
DET0445 Detection of Proxy Infrastructure Setup and Traffic Bridging

| Item | Value |
| --- | --- |
| ID | DET0445 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1090 (Proxy)

Analytics

Windows

AN1229

Suspicious process spawning (e.g., rundll32, svchost, powershell, or netsh) followed by network connection creation to internal hosts or uncommon external endpoints on high or non-standard ports.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Network Traffic Flow (DC0078) | NSM:Connections | Outbound Connection |

Mutable Elements

| Field | Description |
| --- | --- |
| ParentProcessName | Legitimate system processes that may rarely spawn network-capable child processes (e.g., rundll32, svchost). |
| DestinationPort | Watch for high-numbered ports or well-known proxy ports like 1080, 8080, 4444. |
| TimeWindow | Capture unusual spikes in outbound connections over a short period. |
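The correlation AN1229 describes, as an added example that is not part of this detection strategy or of the ATT&CK project's own code: it pairs Sysmon process-creation (EventCode 1) and network-connection (EventCode 3) records by ProcessId and alerts when one of the watched images reaches a proxy or high port within the TimeWindow of being spawned. The sample records are constructed, and the watched-image list, proxy port set, high-port threshold and window length are assumptions to tune against the environment's baseline.

```python
from datetime import datetime
from pathlib import PureWindowsPath

# Tunable values matching the Mutable Elements above; assumed defaults, baseline them per environment.
WATCHED_IMAGES = {"rundll32.exe", "svchost.exe", "powershell.exe", "netsh.exe"}
PROXY_PORTS = {1080, 8080, 4444}  # well-known proxy/tunnel ports named in the analytic
HIGH_PORT_MIN = 10000             # treat anything at or above this as a "high" port
TIME_WINDOW_SECONDS = 60          # how soon after spawn a connection counts as "followed by"

# Constructed sample Sysmon records (EventCode 1 = process creation, 3 = network connection).
# Field names follow Sysmon's schema; the values are fabricated for this example.
SAMPLE_EVENTS = [
    {"EventCode": 1, "UtcTime": "2025-10-21 10:00:00.101", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"EventCode": 3, "UtcTime": "2025-10-21 10:00:12.530", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "10.0.5.20", "DestinationPort": "1080"},
    {"EventCode": 1, "UtcTime": "2025-10-21 10:10:00.000", "ProcessId": 6000,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventCode": 3, "UtcTime": "2025-10-21 10:30:00.000", "ProcessId": 6000,  # 20 min after spawn
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "DestinationIp": "198.51.100.7", "DestinationPort": "4444"},
]

def _ts(value):  # Sysmon UtcTime is "YYYY-MM-DD HH:MM:SS.mmm"; drop the fraction before parsing
    return datetime.strptime(value.split(".")[0], "%Y-%m-%d %H:%M:%S")

def _name(image):
    return PureWindowsPath(image).name.lower()

def suspicious_port(port):
    return port in PROXY_PORTS or port >= HIGH_PORT_MIN

def correlate(events, window_seconds=TIME_WINDOW_SECONDS):
    """Pair each EventCode 3 with the EventCode 1 of the same ProcessId and alert when a
    watched image reached a proxy or high port within window_seconds of being spawned."""
    creations, alerts = {}, []  # ProcessId -> latest creation event (PIDs get reused)
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        if ev["EventCode"] == 1:
            creations[ev["ProcessId"]] = ev
            continue
        start = creations.get(ev["ProcessId"])
        if ev["EventCode"] != 3 or start is None or _name(start["Image"]) != _name(ev["Image"]):
            continue  # not a connection, no creation in scope, or PID reused by another image
        age, port = (_ts(ev["UtcTime"]) - _ts(start["UtcTime"])).total_seconds(), int(ev["DestinationPort"])
        if 0 <= age <= window_seconds and _name(ev["Image"]) in WATCHED_IMAGES and suspicious_port(port):
            alerts.append({"pid": ev["ProcessId"], "image": _name(ev["Image"]),
                           "parent": _name(start["ParentImage"]),
                           "dest": f'{ev["DestinationIp"]}:{port}', "seconds_after_start": age})
    return alerts
```

With the 60-second default only the rundll32 connection fires; widening the window to an hour also surfaces the delayed powershell connection, which is the trade-off the TimeWindow element controls.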

Linux

AN1230

User-space tools (e.g., socat, ncat, iptables, ssh) used in non-standard ways to establish reverse shells, port-forwarding, or inter-host connections. Often chained with uncommon outbound destinations or SSH tunnels.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| Network Traffic Flow (DC0078) | NSM:Flow | Connection Tracking |

Mutable Elements

| Field | Description |
| --- | --- |
| CommandLinePattern | Shell piping into tools like socat, ncat, or openssl for tunnel creation. |
| OutboundPortRange | Flag connections made from internal systems to uncommon high ports externally. |
| ProcessUserContext | Capture low-privilege or unexpected users executing system-level network tools. |

macOS

AN1231

AppleScript, LaunchAgents, or remote login services (ssh, networksetup) establishing proxy tunnels or dynamic port forwards to external IPs or alternate local hosts.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | macos:unifiedlog | None |
| Network Traffic Flow (DC0078) | NSM:Firewall | pf firewall logs |
| Network Connection Creation (DC0082) | NSM:Flow | connection attempts |

Mutable Elements

| Field | Description |
| --- | --- |
| TargetDomain | Identify suspicious domains often associated with CDN-routed or anonymized endpoints (e.g., Cloudflare, Fastly). |
| AppleScriptUsage | Alert when AppleScript or Automator tools are used for network tunneling tasks. |
| LaunchAgentSource | Monitor for LaunchAgents executing proxy tools or opening dynamic port forwards. |

ESXi

AN1232

Direct use of nc, socat, or reverse tunnel scripts from abnormal user contexts, or unauthorized VIBs, initiating connections from the hypervisor to external systems.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Command Execution (DC0064) | esxi:shell | None |
| Network Traffic Flow (DC0078) | esxi:vmkernel | None |
| Network Connection Creation (DC0082) | NSM:Flow | conn.log |

Mutable Elements

| Field | Description |
| --- | --- |
| CLICommand | Custom proxy or port forwarding scripts executed from the ESXi shell. |
| DestinationIP | Unusual outbound connections from the ESXi host, particularly to the internet. |
| UserContext | Root or elevated users initiating unexpected tunnels. |

Network Devices

AN1233

Dynamic or static port forwarding rules added to route traffic through an internal host, or configuration changes to proxy firewall rules not aligned with baselined policy.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Firewall Rule Modification (DC0051) | NSM:Firewall | Policy Change / Rule Update |
| Network Traffic Flow (DC0078) | NSM:Flow | Flow Creation (NetFlow/sFlow) |
| Command Execution (DC0064) | networkdevice:cli | Interface commands |

Mutable Elements

| Field | Description |
| --- | --- |
| RuleType | Focus on new allow/permit rules with dynamic NAT or port forwarders. |
| ChangeUser | Flag any non-admins initiating proxy config changes. |
| FlowVolumeDelta | Detect sharp changes in bi-directional traffic patterns. |