title: Proxy (T1090)
id: df00tech-t1090
status: experimental
description: "Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server. This avoids direct connections to adversary infrastructure, provides resiliency, and may allow C2 traffic to blend with legitimate communications. Proxies may be implemented using standalone tools (HTRAN, FRP, Earthworm, Chisel), built into implants (SombRAT SOCKS proxy, ZxShell), or leveraged through cloud CDN infrastructure."
references:
  - https://attack.mitre.org/techniques/T1090/
  - https://df00tech.com/detections/T1090
author: df00tech
date: 2026/04/13
tags:
  - attack.command-and-control
  - attack.t1090
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Placeholder only: the wildcard below matches every process_creation event, so as written
  # the rule fires on all activity at level high. Replace the selection with the real
  # proxy-tool logic before deploying it.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "SSH tunneling by developers and sysadmins for legitimate port forwarding (database access, jump hosts, VS Code Remote)"
  - Ngrok or similar tools used by developers to expose local web services during testing or demos
  - "Corporate proxy clients (Zscaler, Netskope agents) that implement local SOCKS listeners"
  - Netsh portproxy rules created by network administrators for legitimate service redirection
  - Penetration testing tools and authorized red team activity using proxychains or Chisel
level: high
