Adversaries may configure a proxy to exfiltrate data or mask their command and control communications. SOC teams should proactively hunt for proxy configuration changes in Azure Sentinel to identify potential covert network traffic and early-stage compromise indicators.
Detection Rule
title: Connection Proxy
id: 72f4ab3f-787d-495d-a55d-68c2ff46cf4c
status: test
description: Detects setting proxy configuration
author: Ömer Günal
date: 2020-06-17
modified: 2022-10-05
tags:
    - attack.defense-evasion
    - attack.command-and-control
    - attack.t1090
logsource:
    product: linux
    category: process_creation
detection:
    selection:
        CommandLine|contains:
            - 'http_proxy='
            - 'https_proxy='
    condition: selection
falsepositives:
    - Legitimate administration activities
level: low
imProcessCreate
| where TargetProcessCommandLine contains "http_proxy=" or TargetProcessCommandLine contains "https_proxy="
Scenario: System administrator configures proxy settings via Group Policy or registry during a routine maintenance task.
Filter/Exclusion: Exclude events where the proxy configuration is applied via Group Policy or registry keys under HKLM\Software\Policies\Microsoft\Windows\Proxy or HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings.
Scenario: A scheduled job or script (e.g., PowerShell, Python, or batch) updates proxy settings as part of a network configuration change.
Filter/Exclusion: Exclude processes associated with known configuration management tools (e.g., PowerShell.exe, task scheduler, or msiexec.exe) or jobs running under a specific service account.
Scenario: A developer or DevOps engineer manually sets proxy settings in a development environment to test network behavior.
Filter/Exclusion: Exclude processes running from known development directories (e.g., C:\Users\dev\AppData\Local\Temp, C:\Program Files\DevTools\) or users with specific roles (e.g., DevOps, Developer).
Scenario: A third-party application (e.g., Cisco AnyConnect, Citrix Workspace, or Microsoft Teams) modifies proxy settings during connection setup.
Filter/Exclusion: Exclude processes associated with known third-party applications or network clients (e.g., AnyConnect.exe, CitrixWorkspaceApp.exe, Teams.exe).
Scenario: A system update or patching tool (e.g., Windows Update, WSUS, or Chocolatey) temporarily adjusts proxy settings during installation.
Filter/Exclusion: Exclude events where the process is related to system update tools (e.g., wuauclt.exe, msiexec.exe, choco.exe) or occurs during known update windows.
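As an added example (not code from the rule, the page, or Sentinel), the Python below applies the rule's selection to constructed Linux process_creation events, matching the rule's logsource, and layers a tuning allow-list on top for the "Legitimate administration activities" false positive; the users, images, hosts and command lines are invented.

```python
"""Added example (not the page's or the rule's code): applies the Sigma selection
above to constructed Linux process_creation events, then a small allow-list for
the 'Legitimate administration activities' false-positive class."""
from dataclasses import dataclass

# Sigma 'CommandLine|contains' and KQL 'contains' match case-insensitively,
# so the upper-case 'HTTPS_PROXY=' spelling many tools read is caught too.
PROXY_MARKERS = ("http_proxy=", "https_proxy=")

@dataclass(frozen=True)
class ProcessEvent:
    user: str
    image: str
    command_line: str

@dataclass(frozen=True)
class Tuning:
    # Assumed per-environment allow-lists; the entries are placeholders.
    allowed_users: frozenset = frozenset()
    allowed_images: frozenset = frozenset()

def matches_selection(ev):
    """The rule's 'selection' block: any marker anywhere in the command line."""
    cl = ev.command_line.lower()
    return any(marker in cl for marker in PROXY_MARKERS)

def is_excluded(ev, tuning):
    """Tuning is applied after the match, so the rule itself stays unchanged."""
    return ev.user in tuning.allowed_users or ev.image in tuning.allowed_images

def evaluate(events, tuning):
    """Return the events that match the rule and survive tuning."""
    return [ev for ev in events if matches_selection(ev) and not is_excluded(ev, tuning)]

# Constructed sample telemetry; users, hosts and paths are invented.
SAMPLE_EVENTS = (
    ProcessEvent("svc-config", "/usr/bin/ansible-playbook",
                 "ansible-playbook site.yml -e http_proxy=http://proxy.corp.example:3128"),
    ProcessEvent("www-data", "/bin/sh",
                 "sh -c HTTPS_PROXY=http://198.51.100.7:8080 curl -s example.invalid"),
    ProcessEvent("alice", "/usr/bin/apt-get", "apt-get update"),
    ProcessEvent("bob", "/usr/bin/env",
                 "env http_proxy=http://proxy.corp.example:3128 pip install requests"),
)
DEFAULT_TUNING = Tuning(allowed_users=frozenset({"svc-config"}))

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS, DEFAULT_TUNING):
        print(f"ALERT user={ev.user} image={ev.image} cmd={ev.command_line}")
```

Keep the exclusions in the tuning layer rather than editing the rule, so the upstream Sigma logic stays comparable across environments.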