Detect External Proxy in Elastic Security
Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Tools like HTRAN, ZXProxy, and ZXPortMap enable traffic redirection through proxies or port redirection. External connection proxies mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside the victim environment, cloud-based resources, or VPS infrastructure may be used. Victim systems communicate directly with the external proxy, which then forwards traffic to the actual C2 server.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1090 Proxy
- Sub-technique: T1090.002 External Proxy
- Canonical reference: https://attack.mitre.org/techniques/T1090/002/
Elastic Detection Query
```eql
any where
(
  event.category == "process" and event.type == "start" and
  (
    process.name : ("htran*", "zxproxy*", "zxportmap*", "chisel*", "frpc*", "frps*",
                    "proxychains*", "revsocks*", "socat*", "stunnel*", "privoxy*",
                    "iodine*", "dns2tcp*", "ptunnel*", "3proxy*", "ss-local*",
                    "shadowsocks*") or
    process.command_line : ("*socks5://*", "*socks4://*", "*-socks5*", "*-socks4*",
                            "*--socks5*", "*--proxy*", "*connect-proxy*") or
    (
      process.name : ("ssh", "ssh.exe", "plink.exe") and
      process.command_line : ("* -D *", "*-nNT*", "*-fND*", "*-fNT*", "*-NnT*")
    )
  )
) or
(
  event.category == "network" and event.type == "connection" and
  destination.port in (1080, 3128, 8080, 8888, 9050, 9051, 4444, 1337, 31337, 8443, 4443) and
  not process.name : ("chrome*", "firefox*", "msedge*", "iexplore*", "opera*",
                      "brave*", "curl*", "wget*", "python*", "node*") and
  not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "127.0.0.0/8")
)
```

Detects T1090.002 External Proxy usage via three vectors: (1) execution of known proxy relay tools such as chisel, frp, socat, and stunnel; (2) SSH dynamic port forwarding using the -D flag, which creates a local SOCKS proxy; (3) outbound network connections from non-browser processes to well-known proxy ports on public IP addresses. Covers both Windows and Linux endpoints using Elastic Common Schema fields.
Data Sources
Required Tables
False Positives & Tuning
- Developers and DevOps engineers using SSH dynamic port forwarding (-D) to tunnel traffic through bastion hosts for legitimate access to internal resources.
- Security teams running proxy tools such as Burp Suite, OWASP ZAP, or mitmproxy on non-standard ports during authorized penetration tests or web application assessments.
- Corporate PAC-file or transparent proxy deployments where endpoint software routes traffic through ports such as 3128 or 8080 to a legitimate corporate proxy appliance.
- Tor Browser or legitimate privacy tools (privacy-conscious users or journalists) that use ports 9050/9051 for local SOCKS proxy connections to the Tor daemon.
- Docker or Kubernetes network management tools that open SOCKS listeners on high ports during container networking setup.
Other platforms for T1090.002
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: SOCKS5 Proxy via SSH Dynamic Port Forwarding
Expected signal: Sysmon for Linux or auditd: Process creation for ssh with command line containing '-D 1080'. Network connection event showing TCP bind on 127.0.0.1:1080. If Sysmon EID 3 is available, outbound TCP connection to the target SSH server on port 2222.
- Test 2: TCP Port Forwarding via Chisel Proxy Tool
Expected signal: Sysmon Event ID 1: Process Create for chisel.exe with command line containing 'client' and 'socks'. Sysmon Event ID 3: Network connection from chisel.exe to 127.0.0.1:8080. Sysmon Event ID 11: File creation of chisel.exe in %TEMP%. Security Event ID 4688 (if command line auditing is enabled).
- Test 3: HTRAN Port Redirector Execution
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'htran'. If the actual HTRAN binary is used in an authorized test environment: direct process creation event with '-listen' argument and IP:port parameters. Security Event ID 4688 with htran.exe image path.
- Test 4: FRP (Fast Reverse Proxy) Client Configuration and Execution
Expected signal: Sysmon Event ID 11: File creation of frpc.ini in %TEMP% with content showing server_addr, server_port, and plugin=socks5. Sysmon Event ID 1: PowerShell process creation with command containing 'frpc.ini'. The configuration file content reveals the external C2 relay address (192.0.2.1).
- Test 5: SOCKS Proxy via Netcat-style Listener (socat)
Expected signal: Linux auditd/Sysmon for Linux: Process creation for socat with arguments 'TCP4-LISTEN:1080' and 'TCP4:192.0.2.1:4444'. Network socket creation binding to local port 1080. If Sysmon EID 3 is available: outbound connection attempt to 192.0.2.1:4444.
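The following is an added worked example, not code from the original rule page or from Elastic: it re-implements the three vectors of the EQL query in plain Python so the logic can be exercised offline, runs it over constructed ECS-style events modelled on the Atomic Red Team telemetry listed above, and shows one tuning for the first false-positive case (an allowlist of users approved for SSH dynamic forwarding through a bastion). The `ssh_bastion_users` parameter, the user names, the documentation-range IP addresses and the file paths are assumptions made for illustration.

```python
"""Added example: Python model of the T1090.002 EQL rule (not Elastic's code)."""
import fnmatch
import ipaddress

# Pattern lists copied from the rule above (EQL ':' is a case-insensitive wildcard match).
PROXY_TOOLS = ("htran*", "zxproxy*", "zxportmap*", "chisel*", "frpc*", "frps*",
               "proxychains*", "revsocks*", "socat*", "stunnel*", "privoxy*",
               "iodine*", "dns2tcp*", "ptunnel*", "3proxy*", "ss-local*", "shadowsocks*")
PROXY_CMDLINE = ("*socks5://*", "*socks4://*", "*-socks5*", "*-socks4*",
                 "*--socks5*", "*--proxy*", "*connect-proxy*")
SSH_NAMES = ("ssh", "ssh.exe", "plink.exe")
SSH_FORWARD = ("* -D *", "*-nNT*", "*-fND*", "*-fNT*", "*-NnT*")
PROXY_PORTS = {1080, 3128, 8080, 8888, 9050, 9051, 4444, 1337, 31337, 8443, 4443}
BROWSER_LIKE = ("chrome*", "firefox*", "msedge*", "iexplore*", "opera*",
                "brave*", "curl*", "wget*", "python*", "node*")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _match_any(value, patterns):
    """Emulate EQL's case-insensitive wildcard operator: field : ("pat*", ...)."""
    v = (value or "").lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def _is_private(ip):
    """Emulate cidrmatch(destination.ip, <RFC1918 + loopback>); bad input = no match."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def classify(event, ssh_bastion_users=()):
    """Return the name of the matching vector, or None if the event does not fire.

    Vector 1: start of a known proxy/relay tool, or a SOCKS/proxy command line.
    Vector 2: SSH dynamic port forwarding (-D and related flag combinations).
    Vector 3: non-browser process connecting to a proxy port on a non-private IP.
    ssh_bastion_users is an assumed tuning knob (not part of the rule) for the
    DevOps bastion-tunnelling false positive: approved users do not fire vector 2.
    """
    name = event.get("process.name", "")
    cmd = event.get("process.command_line", "")
    if event.get("event.category") == "process" and event.get("event.type") == "start":
        if _match_any(name, PROXY_TOOLS):
            return "proxy_tool"
        if _match_any(cmd, PROXY_CMDLINE):
            return "proxy_cmdline"
        if name.lower() in SSH_NAMES and _match_any(cmd, SSH_FORWARD):
            if event.get("user.name") in ssh_bastion_users:
                return None  # tuned out: approved bastion user
            return "ssh_dynamic_forward"
    if event.get("event.category") == "network" and event.get("event.type") == "connection":
        if (event.get("destination.port") in PROXY_PORTS
                and not _match_any(name, BROWSER_LIKE)
                and not _is_private(event.get("destination.ip", ""))):
            return "proxy_port_connection"
    return None


# Constructed sample events mirroring the expected telemetry of the tests above,
# plus three benign events taken from the False Positives list. 203.0.113.x and
# 192.0.2.x are documentation ranges; users "alice" and "bob" are invented.
SAMPLE_EVENTS = [
    {"event.category": "process", "event.type": "start", "process.name": "ssh",  # Test 1
     "process.command_line": "ssh -D 1080 -p 2222 user@203.0.113.10", "user.name": "alice"},
    {"event.category": "process", "event.type": "start", "process.name": "chisel.exe",  # Test 2
     "process.command_line": "chisel.exe client 203.0.113.10:8080 socks"},
    {"event.category": "process", "event.type": "start", "process.name": "frpc.exe",  # Test 4
     "process.command_line": "frpc.exe -c C:\\Temp\\frpc.ini"},
    {"event.category": "process", "event.type": "start", "process.name": "socat",  # Test 5
     "process.command_line": "socat TCP4-LISTEN:1080,fork TCP4:192.0.2.1:4444"},
    {"event.category": "network", "event.type": "connection", "process.name": "socat",  # Test 5
     "destination.ip": "192.0.2.1", "destination.port": 4444},
    {"event.category": "network", "event.type": "connection", "process.name": "chrome.exe",
     "destination.ip": "203.0.113.5", "destination.port": 8080},  # browser via corporate proxy
    {"event.category": "network", "event.type": "connection", "process.name": "tor",
     "destination.ip": "127.0.0.1", "destination.port": 9050},  # Tor daemon on loopback
    {"event.category": "process", "event.type": "start", "process.name": "ssh",
     "process.command_line": "ssh -D 1080 bob@bastion.example", "user.name": "bob"},  # approved
]


def run(events, ssh_bastion_users=("bob",)):
    """Classify every event; returns (index, vector-or-None) pairs."""
    return [(i, classify(e, ssh_bastion_users)) for i, e in enumerate(events)]


if __name__ == "__main__":
    for idx, verdict in run(SAMPLE_EVENTS):
        print(f"event {idx}: {verdict or 'no match'}")
```

Events 0 to 4 fire (SSH -D, chisel, frpc, the socat start and the socat connection to 192.0.2.1:4444); the browser connection is excluded by name, the Tor loopback connection by the CIDR clause, and the approved user's tunnel by the allowlist. Dropping the allowlist (`classify(event)` with the default empty tuple) makes the last event fire again, which is the behaviour of the untuned rule.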
References
- https://attack.mitre.org/techniques/T1090/002/
- https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf
- http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/
- https://www.mandiant.com/resources/blog/apt29-eye-spy-email
- https://github.com/jpillora/chisel
- https://github.com/fatedier/frp
- https://www.varonis.com/blog/what-is-htran
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-277a
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.002/T1090.002.md
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/CommonStatsFunctions