title: External Proxy (T1090.002)
id: df00tech-t1090-002
status: experimental
description: "Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Tools like HTRAN, ZXProxy, and ZXPortMap enable traffic redirection through proxies or port redirection. External connection proxies mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside the victim environment, cloud-based resources, or VPS infrastructure may be used. Victim systems communicate directly with the external proxy, which then forwards traffic to the actual C2 server."
references:
  - https://attack.mitre.org/techniques/T1090/002/
  - https://df00tech.com/detections/T1090.002
author: df00tech
date: 2026/04/17
tags:
  - attack.t1090.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate SSH tunneling by administrators for database or management access via -D dynamic port forwarding
  - Security researchers or penetration testers using proxy tools in authorized assessments
  - Corporate proxy infrastructure where internal tools connect to a central proxy server on port 3128 or 8080
  - "VPN clients or privacy tools (Tor Browser, Shadowsocks) used legitimately on endpoints where these are permitted"
  - Development environments using tools like socat or chisel for local port forwarding during application testing
level: high