T1090 IBM QRadar · QRadar

Detect Proxy in IBM QRadar

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server. This avoids direct connections to adversary infrastructure, provides resiliency, and may allow C2 traffic to blend with legitimate communications. Proxies may be implemented using standalone tools (HTRAN, FRP, Earthworm, Chisel), built into implants (SombRAT SOCKS proxy, ZxShell), or leveraged through cloud CDN infrastructure.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1090 Proxy
Canonical reference
https://attack.mitre.org/techniques/T1090/

QRadar Detection Query

IBM QRadar (QRadar), AQL
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip AS host_ip,
  hostname,
  username AS actor,
  "Process Name" AS image_path,
  "Command" AS command_line,
  QIDNAME(qid) AS event_category,
  logsourcename(logsourceid) AS log_source
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
  AND (
    "Process Name" ILIKE '%htran%'
    OR "Process Name" ILIKE '%ew.exe%'
    OR "Process Name" ILIKE '%earthworm%'
    OR "Process Name" ILIKE '%frpc%'
    OR "Process Name" ILIKE '%frps%'
    OR "Process Name" ILIKE '%chisel%'
    OR "Process Name" ILIKE '%revsocks%'
    OR "Process Name" ILIKE '%ligolo%'
    OR "Process Name" ILIKE '%proxychains%'
    OR "Process Name" ILIKE '%3proxy%'
    OR "Process Name" ILIKE '%ngrok%'
    OR "Process Name" ILIKE '%gost%'
    OR "Process Name" ILIKE '%npc.exe%'
    OR "Process Name" ILIKE '%nps.exe%'
    OR "Command" ILIKE '%-socks5%'
    OR "Command" ILIKE '%-socks4%'
    OR "Command" ILIKE '%socks5://%'
    OR "Command" ILIKE '%socks4://%'
    OR "Command" ILIKE '%proxychains%'
    OR "Command" ILIKE '%proxytunnel%'
    OR "Command" ILIKE '%invoke-ngrok%'
    OR "Command" ILIKE '%connect-proxy%'
    OR (
      "Process Name" ILIKE '%plink.exe%'
      AND (
        "Command" ILIKE '% -r %'
        OR "Command" ILIKE '% -l %'
        OR "Command" ILIKE '% -d %'
      )
    )
    OR (
      "Process Name" ILIKE '%ssh.exe%'
      AND (
        "Command" ILIKE '% -r %'
        OR "Command" ILIKE '% -l %'
        OR "Command" ILIKE '% -d %'
      )
      AND "Command" NOT ILIKE '%scp%'
    )
    OR (
      "Process Name" ILIKE '%netsh.exe%'
      AND "Command" ILIKE '%portproxy%'
      AND "Command" ILIKE '%add%'
    )
    OR (
      "Command" ILIKE '%frpc%'
      AND "Command" ILIKE '%.ini%'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS
Severity: high. Confidence: high.

IBM QRadar AQL detection for T1090 Proxy. Queries Sysmon process creation events using ILIKE for case-insensitive matching against Process Name and Command fields. Covers known proxy binaries, SSH port forwarding flags, netsh portproxy add operations, FRP ini-based configs, and SOCKS protocol strings. Field names reflect standard QRadar Sysmon DSM mappings.

Data Sources

  • IBM QRadar SIEM
  • Microsoft Windows Sysmon DSM
  • Windows Security Event Log DSM

Required Tables

events

False Positives & Tuning

  • Authorized penetration testers or red team operators running proxy tools during scheduled security assessments
  • Developers and DevOps engineers using SSH local port forwarding to connect to internal databases through jump hosts
  • SOC analysts executing proxy tool binaries in isolated sandboxes while analyzing malware samples

Testing Methodology

Validate this detection against the 5 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Netsh PortProxy Tunnel Establishment

    Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy add v4tov4 listenport=8888'. Security Event ID 4688 (with command line auditing enabled). Registry modification to HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/8888 visible via Sysmon Registry Events (Event ID 13).

  2. Test 2: FRP Fast Reverse Proxy Client Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image path containing frpc.exe and CommandLine containing '-c' and 'frpc.ini'. Sysmon Event ID 11: File Create for frpc.exe in %TEMP%. Sysmon Event ID 3: Network Connection attempt to 192.0.2.1:7000 (will fail — non-routable IP). Sysmon Event ID 22: DNS query if domain-based address used.

  3. Test 3: SSH Dynamic Port Forwarding SOCKS Proxy

    Expected signal: Sysmon Event ID 1: Process Create with Image=ssh.exe and CommandLine containing '-D' and '-N'. Sysmon Event ID 3: Network Connection to 127.0.0.1:22. Sysmon Event ID 3: Listening connection created on 127.0.0.1:1080 for the SOCKS proxy socket. Connection to localhost:22 will fail if SSH server is not running but the process creation event still fires.

  4. Test 4: Proxychains Execution (Linux)

    Expected signal: Linux auditd syscall event for execve of proxychains4 binary with arguments including '-f' and config file path. Syslog entry from proxychains preload showing SOCKS5 proxy connection attempt to 127.0.0.1:1080. Process tree shows proxychains4 as parent of curl. Connection to 192.0.2.1 will fail (non-routable) but process execution is logged.

  5. Test 5: Chisel Reverse Proxy Tunnel (Windows)

    Expected signal: If chisel.exe is present: Sysmon Event ID 1 with Image=chisel.exe and CommandLine containing 'client' and 'R:socks' indicating a reverse SOCKS tunnel request. Sysmon Event ID 3 for outbound connection attempt to 192.0.2.1:8080. File creation event (Sysmon Event ID 11) if binary is staged to disk. Without binary: PowerShell telemetry for the simulation step.
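As an added example (not the page's AQL and not IBM code), the Python below re-implements the query's WHERE clause so that the process-creation signals the five tests above describe, together with the scp exclusion in the query and the DevOps port-forwarding false positive from the tuning list, can be checked offline before the rule goes live. The DSM type name, usernames, file paths and command lines are constructed records shaped after the tests, and the allowlist is a hypothetical tuning set. One caveat the run makes concrete: Test 4 produces auditd telemetry, and the query only considers log sources whose type name contains "sysmon", so that test exercises Linux logging but will not fire this particular rule.

```python
"""Offline re-implementation of the AQL WHERE clause for the T1090 proxy rule,
run over constructed Sysmon-style records. Added example, not the page's query."""

from __future__ import annotations

# Substrings the AQL matches with ILIKE '%x%' on "Process Name".
PROCESS_PATTERNS = (
    "htran", "ew.exe", "earthworm", "frpc", "frps", "chisel", "revsocks",
    "ligolo", "proxychains", "3proxy", "ngrok", "gost", "npc.exe", "nps.exe",
)
# Substrings matched the same way on "Command".
COMMAND_PATTERNS = (
    "-socks5", "-socks4", "socks5://", "socks4://", "proxychains",
    "proxytunnel", "invoke-ngrok", "connect-proxy",
)
# '% -r %' etc.: the flag must be space-delimited on both sides.
FORWARD_FLAGS = (" -r ", " -l ", " -d ")


def ilike(haystack: str, needle: str) -> bool:
    """AQL ILIKE '%needle%': case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def matches_proxy_rule(event: dict) -> list[str]:
    """Return the names of the predicates that fire for one event ([] = no alert).

    Mirrors the WHERE clause branch by branch; the list says *why* an event
    matched, which a plain AQL result row does not."""
    # LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%': other sources never match
    if not ilike(event.get("log_source_type", ""), "sysmon"):
        return []
    proc = event.get("Process Name", "")
    cmd = event.get("Command", "")
    hits = [f"process:{p}" for p in PROCESS_PATTERNS if ilike(proc, p)]
    hits += [f"command:{p}" for p in COMMAND_PATTERNS if ilike(cmd, p)]

    has_forward_flag = any(ilike(cmd, f) for f in FORWARD_FLAGS)
    if ilike(proc, "plink.exe") and has_forward_flag:
        hits.append("plink-forward")
    # ssh.exe branch also drops anything mentioning scp (scp drives ssh.exe with -l)
    if ilike(proc, "ssh.exe") and has_forward_flag and not ilike(cmd, "scp"):
        hits.append("ssh-forward")
    if ilike(proc, "netsh.exe") and ilike(cmd, "portproxy") and ilike(cmd, "add"):
        hits.append("netsh-portproxy-add")
    if ilike(cmd, "frpc") and ilike(cmd, ".ini"):
        hits.append("frpc-ini")
    return hits


def tuned_hits(event: dict, allowlisted_forwarders: frozenset[str]) -> list[str]:
    """Tuning pass for the 'developer SSH port forwarding' false positive: suppress
    an event whose ONLY predicate is ssh-forward when the actor is allowlisted.
    Any other predicate still alerts. The allowlist is hypothetical."""
    hits = matches_proxy_rule(event)
    if hits == ["ssh-forward"] and event.get("username", "") in allowlisted_forwarders:
        return []
    return hits


WIN = "Microsoft Windows Sysmon"  # constructed DSM type name; only 'sysmon' matters
# Constructed records shaped after the Atomic tests and the tuning list (not real telemetry).
SAMPLE_EVENTS = {
    "test1_netsh": {"log_source_type": WIN, "username": "labuser",
        "Process Name": r"C:\Windows\System32\netsh.exe",
        "Command": "netsh interface portproxy add v4tov4 listenport=8888 "
                   "connectaddress=192.0.2.1 connectport=8888"},
    "test2_frpc": {"log_source_type": WIN, "username": "labuser",
        "Process Name": r"C:\Users\labuser\AppData\Local\Temp\frpc.exe",
        "Command": "frpc.exe -c frpc.ini"},
    "test3_ssh_dynamic": {"log_source_type": WIN, "username": "labuser",
        "Process Name": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "Command": "ssh -D 1080 -N labuser@127.0.0.1"},
    "test4_proxychains_linux": {"log_source_type": "LinuxServer",  # auditd, not Sysmon
        "username": "labuser", "Process Name": "/usr/bin/proxychains4",
        "Command": "proxychains4 -f /etc/proxychains4.conf curl http://192.0.2.1"},
    "test5_chisel": {"log_source_type": WIN, "username": "labuser",
        "Process Name": r"C:\Users\labuser\AppData\Local\Temp\chisel.exe",
        "Command": "chisel.exe client 192.0.2.1:8080 R:socks"},
    "benign_scp_spawned_ssh": {"log_source_type": WIN, "username": "backup-svc",
        "Process Name": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "Command": "ssh -x -oClearAllForwardings=yes -l backup-svc fileserver scp -t /srv/backups"},
    "benign_dev_forward": {"log_source_type": WIN, "username": "dev-jane",
        "Process Name": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "Command": "ssh -L 5432:db.internal:5432 -N jumphost"},
}


def run_samples(allowlist: frozenset[str] = frozenset({"dev-jane"})) -> dict[str, list[str]]:
    """Apply the tuned rule to every sample; returns {sample name: predicates fired}."""
    return {name: tuned_hits(ev, allowlist) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name:26s} {'ALERT ' + ', '.join(hits) if hits else 'no alert'}")
```

Running the script prints which predicates fired per sample. Two things the run makes visible that the query text alone does not: the `% -l %` pattern also matches ssh's login-name option (`ssh -l user host`), which is why the `scp` exclusion and an actor allowlist matter for noise; and a flag glued to its value (`-R8080`) is not matched by the space-delimited patterns, so a tuning pass should weigh whether those variants are worth a second rule.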
