Detect Internal Proxy in Microsoft Sentinel
Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Tools such as HTRAN, ZXProxy, ZXPortMap, and Cobalt Strike's peer-to-peer beacon mode enable traffic redirection through proxies or port forwarding. Adversaries use internal proxies to manage C2 communications inside a compromised environment, reduce the number of simultaneous outbound connections, provide resiliency, or ride over existing trusted communications paths between infected systems. Internal proxy connections may use common protocols such as SMB to blend in with normal traffic.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1090 Proxy
- Sub-technique: T1090.001 Internal Proxy
- Canonical reference: https://attack.mitre.org/techniques/T1090/001/
KQL Detection Query
```kql
// Tool names are matched as whole terms (has_any) against the file name and the command line
let KnownProxyTools = dynamic([
    "htran", "zxproxy", "zxportmap", "lcx", "netcat", "nc.exe", "ncat",
    "socat", "chisel", "ligolo", "frpc", "frps", "earthworm", "ew.exe",
    "venom", "iox", "gost", "revsocks", "pivotnacci", "rpivot"
]);
// The next two lists are not referenced by the four detections below; they are kept as tuning material
let PortForwardingPatterns = dynamic([
    "portproxy", "netsh interface portproxy", "netsh int portproxy",
    "v4tov4", "listenport", "connectport", "connectaddress", "listenaddress",
    "-L ", "-R ", "-D ", "dynamic ", "localforward", "remoteforward"
]);
let SuspiciousListenPorts = dynamic(["4444", "8888", "9999", "1080", "3128", "8080", "8443", "6666", "7777", "5555"]);
// Detection 1: Known proxy tool execution
let ProxyToolExecution = DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName has_any (KnownProxyTools) or ProcessCommandLine has_any (KnownProxyTools)
    | extend DetectionType = "KnownProxyTool"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 2: netsh portproxy configuration ("add" is a whole-term match, so "connectaddress=" does not trigger it)
let NetshPortProxy = DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where (FileName =~ "netsh.exe" and ProcessCommandLine has "portproxy" and ProcessCommandLine has "add")
    | extend DetectionType = "NetshPortProxy"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 3: SSH tunneling / port forwarding flags
// Note: has_any is case-insensitive, so "-L " also matches "-l <login name>"; review such hits during tuning
let SSHTunneling = DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ ("ssh.exe", "ssh", "plink.exe")
    | where ProcessCommandLine has_any ("-L ", "-R ", "-D ", "-w ", "GatewayPorts", "AllowTcpForwarding")
    | extend DetectionType = "SSHTunneling"
    | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
              InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 4: Named pipe creation for proxy (Cobalt Strike SMB beacon style)
// These values are pipe-name prefixes; has_any matches whole terms, so confirm the match
// against real NamedPipeEvent rows in your tenant before relying on it
let NamedPipeProxy = DeviceEvents
    | where Timestamp > ago(24h)
    | where ActionType == "NamedPipeEvent"
    | where AdditionalFields has_any ("msagent_", "postex_", "mojo.", "pipe\\status_", "\\hazel", "\\msse-")
    | extend DetectionType = "NamedPipeProxy"
    | extend AccountName = tostring(parse_json(AdditionalFields).SubjectUserName)
    | project Timestamp, DeviceName, AccountName, ActionType, AdditionalFields, DetectionType,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              ProcessCommandLine = "";
// Union all four angles for analyst review, newest first
ProxyToolExecution
| union NetshPortProxy
| union SSHTunneling
| union NamedPipeProxy
| sort by Timestamp desc
```
Detects internal proxy usage via four detection angles: (1) execution of known proxy/pivoting tools such as HTRAN, chisel, frp, ligolo, socat, and EarthWorm; (2) netsh portproxy rule additions used to forward traffic between internal hosts; (3) SSH client invocations with port-forwarding flags (-L, -R, -D) indicative of tunneling; (4) suspicious named pipe creation patterns associated with Cobalt Strike SMB beacon peer-to-peer C2. Results are unioned and sorted by time for analyst review.
Data Sources
Required Tables
- DeviceProcessEvents (Detections 1-3: process creation with command line)
- DeviceEvents (Detection 4: ActionType == "NamedPipeEvent")
False Positives & Tuning
- Legitimate use of netsh portproxy by IT/network teams to redirect traffic for lab or testing environments
- SSH port forwarding by developers or DevOps teams for legitimate access to internal services (e.g., database tunneling)
- Network monitoring or vulnerability scanning tools (Nmap, Metasploit auxiliary modules) run by authorized security teams
- Reverse proxy or load balancer configuration tools executed during infrastructure provisioning
- VPN or zero-trust network access clients that use SOCKS proxies internally (e.g., Tailscale, ZScaler)
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Netsh PortProxy Rule Creation for Internal Traffic Forwarding
  Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy add v4tov4 listenport=8080'. Security Event ID 4688 (with command line auditing). Sysmon Event ID 13: Registry value set in HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp. Windows Firewall may log new listening port.
- Test 2: SSH Local Port Forwarding for Internal Proxy Pivot
  Expected signal: Sysmon Event ID 1: Process Create with Image=ssh.exe, CommandLine containing '-L 9090:192.168.1.50:445'. Sysmon Event ID 3: Network Connection attempt from ssh.exe to 10.0.0.1:22. Security Event ID 4688 if command line auditing is enabled.
- Test 3: Chisel Reverse Proxy Tool Execution
  Expected signal: Sysmon Event ID 1: Process Create with Image=chisel.exe (or renamed binary), CommandLine containing 'client' and 'R:socks' or 'socks'. Sysmon Event ID 3: Network Connection attempt from chisel.exe to 10.0.0.99:8443. File hash of chisel.exe will match known threat intelligence indicators.
- Test 4: HTRAN-Style Port Forwarding with Netcat
  Expected signal: Sysmon Event ID 1: Process Create for cmd.exe spawning nc.exe with '-l -p 4444 -e cmd.exe'. Sysmon Event ID 3: Network Connection showing nc.exe listening on 0.0.0.0:4444. Windows Firewall event for new inbound rule exception (if UAC prompt accepted).
- Test 5: Linux SOCKS Proxy via SSH Dynamic Forwarding
  Expected signal: Auditd syscall logs showing execve for ssh with -D 1080 arguments. Syslog entry for ssh process. Network connection attempt to 192.168.1.10:22. Process listing shows ssh with -D flag in /proc/<pid>/cmdline.
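As an added example (not part of this page or its KQL), the following Python re-implements the four detection angles of the query above and runs them offline over constructed events shaped like the five test cases in this section plus some benign noise, so the detection logic can be checked before it is deployed to a workspace. Everything in it is assumed: the event classes, device names, accounts and command lines are constructed stand-ins for DeviceProcessEvents and DeviceEvents rows. Two matching choices are made explicit. `has_term` mimics the whole-term behaviour of KQL `has` (so `add` does not fire on `connectaddress=`), but KQL `has` is case-insensitive, which means the page's SSH rule also fires on `ssh -l <user>`; the Python keeps the single-letter flags case-sensitive to show the difference a tuning pass would make. The named-pipe values are treated as prefixes with substring matching, since they are not whole terms.

```python
"""Offline check of the four T1090.001 detection angles over constructed telemetry."""
import re
from collections import Counter
from dataclasses import dataclass

# Lists copied from the detection query; the SSH flags drop the trailing space because
# has_term enforces its own term boundary.
KNOWN_PROXY_TOOLS = [
    "htran", "zxproxy", "zxportmap", "lcx", "netcat", "nc.exe", "ncat",
    "socat", "chisel", "ligolo", "frpc", "frps", "earthworm", "ew.exe",
    "venom", "iox", "gost", "revsocks", "pivotnacci", "rpivot",
]
SSH_CLIENTS = {"ssh.exe", "ssh", "plink.exe"}
SSH_TUNNEL_FLAGS = ["-L", "-R", "-D", "-w", "GatewayPorts", "AllowTcpForwarding"]
PIPE_PREFIXES = ["msagent_", "postex_", "mojo.", "pipe\\status_", "\\hazel", "\\msse-"]


@dataclass
class ProcessEvent:  # constructed subset of DeviceProcessEvents columns
    device: str
    account: str
    file_name: str
    command_line: str


@dataclass
class PipeEvent:  # constructed subset of a DeviceEvents NamedPipeEvent row
    device: str
    pipe_name: str


def has_term(text, term, case_sensitive=False):
    """Whole-term match approximating KQL `has`: the term may not be glued to another
    [A-Za-z0-9_] character on either side. KQL `has` is always case-insensitive;
    case_sensitive=True is used for single-letter ssh flags so `-l` is not read as `-L`."""
    flags = 0 if case_sensitive else re.IGNORECASE
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(term) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, text, flags) is not None


def detect_process(ev):
    """Detections 1-3 for one process event; returns the DetectionType labels that fire."""
    hits = []
    if any(has_term(ev.file_name, t) or has_term(ev.command_line, t) for t in KNOWN_PROXY_TOOLS):
        hits.append("KnownProxyTool")
    if (ev.file_name.lower() == "netsh.exe" and has_term(ev.command_line, "portproxy")
            and has_term(ev.command_line, "add")):
        hits.append("NetshPortProxy")
    if ev.file_name.lower() in SSH_CLIENTS and any(
            has_term(ev.command_line, f, case_sensitive=f.startswith("-")) for f in SSH_TUNNEL_FLAGS):
        hits.append("SSHTunneling")
    return hits


def detect_pipe(ev):
    """Detection 4: pipe name contains one of the beacon-style prefixes (substring match)."""
    name = ev.pipe_name.lower()
    return ["NamedPipeProxy"] if any(p.lower() in name for p in PIPE_PREFIXES) else []


def run_detections(process_events, pipe_events):
    """Union of all four detections, one row per (DetectionType, event), like the KQL union."""
    rows = []
    for ev in process_events:
        for d in detect_process(ev):
            rows.append({"DetectionType": d, "DeviceName": ev.device, "Detail": ev.command_line})
    for ev in pipe_events:
        for d in detect_pipe(ev):
            rows.append({"DetectionType": d, "DeviceName": ev.device, "Detail": ev.pipe_name})
    return rows


def summarize(rows):
    """Equivalent of `summarize count() by DetectionType`."""
    return dict(Counter(r["DetectionType"] for r in rows))


# Constructed events: the five Testing Methodology cases followed by benign lines that must not fire.
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent("WS01", "alice", "netsh.exe",
                 "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 "
                 "connectport=445 connectaddress=192.168.1.50"),
    ProcessEvent("WS01", "alice", "ssh.exe", "ssh -L 9090:192.168.1.50:445 user@10.0.0.1"),
    ProcessEvent("WS02", "bob", "chisel.exe", "chisel.exe client 10.0.0.99:8443 R:socks"),
    ProcessEvent("WS02", "bob", "nc.exe", "nc.exe -l -p 4444 -e cmd.exe"),
    ProcessEvent("LNX01", "carol", "ssh", "ssh -D 1080 user@192.168.1.10"),
    ProcessEvent("WS03", "dave", "ssh.exe", "ssh -l admin jumphost.corp.example"),   # login name, not -L
    ProcessEvent("WS03", "dave", "netsh.exe", "netsh interface portproxy show all"),  # read-only
    ProcessEvent("WS03", "dave", "chrome.exe", "chrome.exe --type=renderer"),
]
SAMPLE_PIPE_EVENTS = [
    PipeEvent("WS02", "\\\\.\\pipe\\msagent_4a"),  # beacon-style prefix
    PipeEvent("WS03", "\\\\.\\pipe\\lsarpc"),      # ordinary Windows pipe
]

if __name__ == "__main__":
    results = run_detections(SAMPLE_PROCESS_EVENTS, SAMPLE_PIPE_EVENTS)
    for r in results:
        print(f"{r['DetectionType']:<15} {r['DeviceName']:<6} {r['Detail']}")
    print(summarize(results))
```

Running it prints six rows (two KnownProxyTool, one NetshPortProxy, two SSHTunneling, one NamedPipeProxy) and none for the three benign lines; in a workspace the `ssh -l admin` line would additionally appear under SSHTunneling because of the case-insensitive `has_any`, which is the first candidate for the tuning list above.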
References (13)
- https://attack.mitre.org/techniques/T1090/001/
- http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/
- https://sygnia.co/blog/velvet-ant-espionage-campaign/
- https://research.checkpoint.com/2020/pay2key-ransomware-a-new-campaign-by-fox-kitten/
- https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
- https://www.cobaltstrike.com/blog/cobalt-strike-peer-to-peer-c2/
- https://github.com/jpillora/chisel
- https://github.com/fatedier/frp
- https://github.com/nicocha30/ligolo-ng
- https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy
- https://www.ired.team/offensive-security/lateral-movement/ssh-tunnelling-port-forwarding
- https://sygnia.co/blog/elephant-beetle-uncovering-a-years-long-espionage-campaign/
- https://www.secureworks.com/research/htran