Detect Multi-hop Proxy in Sumo Logic CSE
Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Techniques include Tor onion routing, ProxyChains, SOCKS proxy chaining, operational relay box (ORB) networks, and peer-to-peer routing to make attribution difficult. Defenders can typically only see the last hop before their network boundary.
MITRE ATT&CK
- Tactic
- Command and Control
- Technique
- T1090 Proxy
- Sub-technique
- T1090.003 Multi-hop Proxy
- Canonical reference
- https://attack.mitre.org/techniques/T1090/003/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winevent*)
| parse regex "(?:EventID|EventCode)[=\"\s>]+(?<EventID>\d+)" nodrop
| parse regex "(?:Image|NewProcessName)[=\"\s>]+(?<Image>[^\r\n<]+)" nodrop
| parse regex "(?:CommandLine|ProcessCommandLine)[=\"\s>]+(?<CommandLine>[^\r\n<]+)" nodrop
| parse regex "(?:DestinationIp|DestAddress)[=\"\s>]+(?<DestIP>[^\r\n<]+)" nodrop
| parse regex "(?:DestinationPort|DestPort)[=\"\s>]+(?<DestPort>\d+)" nodrop
| parse regex "(?:User|SubjectUserName|TargetUserName)[=\"\s>]+(?<User>[^\r\n<]+)" nodrop
| where (
EventID in ("1", "4688") and (
matches(Image, "(?i)(tor\.exe|proxychains|proxifier|3proxy\.exe|srelay\.exe|microsocks|redsocks|plink\.exe)")
or matches(CommandLine, "(?i)(proxychains|socks5|socks4|tor2web|proxyjump|proxycommand|dynamicforward)")
or (matches(Image, "(?i)(ssh(\.exe)?$|plink\.exe$)") and matches(CommandLine, "(?i)(\s-[DJw]\s|proxyjump|proxycommand)"))
)
)
or (
EventID = "3"
and DestPort in ("9001", "9030", "9040", "9050", "9051", "9150", "9151")
and !matches(DestIP, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
)
| eval DetectionType = if(EventID = "3", "TorPortConnection",
if(matches(Image, "(?i)(tor\.exe|proxychains|proxifier|3proxy|srelay|microsocks|redsocks)"), "KnownProxyTool",
if(matches(Image, "(?i)(ssh|plink)") and matches(CommandLine, "(?i)(-D |-J |proxyjump|proxycommand)"), "SSHMultiHopProxy",
"SuspiciousProxyArg")))
| fields _time, _sourceHost, User, Image, CommandLine, DestIP, DestPort, DetectionType
| sort by _time descDetects T1090.003 multi-hop proxy activity by parsing Windows Sysmon and Security event logs collected via Sumo Logic Installed Collectors. Uses regex-based field extraction to parse Image, CommandLine, DestinationIp, and DestinationPort from raw log payloads. Identifies process creation events (EventID 1/4688) matching known proxy tool filenames or suspicious command-line patterns, and Sysmon network events (EventID 3) connecting to Tor relay ports on public IP space. Classifies results by DetectionType for analyst triage.
Data Sources
Required Tables
False Positives & Tuning
- SSH administrators using ProxyJump (-J) or dynamic forwarding (-D) in multi-hop bastion host access workflows for privileged remote administration of segmented environments
- IT security teams executing Tor, ProxyChains, or plink during authorized red team operations or network penetration testing on scoped, enrolled devices
- Corporate-approved VPN or anonymizing proxy clients that listen on or connect to Tor-adjacent ports as part of their normal operation, generating benign but policy-relevant alerts
Other platforms for T1090.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Launch Tor Process as SOCKS Proxy
Expected signal: Sysmon Event ID 1: Process Create with Image path in %TEMP%\tortest\tor\tor.exe and CommandLine containing --SocksPort 9050. Sysmon Event ID 3: Multiple outbound TCP connections to public IPs on ports 9001 and 9030 (Tor directory and guard connections). Sysmon Event ID 11: File creation events for tor.exe and torrc in non-standard temp path.
- Test 2ProxyChains Multi-hop Configuration and Execution
Expected signal: Linux auditd/syslog: Process creation for proxychains4 with command line referencing the config file. Sysmon for Linux (if deployed) Event ID 1: Process Create for proxychains4 with full command line. Network connection attempts through the configured SOCKS chain. File creation event for /tmp/test_proxychains.conf.
- Test 3SSH Dynamic Port Forwarding (Multi-hop SOCKS Proxy)
Expected signal: Sysmon Event ID 1 (Linux) or Security Event ID 4688 (Windows with OpenSSH): Process Create for ssh with CommandLine containing '-D 1080' or '-J jumphost.example.com'. Sysmon Event ID 3: Outbound TCP connection to 192.0.2.1:22 and jumphost.example.com:22. The -D flag creates a listening socket on local port 1080 visible in netstat/socket monitoring.
- Test 4SOCKS Proxy via Netcat/Ncat Relay Chain Simulation
Expected signal: Sysmon Event ID 1: Multiple ncat.exe or nc.exe process creation events with -l (listen) and -c (command/forward) flags. Sysmon Event ID 3: Network listen and connection events on ports 18080 and 18081. Security Event ID 4688 (if command line auditing enabled): ncat.exe process creation with forwarding arguments.
References (12)
- https://attack.mitre.org/techniques/T1090/003/
- https://en.wikipedia.org/wiki/Onion_routing
- https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks
- https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200a
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a
- https://www.welivesecurity.com/2018/10/17/greyenergy-updated-arsenal-dangerous-threat-actors/
- https://www.torproject.org/about/history/
- https://github.com/rofl0r/proxychains-ng
- https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.003/T1090.003.md
Unlock Pro Content
Get the full detection package for T1090.003 including response playbook, investigation guide, and atomic red team tests.