ATT&CK coverage › Technique

Proxy: Internal Proxy `T1090.001`

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.

Events covered

4 catalog events are tagged with this technique by at least one rule.

Provider	Event ID	Title
Sysmon	1	Process creation
Sysmon	13	RegistryEvent (Value Set)
Security-Auditing	4688	A new process has been created.
Security-Auditing	5156	The Windows Filtering Platform has permitted a connection.

Authoring guide

Patterns shared across the 7 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (10 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`Image`	6	`ends_with` 6, `match` 1	`\cloudflared.exe`, `\cloudflared-windows-amd64.exe`, `\cloudflared-windows-386.exe`, `:\Program Files\cloudflared\`, `:\Program Files (x86)\cloudflared\`
`CommandLine`	3	`match` 3	`.exe -url`, `.exe --url`, `-url`, `exe client` , `exe server`
`Hashes`	2	`match` 2	`SHA256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e22...`, `SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf772226230...`, `SHA256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1...`
`Product`	1	`eq` 1	`SharpChisel`
`SourcePort`	1	`eq` 1	`3389`
`FilterOrigin`	1	`eq` 1	`AppContainer Loopback`
`src_ip`	1	`starts_with` 1, `eq` 1	`127.`, `::1`
`dest_ip`	1	`starts_with` 1, `eq` 1	`127.`, `::1`
`DestinationPort`	1	`eq` 1	`3389`
`registry_path`	1	`eq` 1	`"\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp"`

Top indicator values (77 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field	Kind	Value	Rules (here)	Corpus reach
`Image`	`ends_with`	`\cloudflared.exe`	3	3
`Hashes`	`match`	`SHA256=cd81b2792f0739f473c31c9cb7cf2313154bfa28b839975802b90e8790bb5058`	2	2
`Hashes`	`match`	`SHA256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28`	2	2
`Hashes`	`match`	`SHA256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3`	2	2
`Hashes`	`match`	`SHA256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b`	2	2
`Hashes`	`match`	`SHA256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373`	2	2
`Hashes`	`match`	`SHA256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7`	2	2
`Hashes`	`match`	`SHA256=b3d21940a10fdef5e415ad70331ce257c24fe3bcf7722262302e0421791f87e8`	2	2
`Hashes`	`match`	`SHA256=ce95df7f69664c3df19b76028e115931919a71517b776da7b42d353e2ff4a670`	2	2
`Hashes`	`match`	`SHA256=f7848034e010d55f15e474ca998f96391e320ff29b00cfcc4c5e536529703e75`	2	2
`Image`	`ends_with`	`\cloudflared-windows-amd64.exe`	2	2
`CommandLine`	`match`	`tunnel`	2	3
`Hashes`	`match`	`SHA256=f5c5e962577e2293c4ad10603816dce7cc273585969615fbf4e4bfa9eaff1688`	2	2
`CommandLine`	`match`	`-url`	2	2
`Hashes`	`match`	`SHA256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77`	2	2
`Hashes`	`match`	`SHA256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c`	2	2
`Image`	`ends_with`	`\cloudflared-windows-386.exe`	2	2
`Hashes`	`match`	`SHA256=bb67c7623ba92fe64ffd9816b8d5b3b1ea3013960a30bd4cf6e295b3eb5b1bad`	2	2
`Hashes`	`match`	`SHA256=d14c52d9220b606f428a8fe9f7c108b0d6f14cf71e7384749e98e6a95962e68f`	2	2
`Hashes`	`match`	`SHA256=f49cde976e628012c9db73e1c8d76081944ecf2297cdafeb78bb13290da274c4`	2	2

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 6 rules

Cloudflared Portable Execution severity medium, 2 events, 3 indicators, 0 exclusions
Cloudflared Quick Tunnel Execution severity medium, 1 event, 46 indicators, 0 exclusions
HackTool - SharpChisel Execution severity high, 1 event, 2 indicators, 0 exclusions
PUA - Chisel Tunneling Tool Execution severity high, 2 events, 9 indicators, 0 exclusions
RDP over Reverse SSH Tunnel WFP severity high, 1 event, 9 indicators, 0 exclusions
Renamed Cloudflared.EXE Execution severity high, 1 event, 51 indicators, 0 exclusions

Splunk 1 rule

Windows Proxy Via Registry 1 event, 1 indicator, 0 exclusions

Proxy: Internal Proxy T1090.001