Home/ MITRE Matrix/ Command and Control/ T1090.002

T1090.002External Proxy

T1090.002 — External Proxy is a MITRE ATT&CK technique in the Command and Control tactic. Clankerusecase tracks 7 detection use cases covering it and 6 threat-intel articles citing it.

Command and Control

View on the matrix → Filter Detection Library MITRE official spec ↗

7Use cases

6Articles

0Sub-techniques

1Tactic

↑ Parent technique: T1090 · Proxy

Use cases covering this technique (7)

Cisco Secure Firewall - Connection to File Sharing Domain ESCU actions · hunting P [LLM] M365 / Entra sign-ins sourced from BRICKSTORM C2 IP 149.248.11.71 Bespoke c2 · hunting DSΣPDDCS [LLM] Outbound endpoint connections to BRICKSTORM C2 IP 149.248.11.71 Bespoke c2 · hunting DSΣPDDCSCW [LLM] Bright Data SDK control-plane beacon to proxyjs/clientsdk endpoints Bespoke c2 · alerting DSΣPDDCS [LLM] Smart-TV / mobile device acting as residential proxy exit node (high-fan-out HTTPS to unrelated public destinations) Bespoke actions · hunting DSP [LLM] CL-STA-1132 EarthWorm staging download from 146.70.100.69:8000/php_sess Bespoke c2 · hunting DSΣPDD [LLM] rsocx SOCKS5 reverse proxy beacon to 31.172.71.5:8008 (Sandworm Poland C2) Bespoke c2 · alerting DSΣP

Articles citing this technique (6)

crit VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances art-107

high Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI art-114

crit Webworm: New burrowing techniques art-240

crit Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution art-325

crit DynoWiper update: Technical analysis and attribution art-590

high ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 art-603