T1090.003 Splunk · SPL

Detect Multi-hop Proxy in Splunk

Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Techniques include Tor onion routing, ProxyChains, SOCKS proxy chaining, operational relay box (ORB) networks, and peer-to-peer routing to make attribution difficult. Defenders can typically only see the last hop before their network boundary.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1090 Proxy
Sub-technique
T1090.003 Multi-hop Proxy
Canonical reference
https://attack.mitre.org/techniques/T1090/003/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval EventCode=coalesce(EventCode, event_id)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine)
| eval CommandLineLower=lower(CommandLine)
| eval ImageLower=lower(Image)
(
  (EventCode=1 OR EventCode=4688)
  AND (
    match(ImageLower, "(tor\.exe|proxifier|3proxy|srelay|microsocks|proxychains|redsocks|plink)")
    OR match(CommandLineLower, "(proxychains|socks5|socks4|tor2web|-d \d+|proxyjump|-j \s|proxycommand|dynamicforward)")
    OR (match(ImageLower, "(ssh|ssh\.exe)$") AND match(CommandLineLower, "(-d |-w |proxyjump|-j |proxycommand)"))
  )
)
| eval DetectionType=case(
    match(ImageLower, "(tor\.exe|proxifier|3proxy|srelay|microsocks|proxychains|redsocks)"), "KnownProxyTool",
    match(ImageLower, "(ssh|plink)") AND match(CommandLineLower, "(-d |-j |proxyjump|proxycommand)"), "SSHMultiHopProxy",
    match(CommandLineLower, "proxychains"), "ProxyChainsUsage",
    true(), "SuspiciousProxyArg"
  )
| eval TorConnection=if(match(CommandLineLower, "(9050|9051|9150|9001|9030)"), 1, 0)
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, TorConnection
| sort - _time

| append [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
      (DestinationPort=9001 OR DestinationPort=9030 OR DestinationPort=9050 OR DestinationPort=9051 OR DestinationPort=9150 OR DestinationPort=9151)
      NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
    | eval DetectionType="TorPortNetworkConnection"
    | eval TorConnection=1
    | table _time, host, User, Image, DestinationIp, DestinationPort, DestinationHostname, DetectionType, TorConnection
    | sort - _time
  ]
| sort - _time
high severity medium confidence

Detects multi-hop proxy activity using Sysmon and Security event logs across two detection branches: (1) Process creation events (Sysmon EventCode=1 or Security EventCode=4688) matching known proxy tool names or suspicious command-line arguments including ProxyChains, SOCKS4/5 flags, SSH dynamic forwarding, and ProxyJump; (2) Sysmon network connection events (EventCode=3) to known Tor ports on public IP addresses. Results are tagged with a DetectionType field and unioned for unified analyst review.

Data Sources

Process: Process CreationNetwork Traffic: Network Connection CreationSysmon Event ID 1Sysmon Event ID 3Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/OperationalWinEventLog:Security

False Positives & Tuning

  • Security researchers or penetration testers legitimately running Tor or proxy tools in authorized lab environments
  • Privacy-conscious employees using Tor Browser for legitimate personal browsing on non-managed devices that surface telemetry
  • SSH administrators using dynamic port forwarding (-D) or ProxyJump (-J) for legitimate bastion-host access patterns
  • VPN client software that internally routes through SOCKS5 on ports overlapping with Tor defaults (e.g., 9050)
  • Developer environments running local proxy tools (Proxifier, Privoxy) for testing API calls through corporate proxies
Download portable Sigma rule (.yml)

Other platforms for T1090.003

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Launch Tor Process as SOCKS Proxy

    Expected signal: Sysmon Event ID 1: Process Create with Image path in %TEMP%\tortest\tor\tor.exe and CommandLine containing --SocksPort 9050. Sysmon Event ID 3: Multiple outbound TCP connections to public IPs on ports 9001 and 9030 (Tor directory and guard connections). Sysmon Event ID 11: File creation events for tor.exe and torrc in non-standard temp path.

  2. Test 2ProxyChains Multi-hop Configuration and Execution

    Expected signal: Linux auditd/syslog: Process creation for proxychains4 with command line referencing the config file. Sysmon for Linux (if deployed) Event ID 1: Process Create for proxychains4 with full command line. Network connection attempts through the configured SOCKS chain. File creation event for /tmp/test_proxychains.conf.

  3. Test 3SSH Dynamic Port Forwarding (Multi-hop SOCKS Proxy)

    Expected signal: Sysmon Event ID 1 (Linux) or Security Event ID 4688 (Windows with OpenSSH): Process Create for ssh with CommandLine containing '-D 1080' or '-J jumphost.example.com'. Sysmon Event ID 3: Outbound TCP connection to 192.0.2.1:22 and jumphost.example.com:22. The -D flag creates a listening socket on local port 1080 visible in netstat/socket monitoring.

  4. Test 4SOCKS Proxy via Netcat/Ncat Relay Chain Simulation

    Expected signal: Sysmon Event ID 1: Multiple ncat.exe or nc.exe process creation events with -l (listen) and -c (command/forward) flags. Sysmon Event ID 3: Network listen and connection events on ports 18080 and 18081. Security Event ID 4688 (if command line auditing enabled): ncat.exe process creation with forwarding arguments.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1090.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1090Proxy

Related Sub-techniques

T1090.001Internal ProxyT1090.002External ProxyT1090.004Domain Fronting

Related Techniques

T1090ProxyT1090.001Internal ProxyT1090.002External ProxyT1090.004Domain FrontingT1572Protocol TunnelingT1071.001Web ProtocolsT1573Encrypted ChannelT1021.004SSHT1584.008Network DevicesT1599Network Boundary BridgingT1027Obfuscated Files or Information

Same Tactic: Command and Control

Popular Detections