Detect Proxy in CrowdStrike LogScale
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server. This avoids direct connections to adversary infrastructure, provides resiliency, and may allow C2 traffic to blend with legitimate communications. Proxies may be implemented using standalone tools (HTRAN, FRP, Earthworm, Chisel), built into implants (SombRAT SOCKS proxy, ZxShell), or leveraged through cloud CDN infrastructure.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1090 Proxy
- Canonical reference: https://attack.mitre.org/techniques/T1090/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageLower := lower(ImageFileName)
| CmdLower := lower(CommandLine)
| (
    ImageLower = /(htran|ew\.exe|earthworm|frpc|frps|chisel|revsocks|ligolo|proxychains|3proxy|ngrok|iox\.exe|gost\.exe|npc\.exe|nps\.exe)/
    OR CmdLower = /(-socks5|-socks4|-socks\s|socks5:\/\/|socks4:\/\/|proxychains|proxytunnel|portmap|invoke-ngrok|connect-proxy|corkscrew)/
    OR (ImageLower = /plink\.exe/ AND CmdLower = /\s-(r|l|d)\s/)
    OR (ImageLower = /ssh\.exe/ AND CmdLower = /\s-(r|l|d)\s/ AND NOT CmdLower = /scp/)
    OR (ImageLower = /netsh\.exe/ AND CmdLower = /portproxy/ AND CmdLower = /\badd\b/)
    OR (CmdLower = /\bfrpc\b/ AND CmdLower = /\.ini/)
  )
| ToolCategory := case {
    ImageLower = /(htran|earthworm|ew\.exe)/ => "Known Proxy Binary" ;
    ImageLower = /(frpc|frps)/ => "Fast Reverse Proxy" ;
    CmdLower = /\bfrpc\b/ AND CmdLower = /\.ini/ => "Fast Reverse Proxy" ;
    ImageLower = /(plink\.exe|ssh\.exe)/ AND CmdLower = /\s-(r|l|d)\s/ => "SSH Port Forward" ;
    ImageLower = /netsh\.exe/ AND CmdLower = /portproxy/ => "Netsh PortProxy" ;
    ImageLower = /ngrok/ OR CmdLower = /invoke-ngrok/ => "Ngrok Tunnel" ;
    ImageLower = /proxychains/ OR CmdLower = /proxychains/ => "Proxychains" ;
    CmdLower = /(-socks5|-socks4|-socks)/ => "SOCKS Proxy Flag" ;
    * => "Generic Proxy Pattern"
  }
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ToolCategory], limit=1000, sortby=timestamp, order=desc)

CrowdStrike LogScale (Falcon) query targeting ProcessRollup2 process creation events to detect proxy tool executions and tunneling activity. It lowercases ImageFileName and CommandLine, then regex-matches them for known proxy binaries, SSH port forwarding flags (-R/-L/-D on plink.exe or ssh.exe, excluding command lines that mention scp), netsh portproxy add, FRP .ini configs, and SOCKS indicators. The OR group is written with plain parentheses, which is how LogScale groups filter expressions. Survivors are assigned a ToolCategory via a case expression, evaluated top to bottom with the first matching arm winning, so a chisel or revsocks execution that matches no named arm lands in "Generic Proxy Pattern" rather than being dropped. Sorting is done inside table() so that the 1000-row limit keeps the newest events rather than an arbitrary 1000.
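To unit-test the query's filter and ToolCategory logic offline, the following Python mirrors it over constructed ProcessRollup2-style records. This is an added example, not part of this page's detection content and not CrowdStrike code: the hostnames, users, paths and command lines are constructed, and the KNOWN_BINARIES_ANCHORED pattern is a hypothetical tightening that is not in the query above. The sample set includes the event shapes the Testing Methodology tests produce (netsh portproxy add, frpc -c frpc.ini, ssh -D, chisel client R:socks), a benign netsh show, an ssh -L suppressed by the scp exclusion, and a benign view.exe that shows what the unanchored image regex does.

```python
import re

# Regexes transcribed from the LogScale query. LogScale's `field = /re/` is an
# unanchored search, so re.search() is the equivalent; both fields are
# lowercased first, as the query does with lower().
KNOWN_BINARIES = re.compile(
    r"(htran|ew\.exe|earthworm|frpc|frps|chisel|revsocks|ligolo|proxychains"
    r"|3proxy|ngrok|iox\.exe|gost\.exe|npc\.exe|nps\.exe)")
CMD_INDICATORS = re.compile(
    r"(-socks5|-socks4|-socks\s|socks5://|socks4://|proxychains|proxytunnel"
    r"|portmap|invoke-ngrok|connect-proxy|corkscrew)")
SSH_FWD_FLAG = re.compile(r"\s-(r|l|d)\s")
# Hypothetical tightened variant (not in the page's query): the tool name must be
# the final path component, so "view.exe" no longer matches "ew\.exe".
KNOWN_BINARIES_ANCHORED = re.compile(
    r"(?:^|[\\/])(htran|ew|earthworm|frpc|frps|chisel|revsocks|ligolo"
    r"|proxychains|3proxy|ngrok|iox|gost|npc|nps)(?:\.exe)?$")


def matches_filter(image, cmd, anchored=False):
    """Mirror of the query's filter stage; True if the event survives it."""
    binaries = KNOWN_BINARIES_ANCHORED if anchored else KNOWN_BINARIES
    return bool(
        binaries.search(image)
        or CMD_INDICATORS.search(cmd)
        or ("plink.exe" in image and SSH_FWD_FLAG.search(cmd))
        or ("ssh.exe" in image and SSH_FWD_FLAG.search(cmd) and "scp" not in cmd)
        or ("netsh.exe" in image and "portproxy" in cmd and re.search(r"\badd\b", cmd))
        or (re.search(r"\bfrpc\b", cmd) and ".ini" in cmd)
    )


def tool_category(image, cmd):
    """Mirror of the case { } expression; the first matching arm wins."""
    if re.search(r"(htran|earthworm|ew\.exe)", image):
        return "Known Proxy Binary"
    if re.search(r"(frpc|frps)", image) or (re.search(r"\bfrpc\b", cmd) and ".ini" in cmd):
        return "Fast Reverse Proxy"
    if re.search(r"(plink\.exe|ssh\.exe)", image) and SSH_FWD_FLAG.search(cmd):
        return "SSH Port Forward"
    if "netsh.exe" in image and "portproxy" in cmd:
        return "Netsh PortProxy"
    if "ngrok" in image or "invoke-ngrok" in cmd:
        return "Ngrok Tunnel"
    if "proxychains" in image or "proxychains" in cmd:
        return "Proxychains"
    if re.search(r"(-socks5|-socks4|-socks)", cmd):
        return "SOCKS Proxy Flag"
    return "Generic Proxy Pattern"


def run_detection(events, anchored=False):
    """Filter, tag survivors with ToolCategory, return them newest first."""
    hits = []
    for ev in events:
        image, cmd = ev["ImageFileName"].lower(), ev["CommandLine"].lower()
        if matches_filter(image, cmd, anchored):
            hits.append({**ev, "ToolCategory": tool_category(image, cmd)})
    return sorted(hits, key=lambda e: e["timestamp"], reverse=True)


def _ev(ts, host, user, image, cmd, parent):
    return {"timestamp": ts, "ComputerName": host, "UserName": user,
            "ImageFileName": image, "CommandLine": cmd, "ParentBaseFileName": parent}


# Constructed ProcessRollup2-style records; not real Falcon telemetry.
SAMPLE_EVENTS = [
    _ev(1700000001000, "WS01", "alice", r"C:\Windows\System32\netsh.exe",
        "netsh interface portproxy add v4tov4 listenport=8888 connectaddress=10.0.0.5 connectport=3389", "cmd.exe"),
    _ev(1700000002000, "WS01", "alice", r"C:\Windows\System32\netsh.exe",
        "netsh interface portproxy show all", "cmd.exe"),                 # no "add": not a hit
    _ev(1700000003000, "WS02", "bob", r"C:\Users\bob\AppData\Local\Temp\frpc.exe",
        "frpc.exe -c frpc.ini", "powershell.exe"),
    _ev(1700000004000, "WS02", "bob", r"C:\Windows\System32\OpenSSH\ssh.exe",
        "ssh.exe -D 1080 -N bob@192.0.2.10", "cmd.exe"),
    _ev(1700000005000, "WS03", "carol", r"C:\Windows\System32\OpenSSH\ssh.exe",
        "ssh.exe -L 8443:intranet:443 carol@scp-gateway", "cmd.exe"),     # suppressed by the /scp/ exclusion
    _ev(1700000006000, "WS03", "carol", r"C:\Users\carol\Downloads\chisel.exe",
        "chisel.exe client 192.0.2.1:8080 R:socks", "explorer.exe"),
    _ev(1700000007000, "WS04", "dave", r"C:\Program Files\ImageViewer\view.exe",
        "view.exe photo.jpg", "explorer.exe"),                             # benign, but "view.exe" contains "ew.exe"
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["ComputerName"], hit["ToolCategory"], hit["CommandLine"])
```

Run as-is, the benign view.exe event is reported as "Known Proxy Binary", because `ew\.exe` is searched anywhere in the path; the hostname "scp-gateway" also silently suppresses a real ssh -L forward. Passing anchored=True drops the view.exe hit while keeping netsh, frpc, ssh -D and chisel; the equivalent change in LogScale is to anchor the image regex to a path separator and the end of the string, and to replace the blanket /scp/ exclusion with a check on the process name.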
Data Sources
Required Tables
- #event_simpleName=ProcessRollup2 (Falcon sensor process creation events; the query reads ImageFileName, CommandLine, ParentBaseFileName, UserName and ComputerName from this event type)
False Positives & Tuning
- Authorized red team or penetration testing operations using proxy tools against designated test targets within agreed scope
- Software developers using ngrok or chisel for local tunnel testing during feature development and integration testing
- IT administrators using SSH port forwarding (-L/-R/-D) for authorized remote maintenance through corporate jump hosts
- Substring matches from the unanchored image regex: `ew\.exe` also matches any path ending in view.exe or preview.exe, and `ngrok`, `chisel` or `npc\.exe` match anywhere in a path; anchor the pattern to the final path component if this is noisy
- The `NOT CmdLower = /scp/` exclusion suppresses any ssh command line containing "scp" anywhere, including a hostname or path; tighten it if ssh -L/-R/-D to hosts with such names is in scope
- The ssh.exe and plink.exe arms only fire on Windows images; Linux sensors report /usr/bin/ssh, which is not matched, so add an arm for it if Linux hosts are covered
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Netsh PortProxy Tunnel Establishment
Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy add v4tov4 listenport=8888'. Security Event ID 4688 (with command line auditing enabled). Registry modification to HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/8888 visible via Sysmon Registry Events (Event ID 13).
- Test 2: FRP Fast Reverse Proxy Client Execution
Expected signal: Sysmon Event ID 1: Process Create with Image path containing frpc.exe and CommandLine containing '-c' and 'frpc.ini'. Sysmon Event ID 11: File Create for frpc.exe in %TEMP%. Sysmon Event ID 3: Network Connection attempt to 192.0.2.1:7000 (will fail: 192.0.2.0/24 is TEST-NET-1 and is not routable). Sysmon Event ID 22: DNS query if a domain-based address is used.
- Test 3: SSH Dynamic Port Forwarding SOCKS Proxy
Expected signal: Sysmon Event ID 1: Process Create with Image=ssh.exe and CommandLine containing '-D' and '-N'. Sysmon Event ID 3: Network Connection to 127.0.0.1:22. Sysmon Event ID 3 records connections, not listening sockets, so the SOCKS listener on 127.0.0.1:1080 produces no Sysmon event; confirm it with netstat -ano or Get-NetTCPConnection. OpenSSH binds the -D listener only after the session is established, so if no SSH server is running on 127.0.0.1:22 the connection fails and no listener appears, but the process creation event still fires.
- Test 4: Proxychains Execution (Linux)
Expected signal: Linux auditd syscall event for execve of the proxychains4 binary with arguments including '-f' and the config file path. proxychains4 sets LD_PRELOAD and then execs the target in place, so auditd records a second execve for curl under the same PID (with LD_PRELOAD pointing at the proxychains library in the process environment); do not expect a proxychains4 -> curl parent/child relationship in the process tree. The chain trace showing the SOCKS5 connection attempt via 127.0.0.1:1080 is written to the process's stderr, not to syslog. Connection to 192.0.2.1 will fail (non-routable) but process execution is logged.
- Test 5: Chisel Reverse Proxy Tunnel (Windows)
Expected signal: If chisel.exe is present: Sysmon Event ID 1 with Image=chisel.exe and CommandLine containing 'client' and 'R:socks' indicating a reverse SOCKS tunnel request. Sysmon Event ID 3 for outbound connection attempt to 192.0.2.1:8080. File creation event (Sysmon Event ID 11) if the binary is staged to disk. Without the binary: PowerShell telemetry for the simulation step.
References (10)
- https://attack.mitre.org/techniques/T1090/
- https://github.com/fatedier/frp
- https://github.com/jpillora/chisel
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- https://www.mandiant.com/resources/blog/cutting-edge-part-2
- https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/
- https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/network