T1090.001 Sumo Logic CSE · Sumo

Detect Internal Proxy in Sumo Logic CSE

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Tools such as HTRAN, ZXProxy, ZXPortMap, and Cobalt Strike's peer-to-peer beacon mode enable traffic redirection through proxies or port forwarding. Adversaries use internal proxies to manage C2 communications inside a compromised environment, reduce the number of simultaneous outbound connections, provide resiliency, or ride over existing trusted communications paths between infected systems. Internal proxy connections may use common protocols such as SMB to blend in with normal traffic.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1090 Proxy
Sub-technique
T1090.001 Internal Proxy
Canonical reference
https://attack.mitre.org/techniques/T1090/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| where _raw matches /(?i)(EventCode=1|EventID=1|EventCode=4688|EventID=4688)/
| parse regex field=_raw "(?i)(?:Image|NewProcessName)[>=: '"]+(?P<process_image>[^\s<'"]+)"
| parse regex field=_raw "(?i)(?:CommandLine|ProcessCommandLine)[>=: '"]+(?P<command_line>[^<'"]{1,500})"
| parse regex field=_raw "(?i)(?:ParentImage|ParentProcessName)[>=: '"]+(?P<parent_image>[^\s<'"]+)"
| parse regex field=_raw "(?i)(?:User|SubjectUserName)[>=: '"]+(?P<user>[^\s<'"]+)"
| parse regex field=_raw "(?i)(?:Computer|Hostname|ComputerName)[>=: '"]+(?P<host>[^\s<'"]+)"
| eval process_lower = toLowerCase(process_image)
| eval cmd_lower = toLowerCase(command_line)
| eval is_proxy_tool = if (process_lower matches "/(htran|zxproxy|lcx\.exe|socat|chisel|ligolo|frpc|frps|earthworm|ew\.exe|gost|iox|revsocks|venom)/" OR cmd_lower matches "/(htran|zxproxy|lcx|earthworm|chisel|ligolo|frpc|frps|gost|iox|revsocks|pivotnacci|rpivot)/", 1, 0)
| eval is_netsh_proxy = if (process_lower matches "/netsh\.exe/" AND cmd_lower matches "/portproxy/" AND cmd_lower matches "/\badd\b/", 1, 0)
| eval is_ssh_tunnel = if (process_lower matches "/(ssh\.exe|plink\.exe|^ssh$)/" AND cmd_lower matches "/(\s-[lrd]\s|localforward|remoteforward|gatewayports|allowtcpforwarding|-w \d)/", 1, 0)
| eval is_portfwd_cmd = if (cmd_lower matches "/(v4tov4|listenport=|connectport=|connectaddress=|listenaddress=)/", 1, 0)
| eval suspicion_score = is_proxy_tool + is_netsh_proxy + is_ssh_tunnel + is_portfwd_cmd
| where suspicion_score > 0
| eval detection_type = if (is_proxy_tool = 1, "KnownProxyTool", if (is_netsh_proxy = 1, "NetshPortProxy", if (is_ssh_tunnel = 1, "SSHTunneling", if (is_portfwd_cmd = 1, "PortForwardCommand", "Unknown"))))
| fields _messagetime, host, user, process_image, command_line, parent_image, detection_type, suspicion_score
| sort by _messagetime desc
high severity medium confidence

Sumo Logic detection for T1090.001 Internal Proxy. Parses Windows Security Event 4688 and Sysmon Event 1 logs to identify proxy tool execution, netsh portproxy configuration, SSH tunneling, and port forwarding commands. Assigns a suspicion score for prioritization.

Data Sources

Windows Event LogSysmonCrowdStrike FalconCarbon Black

Required Tables

_sourceCategory=*windows*_sourceCategory=*sysmon*_sourceCategory=*endpoint*

False Positives & Tuning

  • Penetration testing teams running authorized red team exercises using chisel, ligolo-ng, or frpc for C2 channel simulation
  • IT support staff using plink.exe with SSH tunneling flags for legitimate remote desktop or application access through jump hosts
  • Network security appliance management tools that invoke netsh portproxy during configuration pushes or health check routines
Download portable Sigma rule (.yml)

Other platforms for T1090.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Netsh PortProxy Rule Creation for Internal Traffic Forwarding

    Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy add v4tov4 listenport=8080'. Security Event ID 4688 (with command line auditing). Sysmon Event ID 13: Registry value set in HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp. Windows Firewall may log new listening port.

  2. Test 2SSH Local Port Forwarding for Internal Proxy Pivot

    Expected signal: Sysmon Event ID 1: Process Create with Image=ssh.exe, CommandLine containing '-L 9090:192.168.1.50:445'. Sysmon Event ID 3: Network Connection attempt from ssh.exe to 10.0.0.1:22. Security Event ID 4688 if command line auditing is enabled.

  3. Test 3Chisel Reverse Proxy Tool Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image=chisel.exe (or renamed binary), CommandLine containing 'client' and 'R:socks' or 'socks'. Sysmon Event ID 3: Network Connection attempt from chisel.exe to 10.0.0.99:8443. File hash of chisel.exe will match known threat intelligence indicators.

  4. Test 4HTRAN-Style Port Forwarding with Netcat

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe spawning nc.exe with '-l -p 4444 -e cmd.exe'. Sysmon Event ID 3: Network Connection showing nc.exe listening on 0.0.0.0:4444. Windows Firewall event for new inbound rule exception (if UAC prompt accepted).

  5. Test 5Linux SOCKS Proxy via SSH Dynamic Forwarding

    Expected signal: Auditd syscall logs showing execve for ssh with -D 1080 arguments. Syslog entry for ssh process. Network connection attempt to 192.168.1.10:22. Process listing shows ssh with -D flag in /proc/<pid>/cmdline.

Last updated: 2026-04-13 Research depth: deep
References (13)

Unlock Pro Content

Get the full detection package for T1090.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1090Proxy

Related Sub-techniques

T1090.002External ProxyT1090.003Multi-hop ProxyT1090.004Domain Fronting

Related Techniques

T1090ProxyT1090.002External ProxyT1090.003Multi-hop ProxyT1021.002SMB/Windows Admin SharesT1572Protocol TunnelingT1071Application Layer ProtocolT1563Remote Service Session HijackingT1570Lateral Tool TransferT1505.005Terminal Services DLLT1053.005Scheduled Task

Same Tactic: Command and Control

Popular Detections