Clankerusecase
MITRE ATT&CK detection coverage
 ← Back to main site
Home/ MITRE Matrix/ Command and Control/ T1090

T1090Proxy

T1090 — Proxy is a MITRE ATT&CK technique in the Command and Control tactic. Clankerusecase tracks 18 detection use cases covering it and 11 threat-intel articles citing it.

Command and Control
View on the matrix → Filter Detection Library MITRE official spec ↗
18Use cases
11Articles
4Sub-techniques
1Tactic

Sub-techniques (4)

T1090.004 · Domain FrontingT1090.002 · External ProxyT1090.001 · Internal ProxyT1090.003 · Multi-hop Proxy

Use cases covering this technique (18)

Cisco IOS XE Tunnel Interface Configuration ESCU actions · hunting P Okta Non-Standard VPN Usage ESCU actions · alerting P Linux Ngrok Reverse Proxy Usage ESCU actions · hunting P Linux Proxy Socks Curl ESCU actions · alerting P Windows Devtunnels Execution ESCU actions · hunting P Windows Devtunnels Image Loaded ESCU actions · hunting P Windows Ngrok Reverse Proxy Usage ESCU actions · hunting P Ngrok Reverse Proxy on Network ESCU actions · hunting P [LLM] Velvet Ant air-gap bridge — fcgiwrap/uptime spawning SSH from HTTP-driven FastCGI Bespoke actions · alerting DSΣPDDCS [LLM] SOCKS5 proxy masquerading as 'smbd -D' from non-Samba install path Bespoke c2 · alerting DSΣPDDCS [LLM] VerdantBamboo BRICKSTORM / PLENET / AGENTPSD file-hash IOCs Bespoke install · hunting DSΣPDDCS [LLM] Egress to BTMOB hosted C2 cluster (LATAM/Hetzner IPs, Google CDN excluded) Bespoke c2 · hunting DSPDDCS [LLM] BadIIS traffic-hijacking: IIS 503 surge + anomalous external redirect ratio per site/hour Bespoke actions · hunting SP [LLM] zrok ProxyShare SSRF — request path begins with absolute URL (CVE-2026-45568) Bespoke exploit · hunting DSΣPDDCS [LLM] IIS worker (w3wp.exe) initiating outbound connection to public IP Bespoke c2 · hunting DSPDDCS [LLM] Outbound C2 callback to xygeni-action backdoor IP 91.214.78.178 from CI runner Bespoke c2 · hunting DSΣPDDCS [LLM] DRILLAPP C2: msedge.exe egress to known DRILLAPP IPs or WebSocket to localhost:8000 Bespoke c2 · hunting DSΣPDDCS [LLM] Sandworm SOCKS5 C2 egress to 31.172.71[.]5 (Fornex) or progamevl.ru Bespoke c2 · hunting DSΣPDDCS

Articles citing this technique (11)

crit Chinese hackers hijack auth flow, spy on isolated network for a decade art-07
crit VerdantBamboo Deploys BSD Variant of BRICKSTORM on Linux Appliances art-107
crit BTMOB: A stealthy RAT burrowing deep into Android devices art-209
high The art of being ungovernable art-228
crit [GHSA / CRITICAL] CVE-2026-45568: rok Python ProxyShare can be used as an SSRF proxy through absolute URL paths art-260
crit From PDB strings to MaaS: Tracking a commodity BadIIS ecosystem used by Chinese-speaking threat art-265
crit Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution art-325
crit A rigged game: ScarCruft compromises gaming platform in a supply-chain attack art-332
high xygeni-action Compromised: C2 Reverse Shell Backdoor Injected via Tag Poisoning art-435
high DRILLAPP: new backdoor targeting Ukrainian entities with possible links to Laundry Bear art-470
crit DynoWiper update: Technical analysis and attribution art-590