ATT&CK coverage › Technique

Proxy `T1090`

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.

Events covered

9 catalog events are tagged with this technique by at least one rule.

Provider	Event ID	Title
Sysmon	1	Process creation
Sysmon	3	Network connection
Sysmon	12	RegistryEvent (Object create and delete)
Sysmon	13	RegistryEvent (Value Set)
Sysmon	14	RegistryEvent (Key and Value Rename)
Sysmon	22	DNSEvent (DNS query)
Security-Auditing	4688	A new process has been created.
PowerShell	4104	Creating Scriptblock text (MessageNumber of MessageTotal).
TerminalServices-LocalSessionManager	21	Remote Desktop Services: Session logon succeeded.

Authoring guide

Patterns shared across the 16 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (11 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`CommandLine`	9	`match` 9	`tunnel` , `cleanup` , `-connector-id` , `run` , `-credentials-contents`
`Image`	6	`ends_with` 6	`\netsh.exe`, `\htran.exe`, `\lcx.exe`, `\frps.exe`, `\frpc.exe`
`Hashes`	3	`match` 3	`MD5=7D9C233B8C9E3F0EA290D2B84593C842`, `SHA256=57B0936B8D336D8E981C169466A15A5FD21A7D5A2C7DAF62D5...`, `SHA1=06DDC9280E1F1810677935A2477012960905942F`, `SHA256=5A456283392FFCEEEACA3D3426C306EB470304637520D72FED...`, `MD5=AE8ACF66BFE3A44148964048B826D005`
`DestinationHostname`	2	`ends_with` 1, `match` 1	`.localto.net`, `.localtonet.com`, `tunnel.in.ngrok.com`, `tunnel.sa.ngrok.com`, `tunnel.au.ngrok.com`
`OriginalFileName`	2	`eq` 2	`netsh.exe`
`DnsQuery`	1	`is_not_null` 1, `match` 1	`NgrokDomains`
`Initiated`	1	`eq` 1	`true`
`TargetObject`	1	`match` 1	`\Services\PortProxy\v4tov4\tcp\`
`Address`	1	`match` 1	`16777216`
`ScriptBlockText`	1	`match` 1	`[System.Net.HttpWebRequest]`, `AcceptTcpClient`, `System.Net.Sockets.TcpListener`
`dns.question.name`	1	`in` 1	`".ngrok.io"`, `".ngrok.com"`, `"korgn.*.lennut.com"`

Top indicator values (81 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field	Kind	Value	Rules (here)	Corpus reach
`CommandLine`	`match`	`-config`	2	3
`CommandLine`	`match`	`tunnel`	2	3
`Image`	`ends_with`	`\netsh.exe`	2	16
`OriginalFileName`	`eq`	`netsh.exe`	2	14
`DnsQuery`	`match`	`NgrokDomains`	1
`CommandLine`	`match`	`cleanup`	1	2
`CommandLine`	`match`	`-connector-id`	1	2
`CommandLine`	`match`	`-credentials-contents`	1	2
`CommandLine`	`match`	`-credentials-file`	1	2
`CommandLine`	`match`	`-token`	1	2
`CommandLine`	`match`	`run`	1	2
`Initiated`	`eq`	`true`	1	40
`DestinationHostname`	`ends_with`	`.localtonet.com`	1
`DestinationHostname`	`ends_with`	`.localto.net`	1
`DestinationHostname`	`match`	`tunnel.au.ngrok.com`	1
`DestinationHostname`	`match`	`tunnel.us.ngrok.com`	1
`DestinationHostname`	`match`	`tunnel.eu.ngrok.com`	1
`DestinationHostname`	`match`	`tunnel.jp.ngrok.com`	1
`DestinationHostname`	`match`	`tunnel.sa.ngrok.com`	1
`DestinationHostname`	`match`	`tunnel.ap.ngrok.com`	1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 14 rules

Cloudflared Tunnel Connections Cleanup severity medium, 2 events, 4 indicators, 0 exclusions
Cloudflared Tunnel Execution severity medium, 2 events, 6 indicators, 0 exclusions
Communication To LocaltoNet Tunneling Service Initiated severity high, 1 event, 3 indicators, 0 exclusions
Communication To Ngrok Tunneling Service Initiated severity high, 1 event, 7 indicators, 0 exclusions
HackTool - Htran/NATBypass Execution severity high, 2 events, 4 indicators, 0 exclusions
New Port Forwarding Rule Added Via Netsh.EXE severity medium, 1 event, 13 indicators, 0 exclusions
New PortProxy Registry Entry Added severity medium, 3 events, 1 indicator, 0 exclusions
Ngrok Usage with Remote Desktop Service severity high, 1 event, 1 indicator, 0 exclusions
Potentially Suspicious Usage Of Qemu severity medium, 2 events, 10 indicators, 0 exclusions
PUA - Fast Reverse Proxy (FRP) Execution severity high, 1 event, 6 indicators, 0 exclusions
PUA - NPS Tunneling Tool Execution severity high, 1 event, 8 indicators, 0 exclusions
PUA- IOX Tunneling Tool Execution severity high, 1 event, 8 indicators, 0 exclusions
RDP Port Forwarding Rule Added Via Netsh.EXE severity high, 1 event, 6 indicators, 0 exclusions
Suspicious TCP Tunnel Via PowerShell Script severity medium, 1 event, 3 indicators, 0 exclusions

Splunk 1 rule

Ngrok Reverse Proxy on Network 1 event, 4 indicators, 0 exclusions

Kusto Query Language 1 rule

Ngrok Reverse Proxy on Network (ASIM DNS Solution) 1 event, 1 indicator, 0 exclusions

Proxy T1090