Connection Proxy
Detects setting proxy configuration
Sigma rule (View on GitHub)
title: Connection Proxy
id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c
status: test
description: Detects setting proxy configuration
references:
    - https://attack.mitre.org/techniques/T1090/
author: Ömer Günal
date: 2020-06-17
modified: 2022-10-05
tags:
    - attack.defense-evasion
    - attack.t1090
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'http_proxy='
            - 'https_proxy='
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
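How the rule's selection evaluates against process_creation events, as an added example that is not part of the Sigma project or of pySigma. The events, host names and helper names (`field_matches`, `rule_matches`, `evaluate`) are constructed for illustration; the third event is the kind of legitimate administration activity the rule lists as a false positive.

```python
# Added example: a minimal evaluator for this rule's selection (not pySigma).
# DETECTION is transcribed from the rule's detection block.
DETECTION = {
    "selection": {"CommandLine|contains": ["http_proxy=", "https_proxy="]},
    "condition": "selection",
}

# Constructed process_creation events (hosts and commands are made up).
SAMPLE_EVENTS = [
    {"CommandLine": "env http_proxy=http://proxy.example.internal:3128 curl http://example.com/"},
    {"CommandLine": "bash -c export HTTPS_PROXY=http://proxy.example.internal:3128"},
    {"CommandLine": "sh -c echo 'https_proxy=http://proxy.example.internal:3128' >> /etc/environment"},
    {"CommandLine": "apt-get update"},
    {"Image": "/usr/bin/curl"},  # event without a CommandLine field
]


def field_matches(event, key, expected):
    """Evaluate one 'Field|modifier' entry; a list of values is OR-ed."""
    field, _, modifier = key.partition("|")
    if modifier not in ("", "contains"):
        raise ValueError(f"unsupported modifier: {modifier}")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()  # Sigma string matching is case-insensitive by default
    values = expected if isinstance(expected, list) else [expected]
    for value in values:
        value = str(value).lower()
        if (value in actual) if modifier == "contains" else (value == actual):
            return True
    return False


def rule_matches(event, detection=DETECTION):
    """Assumes the condition names a single selection; its fields are AND-ed."""
    selection = detection[detection["condition"]]
    return all(field_matches(event, k, v) for k, v in selection.items())


def evaluate(events):
    """Return one boolean per event: True where the rule would fire."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print("MATCH" if hit else "-----", event.get("CommandLine", "<no CommandLine>"))
```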
Related rules
- New Port Forwarding Rule Added Via Netsh.EXE
- New PortProxy Registry Entry Added
- OpenCanary - HTTPPROXY Login Attempt
- RDP Port Forwarding Rule Added Via Netsh.EXE
- AD Object WriteDAC Access