMap, and Cobalt Strike's peer-to-peer beacon mode enable traffic redirection through proxies or port forwarding. Adversaries use internal proxies to manage C2 communications inside a compromised environment, reduce the number of simultaneous outbound connections, provide resiliency, or ride over existing trusted communications paths between infected systems. Internal proxy connections may use common protocols such as SMB to blend in with normal traffic.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1090 Proxy
Sub-technique
T1090.001 Internal Proxy
Canonical reference
https://attack.mitre.org/techniques/T1090/001/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
// T1090.001 Internal Proxy Detection — CrowdStrike LogScale (Falcon)
// Covers: proxy tool execution, netsh portproxy, SSH tunneling, named pipe proxy patterns

#event_simpleName = ProcessRollup2 OR #event_simpleName = SyntheticProcessRollup2
| eval ImageFileName = lower(ImageFileName)
| eval CommandLine = lower(CommandLine)
| eval ParentBaseFileName = lower(ParentBaseFileName)

// Flag known proxy tool binaries
| eval is_proxy_tool = if(
    match(field=ImageFileName, regex="(htran|zxproxy|lcx\.exe|socat|chisel|ligolo|frpc|frps|earthworm|ew\.exe|gost|iox|revsocks|venom|pivotnacci|rpivot)") OR
    match(field=CommandLine, regex="(htran|zxproxy|lcx[\s\.]|earthworm|chisel|ligolo|frpc|frps|gost|iox|revsocks|pivotnacci|rpivot)"),
    "1", "0"
  )

// Flag netsh portproxy configuration
| eval is_netsh_proxy = if(
    match(field=ImageFileName, regex="netsh\.exe") AND
    match(field=CommandLine, regex="portproxy") AND
    match(field=CommandLine, regex="\badd\b"),
    "1", "0"
  )

// Flag SSH tunneling with port forwarding flags
| eval is_ssh_tunnel = if(
    match(field=ImageFileName, regex="(ssh\.exe|plink\.exe)") AND
    match(field=CommandLine, regex="(\s-[lrd]\s|localforward|remoteforward|gatewayports|allowtcpforwarding|-w \d)"),
    "1", "0"
  )

// Flag port forwarding command-line patterns
| eval is_portfwd = if(
    match(field=CommandLine, regex="(v4tov4|listenport=|connectport=|connectaddress=|listenaddress=)"),
    "1", "0"
  )

| eval suspicion_score = toInt(is_proxy_tool) + toInt(is_netsh_proxy) + toInt(is_ssh_tunnel) + toInt(is_portfwd)
| where suspicion_score > 0

| eval detection_type = case(
    is_proxy_tool = "1", "KnownProxyTool",
    is_netsh_proxy = "1", "NetshPortProxy",
    is_ssh_tunnel = "1", "SSHTunneling",
    is_portfwd = "1", "PortForwardCommand",
    true(), "Unknown"
  )

| table
    _timeutc,
    ComputerName,
    UserName,
    ImageFileName,
    CommandLine,
    ParentBaseFileName,
    detection_type,
    suspicion_score,
    is_proxy_tool,
    is_netsh_proxy,
    is_ssh_tunnel,
    is_portfwd,
    TargetProcessId,
    ContextProcessId
| sort by _timeutc desc
high severity high confidence

CrowdStrike LogScale (CQL) detection for T1090.001 Internal Proxy. Queries Falcon ProcessRollup2 telemetry to identify proxy tool execution (HTRAN, chisel, ligolo, frpc, socat, etc.), netsh portproxy add commands, SSH with port forwarding flags, and generic port forwarding command-line patterns. Assigns a suspicion score for analyst triage prioritization.

Data Sources

CrowdStrike Falcon EDRFalcon ProcessRollup2Falcon SyntheticProcessRollup2

Required Tables

ProcessRollup2SyntheticProcessRollup2

False Positives & Tuning

  • Legitimate use of frpc/frps by development teams for exposing local services during development and testing workflows
  • IT administrators running plink.exe with tunneling flags for automated remote maintenance tasks via SSH jump hosts
  • Incident response or forensic tools that create named pipes with patterns resembling Cobalt Strike artifacts during memory analysis or process injection testing
Download portable Sigma rule (.yml)

Other platforms for T1090.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Netsh PortProxy Rule Creation for Internal Traffic Forwarding

    Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy add v4tov4 listenport=8080'. Security Event ID 4688 (with command line auditing). Sysmon Event ID 13: Registry value set in HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp. Windows Firewall may log new listening port.

  2. Test 2SSH Local Port Forwarding for Internal Proxy Pivot

    Expected signal: Sysmon Event ID 1: Process Create with Image=ssh.exe, CommandLine containing '-L 9090:192.168.1.50:445'. Sysmon Event ID 3: Network Connection attempt from ssh.exe to 10.0.0.1:22. Security Event ID 4688 if command line auditing is enabled.

  3. Test 3Chisel Reverse Proxy Tool Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image=chisel.exe (or renamed binary), CommandLine containing 'client' and 'R:socks' or 'socks'. Sysmon Event ID 3: Network Connection attempt from chisel.exe to 10.0.0.99:8443. File hash of chisel.exe will match known threat intelligence indicators.

  4. Test 4HTRAN-Style Port Forwarding with Netcat

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe spawning nc.exe with '-l -p 4444 -e cmd.exe'. Sysmon Event ID 3: Network Connection showing nc.exe listening on 0.0.0.0:4444. Windows Firewall event for new inbound rule exception (if UAC prompt accepted).

  5. Test 5Linux SOCKS Proxy via SSH Dynamic Forwarding

    Expected signal: Auditd syscall logs showing execve for ssh with -D 1080 arguments. Syslog entry for ssh process. Network connection attempt to 192.168.1.10:22. Process listing shows ssh with -D flag in /proc/<pid>/cmdline.

Last updated: 2026-04-13 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1090.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1090Proxy

Related Sub-techniques

T1090.002External ProxyT1090.003Multi-hop ProxyT1090.004Domain Fronting

Related Techniques

T1090ProxyT1090.002External ProxyT1090.003Multi-hop ProxyT1021.002SMB/Windows Admin SharesT1572Protocol TunnelingT1071Application Layer ProtocolT1563Remote Service Session HijackingT1570Lateral Tool TransferT1505.005Terminal Services DLLT1053.005Scheduled Task

Same Tactic: Command and Control

Popular Detections