Connection Proxy

 1title: Connection Proxy
 2id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c
 3status: test
 4description: Detects setting proxy configuration
 5references:
 6    - https://attack.mitre.org/techniques/T1090/
 7author: Ömer Günal
 8date: 2020/06/17
 9modified: 2022/10/05
10tags:
11    - attack.defense_evasion
12    - attack.t1090
13logsource:
14    product: linux
15    category: process_creation
16detection:
17    selection:
18        CommandLine|contains:
19            - 'http_proxy='
20            - 'https_proxy='
21    condition: selection
22falsepositives:
23    - Legitimate administration activities
24level: low

References

• Proxy, Technique T1090 - Enterprise | MITRE ATT&CK®

  G0096 APT41 APT41 used a tool called CLASSFON to covertly proxy network communications.[2] S0456 Aria-body Aria-body has the ability to use a reverse SOCKS proxy module.[3] S0347 AuditCred AuditCre...

  
  Read More

Related rules

• Auditing Configuration Changes on Linux Host
• Clear Linux Logs
• File Deletion
• File or Folder Permissions Change
• Install Root Certificate