Which SIEM platforms have a T1090.001 detection rule?

df00tech provides T1090.001 (Internal Proxy) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Internal Proxy (T1090.001)?

Detecting Internal Proxy requires the following data sources: Process: Process Creation, Command: Command Execution, Network: Network Connection, Named Pipe: Named Pipe Metadata, Microsoft Defender for Endpoint.

What severity and confidence is the T1090.001 detection?

The T1090.001 detection is rated high severity with medium confidence.

What are common false positives for T1090.001?

Common false positives for T1090.001 include: Legitimate use of netsh portproxy by IT/network teams to redirect traffic for lab or testing environments; SSH port forwarding by developers or DevOps teams for legitimate access to internal services (e.g., database tunneling); Network monitoring or vulnerability scanning tools (Nmap, Metasploit auxiliary modules) run by authorized security teams.

T1090.001 IBM QRadar · QRadar

Detect Internal Proxy in IBM QRadar

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Tools such as HTRAN, ZXProxy, ZXPortMap, and Cobalt Strike's peer-to-peer beacon mode enable traffic redirection through proxies or port forwarding. Adversaries use internal proxies to manage C2 communications inside a compromised environment, reduce the number of simultaneous outbound connections, provide resiliency, or ride over existing trusted communications paths between infected systems. Internal proxy connections may use common protocols such as SMB to blend in with normal traffic.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1090 Proxy
Sub-technique: T1090.001 Internal Proxy
Canonical reference: https://attack.mitre.org/techniques/T1090/001/

QRadar Detection Query

IBM QRadar (QRadar)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS category_name,
  "Process Name",
  "Command",
  CASE
    WHEN LOWER("Process Name") MATCHES '(htran|zxproxy|lcx\.exe|socat|chisel|ligolo|frpc|frps|earthworm|ew\.exe|gost|iox|revsocks|venom)'
      OR LOWER("Command") MATCHES '(htran|zxproxy|lcx|earthworm|chisel|ligolo|frpc|frps|gost|iox|revsocks|pivotnacci|rpivot)'
    THEN 'KnownProxyTool'
    WHEN LOWER("Process Name") MATCHES 'netsh\.exe'
      AND LOWER("Command") MATCHES 'portproxy'
      AND LOWER("Command") MATCHES 'add'
    THEN 'NetshPortProxy'
    WHEN LOWER("Process Name") MATCHES '(ssh\.exe|plink\.exe|ssh)'
      AND LOWER("Command") MATCHES '(\s-[lrd]\s|localforward|remoteforward|gatewayports|allowtcpforwarding|-w \d)'
    THEN 'SSHTunneling'
    WHEN LOWER("Command") MATCHES '(v4tov4|listenport=|connectport=|connectaddress=|listenaddress=)'
    THEN 'PortForwardCommand'
    ELSE 'Unknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 314, 352)
  AND starttime > (NOW() - 86400000)
  AND (
    LOWER("Process Name") MATCHES '(htran|zxproxy|lcx\.exe|socat|chisel|ligolo|frpc|frps|earthworm|ew\.exe|gost|iox|revsocks|venom)'
    OR LOWER("Command") MATCHES '(htran|zxproxy|lcx|earthworm|chisel|ligolo|frpc|frps|gost|iox|revsocks|pivotnacci|rpivot|v4tov4|listenport=|connectport=|connectaddress=|listenaddress=)'
    OR (
      LOWER("Process Name") MATCHES 'netsh\.exe'
      AND LOWER("Command") MATCHES 'portproxy'
      AND LOWER("Command") MATCHES 'add'
    )
    OR (
      LOWER("Process Name") MATCHES '(ssh\.exe|plink\.exe)'
      AND LOWER("Command") MATCHES '(\s-[lrld]\s|localforward|remoteforward|gatewayports|-w \d)'
    )
  )
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

AQL detection for internal proxy tool execution and port forwarding. Queries Windows Security (4688) and Sysmon (Event ID 1) log sources for known proxy binaries, netsh portproxy configuration, SSH tunneling flags, and port forwarding command-line parameters.

Data Sources

Windows Security Event LogSysmonMicrosoft Sysmon for Linux

Required Tables

events

False Positives & Tuning

Legitimate IT automation scripts that use netsh portproxy to redirect ports for application compatibility shims
Security tools or SIEM agents that use SSH with port forwarding flags for log collection or remote administration
Network monitoring software (e.g., SolarWinds, PRTG agents) that uses socat or netcat-like utilities for probe connectivity

Download portable Sigma rule (.yml)

Other platforms for T1090.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Netsh PortProxy Rule Creation for Internal Traffic Forwarding
Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy add v4tov4 listenport=8080'. Security Event ID 4688 (with command line auditing). Sysmon Event ID 13: Registry value set in HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp. Windows Firewall may log new listening port.
Test 2SSH Local Port Forwarding for Internal Proxy Pivot
Expected signal: Sysmon Event ID 1: Process Create with Image=ssh.exe, CommandLine containing '-L 9090:192.168.1.50:445'. Sysmon Event ID 3: Network Connection attempt from ssh.exe to 10.0.0.1:22. Security Event ID 4688 if command line auditing is enabled.
Test 3Chisel Reverse Proxy Tool Execution
Expected signal: Sysmon Event ID 1: Process Create with Image=chisel.exe (or renamed binary), CommandLine containing 'client' and 'R:socks' or 'socks'. Sysmon Event ID 3: Network Connection attempt from chisel.exe to 10.0.0.99:8443. File hash of chisel.exe will match known threat intelligence indicators.
Test 4HTRAN-Style Port Forwarding with Netcat
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe spawning nc.exe with '-l -p 4444 -e cmd.exe'. Sysmon Event ID 3: Network Connection showing nc.exe listening on 0.0.0.0:4444. Windows Firewall event for new inbound rule exception (if UAC prompt accepted).
Test 5Linux SOCKS Proxy via SSH Dynamic Forwarding
Expected signal: Auditd syscall logs showing execve for ssh with -D 1080 arguments. Syslog entry for ssh process. Network connection attempt to 192.168.1.10:22. Process listing shows ssh with -D flag in /proc/<pid>/cmdline.

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1090.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Internal Proxy in IBM QRadar

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1090.001

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

MITRE ATT&CK

QRadar Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1090.001

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

Get new detections in your inbox