T1090.003

Multi-hop Proxy

Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Techniques include Tor onion routing, ProxyChains, SOCKS proxy chaining, operational relay box (ORB) networks, and peer-to-peer routing to make attribution difficult. Defenders can typically only see the last hop before their network boundary.

Microsoft Sentinel / Defender

kusto

let TorPorts = dynamic([9001, 9030, 9040, 9050, 9051, 9150, 9151]);
let KnownProxyTools = dynamic(["tor.exe", "tor2web", "proxychains", "proxifier.exe", "3proxy.exe", "srelay.exe", "microsocks", "redsocks"]);
let SuspiciousProxyArgs = dynamic(["proxychains", "socks5", "socks4", "tor2web", "-D ", "DynamicForward", "ProxyJump", "-o ProxyCommand"]);
// Detection 1: Known proxy tool process creation
let ProxyProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (KnownProxyTools)
    or ProcessCommandLine has_any (SuspiciousProxyArgs)
| extend DetectionType = "ProxyToolLaunch"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Detection 2: Network connections to Tor ports
let TorConnections = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (TorPorts)
| where RemoteIPType == "Public"
| extend DetectionType = "TorPortConnection"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          RemoteIP, RemotePort, RemoteUrl, DetectionType;
// Detection 3: SSH used as multi-hop proxy (dynamic forwarding / ProxyJump)
let SSHProxyChain = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("ssh.exe", "ssh", "plink.exe")
| where ProcessCommandLine has_any ("-D ", "-w ", "ProxyJump", "-J ", "-o ProxyCommand", "DynamicForward")
| extend DetectionType = "SSHMultiHopProxy"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Union all detections
ProxyProcesses
| union TorConnections
| union SSHProxyChain
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Security researchers or penetration testers legitimately running Tor or proxy tools in authorized lab environments
Privacy-conscious employees using Tor Browser for legitimate personal browsing on non-managed devices that surface telemetry
SSH administrators using dynamic port forwarding (-D) or ProxyJump (-J) for legitimate bastion-host access patterns
VPN client software that internally routes through SOCKS5 on ports overlapping with Tor defaults (e.g., 9050)
Developer environments running local proxy tools (Proxifier, Privoxy) for testing API calls through corporate proxies

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval EventCode=coalesce(EventCode, event_id)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine)
| eval CommandLineLower=lower(CommandLine)
| eval ImageLower=lower(Image)
(
  (EventCode=1 OR EventCode=4688)
  AND (
    match(ImageLower, "(tor\.exe|proxifier|3proxy|srelay|microsocks|proxychains|redsocks|plink)")
    OR match(CommandLineLower, "(proxychains|socks5|socks4|tor2web|-d \d+|proxyjump|-j \s|proxycommand|dynamicforward)")
    OR (match(ImageLower, "(ssh|ssh\.exe)$") AND match(CommandLineLower, "(-d |-w |proxyjump|-j |proxycommand)"))
  )
)
| eval DetectionType=case(
    match(ImageLower, "(tor\.exe|proxifier|3proxy|srelay|microsocks|proxychains|redsocks)"), "KnownProxyTool",
    match(ImageLower, "(ssh|plink)") AND match(CommandLineLower, "(-d |-j |proxyjump|proxycommand)"), "SSHMultiHopProxy",
    match(CommandLineLower, "proxychains"), "ProxyChainsUsage",
    true(), "SuspiciousProxyArg"
  )
| eval TorConnection=if(match(CommandLineLower, "(9050|9051|9150|9001|9030)"), 1, 0)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, TorConnection
| sort - _time

| append [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
      (DestinationPort=9001 OR DestinationPort=9030 OR DestinationPort=9050 OR DestinationPort=9051 OR DestinationPort=9150 OR DestinationPort=9151)
      NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
    | eval DetectionType="TorPortNetworkConnection"
    | eval TorConnection=1
    | table _time, host, User, Image, DestinationIp, DestinationPort, DestinationHostname, DetectionType, TorConnection
    | sort - _time
  ]
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation Sysmon Event ID 1 Sysmon Event ID 3 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Security researchers or penetration testers legitimately running Tor or proxy tools in authorized lab environments
Privacy-conscious employees using Tor Browser for legitimate personal browsing on non-managed devices that surface telemetry
SSH administrators using dynamic port forwarding (-D) or ProxyJump (-J) for legitimate bastion-host access patterns
VPN client software that internally routes through SOCKS5 on ports overlapping with Tor defaults (e.g., 9050)
Developer environments running local proxy tools (Proxifier, Privoxy) for testing API calls through corporate proxies

