T1090 Splunk · SPL

Detect Proxy in Splunk

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server. This avoids direct connections to adversary infrastructure, provides resiliency, and may allow C2 traffic to blend with legitimate communications. Proxies may be implemented using standalone tools (HTRAN, FRP, Earthworm, Chisel), built into implants (SombRAT SOCKS proxy, ZxShell), or leveraged through cloud CDN infrastructure.

MITRE ATT&CK

Tactic
Command and Control
Technique
T1090 Proxy
Canonical reference
https://attack.mitre.org/techniques/T1090/

SPL Detection Query

Splunk (SPL)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLineRaw=CommandLine, Image=lower(Image), CommandLine=lower(CommandLine)
| eval KnownProxyTool=if(
    match(Image, "(htran|ew\.exe|earthworm|frpc|frps|chisel|revsocks|ligolo|3proxy|ngrok|iox|gost|npc\.exe|nps\.exe)"),
    1, 0)
| eval FRPTool=if(match(Image, "(frpc|frps)") OR (match(CommandLine, "frpc") AND match(CommandLine, "\.ini")), 1, 0)
| eval SSHTunnel=if(
    match(Image, "(plink\.exe|ssh\.exe)") AND match(CommandLineRaw, "\s-[RLD]\s"),
    1, 0)
| eval NetshProxy=if(
    match(Image, "netsh\.exe") AND match(CommandLine, "portproxy") AND match(CommandLine, "add"),
    1, 0)
| eval ProxychainsTool=if(match(Image, "proxychains") OR match(CommandLine, "proxychains"), 1, 0)
| eval NgrokTool=if(match(Image, "ngrok") OR match(CommandLine, "ngrok"), 1, 0)
| eval SocksFlag=if(match(CommandLine, "(-socks5|-socks4|-socks\s|socks5://|socks4://)"), 1, 0)
| eval ProxyScore=KnownProxyTool + FRPTool + SSHTunnel + NetshProxy + ProxychainsTool + NgrokTool + SocksFlag
| where ProxyScore > 0
| eval ToolCategory=case(
    KnownProxyTool=1, "Known Proxy Binary",
    FRPTool=1, "Fast Reverse Proxy",
    SSHTunnel=1, "SSH Port Forward",
    NetshProxy=1, "Netsh PortProxy",
    NgrokTool=1, "Ngrok Tunnel",
    ProxychainsTool=1, "Proxychains",
    SocksFlag=1, "SOCKS Proxy Flag",
    true(), "Generic Proxy Pattern")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, ToolCategory, ProxyScore
| sort - _time
Severity: high · Confidence: medium

Detects proxy and tunneling tool execution using Sysmon Event ID 1 (Process Creation). Evaluates process image names and command lines for known proxy binaries (FRP, HTRAN, Chisel, Ngrok), SSH tunnel flags (-R/-L/-D), netsh portproxy additions, proxychains invocation, and SOCKS protocol flags. The ToolCategory field identifies the proxy variant and ProxyScore indicates multi-indicator matches for prioritization.

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • SSH tunneling by developers and sysadmins for legitimate port forwarding (database access, jump hosts, VS Code Remote)
  • Ngrok or similar tools used by developers to expose local web services during testing or demos
  • Corporate proxy clients (Zscaler, Netskope agents) that implement local SOCKS listeners
  • Netsh portproxy rules created by network administrators for legitimate service redirection
  • Penetration testing tools and authorized red team activity using proxychains or Chisel
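As an added example, not part of the original page or the rule's own SPL: the seven indicators, the ProxyScore sum, the case() precedence and the ProxyScore > 0 filter re-implemented in Python and run over constructed Sysmon Event ID 1 records, with one tuning step from the list above (an allowlist of sanctioned proxy-agent image paths) applied before results are returned. Hostnames, timestamps, paths and the "Acme Corp Proxy Agent" allowlist entry are hypothetical. The SSH flag check runs case-sensitively against the unmodified command line so that "-l user" (login name) is not mistaken for "-L" (local forward).

```python
import re

# Constructed sample Sysmon Event ID 1 records (hypothetical hosts and paths,
# not real telemetry). Field names mirror the XmlWinEventLog sourcetype.
SAMPLE_EVENTS = [
    {"_time": "2024-01-01T10:00:00Z", "host": "ws01",
     "Image": r"C:\Users\alice\AppData\Local\Temp\frpc.exe",
     "CommandLine": "frpc.exe -c frpc.ini"},
    {"_time": "2024-01-01T10:05:00Z", "host": "ws02",
     "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -D 1080 -N bob@jump.example.internal"},
    {"_time": "2024-01-01T10:10:00Z", "host": "srv01",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface portproxy add v4tov4 listenport=8888 "
                    "connectaddress=10.0.0.5 connectport=3389"},
    # Sanctioned corporate proxy agent with a local SOCKS listener (tuning case).
    {"_time": "2024-01-01T10:15:00Z", "host": "ws03",
     "Image": r"C:\Program Files\Acme Corp Proxy Agent\ProxyAgent.exe",
     "CommandLine": "ProxyAgent.exe --socks5 127.0.0.1:9000"},
    # Plain SSH login using -l (login name), not -L (local forward): benign.
    {"_time": "2024-01-01T10:20:00Z", "host": "ws04",
     "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -l dave jump.example.internal"},
    {"_time": "2024-01-01T10:25:00Z", "host": "ws05",
     "Image": r"C:\Users\Public\chisel.exe",
     "CommandLine": "chisel.exe client 192.0.2.1:8080 R:socks"},
]

# Patterns mirror the SPL eval clauses; Image and CommandLine are lowercased
# before matching as in the query, so the patterns are lowercase. The SSH
# flag pattern is the exception and is matched against the raw command line.
KNOWN_PROXY_RE = re.compile(
    r"htran|ew\.exe|earthworm|frpc|frps|chisel|revsocks|ligolo|3proxy|ngrok|"
    r"iox|gost|npc\.exe|nps\.exe")
SSH_FLAG_RE = re.compile(r"\s-[RLD]\s")
SOCKS_FLAG_RE = re.compile(r"-socks5|-socks4|-socks\s|socks5://|socks4://")

# Same precedence as the SPL case(): the first matching indicator names the category.
CATEGORY_ORDER = [
    ("KnownProxyTool", "Known Proxy Binary"),
    ("FRPTool", "Fast Reverse Proxy"),
    ("SSHTunnel", "SSH Port Forward"),
    ("NetshProxy", "Netsh PortProxy"),
    ("NgrokTool", "Ngrok Tunnel"),
    ("ProxychainsTool", "Proxychains"),
    ("SocksFlag", "SOCKS Proxy Flag"),
]

# Hypothetical tuning allowlist: lowercased image-path prefixes of sanctioned
# agents that legitimately open local SOCKS listeners.
ALLOWLIST_IMAGE_PREFIXES = ("c:\\program files\\acme corp proxy agent\\",)


def score_event(event):
    """Return (indicator flags, ProxyScore) for one Sysmon Event ID 1 record."""
    img = event.get("Image", "").lower()
    raw_cl = event.get("CommandLine", "")
    cl = raw_cl.lower()
    flags = {
        "KnownProxyTool": int(bool(KNOWN_PROXY_RE.search(img))),
        "FRPTool": int(bool(re.search(r"frpc|frps", img)
                            or ("frpc" in cl and ".ini" in cl))),
        "SSHTunnel": int(bool(re.search(r"plink\.exe|ssh\.exe", img)
                              and SSH_FLAG_RE.search(raw_cl))),
        "NetshProxy": int("netsh.exe" in img and "portproxy" in cl and "add" in cl),
        "ProxychainsTool": int("proxychains" in img or "proxychains" in cl),
        "NgrokTool": int("ngrok" in img or "ngrok" in cl),
        "SocksFlag": int(bool(SOCKS_FLAG_RE.search(cl))),
    }
    return flags, sum(flags.values())


def categorize(flags):
    """Map indicator flags to the ToolCategory label, first match wins."""
    for name, label in CATEGORY_ORDER:
        if flags[name] == 1:
            return label
    return "Generic Proxy Pattern"


def is_allowlisted(event):
    """True when the image lives under a sanctioned proxy-agent install path."""
    return event.get("Image", "").lower().startswith(ALLOWLIST_IMAGE_PREFIXES)


def run_detection(events):
    """Score, keep ProxyScore > 0, drop allowlisted images, newest first."""
    hits = []
    for ev in events:
        flags, score = score_event(ev)
        if score == 0 or is_allowlisted(ev):
            continue
        hits.append({"_time": ev["_time"], "host": ev["host"], "Image": ev["Image"],
                     "ToolCategory": categorize(flags), "ProxyScore": score,
                     "Flags": [name for name, hit in flags.items() if hit]})
    hits.sort(key=lambda h: h["_time"], reverse=True)
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["_time"], hit["host"], hit["ToolCategory"], hit["ProxyScore"], hit["Flags"])
```

Note that the KnownProxyTool pattern is an unanchored substring match over the full image path, so short tokens such as "iox" and "gost" will also hit inside unrelated file or directory names; anchoring on the file name, or maintaining an allowlist of sanctioned paths like the one above (in SPL, an additional where clause or a lookup), is the usual tuning for the false positives listed.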
Testing Methodology

Validate this detection against 5 Atomic Red Team test cases for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Netsh PortProxy Tunnel Establishment

    Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy add v4tov4 listenport=8888'. Security Event ID 4688 (with command line auditing enabled). Registry modification to HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/8888 visible via Sysmon Registry Events (Event ID 13).

  2. Test 2: FRP Fast Reverse Proxy Client Execution

    Expected signal: Sysmon Event ID 1: Process Create with Image path containing frpc.exe and CommandLine containing '-c' and 'frpc.ini'. Sysmon Event ID 11: File Create for frpc.exe in %TEMP%. Sysmon Event ID 3: Network Connection attempt to 192.0.2.1:7000 (will fail — non-routable IP). Sysmon Event ID 22: DNS query if domain-based address used.

  3. Test 3: SSH Dynamic Port Forwarding SOCKS Proxy

    Expected signal: Sysmon Event ID 1: Process Create with Image=ssh.exe and CommandLine containing '-D' and '-N'. Sysmon Event ID 3: Network Connection to 127.0.0.1:22. Sysmon Event ID 3: Listening connection created on 127.0.0.1:1080 for the SOCKS proxy socket. Connection to localhost:22 will fail if SSH server is not running but the process creation event still fires.

  4. Test 4: Proxychains Execution (Linux)

    Expected signal: Linux auditd syscall event for execve of proxychains4 binary with arguments including '-f' and config file path. Syslog entry from proxychains preload showing SOCKS5 proxy connection attempt to 127.0.0.1:1080. Process tree shows proxychains4 as parent of curl. Connection to 192.0.2.1 will fail (non-routable) but process execution is logged.

  5. Test 5: Chisel Reverse Proxy Tunnel (Windows)

    Expected signal: If chisel.exe is present: Sysmon Event ID 1 with Image=chisel.exe and CommandLine containing 'client' and 'R:socks' indicating a reverse SOCKS tunnel request. Sysmon Event ID 3 for outbound connection attempt to 192.0.2.1:8080. File creation event (Sysmon Event ID 11) if binary is staged to disk. Without binary: PowerShell telemetry for the simulation step.
