title: Multi-hop Proxy (T1090.003)
id: df00tech-t1090-003
status: experimental
description: "Adversaries may chain together multiple proxies to disguise the source of malicious traffic. Techniques include Tor onion routing, ProxyChains, SOCKS proxy chaining, operational relay box (ORB) networks, and peer-to-peer routing to make attribution difficult. Defenders can typically only see the last hop before their network boundary."
references:
  - https://attack.mitre.org/techniques/T1090/003/
  - https://df00tech.com/detections/T1090.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1090.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: this selection matches every process_creation event, so as written the rule
  # would alert on all of them at level high. Replace it with the KQL/SPL query on df00tech before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Security researchers or penetration testers legitimately running Tor or proxy tools in authorized lab environments
  - Privacy-conscious employees using Tor Browser for legitimate personal browsing on non-managed devices that surface telemetry
  - SSH administrators using dynamic port forwarding (-D) or ProxyJump (-J) for legitimate bastion-host access patterns
  - VPN client software that internally routes through SOCKS5 on ports overlapping with Tor defaults (e.g., 9050)
  - Developer environments running local proxy tools (Proxifier, Privoxy) for testing API calls through corporate proxies
level: high
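As an added illustration (not part of the df00tech rule or its KQL/SPL query), this Python evaluates the placeholder selection above and a hypothetical tightened one against a few constructed process_creation events, using Sigma's AND-across-fields, OR-within-list semantics. The tightened selections and the `filter_bastion_admins` exclusion are assumptions built only from the tools and false positives the rule names.

```python
from fnmatch import fnmatch
# Constructed sample process_creation events (not real telemetry).
EVENTS = [
    {"EventID": "1", "Image": r"C:\Tools\tor\tor.exe",
     "CommandLine": "tor.exe -f torrc", "User": r"CORP\alice"},
    {"EventID": "1", "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh -J bastion -D 1080 db01", "User": r"CORP\ops-admin"},
    {"EventID": "1", "Image": r"C:\Program Files\Proxifier\Proxifier.exe",
     "CommandLine": "Proxifier.exe", "User": r"CORP\dev-bob"},
    {"EventID": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "User": r"CORP\carol"},
]
# The rule's placeholder selection as published: it matches every event.
PLACEHOLDER_RULE = {"selection": {"EventID": "*"}}
# Hypothetical tightened rule (an assumption, not df00tech's KQL/SPL): tools and flags named
# in the description and falsepositives, plus a filter for the documented bastion-admin FP.
TIGHTENED_RULE = {
    "selection_image": {"Image|endswith": [r"\tor.exe", r"\proxychains.exe",
                                           r"\Proxifier.exe", r"\privoxy.exe"]},
    "selection_cmdline": {"CommandLine|contains": [" -D ", " -J ", ":9050", "socks5://"]},
    "filter_bastion_admins": {"User|endswith": "ops-admin"},
}

def _field_matches(event: dict, key: str, pattern: str) -> bool:
    """One Sigma field test; matching is case-insensitive, as in Sigma."""
    field, _, modifier = key.partition("|")
    value, pattern = str(event.get(field, "")).lower(), pattern.lower()
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "contains":
        return pattern in value
    return fnmatch(value, pattern)  # no modifier: wildcard equality

def selection_matches(selection: dict, event: dict) -> bool:
    """Map semantics: every field must match (AND); a list of values is OR."""
    return all(any(_field_matches(event, k, p) for p in (v if isinstance(v, list) else [v]))
               for k, v in selection.items())

def rule_matches(rule: dict, event: dict) -> bool:
    """Models `condition: 1 of selection* and not 1 of filter*`."""
    hit = any(selection_matches(s, event) for n, s in rule.items() if n.startswith("selection"))
    excluded = any(selection_matches(s, event) for n, s in rule.items() if n.startswith("filter"))
    return hit and not excluded

def matching_users(rule: dict, events: list = EVENTS) -> list:
    """Users whose process launches the rule would alert on."""
    return [e["User"] for e in events if rule_matches(rule, e)]

if __name__ == "__main__":
    print("placeholder:", matching_users(PLACEHOLDER_RULE))  # every user: alert on all events
    print("tightened:  ", matching_users(TIGHTENED_RULE))    # tor and Proxifier launches only
```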
