This artifact detects evidence of several common proxy tools.
NOTE: this artifact is Windows only. Similar queries to those in step 2 can be run on Linux and macOS.
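# Artifact header: identity, author and a human-readable summary of the three
# detection sources defined further down in this file.
name: Windows.Detection.ProxyHunter
author: Matt Green - @mgreen27
# Literal block scalar: the numbered lines are kept verbatim. The body must be
# indented deeper than the `description:` key, otherwise the scalar is empty and
# the following lines are parsed as stray top-level keys (the file fails to load).
description: |
  This artifact detects evidence of several common proxy tools.
  1. Hunt through Event Logs for potential evidence of proxy tool commandline.
  2. Checks active connections for proxy tool commandline (for active threat)
  3. Checks port proxy registry key for OS level forwarding
  NOTE: this artifact is Windows only. Similar queries for 2. can be run on linux and macos
# CLIENT artifacts are collected on the endpoint; the precondition under
# `sources` further restricts execution to Windows hosts.
type: CLIENT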
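# Tunable inputs. Both parameters are referenced by name from the VQL in
# `sources` (EvtxGlob=TargetGlob, IocRegex=ProxyCliRegex, CommandLineRegex=ProxyCliRegex).
parameters:
  - name: TargetGlob
    description: Glob target for event log regex search
    # Single-quoted so the backslashes and `%SystemRoot%` are passed through
    # literally to the glob; the brace group selects the three channel families.
    default: '%SystemRoot%\\System32\\Winevt\\Logs\\*{Powershell,Security,Sysmon}*.evtx'
  - name: ProxyCliRegex
    type: regex
    description: Regex to detect proxy tool cli. Default example includes plink.
    # Kept on one line because the value is a single regex and a folded scalar
    # would insert spaces. Single quotes make the scalar robust: a plain scalar
    # here only parses by luck (it contains `:`, `|`, `{`, `}` and `#`-free
    # text), and one stray `: ` or ` #` would silently break or truncate it.
    # The second alternative previously used unescaped `.` between the octets,
    # which matches any character; it is now `\.` like the other alternatives.
    default: '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}\s+-p|\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5} :\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}:socks'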
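# Three independent detection sources. Each produces its own result table.
sources:
  # Source 1: historical evidence — regex hunt over exported event logs
  # (including VSS copies, SearchVSS='Y').
  # NOTE(review): this first source carries no `name:` while the other two do;
  # confirm the consumer accepts an unnamed source alongside named ones, or
  # name it for consistent output tables.
  - precondition:
      SELECT OS From info() where OS = 'windows'
    query: |
      -- firstly hunt through Event Logs for potential evidence of proxy tool commandline
      SELECT EventTime, Computer, Channel, Provider,
        EventID, EventData, UserData, Message, FullPath
      FROM Artifact.Windows.EventLogs.EvtxHunter(
        IocRegex=ProxyCliRegex,
        EvtxGlob=TargetGlob,
        SearchVSS='Y' )
  # Source 2: live evidence — running processes with an active socket whose
  # command line matches ProxyCliRegex. ProcessNameRegex='.' matches any name so
  # only the command line filters.
  - name: ActiveConnections
    query: |
      -- Secondly check for proxy CLI with potential active network connections by CLI.
      SELECT * FROM Artifact.Windows.Network.NetstatEnriched(CommandLineRegex=ProxyCliRegex,ProcessNameRegex='.')
  # Source 3: OS-level port forwarding configured via netsh portproxy, read
  # from the registry by the referenced artifact. Any rows here are notable
  # because the key is normally empty.
  - name: PortProxy
    query: |
      -- next we check for Windows inbuilt proxy config usually empty
      SELECT * FROM Artifact.Windows.Registry.PortProxy()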