Detect Proxy in Google Chronicle
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server. This avoids direct connections to adversary infrastructure, provides resiliency, and may allow C2 traffic to blend with legitimate communications. Proxies may be implemented using standalone tools (HTRAN, FRP, Earthworm, Chisel), built into implants (SombRAT SOCKS proxy, ZxShell), or leveraged through cloud CDN infrastructure.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1090 Proxy
- Canonical reference: https://attack.mitre.org/techniques/T1090/
YARA-L Detection Query
rule detect_proxy_tool_execution_t1090 {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of known proxy and tunneling tools (T1090 - Proxy)"
    severity = "HIGH"
    mitre_attack_tactic = "Command and Control"
    mitre_attack_technique = "T1090"
    confidence = "high"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(htran|ew\.exe|earthworm|frpc\.exe|frps\.exe|chisel\.exe|revsocks|ligolo|proxychains|3proxy|ngrok|iox\.exe|gost\.exe|npc\.exe|nps\.exe)`) or
      re.regex($e.target.process.command_line, `(?i)(-socks5|-socks4|-socks\s|socks5://|socks4://|proxychains|proxytunnel|portmap|invoke-ngrok|connect-proxy|corkscrew|lcx)`) or
      (
        re.regex($e.target.process.file.full_path, `(?i)plink\.exe`) and
        re.regex($e.target.process.command_line, `(?i)\s-(R|L|D)\s`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)ssh\.exe`) and
        re.regex($e.target.process.command_line, `(?i)\s-(R|L|D)\s`) and
        not re.regex($e.target.process.command_line, `(?i)\bscp\b`)
      ) or
      (
        re.regex($e.target.process.file.full_path, `(?i)netsh\.exe`) and
        re.regex($e.target.process.command_line, `(?i)portproxy`) and
        re.regex($e.target.process.command_line, `(?i)\badd\b`)
      ) or
      (
        re.regex($e.target.process.command_line, `(?i)\bfrpc\b`) and
        re.regex($e.target.process.command_line, `(?i)\.ini`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule for T1090 Proxy. Matches PROCESS_LAUNCH UDM events where the target process file path or command line contains known proxy tool names, SSH port forwarding flags, netsh portproxy add commands, FRP ini config references, or SOCKS indicators. Uses re.regex() with the case-insensitive (?i) flag throughout.
Data Sources
Required Tables
False Positives & Tuning
- Developers legitimately using ngrok or similar SaaS tunneling services during development or demo workflows
- System administrators using SSH -L, -R, or -D flags for authorized remote access through bastion or jump hosts
- DevOps automation invoking SSH port forwarding in deployment scripts for secure connectivity to isolated environments
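To see how the rule's events-section predicate behaves, and how one of the tuning suggestions above can be applied without weakening the rule, here is an added Python re-implementation that is not part of the page or of Chronicle. It reuses the rule's regexes unchanged, runs them over constructed UDM-like PROCESS_LAUNCH events, and adds a hypothetical jump-host allowlist (APPROVED_JUMP_HOSTS is an assumption, not from the page) for the "administrators using SSH -L/-R/-D through a bastion" false positive.

```python
import re
from typing import Dict, List

# Patterns copied from the YARA-L rule above; Python's re accepts them unchanged.
PROXY_PATH = re.compile(r"(?i)(htran|ew\.exe|earthworm|frpc\.exe|frps\.exe|chisel\.exe|revsocks|ligolo"
                        r"|proxychains|3proxy|ngrok|iox\.exe|gost\.exe|npc\.exe|nps\.exe)")
PROXY_CMD = re.compile(r"(?i)(-socks5|-socks4|-socks\s|socks5://|socks4://|proxychains|proxytunnel"
                       r"|portmap|invoke-ngrok|connect-proxy|corkscrew|lcx)")
FWD_FLAG = re.compile(r"(?i)\s-(R|L|D)\s")
PLINK, SSH, NETSH = (re.compile(p, re.I) for p in (r"plink\.exe", r"ssh\.exe", r"netsh\.exe"))
SCP, ADD, FRPC = (re.compile(p, re.I) for p in (r"\bscp\b", r"\badd\b", r"\bfrpc\b"))

def rule_matches(ev: Dict[str, str]) -> bool:
    """Same predicate as the rule's events section, applied to one UDM-like event."""
    if ev["event_type"] != "PROCESS_LAUNCH":   # the rule only looks at process launches
        return False
    path, cmd = ev["path"], ev["cmd"]
    return bool(
        PROXY_PATH.search(path) or PROXY_CMD.search(cmd)
        or (PLINK.search(path) and FWD_FLAG.search(cmd))
        or (SSH.search(path) and FWD_FLAG.search(cmd) and not SCP.search(cmd))
        or (NETSH.search(path) and "portproxy" in cmd.lower() and ADD.search(cmd))
        or (FRPC.search(cmd) and ".ini" in cmd.lower())
    )

# Hypothetical tuning allowlist (assumed for this example, not from the page).
APPROVED_JUMP_HOSTS = ("bastion.corp.example",)

def should_alert(ev: Dict[str, str], approved=APPROVED_JUMP_HOSTS) -> bool:
    """Rule hit minus the authorised-bastion case; the rule itself stays intact."""
    if not rule_matches(ev):
        return False
    if SSH.search(ev["path"]) and any(h in ev["cmd"] for h in approved):
        return False   # admin forwarding to a known jump host: suppress, keep the detection
    return True

def alerting_names(events: List[Dict[str, str]]) -> List[str]:
    return [ev["name"] for ev in events if should_alert(ev)]

# Constructed sample events (not real telemetry); 192.0.2.1 is a documentation address.
SAMPLE_EVENTS = [
    {"name": "frpc", "event_type": "PROCESS_LAUNCH", "path": r"C:\Users\Public\frpc.exe", "cmd": "frpc.exe -c frpc.ini"},
    {"name": "ssh-socks", "event_type": "PROCESS_LAUNCH", "path": r"C:\Windows\System32\OpenSSH\ssh.exe", "cmd": "ssh.exe -D 1080 -N user@192.0.2.1"},
    {"name": "ssh-bastion", "event_type": "PROCESS_LAUNCH", "path": r"C:\Windows\System32\OpenSSH\ssh.exe", "cmd": "ssh.exe -L 5432:db.internal:5432 admin@bastion.corp.example"},
    {"name": "netsh-add", "event_type": "PROCESS_LAUNCH", "path": r"C:\Windows\System32\netsh.exe", "cmd": "netsh interface portproxy add v4tov4 listenport=8888 connectaddress=192.0.2.1 connectport=443"},
    {"name": "netsh-show", "event_type": "PROCESS_LAUNCH", "path": r"C:\Windows\System32\netsh.exe", "cmd": "netsh interface portproxy show all"},
    {"name": "plink-plain", "event_type": "PROCESS_LAUNCH", "path": r"C:\Tools\plink.exe", "cmd": "plink.exe -ssh user@host"},
    {"name": "frpc-filewrite", "event_type": "FILE_CREATION", "path": r"C:\Users\Public\frpc.exe", "cmd": ""},
]

if __name__ == "__main__":
    print(alerting_names(SAMPLE_EVENTS))  # ['frpc', 'ssh-socks', 'netsh-add']
```

The netsh "show" and plain plink launches fall through every branch, and the FILE_CREATION event is gated out by the event type check, which is why the rule's first line matters as much as its regexes.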
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Netsh PortProxy Tunnel Establishment
Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy add v4tov4 listenport=8888'. Security Event ID 4688 (with command line auditing enabled). Registry modification to HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/8888 visible via Sysmon Registry Events (Event ID 13).
- Test 2: FRP Fast Reverse Proxy Client Execution
Expected signal: Sysmon Event ID 1: Process Create with Image path containing frpc.exe and CommandLine containing '-c' and 'frpc.ini'. Sysmon Event ID 11: File Create for frpc.exe in %TEMP%. Sysmon Event ID 3: Network Connection attempt to 192.0.2.1:7000 (will fail, as the IP is non-routable). Sysmon Event ID 22: DNS query if a domain-based address is used.
- Test 3: SSH Dynamic Port Forwarding SOCKS Proxy
Expected signal: Sysmon Event ID 1: Process Create with Image=ssh.exe and CommandLine containing '-D' and '-N'. Sysmon Event ID 3: Network Connection to 127.0.0.1:22. Sysmon Event ID 3: Listening connection created on 127.0.0.1:1080 for the SOCKS proxy socket. The connection to localhost:22 will fail if no SSH server is running, but the process creation event still fires.
- Test 4: Proxychains Execution (Linux)
Expected signal: Linux auditd syscall event for execve of the proxychains4 binary with arguments including '-f' and the config file path. Syslog entry from the proxychains preload showing a SOCKS5 proxy connection attempt to 127.0.0.1:1080. Process tree shows proxychains4 as the parent of curl. The connection to 192.0.2.1 will fail (non-routable), but the process execution is logged.
- Test 5: Chisel Reverse Proxy Tunnel (Windows)
Expected signal: If chisel.exe is present: Sysmon Event ID 1 with Image=chisel.exe and CommandLine containing 'client' and 'R:socks', indicating a reverse SOCKS tunnel request. Sysmon Event ID 3 for the outbound connection attempt to 192.0.2.1:8080. File creation event (Sysmon Event ID 11) if the binary is staged to disk. Without the binary: PowerShell telemetry for the simulation step.
References
- https://attack.mitre.org/techniques/T1090/
- https://github.com/fatedier/frp
- https://github.com/jpillora/chisel
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- https://www.mandiant.com/resources/blog/cutting-edge-part-2
- https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/
- https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/network