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  username,
  sourceip,
  destinationip,
  LONG(destinationport) AS destination_port,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(highlevelcategory) AS high_category,
  LOGSOURCENAME(logsourceid) AS log_source,
  "EventID",
  UTF8(payload) AS raw_log
FROM events
WHERE
  (
    "EventID" IN ('1', '4688')
    AND (
      UTF8(payload) ILIKE '%tor.exe%'
      OR UTF8(payload) ILIKE '%proxychains%'
      OR UTF8(payload) ILIKE '%proxifier%'
      OR UTF8(payload) ILIKE '%3proxy.exe%'
      OR UTF8(payload) ILIKE '%srelay.exe%'
      OR UTF8(payload) ILIKE '%microsocks%'
      OR UTF8(payload) ILIKE '%redsocks%'
      OR UTF8(payload) ILIKE '%plink.exe%'
      OR UTF8(payload) ILIKE '%socks5%'
      OR UTF8(payload) ILIKE '%socks4%'
      OR UTF8(payload) ILIKE '%tor2web%'
      OR UTF8(payload) ILIKE '%ProxyJump%'
      OR UTF8(payload) ILIKE '%ProxyCommand%'
      OR UTF8(payload) ILIKE '%DynamicForward%'
    )
  )
  OR (
    "EventID" = '3'
    AND LONG(destinationport) IN (9001, 9030, 9040, 9050, 9051, 9150, 9151)
    AND NOT (
      destinationip INCIDR '10.0.0.0/8'
      OR destinationip INCIDR '172.16.0.0/12'
      OR destinationip INCIDR '192.168.0.0/16'
      OR destinationip INCIDR '127.0.0.0/8'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Sysmon via QRadar DSM (EventID 1, 3) Windows Security Event Log via QRadar DSM (EventID 4688) IBM QRadar SIEM event pipeline

Required Tables

events

False Positives

Legitimate SSH dynamic port forwarding sessions established by system administrators tunneling traffic through jump hosts for routine privileged access management
Privacy or anonymization tools (Tor Browser, Proxifier configured for corporate proxy bypass) sanctioned by the organization and installed on managed endpoints
Security assessment tooling such as ProxyChains or plink executed by authorized penetration testers on devices included in the scope of a documented red team exercise

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winevent*)
| parse regex "(?:EventID|EventCode)[=\"\s>]+(?<EventID>\d+)" nodrop
| parse regex "(?:Image|NewProcessName)[=\"\s>]+(?<Image>[^\r\n<]+)" nodrop
| parse regex "(?:CommandLine|ProcessCommandLine)[=\"\s>]+(?<CommandLine>[^\r\n<]+)" nodrop
| parse regex "(?:DestinationIp|DestAddress)[=\"\s>]+(?<DestIP>[^\r\n<]+)" nodrop
| parse regex "(?:DestinationPort|DestPort)[=\"\s>]+(?<DestPort>\d+)" nodrop
| parse regex "(?:User|SubjectUserName|TargetUserName)[=\"\s>]+(?<User>[^\r\n<]+)" nodrop
| where (
    EventID in ("1", "4688") and (
      matches(Image, "(?i)(tor\.exe|proxychains|proxifier|3proxy\.exe|srelay\.exe|microsocks|redsocks|plink\.exe)")
      or matches(CommandLine, "(?i)(proxychains|socks5|socks4|tor2web|proxyjump|proxycommand|dynamicforward)")
      or (matches(Image, "(?i)(ssh(\.exe)?$|plink\.exe$)") and matches(CommandLine, "(?i)(\s-[DJw]\s|proxyjump|proxycommand)"))
    )
  )
  or (
    EventID = "3"
    and DestPort in ("9001", "9030", "9040", "9050", "9051", "9150", "9151")
    and !matches(DestIP, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
  )
| eval DetectionType = if(EventID = "3", "TorPortConnection",
    if(matches(Image, "(?i)(tor\.exe|proxychains|proxifier|3proxy|srelay|microsocks|redsocks)"), "KnownProxyTool",
    if(matches(Image, "(?i)(ssh|plink)") and matches(CommandLine, "(?i)(-D |-J |proxyjump|proxycommand)"), "SSHMultiHopProxy",
    "SuspiciousProxyArg")))
| fields _time, _sourceHost, User, Image, CommandLine, DestIP, DestPort, DetectionType
| sort by _time desc

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic Installed Collector Windows Security Event Log via Sumo Logic Windows Event Log Source Sumo Logic Cloud SIEM Enterprise normalized endpoint records

