T1090.002

External Proxy

Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Tools like HTRAN, ZXProxy, and ZXPortMap enable traffic redirection through proxies or port redirection. External connection proxies mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside the victim environment, cloud-based resources, or VPS infrastructure may be used. Victim systems communicate directly with the external proxy, which then forwards traffic to the actual C2 server.

Microsoft Sentinel / Defender

kusto

let KnownProxyTools = dynamic([
  "htran", "zxproxy", "zxportmap", "proxychains", "revsocks", "chisel",
  "frp", "frpc", "frps", "ncat", "socat", "3proxy", "shadowsocks",
  "ss-local", "privoxy", "stunnel", "iodine", "dns2tcp", "ptunnel"
]);
let SuspiciousProxyArgs = dynamic([
  "-socks", "-socks4", "-socks5", "-proxy", "socks5://", "socks4://",
  "-L ", "-R ", "-D ", "-w ", "--proxy", "-x ", "connect-proxy",
  "-N -D", "-fN -D", "-nNT -D"
]);
let SuspiciousPorts = dynamic([1080, 3128, 8080, 8888, 9050, 9051, 4444, 1337, 31337, 8443, 4443]);
// Branch 1: Known proxy tool execution
let ProxyProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (KnownProxyTools)
   or ProcessCommandLine has_any (KnownProxyTools)
   or ProcessCommandLine has_any (SuspiciousProxyArgs)
| extend DetectionReason = "Known proxy tool or argument detected"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionReason;
// Branch 2: Network connections to high proxy ports from unusual processes
let ProxyNetworkConns = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (SuspiciousPorts)
| where RemoteIPType == "Public"
| where not (InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe",
             "iexplore.exe", "opera.exe", "brave.exe", "curl.exe", "wget.exe"))
| extend DetectionReason = strcat("Outbound connection to proxy port ", RemotePort, " from ", InitiatingProcessFileName)
| project Timestamp, DeviceName,
          AccountName = InitiatingProcessAccountName,
          FileName = InitiatingProcessFileName,
          ProcessCommandLine = InitiatingProcessCommandLine,
          InitiatingProcessFileName = InitiatingProcessParentFileName,
          InitiatingProcessCommandLine = "",
          DetectionReason;
// Branch 3: SSH used as SOCKS proxy (-D flag dynamic port forwarding)
let SSHSocksProxy = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("ssh.exe", "ssh", "plink.exe")
| where ProcessCommandLine matches regex @"-[fNnqT]*D\s+\d+"
   or ProcessCommandLine has "-D " or ProcessCommandLine has "-nNT"
| extend DetectionReason = "SSH dynamic port forwarding (SOCKS proxy) detected"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionReason;
// Combine all branches
union ProxyProcesses, ProxyNetworkConns, SSHSocksProxy
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Legitimate SSH tunneling by administrators for database or management access via -D dynamic port forwarding
Security researchers or penetration testers using proxy tools in authorized assessments
Corporate proxy infrastructure where internal tools connect to a central proxy server on port 3128 or 8080
VPN clients or privacy tools (Tor Browser, Shadowsocks) used legitimately on endpoints where these are permitted
Development environments using tools like socat or chisel for local port forwarding during application testing

