Connection Proxy

Jun 4, 2025 · attack.defense-evasion attack.command-and-control attack.t1090 ·

Detects setting proxy configuration

Sigma rule (View on GitHub)

 1title: Connection Proxy
 2id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c
 3status: test
 4description: Detects setting proxy configuration
 5author: Ömer Günal
 6date: 2020-06-17
 7modified: 2022-10-05
 8tags:
 9    - attack.defense-evasion
10    - attack.command-and-control
11    - attack.t1090
12logsource:
13    product: linux
14    category: process_creation
15detection:
16    selection:
17        CommandLine|contains:
18            - 'http_proxy='
19            - 'https_proxy='
20    condition: selection
21falsepositives:
22    - Legitimate administration activities
23level: low

Related rules

OpenCanary - HTTPPROXY Login Attempt
New Port Forwarding Rule Added Via Netsh.EXE
New PortProxy Registry Entry Added
RDP Port Forwarding Rule Added Via Netsh.EXE
Potentially Suspicious Rundll32.EXE Execution of UDL File