title: Internal Proxy (T1090.001)
id: df00tech-t1090-001
status: experimental
description: "Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Tools such as HTRAN, ZXProxy, ZXPortMap, and Cobalt Strike's peer-to-peer beacon mode enable traffic redirection through proxies or port forwarding. Adversaries use internal proxies to manage C2 communications inside a compromised environment, reduce the number of simultaneous outbound connections, provide resiliency, or ride over existing trusted communications paths between infected systems. Internal proxy connections may use common protocols such as SMB to blend in with normal traffic."
references:
  - https://attack.mitre.org/techniques/T1090/001/
  - https://df00tech.com/detections/T1090.001
author: df00tech
date: 2026/04/13
tags:
  - attack.command-and-control
  - attack.t1090.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # df00tech's KQL/SPL query was not auto-translated. The selection below is the
  # netsh portproxy pattern implied by the falsepositives section and is an
  # assumption: check it against the upstream query before deployment. Do not
  # ship a catch-all (EventID: '*'); that fires on every process creation.
  selection_img:
    - Image|endswith: '\netsh.exe'
    - OriginalFileName: 'netsh.exe'   # renamed copies keep the PE original name
  selection_cli:
    CommandLine|contains|all:
      - 'portproxy'
      - ' add '     # spaces avoid matching 'listenaddress=' in a portproxy delete
  condition: all of selection_*
falsepositives:
  - "Legitimate use of netsh portproxy by IT/network teams to redirect traffic for lab or testing environments"
  - "SSH port forwarding by developers or DevOps teams for legitimate access to internal services (e.g., database tunneling)"
  - "Network monitoring or vulnerability scanning tools (Nmap, Metasploit auxiliary modules) run by authorized security teams"
  - "Reverse proxy or load balancer configuration tools executed during infrastructure provisioning"
  - "VPN or zero-trust network access clients that use SOCKS proxies internally (e.g., Tailscale, Zscaler)"
level: high
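To see what the rule does on real telemetry, here is an added example (not df00tech's KQL/SPL query and not Sigma project code): a small Python matcher for the netsh portproxy pattern named in the false-positive notes, run over constructed process-creation events. Field names (Computer, Image, OriginalFileName, CommandLine, ParentImage) follow Sysmon Event ID 1; the hosts, paths and addresses are made up. It goes one step past the rule by parsing the tag=value arguments so an analyst can tell a loopback-only developer tunnel from a listener that relays to another internal host.

```python
"""
Added example, not df00tech's or Sigma's code: apply the netsh portproxy
detection behind this rule to constructed Sysmon-style process-creation
events and triage each hit by where the forward points.
"""
from typing import Dict, List, Optional

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def is_netsh(event: Dict[str, str]) -> bool:
    """Match on image path OR PE OriginalFileName, so a renamed copy still hits."""
    image = event.get("Image", "").lower()
    orig = event.get("OriginalFileName", "").lower()
    return image.endswith("\\netsh.exe") or orig == "netsh.exe"


def is_portproxy_add(cmdline: str) -> bool:
    """Whole-token test for the 'add' verb.

    A plain substring test for 'add' also fires on 'listenaddress=' inside a
    'portproxy delete ...' command, which is a pure false positive.
    """
    tokens = [t.lower() for t in cmdline.split()]
    return "portproxy" in tokens and "add" in tokens


def parse_portproxy_args(cmdline: str) -> Dict[str, str]:
    """netsh portproxy takes tag=value arguments in any order."""
    args: Dict[str, str] = {}
    for tok in cmdline.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            args[key.lower()] = value
    return args


def classify(event: Dict[str, str]) -> Optional[str]:
    """None if the rule does not match, otherwise a triage label."""
    if not (is_netsh(event) and is_portproxy_add(event.get("CommandLine", ""))):
        return None
    target = parse_portproxy_args(event["CommandLine"]).get("connectaddress", "").lower()
    if target in LOOPBACK:
        return "local-forward"   # typical of developer tunnelling (see falsepositives)
    return "internal-pivot"      # this host relays to another host: T1090.001


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rule over a batch and return hits with the forwarding tuple extracted."""
    hits = []
    for ev in events:
        label = classify(ev)
        if label is None:
            continue
        a = parse_portproxy_args(ev["CommandLine"])
        hits.append({
            "host": ev.get("Computer", "?"),
            "label": label,
            "listen": f"{a.get('listenaddress', '-')}:{a.get('listenport', '?')}",
            "connect": f"{a.get('connectaddress', '?')}:{a.get('connectport', '?')}",
            "parent": ev.get("ParentImage", "?"),
        })
    return hits


def ev(host: str, image: str, cmdline: str,
       parent: str = r"C:\Windows\System32\cmd.exe") -> Dict[str, str]:
    """Build one constructed Sysmon Event ID 1 style record (not real telemetry)."""
    return {"Computer": host, "Image": image, "OriginalFileName": "netsh.exe",
            "CommandLine": cmdline, "ParentImage": parent}


NETSH = r"C:\Windows\System32\netsh.exe"
SAMPLE_EVENTS = [  # constructed events; hosts and addresses are made up
    ev("WKSTN-12", NETSH, "netsh interface portproxy add v4tov4 listenport=8443 "
       "listenaddress=0.0.0.0 connectport=443 connectaddress=10.20.30.40"),
    ev("SRV-FILE01", r"C:\Users\Public\n.exe",   # renamed netsh, caught via OriginalFileName
       "n.exe interface portproxy add v4tov4 listenport=445 connectaddress=10.20.30.41 connectport=445",
       parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ev("DEV-03", NETSH, "netsh interface portproxy add v4tov4 listenport=5432 "
       "connectaddress=127.0.0.1 connectport=5433"),
    ev("WKSTN-07", NETSH, "netsh interface portproxy show all"),
    ev("WKSTN-07", NETSH, "netsh interface portproxy delete v4tov4 listenport=8443 listenaddress=0.0.0.0"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['host']:<11} {hit['label']:<15} {hit['listen']} -> {hit['connect']}  parent={hit['parent']}")
```

Two caveats worth keeping in mind when tuning this. First, process creation only sees portproxy entries created through netsh; the entries themselves persist under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp, so a registry_event rule on that key (or a periodic `netsh interface portproxy show all` across the fleet) catches entries written by other means and lets you audit what is already configured. Second, netsh accepts unambiguous abbreviations of its keywords, so a literal match on `portproxy` is not evasion-proof on its own; the registry check is the backstop.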