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=3))
| eval process_lower=lower(Image)
| eval cmdline_lower=lower(CommandLine)
| eval DestPort=coalesce(DestinationPort, DestPort)
| eval DestIP=coalesce(DestinationIp, DestinationIP)
```-- Flag 1: Known proxy tool names in process image or command line --```
| eval KnownProxyTool=if(
    match(process_lower, "(htran|zxproxy|zxportmap|proxychains|revsocks|chisel|frpc|frps|\.\bfrp\b|3proxy|shadowsocks|ss-local|privoxy|stunnel|iodine|dns2tcp|ptunnel|socat)") OR
    match(cmdline_lower, "(htran|zxproxy|zxportmap|proxychains|revsocks|chisel|frpc|frps|3proxy|shadowsocks|ss-local|privoxy|stunnel|socat)"),
    1, 0)
```-- Flag 2: SSH dynamic port forwarding (SOCKS proxy) --```
| eval SSHSocksProxy=if(
    (match(process_lower, "(\\\\ssh\.exe|\\\\plink\.exe)") OR process_lower="ssh") AND
    match(cmdline_lower, "(-[fnqt]*d\s+\d+|-nn\s+-d|-nt\s+-d)"),
    1, 0)
```-- Flag 3: Generic SOCKS proxy arguments --```
| eval SocksArgs=if(
    match(cmdline_lower, "(socks5://|socks4://|-socks[45]?\s|--socks[45]?)"),
    1, 0)
```-- Flag 4: Outbound connection to proxy ports from non-browser --```
| eval ProxyPortConn=if(
    EventCode=3 AND
    (DestPort=1080 OR DestPort=3128 OR DestPort=8080 OR DestPort=8888 OR
     DestPort=9050 OR DestPort=9051 OR DestPort=4444 OR DestPort=1337 OR
     DestPort=31337 OR DestPort=8443 OR DestPort=4443) AND
    NOT match(process_lower, "(chrome|firefox|msedge|iexplore|opera|brave|curl|wget)") AND
    NOT match(DestIP, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)"),
    1, 0)
| eval SuspicionScore=KnownProxyTool + SSHSocksProxy + SocksArgs + ProxyPortConn
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DestinationIp, DestinationPort,
        KnownProxyTool, SSHSocksProxy, SocksArgs, ProxyPortConn, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate SSH tunneling by administrators for database or management access via -D dynamic port forwarding
Security researchers or penetration testers using proxy tools in authorized assessments
Corporate proxy infrastructure where internal tools connect to a central proxy server on port 3128 or 8080
VPN clients or privacy tools (Tor Browser, Shadowsocks) used legitimately on endpoints where these are permitted
Development environments using tools like socat or chisel for local port forwarding during application testing

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start" and
    (
      process.name : ("htran*", "zxproxy*", "zxportmap*", "chisel*", "frpc*", "frps*",
                      "proxychains*", "revsocks*", "socat*", "stunnel*", "privoxy*",
                      "iodine*", "dns2tcp*", "ptunnel*", "3proxy*", "ss-local*",
                      "shadowsocks*") or
      process.command_line : ("*socks5://*", "*socks4://*", "*-socks5*", "*-socks4*",
                              "*--socks5*", "*--proxy*", "*connect-proxy*") or
      (
        process.name : ("ssh", "ssh.exe", "plink.exe") and
        process.command_line : ("* -D *", "*-nNT*", "*-fND*", "*-fNT*", "*-NnT*")
      )
    )
  ) or
  (
    event.category == "network" and event.type == "connection" and
    destination.port in (1080, 3128, 8080, 8888, 9050, 9051, 4444, 1337, 31337, 8443, 4443) and
    not process.name : ("chrome*", "firefox*", "msedge*", "iexplore*", "opera*",
                        "brave*", "curl*", "wget*", "python*", "node*") and
    not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12",
                  "192.168.0.0/16", "127.0.0.0/8")
  )

high severity medium confidence

Data Sources

Endpoint process telemetry (Elastic Endpoint, Auditbeat, Winlogbeat with Sysmon) Network connection telemetry (Packetbeat, Elastic Endpoint network events)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* winlogbeat-* auditbeat-*

