Which SIEM platforms have a T1090.001 detection rule?

df00tech provides T1090.001 (Internal Proxy) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Internal Proxy (T1090.001)?

Detecting Internal Proxy requires the following data sources: Process: Process Creation, Command: Command Execution, Network: Network Connection, Named Pipe: Named Pipe Metadata, Microsoft Defender for Endpoint.

What severity and confidence is the T1090.001 detection?

The T1090.001 detection is rated high severity with medium confidence.

What are common false positives for T1090.001?

Common false positives for T1090.001 include: Legitimate use of netsh portproxy by IT/network teams to redirect traffic for lab or testing environments; SSH port forwarding by developers or DevOps teams for legitimate access to internal services (e.g., database tunneling); Network monitoring or vulnerability scanning tools (Nmap, Metasploit auxiliary modules) run by authorized security teams.

T1090.001 Splunk · SPL

Detect Internal Proxy in Splunk

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Tools such as HTRAN, ZXProxy, ZXPortMap, and Cobalt Strike's peer-to-peer beacon mode enable traffic redirection through proxies or port forwarding. Adversaries use internal proxies to manage C2 communications inside a compromised environment, reduce the number of simultaneous outbound connections, provide resiliency, or ride over existing trusted communications paths between infected systems. Internal proxy connections may use common protocols such as SMB to blend in with normal traffic.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1090 Proxy
Sub-technique: T1090.001 Internal Proxy
Canonical reference: https://attack.mitre.org/techniques/T1090/001/

SPL Detection Query

Splunk (SPL)

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
OR (sourcetype="WinEventLog:Security" EventCode=4688)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine, CommandLine)
| eval CommandLineLower=lower(CommandLine)
| eval ImageLower=lower(Image)
| eval IsProxyTool=if(match(ImageLower, "(htran|zxproxy|lcx\.exe|socat|chisel|ligolo|frpc|frps|earthworm|ew\.exe|gost|iox|revsocks|venom)") OR match(CommandLineLower, "(htran|zxproxy|lcx|earthworm|chisel|ligolo|frpc|frps|gost|iox|revsocks|pivotnacci|rpivot)"), 1, 0)
| eval IsNetshProxy=if(match(ImageLower, "netsh\.exe") AND match(CommandLineLower, "portproxy") AND match(CommandLineLower, "add"), 1, 0)
| eval IsSSHTunnel=if(match(ImageLower, "(ssh\.exe|plink\.exe)") AND match(CommandLineLower, "(\s-[lrd]\s|localforward|remoteforward|gatewayports|dynamicforward|-w \d)"), 1, 0)
| eval IsPortForwardCmd=if(match(CommandLineLower, "(v4tov4|listenport=|connectport=|connectaddress=|listenaddress=)"), 1, 0)
| eval SuspicionScore=IsProxyTool + IsNetshProxy + IsSSHTunnel + IsPortForwardCmd
| where SuspicionScore > 0
| eval DetectionType=case(
    IsProxyTool=1, "KnownProxyTool",
    IsNetshProxy=1, "NetshPortProxy",
    IsSSHTunnel=1, "SSHTunneling",
    IsPortForwardCmd=1, "PortForwardCommand",
    true(), "Unknown"
  )
| eval ParentProcess=coalesce(ParentImage, ParentCommandLine, "unknown")
| table _time, host, User, Image, CommandLine, ParentProcess, DetectionType, SuspicionScore, IsProxyTool, IsNetshProxy, IsSSHTunnel, IsPortForwardCmd
| sort - _time

high severity medium confidence

Detects internal proxy and traffic pivoting activity using Sysmon Event ID 1 (Process Create) and Security Event ID 4688. Evaluates process names and command lines against known proxy tool names, netsh portproxy add commands, SSH tunneling flags, and explicit port-forwarding parameter patterns. Assigns a suspicion score across four detection categories. Supports both Sysmon and native Windows Security auditing log sources via coalesce.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Security

False Positives & Tuning

Legitimate use of netsh portproxy by IT/network teams to redirect traffic for lab or testing environments
SSH port forwarding by developers or DevOps teams for legitimate access to internal services
Authorized penetration testing or red team exercises using proxy/pivoting tools
Network monitoring tools that use SOCKS proxies or port redirection for traffic analysis
VPN clients and zero-trust network access agents that establish internal proxy connections

Download portable Sigma rule (.yml)

Other platforms for T1090.001

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Netsh PortProxy Rule Creation for Internal Traffic Forwarding
Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy add v4tov4 listenport=8080'. Security Event ID 4688 (with command line auditing). Sysmon Event ID 13: Registry value set in HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp. Windows Firewall may log new listening port.
Test 2SSH Local Port Forwarding for Internal Proxy Pivot
Expected signal: Sysmon Event ID 1: Process Create with Image=ssh.exe, CommandLine containing '-L 9090:192.168.1.50:445'. Sysmon Event ID 3: Network Connection attempt from ssh.exe to 10.0.0.1:22. Security Event ID 4688 if command line auditing is enabled.
Test 3Chisel Reverse Proxy Tool Execution
Expected signal: Sysmon Event ID 1: Process Create with Image=chisel.exe (or renamed binary), CommandLine containing 'client' and 'R:socks' or 'socks'. Sysmon Event ID 3: Network Connection attempt from chisel.exe to 10.0.0.99:8443. File hash of chisel.exe will match known threat intelligence indicators.
Test 4HTRAN-Style Port Forwarding with Netcat
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe spawning nc.exe with '-l -p 4444 -e cmd.exe'. Sysmon Event ID 3: Network Connection showing nc.exe listening on 0.0.0.0:4444. Windows Firewall event for new inbound rule exception (if UAC prompt accepted).
Test 5Linux SOCKS Proxy via SSH Dynamic Forwarding
Expected signal: Auditd syscall logs showing execve for ssh with -D 1080 arguments. Syslog entry for ssh process. Network connection attempt to 192.168.1.10:22. Process listing shows ssh with -D flag in /proc/<pid>/cmdline.

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1090.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Internal Proxy in Splunk

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1090.001

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

MITRE ATT&CK

SPL Detection Query

Data Sources

Required Sourcetypes

False Positives & Tuning

Other platforms for T1090.001

Testing Methodology

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Related Techniques

Same Tactic: Command and Control

Popular Detections

Get new detections in your inbox