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*winevent*

False Positives

SSH administrators using ProxyJump (-J) or dynamic forwarding (-D) in multi-hop bastion host access workflows for privileged remote administration of segmented environments
IT security teams executing Tor, ProxyChains, or plink during authorized red team operations or network penetration testing on scoped, enrolled devices
Corporate-approved VPN or anonymizing proxy clients that listen on or connect to Tor-adjacent ports as part of their normal operation, generating benign but policy-relevant alerts

Google Chronicle / SecOps

yaral

rule t1090_003_multi_hop_proxy_process_launch {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1090.003 - Multi-hop proxy via known proxy tool execution and SSH dynamic forwarding"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1090.003"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(tor\.exe|proxychains|proxifier\.exe|3proxy\.exe|srelay\.exe|microsocks|redsocks|plink\.exe)`)
      or re.regex($e.target.process.command_line, `(?i)(proxychains|socks5|socks4a?|tor2web|proxyjump|proxycommand|dynamicforward)`)
      or (
        re.regex($e.target.process.file.full_path, `(?i)[\\/]ssh(\.exe)?$|plink\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(\s-[DJw]\s|proxyjump|proxycommand)`)
      )
    )

  condition:
    $e
}

rule t1090_003_tor_port_network_connection {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1090.003 - Outbound network connection to Tor relay ports on public IP addresses"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1090.003"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (9001, 9030, 9040, 9050, 9051, 9150, 9151)
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM PROCESS_LAUNCH events from endpoint telemetry Chronicle UDM NETWORK_CONNECTION events from network sensors or EDR Google Cloud Chronicle Forwarder ingesting Sysmon or CrowdStrike data

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH UDM events with metadata.event_type = NETWORK_CONNECTION

False Positives

Authorized red team or penetration testing personnel running Tor, plink, or ProxyChains on Chronicle-enrolled endpoints during documented, scoped engagements
DevOps or SRE teams establishing SSH dynamic port forwarding (-D) or multi-hop ProxyJump chains to reach services in isolated network segments as part of standard access procedures
OSINT analysts or threat intelligence researchers using Tor Browser on corporate devices to access dark web resources under an approved, policy-documented research exception

CrowdStrike LogScale (CQL)

cql

// Branch 1: Known proxy tool process creation (ProcessRollup2)
#event_simpleName = ProcessRollup2
| FileName = /(?i)(tor\.exe|proxychains|proxifier\.exe|3proxy\.exe|srelay\.exe|microsocks|redsocks|plink\.exe)/
  OR CommandLine = /(?i)(proxychains|socks5|socks4a?|tor2web|proxyjump|proxycommand|dynamicforward)/
  OR (FileName = /(?i)^ssh(\.exe)?$|plink\.exe$/ AND CommandLine = /(?i)(\s-[DJw]\s|proxyjump|proxycommand)/)
| eval DetectionType = case(
    FileName = /(?i)(tor\.exe|proxychains|proxifier|3proxy|srelay|microsocks|redsocks)/, "KnownProxyTool",
    FileName = /(?i)(ssh(\.exe)?$|plink)/ AND CommandLine = /(?i)(-D |-J |proxyjump|proxycommand)/, "SSHMultiHopProxy",
    CommandLine = /(?i)(socks5|socks4|tor2web|proxyjump|proxycommand|dynamicforward)/, "SuspiciousProxyArg",
    "SuspiciousProxy")
| table(@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionType)

| union {
    // Branch 2: Network connections to Tor relay ports (NetworkConnectIP4)
    #event_simpleName = NetworkConnectIP4
    | RemotePort in [9001, 9030, 9040, 9050, 9051, 9150, 9151]
    | RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
    | eval DetectionType = "TorPortConnection"
    | table(@timestamp, ComputerName, UserName, LocalAddressIP4, RemoteAddressIP4, RemotePort, DetectionType)
  }

| sort(@timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Insight EDR (ProcessRollup2 events) CrowdStrike Falcon Insight EDR (NetworkConnectIP4 events) CrowdStrike Falcon LogScale (formerly Humio) SIEM integration

Required Tables

#event_simpleName=ProcessRollup2 #event_simpleName=NetworkConnectIP4

False Positives

IT security engineers or red team operators running Tor-based C2 simulations or ProxyChains pivoting on Falcon-enrolled endpoints during authorized, time-boxed penetration test exercises
System administrators establishing SSH dynamic port forwarding tunnels or plink-based multi-hop sessions to reach isolated network segments through authorized jump hosts
Tor Browser installed by employees for personal anonymity use on BYOD or lightly managed endpoints, producing repeated Tor port connection events that are policy violations but not adversarial activity

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1090.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Multi-hop Proxy

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Command and Control

Popular Detections