False Positives

Developers and DevOps engineers using SSH dynamic port forwarding (-D) to tunnel traffic through bastion hosts for legitimate access to internal resources.
Security teams running proxy tools such as Burp Suite, OWASP ZAP, or mitmproxy on non-standard ports during authorized penetration tests or web application assessments.
Corporate PAC-file or transparent proxy deployments where endpoint software routes traffic through ports such as 3128 or 8080 to a legitimate corporate proxy appliance.
Tor Browser or legitimate privacy tools (privacy-conscious users or journalists) that use ports 9050/9051 for local SOCKS proxy connections to the Tor daemon.
Docker or Kubernetes network management tools that open SOCKS listeners on high ports during container networking setup.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(logsourcetypeid) AS log_source_type,
  CASE
    WHEN LOWER("Process Name") MATCHES '(htran|zxproxy|zxportmap|chisel|frpc|frps|proxychains|revsocks|socat|stunnel|privoxy|iodine|dns2tcp|ptunnel|3proxy|ss-local|shadowsocks)'
      OR LOWER("Command") MATCHES '(htran|zxproxy|chisel|frpc|proxychains|socat|socks5://|socks4://|-socks[45]|connect-proxy)'
    THEN 'KnownProxyTool'
    WHEN LOWER("Process Name") MATCHES '(\bssh\.exe$|\bssh$|plink\.exe$)'
      AND LOWER("Command") MATCHES '(-[fnqt]*d\s+\d+|-nnt|-fnd|-fnqd)'
    THEN 'SSHSocksProxy'
    WHEN destinationport IN (1080, 3128, 8080, 8888, 9050, 9051, 4444, 1337, 31337, 8443, 4443)
      AND NOT INCIDR(destinationip, '10.0.0.0/8')
      AND NOT INCIDR(destinationip, '172.16.0.0/12')
      AND NOT INCIDR(destinationip, '192.168.0.0/16')
      AND NOT INCIDR(destinationip, '127.0.0.0/8')
      AND NOT LOWER("Process Name") MATCHES '(chrome|firefox|msedge|iexplore|opera|brave|curl|wget)'
    THEN 'ProxyPortConnection'
    ELSE 'Unknown'
  END AS detection_reason
FROM events
WHERE (
  LOGSOURCETYPEID IN (12, 13, 143, 352, 383)
  AND (
    LOWER("Process Name") MATCHES '(htran|zxproxy|zxportmap|chisel|frpc|frps|proxychains|revsocks|socat|stunnel|privoxy|iodine|dns2tcp|ptunnel|3proxy|ss-local|shadowsocks)'
    OR LOWER("Command") MATCHES '(htran|zxproxy|chisel|frpc|proxychains|socat|socks5://|socks4://|-socks[45]|connect-proxy)'
    OR (
      LOWER("Process Name") MATCHES '(\bssh\.exe$|\bssh$|plink\.exe$)'
      AND LOWER("Command") MATCHES '(-[fnqt]*d\s+\d+|-nnt|-fnd)'
    )
    OR (
      destinationport IN (1080, 3128, 8080, 8888, 9050, 9051, 4444, 1337, 31337, 8443, 4443)
      AND NOT INCIDR(destinationip, '10.0.0.0/8')
      AND NOT INCIDR(destinationip, '172.16.0.0/12')
      AND NOT INCIDR(destinationip, '192.168.0.0/16')
      AND NOT INCIDR(destinationip, '127.0.0.0/8')
      AND NOT LOWER("Process Name") MATCHES '(chrome|firefox|msedge|iexplore|opera|brave|curl|wget)'
    )
  )
  AND STARTTIME > NOW() - 86400000
)
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Windows Sysmon event log (Event IDs 1 and 3) via WinCollect or DSM Windows Security event log (Event ID 4688 with command-line auditing enabled) QRadar Network Activity flows for port-based detection

Required Tables

events (LOGSOURCETYPEID 12 WinCollect, 143 Sysmon, 352 Microsoft Windows Security Event Log) flows (for network connection visibility if endpoint DSM unavailable)

False Positives

Administrators using SSH dynamic port forwarding (-D flag) for legitimate tunnel-based access to isolated network segments or cloud environments.
IT operations teams deploying or testing web proxies (Squid, Privoxy, Nginx) on standard proxy ports (3128, 8080) that trigger the port-based detection branch.
Endpoint security or DLP products that proxy all outbound connections through a local SOCKS listener, causing every application to appear to connect to proxy ports.
Developers using tools like kubectl port-forward, ngrok, or cloudflared that establish local proxy listeners and may invoke socat or stunnel as dependencies.

