T1090.002 IBM QRadar · QRadar

Detect External Proxy in IBM QRadar

Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Tools like HTRAN, ZXProxy, and ZXPortMap enable traffic redirection through proxies or port redirection. External connection proxies mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside the victim environment, cloud-based resources, or VPS infrastructure may be used. Victim systems communicate directly with the external proxy, which then forwards traffic to the actual C2 server.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1090 Proxy
Sub-technique
T1090.002 External Proxy
Canonical reference
https://attack.mitre.org/techniques/T1090/002/

QRadar Detection Query

IBM QRadar AQL:
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "Parent Process Name" AS parent_process,
  QIDNAME(qid) AS event_name,
  LOGSOURCETYPENAME(logsourcetypeid) AS log_source_type,
  CASE
    WHEN LOWER("Process Name") MATCHES '.*(htran|zxproxy|zxportmap|chisel|frpc|frps|proxychains|revsocks|socat|stunnel|privoxy|iodine|dns2tcp|ptunnel|3proxy|ss-local|shadowsocks).*'
      OR LOWER("Command") MATCHES '.*(htran|zxproxy|chisel|frpc|proxychains|socat|socks5://|socks4://|-socks[45]|connect-proxy).*'
    THEN 'KnownProxyTool'
    WHEN LOWER("Process Name") MATCHES '.*\b(ssh\.exe|ssh|plink\.exe)'
      AND LOWER("Command") MATCHES '.*(-[fnqt]*d\s+\d+|-nnt|-fnd|-fnqd).*'
    THEN 'SSHSocksProxy'
    WHEN destinationport IN (1080, 3128, 8080, 8888, 9050, 9051, 4444, 1337, 31337, 8443, 4443)
      AND NOT INCIDR('10.0.0.0/8', destinationip)
      AND NOT INCIDR('172.16.0.0/12', destinationip)
      AND NOT INCIDR('192.168.0.0/16', destinationip)
      AND NOT INCIDR('127.0.0.0/8', destinationip)
      AND NOT LOWER("Process Name") MATCHES '.*(chrome|firefox|msedge|iexplore|opera|brave|curl|wget).*'
    THEN 'ProxyPortConnection'
    ELSE 'Unknown'
  END AS detection_reason
FROM events
WHERE (
  logsourcetypeid IN (12, 13, 143, 352, 383)
  AND (
    LOWER("Process Name") MATCHES '.*(htran|zxproxy|zxportmap|chisel|frpc|frps|proxychains|revsocks|socat|stunnel|privoxy|iodine|dns2tcp|ptunnel|3proxy|ss-local|shadowsocks).*'
    OR LOWER("Command") MATCHES '.*(htran|zxproxy|chisel|frpc|proxychains|socat|socks5://|socks4://|-socks[45]|connect-proxy).*'
    OR (
      LOWER("Process Name") MATCHES '.*\b(ssh\.exe|ssh|plink\.exe)'
      AND LOWER("Command") MATCHES '.*(-[fnqt]*d\s+\d+|-nnt|-fnd|-fnqd).*'
    )
    OR (
      destinationport IN (1080, 3128, 8080, 8888, 9050, 9051, 4444, 1337, 31337, 8443, 4443)
      AND NOT INCIDR('10.0.0.0/8', destinationip)
      AND NOT INCIDR('172.16.0.0/12', destinationip)
      AND NOT INCIDR('192.168.0.0/16', destinationip)
      AND NOT INCIDR('127.0.0.0/8', destinationip)
      AND NOT LOWER("Process Name") MATCHES '.*(chrome|firefox|msedge|iexplore|opera|brave|curl|wget).*'
    )
  )
  AND starttime > NOW() - 86400000
)
ORDER BY starttime DESC
Severity: high · Confidence: medium

Detects T1090.002 External Proxy activity using IBM QRadar AQL against Windows Sysmon (Event IDs 1 and 3), Windows Security event logs, and endpoint agent logs. Three detection branches: (1) process execution matching known proxy relay tool names or SOCKS-related command-line arguments; (2) an SSH process with dynamic port-forwarding flags (-D) indicating SOCKS proxy setup; (3) network connection events to well-known proxy ports from non-browser initiating processes destined for public IP space. Uses INCIDR (CIDR first, then the IP field) for RFC 1918 and loopback exclusion and a CASE expression to label the detection reason. Note that AQL MATCHES is a full-string Java regex match, so substring patterns must be bracketed with .* or they only fire on an exact process name.
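To unit-test the three branches and their regexes before they are deployed to QRadar, here is a Python port of the CASE logic (an added example, not the page's own query or an IBM API). It runs over constructed events shaped like Sysmon EID 1/3 records, mirroring the Test 1 (ssh -D) and Test 2 (chisel) scenarios from the Testing Methodology below plus benign browser and internal traffic that must not fire; Python's re.fullmatch stands in for QRadar's full-string MATCHES.

```python
import ipaddress
import re

# Added example: Python port of the AQL detection branches. QRadar MATCHES is a
# full-string Java regex match, hence the leading/trailing '.*' and re.fullmatch.
KNOWN_TOOLS = re.compile(r'.*(htran|zxproxy|zxportmap|chisel|frpc|frps|proxychains|revsocks'
                         r'|socat|stunnel|privoxy|iodine|dns2tcp|ptunnel|3proxy|ss-local|shadowsocks).*')
SOCKS_ARGS = re.compile(r'.*(htran|zxproxy|chisel|frpc|proxychains|socat|socks5://|socks4://'
                        r'|-socks[45]|connect-proxy).*')
SSH_BIN = re.compile(r'.*\b(ssh\.exe|ssh|plink\.exe)')
SSH_DYNFWD = re.compile(r'.*(-[fnqt]*d\s+\d+|-nnt|-fnd|-fnqd).*')
BROWSERS = re.compile(r'.*(chrome|firefox|msedge|iexplore|opera|brave|curl|wget).*')
PROXY_PORTS = {1080, 3128, 8080, 8888, 9050, 9051, 4444, 1337, 31337, 8443, 4443}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8')]

def is_private(ip):
    """RFC 1918 / loopback exclusion, mirroring the NOT INCIDR(...) clauses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)

def detection_reason(ev):
    """Return the CASE label the AQL query would assign, or None if no branch fires."""
    proc = ev.get('process_name', '').lower()   # LOWER("Process Name")
    cmd = ev.get('command', '').lower()         # LOWER("Command")
    dst, port = ev.get('destinationip'), ev.get('destinationport')
    if KNOWN_TOOLS.fullmatch(proc) or SOCKS_ARGS.fullmatch(cmd):
        return 'KnownProxyTool'
    if SSH_BIN.fullmatch(proc) and SSH_DYNFWD.fullmatch(cmd):
        return 'SSHSocksProxy'
    if port in PROXY_PORTS and dst and not is_private(dst) and not BROWSERS.fullmatch(proc):
        return 'ProxyPortConnection'
    return None

# Constructed events (not real telemetry) shaped like Sysmon EID 1/3 records:
# the page's Test 1 and Test 2 scenarios plus benign traffic that must not fire.
SAMPLE_EVENTS = [
    {'process_name': '/usr/bin/ssh', 'command': 'ssh -fN -D 1080 user@203.0.113.10 -p 2222',
     'destinationip': '203.0.113.10', 'destinationport': 2222},
    {'process_name': r'C:\Users\x\AppData\Local\Temp\chisel.exe',
     'command': 'chisel.exe client 203.0.113.10:8080 socks',
     'destinationip': '203.0.113.10', 'destinationport': 8080},
    {'process_name': r'C:\Program Files\Google\Chrome\chrome.exe', 'command': '',
     'destinationip': '203.0.113.20', 'destinationport': 8080},   # browser: excluded
    {'process_name': r'C:\Windows\System32\svchost.exe', 'command': '',
     'destinationip': '10.1.2.3', 'destinationport': 3128},       # internal: excluded
    {'process_name': r'C:\tools\updater.exe', 'command': '',
     'destinationip': '198.51.100.7', 'destinationport': 4444},   # public proxy port
]
```

Running detection_reason over SAMPLE_EVENTS yields SSHSocksProxy, KnownProxyTool, None, None, ProxyPortConnection, which is what the AQL CASE would label the same records.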

Data Sources

  • Windows Sysmon event log (Event IDs 1 and 3) via WinCollect or DSM
  • Windows Security event log (Event ID 4688 with command-line auditing enabled)
  • QRadar Network Activity flows for port-based detection

Required Tables

  • events (LOGSOURCETYPEID 12 WinCollect, 143 Sysmon, 352 Microsoft Windows Security Event Log)
  • flows (for network connection visibility if the endpoint DSM is unavailable)

False Positives & Tuning

  • Administrators using SSH dynamic port forwarding (-D flag) for legitimate tunnel-based access to isolated network segments or cloud environments.
  • IT operations teams deploying or testing web proxies (Squid, Privoxy, Nginx) on standard proxy ports (3128, 8080) that trigger the port-based detection branch.
  • Endpoint security or DLP products that proxy all outbound connections through a local SOCKS listener, causing every application to appear to connect to proxy ports.
  • Developers using tools like kubectl port-forward, ngrok, or cloudflared that establish local proxy listeners and may invoke socat or stunnel as dependencies.

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: SOCKS5 Proxy via SSH Dynamic Port Forwarding

    Expected signal: Sysmon for Linux or auditd: Process creation for ssh with command line containing '-D 1080'. Network connection event showing TCP bind on 127.0.0.1:1080. If Sysmon EID 3 is available, outbound TCP connection to the target SSH server on port 2222.

  2. Test 2: TCP Port Forwarding via Chisel Proxy Tool

    Expected signal: Sysmon Event ID 1: Process Create for chisel.exe with command line containing 'client' and 'socks'. Sysmon Event ID 3: Network connection from chisel.exe to 127.0.0.1:8080. Sysmon Event ID 11: File creation of chisel.exe in %TEMP%. Security Event ID 4688 (if command line auditing enabled).

  3. Test 3: HTRAN Port Redirector Execution

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'htran'. If the actual HTRAN binary is used in an authorized test environment: a direct process creation event with the '-listen' argument and IP:port parameters. Security Event ID 4688 with the htran.exe image path.

  4. Test 4: FRP (Fast Reverse Proxy) Client Configuration and Execution

    Expected signal: Sysmon Event ID 11: File creation of frpc.ini in %TEMP% with content showing server_addr, server_port, and plugin=socks5. Sysmon Event ID 1: PowerShell process creation with command containing 'frpc.ini'. The configuration file content reveals the external C2 relay address (192.0.2.1).

  5. Test 5: SOCKS Proxy via Netcat-style Listener (socat)

    Expected signal: Linux auditd/Sysmon for Linux: Process creation for socat with arguments 'TCP4-LISTEN:1080' and 'TCP4:192.0.2.1:4444'. Network socket creation binding to local port 1080. If Sysmon EID 3 is available: outbound connection attempt to 192.0.2.1:4444.
