T1090 — Proxy

Technique

T1090

Tactics

Command and Control

MISP citations

0

KEV CVEs mapped

3

Community rules

22

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1090

MITRE description

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic. Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2021-26855
• CVE-2021-22986
• CVE-2019-3396

Detection coverage

SigmaHQ community rules

• Kalambur Backdoor Curl TOR SOCKS Proxy Execution (emerging-threats)
• OpenCanary - HTTPPROXY Login Attempt (core)
• Malicious IP Address Sign-In Suspicious (core)
• Malicious IP Address Sign-In Failure Rate (core)
• Sign-In From Malware Infected IP (core)
• Communication To LocaltoNet Tunneling Service Initiated - Linux (core)
• Communication To Ngrok Tunneling Service - Linux (core)
• Connection Proxy (core)
• Ngrok Usage with Remote Desktop Service (core)
• Communication To LocaltoNet Tunneling Service Initiated (core)
• Communication To Ngrok Tunneling Service Initiated (core)
• Suspicious TCP Tunnel Via PowerShell Script (core)
• Cloudflared Tunnel Connections Cleanup (core)
• Cloudflared Tunnel Execution (core)
• HackTool - Htran/NATBypass Execution (core)
• RDP Port Forwarding Rule Added Via Netsh.EXE (core)
• New Port Forwarding Rule Added Via Netsh.EXE (core)
• PUA - Fast Reverse Proxy (FRP) Execution (core)
• PUA- IOX Tunneling Tool Execution (core)
• PUA - NPS Tunneling Tool Execution (core)
• Potentially Suspicious Usage Of Qemu (core)
• New PortProxy Registry Entry Added (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.