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint* OR _sourceCategory=*wineventlog*)
| where EventCode in ("1", "3") or event_id in ("1", "3")
| eval process_lower = toLowerCase(if(!isNull(Image), Image, process_name))
| eval cmdline_lower = toLowerCase(if(!isNull(CommandLine), CommandLine, command_line))
| eval dest_port = toInt(if(!isNull(DestinationPort), DestinationPort,
                    if(!isNull(destination_port), destination_port, "0")))
| eval dest_ip = if(!isNull(DestinationIp), DestinationIp,
                 if(!isNull(destination_ip), destination_ip, ""))
| eval is_known_proxy_tool = if(
    matches(process_lower, "(htran|zxproxy|zxportmap|chisel|frpc|frps|proxychains|revsocks|socat|stunnel|privoxy|iodine|dns2tcp|ptunnel|3proxy|ss-local|shadowsocks)") or
    matches(cmdline_lower, "(htran|zxproxy|chisel|frpc|proxychains|socat|socks5://|socks4://|-socks[45]|connect-proxy)"),
    1, 0)
| eval is_ssh_socks = if(
    matches(process_lower, "(\\bssh\\.exe|\\bssh$|plink\\.exe)") and
    matches(cmdline_lower, "(-[fnqt]*d\\s+\\d+|-nnt\\s*-d|-nt\\s*-d|-fnd|-fnqd)"),
    1, 0)
| eval is_proxy_port_conn = if(
    dest_port in (1080, 3128, 8080, 8888, 9050, 9051, 4444, 1337, 31337, 8443, 4443) and
    !matches(process_lower, "(chrome|firefox|msedge|iexplore|opera|brave|curl|wget)") and
    !matches(dest_ip, "^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\\.168\\.|127\\.)"),
    1, 0)
| eval suspicion_score = is_known_proxy_tool + is_ssh_socks + is_proxy_port_conn
| where suspicion_score > 0
| fields _messageTime, host, User, process_lower, cmdline_lower, ParentImage,
         dest_ip, dest_port, is_known_proxy_tool, is_ssh_socks, is_proxy_port_conn,
         suspicion_score
| sort by suspicion_score desc, _messageTime desc

high severity medium confidence

Data Sources

Windows Sysmon operational event log (Event IDs 1 and 3) forwarded to Sumo Logic Sumo Logic Cloud SIEM Enterprise normalized endpoint process and network events

Required Tables

_sourceCategory matching Windows Sysmon or endpoint process/network data Sumo Logic CSE normalized schema: process_name, command_line, destination_ip, destination_port

False Positives

Security engineers using socat or stunnel for legitimate TLS termination, port translation, or certificate testing in development and staging environments.
Privacy-focused users or journalists running Tor Browser locally, which connects via SOCKS to port 9050 by default and will reliably trigger the proxy port branch.
Penetration testers or red team operators using Chisel, FRP, or revsocks under an authorized engagement scope where process names will exactly match known proxy tool indicators.
System administrators using proxychains to route maintenance scripts or patch management tools through an internal hop proxy, which is common in air-gapped or segmented networks.

Google Chronicle / SecOps

yaral

rule external_proxy_t1090_002 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1090.002 - External Proxy via known proxy tools, SSH dynamic port forwarding, and outbound connections to proxy ports from non-browser processes."
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1090.002"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2024-01-01"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.principal.process.file.full_path,
          `(?i)(htran|zxproxy|zxportmap|chisel|frpc|frps|proxychains|revsocks|socat|stunnel|privoxy|iodine|dns2tcp|ptunnel|3proxy|ss-local|shadowsocks)`) or
        re.regex($e.principal.process.command_line,
          `(?i)(socks5://|socks4://|-socks[45]\s|--socks[45]|connect-proxy|htran|zxproxy|chisel|frpc|proxychains)`) or
        (
          re.regex($e.principal.process.file.full_path, `(?i)(\bssh\.exe$|\bssh$|plink\.exe$)`) and
          re.regex($e.principal.process.command_line, `(?i)(-[fnqt]*D\s+\d+|-nNT|-fND|-fnqD)`)
        )
      )
    ) or
    (
      $e.metadata.event_type = "NETWORK_CONNECTION"
      and $e.target.port in (1080, 3128, 8080, 8888, 9050, 9051, 4444, 1337, 31337, 8443, 4443)
      and not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
      and not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
      and not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
      and not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")
      and not re.regex($e.principal.process.file.full_path,
        `(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|curl\.exe|wget\.exe)`)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle UDM via Cortex XDR, CrowdStrike Falcon, Carbon Black, or Windows Event forwarding ingestion Chronicle SIEM with endpoint process and network event normalization to UDM

