Detect Proxy in Sumo Logic CSE
Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server. This avoids direct connections to adversary infrastructure, provides resiliency, and may allow C2 traffic to blend with legitimate communications. Proxies may be implemented using standalone tools (HTRAN, FRP, Earthworm, Chisel), built into implants (SombRAT SOCKS proxy, ZxShell), or leveraged through cloud CDN infrastructure.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1090 Proxy
- Canonical reference: https://attack.mitre.org/techniques/T1090/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where EventID="1" OR EventCode="1"
| toLowerCase(Image) as image_lower
| toLowerCase(CommandLine) as cmd_lower
| where (image_lower matches "*htran*" OR image_lower matches "*ew.exe*" OR image_lower matches "*earthworm*" OR image_lower matches "*frpc*" OR image_lower matches "*frps*" OR image_lower matches "*chisel*" OR image_lower matches "*revsocks*" OR image_lower matches "*ligolo*" OR image_lower matches "*proxychains*" OR image_lower matches "*3proxy*" OR image_lower matches "*ngrok*" OR image_lower matches "*gost*" OR image_lower matches "*npc.exe*" OR image_lower matches "*nps.exe*")
    OR (cmd_lower matches "*-socks5*" OR cmd_lower matches "*-socks4*" OR cmd_lower matches "*socks5://*" OR cmd_lower matches "*socks4://*" OR cmd_lower matches "*proxychains*" OR cmd_lower matches "*proxytunnel*" OR cmd_lower matches "*portproxy*" OR cmd_lower matches "*invoke-ngrok*" OR cmd_lower matches "*connect-proxy*" OR cmd_lower matches "*corkscrew*")
    OR (image_lower matches "*plink.exe*" AND (cmd_lower matches "* -r *" OR cmd_lower matches "* -l *" OR cmd_lower matches "* -d *"))
    OR (image_lower matches "*ssh.exe*" AND (cmd_lower matches "* -r *" OR cmd_lower matches "* -l *" OR cmd_lower matches "* -d *") AND !(cmd_lower matches "*scp*"))
    OR (image_lower matches "*netsh.exe*" AND cmd_lower matches "*portproxy*" AND cmd_lower matches "*add*")
    OR (cmd_lower matches "*frpc*" AND cmd_lower matches "*.ini*")
| if(image_lower matches "*htran*" OR image_lower matches "*earthworm*" OR image_lower matches "*ew.exe*", "Known Proxy Binary",
    if(image_lower matches "*frpc*" OR image_lower matches "*frps*" OR (cmd_lower matches "*frpc*" AND cmd_lower matches "*.ini*"), "Fast Reverse Proxy",
    if((image_lower matches "*plink.exe*" OR image_lower matches "*ssh.exe*") AND (cmd_lower matches "* -r *" OR cmd_lower matches "* -l *" OR cmd_lower matches "* -d *"), "SSH Port Forward",
    if(image_lower matches "*netsh.exe*" AND cmd_lower matches "*portproxy*", "Netsh PortProxy",
    if(image_lower matches "*ngrok*" OR cmd_lower matches "*invoke-ngrok*", "Ngrok Tunnel",
    if(image_lower matches "*proxychains*" OR cmd_lower matches "*proxychains*", "Proxychains",
    if(cmd_lower matches "*-socks5*" OR cmd_lower matches "*-socks4*", "SOCKS Proxy Flag",
    "Generic Proxy Pattern"))))))) as ToolCategory
| fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, ToolCategory
| sort by _time desc

Sumo Logic search detecting proxy tool executions from Sysmon EventID 1 process creation logs. Field assignment uses Sumo's `as` operator (Sumo Logic search has no `eval`). The search applies glob pattern matching to lowercased Image and CommandLine fields to identify known proxy binaries, SSH port forwarding flags, netsh portproxy additions, FRP configs, and SOCKS indicators, then labels each result with a ToolCategory for analyst triage. Note that lowercasing collapses the ssh/plink -L and -D flags onto -l and -d, so the `* -l *` glob also matches ssh's login-name flag; the `*scp*` exclusion only covers command lines that mention scp.
False Positives & Tuning
- Developers using ngrok or localtunnel to expose local web servers for client demos or webhook integration testing
- System administrators using SSH dynamic port forwarding (-D) to create SOCKS proxies for secure browsing through bastion hosts
- CI/CD pipelines invoking SSH port forwarding in automated deployment scripts to reach isolated environments
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Netsh PortProxy Tunnel Establishment
Expected signal: Sysmon Event ID 1: Process Create with Image=netsh.exe, CommandLine containing 'portproxy add v4tov4 listenport=8888'. Security Event ID 4688 (with command line auditing enabled). Registry modification to HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/8888 visible via Sysmon Registry Events (Event ID 13).
- Test 2: FRP Fast Reverse Proxy Client Execution
Expected signal: Sysmon Event ID 1: Process Create with Image path containing frpc.exe and CommandLine containing '-c' and 'frpc.ini'. Sysmon Event ID 11: File Create for frpc.exe in %TEMP%. Sysmon Event ID 3: Network Connection attempt to 192.0.2.1:7000 (will fail — non-routable IP). Sysmon Event ID 22: DNS query if domain-based address used.
- Test 3: SSH Dynamic Port Forwarding SOCKS Proxy
Expected signal: Sysmon Event ID 1: Process Create with Image=ssh.exe and CommandLine containing '-D' and '-N'. Sysmon Event ID 3: Network Connection to 127.0.0.1:22. Sysmon Event ID 3: Listening connection created on 127.0.0.1:1080 for the SOCKS proxy socket. Connection to localhost:22 will fail if SSH server is not running but the process creation event still fires.
- Test 4: Proxychains Execution (Linux)
Expected signal: Linux auditd syscall event for execve of proxychains4 binary with arguments including '-f' and config file path. Syslog entry from proxychains preload showing SOCKS5 proxy connection attempt to 127.0.0.1:1080. Process tree shows proxychains4 as parent of curl. Connection to 192.0.2.1 will fail (non-routable) but process execution is logged.
- Test 5: Chisel Reverse Proxy Tunnel (Windows)
Expected signal: If chisel.exe is present: Sysmon Event ID 1 with Image=chisel.exe and CommandLine containing 'client' and 'R:socks' indicating a reverse SOCKS tunnel request. Sysmon Event ID 3 for outbound connection attempt to 192.0.2.1:8080. File creation event (Sysmon Event ID 11) if binary is staged to disk. Without binary: PowerShell telemetry for the simulation step.
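As an added example (not part of this page, Atomic Red Team, or the Sumo Logic product), the Python below re-implements the detection query's where clause and ToolCategory logic over constructed Sysmon Event ID 1 records shaped like the Windows tests above, so the filter and labels can be checked offline before the rule is deployed. It assumes the parsed field names the query references (EventID, Computer, Image, CommandLine); the sample records are constructed, not real telemetry.

```python
import fnmatch
# Globs from the query's where clause; inputs are lowercased first, exactly as the query does.
IMAGE_GLOBS = ["*htran*", "*ew.exe*", "*earthworm*", "*frpc*", "*frps*", "*chisel*", "*revsocks*", "*ligolo*", "*proxychains*", "*3proxy*", "*ngrok*", "*gost*", "*npc.exe*", "*nps.exe*"]
CMD_GLOBS = ["*-socks5*", "*-socks4*", "*socks5://*", "*socks4://*", "*proxychains*", "*proxytunnel*", "*portproxy*", "*invoke-ngrok*", "*connect-proxy*", "*corkscrew*"]
FORWARD_FLAGS = ["* -r *", "* -l *", "* -d *"]  # -R/-L/-D (and the unrelated lowercase -l/-d) after lowercasing

def _any(value, globs):
    return any(fnmatch.fnmatchcase(value, g) for g in globs)

def matches_query(event):  # mirror of the where clause: True if the query would return this event
    if event.get("EventID") != "1":
        return False
    image, cmd = event.get("Image", "").lower(), event.get("CommandLine", "").lower()
    return (_any(image, IMAGE_GLOBS) or _any(cmd, CMD_GLOBS)
            or ("plink.exe" in image and _any(cmd, FORWARD_FLAGS))
            or ("ssh.exe" in image and _any(cmd, FORWARD_FLAGS) and "scp" not in cmd)
            or ("netsh.exe" in image and "portproxy" in cmd and "add" in cmd)
            or ("frpc" in cmd and ".ini" in cmd))

def tool_category(event):  # mirror of the nested if() that labels ToolCategory, checked in the same order
    image, cmd = event.get("Image", "").lower(), event.get("CommandLine", "").lower()
    if _any(image, ["*htran*", "*earthworm*", "*ew.exe*"]):
        return "Known Proxy Binary"
    if _any(image, ["*frpc*", "*frps*"]) or ("frpc" in cmd and ".ini" in cmd):
        return "Fast Reverse Proxy"
    if ("plink.exe" in image or "ssh.exe" in image) and _any(cmd, FORWARD_FLAGS):
        return "SSH Port Forward"
    if "netsh.exe" in image and "portproxy" in cmd:
        return "Netsh PortProxy"
    if "ngrok" in image or "invoke-ngrok" in cmd:
        return "Ngrok Tunnel"
    if "proxychains" in image or "proxychains" in cmd:
        return "Proxychains"
    if "-socks5" in cmd or "-socks4" in cmd:
        return "SOCKS Proxy Flag"
    return "Generic Proxy Pattern"

def triage(events):  # filter first, then label, as the query pipeline does; returns (Computer, binary, ToolCategory)
    return [(e["Computer"], e["Image"].rsplit("\\", 1)[-1], tool_category(e)) for e in events if matches_query(e)]

# Constructed Sysmon Event ID 1 records (not real telemetry) mirroring Tests 1, 2, 3 and 5 plus one ssh -l false-positive shape.
SAMPLE_EVENTS = [
    {"EventID": "1", "Computer": "WS01", "Image": r"C:\Windows\System32\netsh.exe", "CommandLine": "netsh interface portproxy add v4tov4 listenport=8888 connectaddress=10.0.0.5"},
    {"EventID": "1", "Computer": "WS01", "Image": r"C:\Users\Public\frpc.exe", "CommandLine": "frpc.exe -c frpc.ini"},
    {"EventID": "1", "Computer": "WS02", "Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "CommandLine": "ssh.exe -D 1080 -N user@127.0.0.1"},
    {"EventID": "1", "Computer": "WS02", "Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "CommandLine": "ssh.exe -l backup scp-gateway.internal"},
    {"EventID": "1", "Computer": "WS03", "Image": r"C:\Tools\chisel.exe", "CommandLine": "chisel.exe client 192.0.2.1:8080 R:socks"},
]
```

The fourth record shows the tuning point: its login-name `-l` satisfies the `* -l *` glob and is dropped only because the host name happens to contain scp, so environments with heavy interactive ssh use should expect that glob to be noisy.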
References
- https://attack.mitre.org/techniques/T1090/
- https://github.com/fatedier/frp
- https://github.com/jpillora/chisel
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- https://www.mandiant.com/resources/blog/cutting-edge-part-2
- https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/
- https://learn.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090/T1090.md
- https://github.com/SigmaHQ/sigma/tree/master/rules/network