Proxy T1090

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.

Events covered

14 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 39 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (27 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine16contains 14, in 1, regex_match 1 tunnel , -config , run , -blockdev , -cdrom
Image16ends_with 15, contains 2\cloudflared.exe, \cloudflared-windows-386.exe, \cloudflared-windows-amd64.exe, \netsh.exe, :\program files (x86)\cloudflared\
process_name6eq 6cloudflared.exe, devtunnel.exe, netsh.exe, ngrok.exe, rundll32.exe
Hashes5contains 5sha256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681..., sha256=083150724b49604c8765c1ba19541fa260b133be0acb0647fc..., sha256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b..., md5=7d9c233b8c9e3f0ea290d2b84593c842, md5=9db2d314dd3f704a02051ef5ea210993
OriginalFileName5eq 5netsh.exe, cloudflared.exe, devtunnel.dll
DestinationHostname4contains 2, ends_with 2.localto.net, .localtonet.com, .portmap.io, afdxtest.z01.azurefd.net, azurefd.net
QueryName3ends_with 2, contains 1, is_not_null 1.hiddenservice.net, .onion, .onion.ca, korgn, lennut.com
TargetObject3contains 1, eq 1, wildcard 1*\system\*controlset*\services\portproxy\v4tov4\*, \services\portproxy\v4tov4\tcp\, hklm\\system\\currentcontrolset\\services\\portproxy\\v4tov4
event.type3eq 3start, change
Initiated2eq 2true
Product2eq 2SharpChisel, Tor Browser
dns.question.name2in 1, wildcard 1*.blob.core.windows.net, *.blob.storage.azure.net, *.blogspot.com, *.ngrok.com, *.ngrok.io
process.args2eq 2-c, -l, -s, tunnel
Address1contains 116777216
Description1eq 1Tor Browser

Top indicator values (347 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
CommandLinecontains
tunnel
33
CommandLinecontains
-config
33
CommandLinecontains
run
22
CommandLinecontains
-connector-id
22
CommandLinecontains
-credentials-contents
22
CommandLinecontains
-credentials-file
22
CommandLinecontains
-token
22
CommandLinecontains
-url
22
CommandLinecontains
cleanup
22
CommandLinecontains
tunnel
24
Imageends_with
\cloudflared.exe
33
OriginalFileNameeq
netsh.exe
323
Hashescontains
sha256=0409c9b12f9d0eda86e461ed9bdabeefb00172b26322079681a0bdf48e68dc28
22
Hashescontains
sha256=083150724b49604c8765c1ba19541fa260b133be0acb0647fcd936d81f054499
22
Hashescontains
sha256=1293525a19cfe3bc8296b62fbfe19f083632ed644a1c18c10b045a1d3030d81a
22
Hashescontains
sha256=19074674c6fbdaa573b3081745e5e26144fdf7a086d14e0e220d1814f1f13078
22
Hashescontains
sha256=1fbd8362b2d2d2e6a5750ae3db69cd1815e6c1d31da48a98b796450971a8e039
22
Hashescontains
sha256=2fb6c04c4f95fb8d158af94c137f90ac820716deaf88d8ebec956254e046cb29
22
Hashescontains
sha256=2fbbfc8299537ff80cadf9d0e27c223fe0ccb9052bf9d8763ad717bbfa521c77
22
Hashescontains
sha256=3153d2baa462978dd22ab33d1c2274ecc88c200225d6a3327f98d5b752d08f5c
22
Hashescontains
sha256=39ddceb56a15798826a5fc4892fa2b474c444bb4d7a8bf2fa95e41cab10fa7a1
22
Hashescontains
sha256=44303d6572956f28a0f2e4b188934fb9874f2584f5c81fa431a463cfbf28083b
22
Hashescontains
sha256=53f8adbd76c0eb16f5e43cadde422474d8a06f9c8f959389c1930042ad8beaa5
22
Hashescontains
sha256=5b3c2d846ab162dc6bc595cce3a49de5731afde5d6060be7066d21b013a28373
22
Hashescontains
sha256=5d38c46032a58e28ae5f7d174d8761ec3d64d186677f3ec53af5f51afb9bfd2f
22
Hashescontains
sha256=648c8d2f8001c113d2986dd00b7bbd181593d462bef73522cee212c4f71f95b3
22
Hashescontains
sha256=7cfb411d04bac42ef93d1f0c93c0a481e38c6f4612b97ae89d4702595988edc7
22
Hashescontains
sha256=9ec7e6c8e1bfd883663d8d9d62c9e4f9ae373b731407181e32491b27a7218a2c
22
Hashescontains
sha256=ae047e2095e46c3f9c518b2be67ec753f4f0aad23b261a361fcb6144dcdb63b4
22
Hashescontains
sha256=af2b9161cfcb654b16408cd6b098afe9d1fb61a037d18d7090a119d4c0c8e0f0
22

Exclusions (98 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
CommandLinecontains
-blockdev
1
CommandLinecontains
-cdrom
1
CommandLinecontains
type=virt
1
DestinationHostnamecontains
afdxtest.z01.azurefd.net
1
DestinationHostnamecontains
fp-afd.azurefd.net
1
DestinationHostnamecontains
fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net
1
DestinationHostnamecontains
graph.azurefd.net
1
DestinationHostnamecontains
powershellinfraartifacts-gkhedzdeaghdezhr.z01.azurefd.net
1
DestinationHostnamecontains
roxy.azurefd.net
1
DestinationHostnamecontains
storage-explorer-publishing-feapcgfgbzc2cjek.b01.azurefd.net
1
FilterOrigineq
AppContainer Loopback
1
Imagecontains
:\program files (x86)\cloudflared\
1
Imagecontains
:\program files\cloudflared\
1
Imageends_with
\cloudflared-windows-386.exe
1
Imageends_with
\cloudflared-windows-amd64.exe
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 26 rules

Elastic 4 rules

Splunk 7 rules

Kusto 1 rule

YARA-L 1 rule