Required Tables

UDM event stream with metadata.event_type PROCESS_LAUNCH and NETWORK_CONNECTION principal.process.file.full_path, principal.process.command_line, target.ip, target.port UDM fields populated by endpoint telemetry

False Positives

DevOps pipelines that use frpc or frps for legitimate ingress-controller tunneling to expose development services; these will match the known proxy tool name pattern.
macOS or Linux administrators using SSH -D for routine bastion-host tunneling patterns; the PROCESS_LAUNCH branch will fire on all such connections regardless of legitimacy.
Enterprise web filtering solutions that intercept and proxy all HTTP/HTTPS traffic through ports 8080 or 8443; this may produce NETWORK_CONNECTION matches for any process making web requests.
Docker networking components and CNI plugins that create local SOCKS proxies on high ephemeral ports during container bridge network initialization.

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(ProcessRollup2|NetworkConnectIP4)$/
| ImageFileName = /(?i)(htran|zxproxy|zxportmap|chisel|frpc|frps|proxychains|revsocks|socat|stunnel|privoxy|iodine|dns2tcp|ptunnel|3proxy|ss-local|shadowsocks)/ OR
  CommandLine = /(?i)(htran|zxproxy|zxportmap|chisel|frpc|proxychains|socat|socks5:\/\/|socks4:\/\/|-socks[45]\s|--socks[45]|connect-proxy)/ OR
  (
    ImageFileName = /(?i)(\bssh\.exe$|\bssh$|plink\.exe$)/ AND
    CommandLine = /(?i)(-[fnqt]*D\s+\d+|-nNT|-fND|-fnqD)\/
  ) OR
  (
    #event_simpleName = "NetworkConnectIP4" AND
    RemotePort in (1080, 3128, 8080, 8888, 9050, 9051, 4444, 1337, 31337, 8443, 4443) AND
    NOT ImageFileName = /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|opera\.exe|brave\.exe|curl\.exe|wget\.exe)/ AND
    NOT RemoteAddressIP4 = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
  )
| eval detection_type = case(
    ImageFileName = /(?i)(htran|zxproxy|zxportmap|chisel|frpc|frps|proxychains|revsocks|socat|stunnel|privoxy|iodine|dns2tcp|ptunnel|3proxy|ss-local|shadowsocks)/,
    "KnownProxyToolExecution",
    ImageFileName = /(?i)(\bssh\.exe$|\bssh$|plink\.exe$)/ AND CommandLine = /(?i)(-[fnqt]*D\s+\d+|-nNT|-fND)/,
    "SSHDynamicForwarding",
    CommandLine = /(?i)(socks5:\/\/|socks4:\/\/|-socks[45]|connect-proxy)/,
    "SocksProxyArgument",
    #event_simpleName = "NetworkConnectIP4",
    "ProxyPortConnection",
    "Other"
  )
| table [@timestamp, ComputerName, UserName, ImageFileName, CommandLine,
         ParentProcessImageFileName, RemoteAddressIP4, RemotePort, detection_type]
| sort @timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon sensor endpoint telemetry: ProcessRollup2 (process execution) and NetworkConnectIP4 (outbound network connections) Falcon Event Stream via Falcon Data Replicator (FDR) or Humio/LogScale direct ingestion

Required Tables

Falcon event stream: #event_simpleName ProcessRollup2 and NetworkConnectIP4 Required fields: ImageFileName, CommandLine, ParentProcessImageFileName, RemoteAddressIP4, RemotePort, ComputerName, UserName

False Positives

Red team or penetration testing operators using Chisel, FRP, or revsocks under authorized rules of engagement; Falcon will reliably detect these by image name.
Legitimate socat or stunnel usage by system administrators for TLS wrapping, serial-over-TCP bridges, or debugging network services in enterprise environments.
Corporate outbound proxy infrastructure where all workstations connect to a centralized proxy on port 8080 or 3128; the NetworkConnectIP4 branch will match if the proxy IP is public-facing.
Tor Browser or I2P router processes connecting to local SOCKS daemon on ports 9050 or 9060 during normal privacy-tool usage on unmanaged or BYOD endpoints.

Last updated: 2026-04-17 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1090.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

External Proxy

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections