PUA - 3Proxy Execution
About the rule
Rule Type
Standard
Rule Description
Detects execution of 3proxy, a small free proxy server that adversaries abuse for protocol tunneling: once running on a compromised host it relays traffic between the attacker and the internal network, hiding command and control communications inside ordinary proxy connections.
Severity
Trouble
Rule journey
Attack chain scenario
Command and Control: Protocol Tunneling (T1572)
Impact
Enables attackers to tunnel malicious traffic through proxy services, aiding in stealthy communication, data exfiltration, and lateral movement.
Rule Requirement
Prerequisites
Process Creation Auditing
Using Windows Event Viewer
- Log in to a domain controller with domain admin credentials.
- Open the Group Policy Management Console (GPMC) by typing gpmc.msc in the Run dialog.
- Create a new GPO or edit an existing one linked to the appropriate OU.
- Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Detailed Tracking
- Right-click Audit Process Creation → Select Properties
- Choose Configure the following audit events → Check Success → Click OK
- Right-click Audit Process Termination → Select Properties
- Choose Configure the following audit events → Check Success → Click OK
- For enhanced tracking with command-line data (required for the COMMANDLINE criterion of this rule; without it, event 4688 carries no Process Command Line field):
- Go to Computer Configuration → Administrative Templates → System → Audit Process Creation
- Double-click Include command line in process creation events
- Select Enabled → Click OK
- Create the registry key:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing\Operational
Using Sysmon
- Download and install Sysmon from Microsoft Sysinternals
- Open Command Prompt with administrator privileges
- Create or download a Sysmon configuration file that includes process creation monitoring
- Install Sysmon using: sysmon.exe -accepteula -i [configfile.xml]
- Sample configuration to monitor process creation (Sysmon Event ID 1; the schemaversion attribute is mandatory on the root element, 4.22 is one version accepted by current Sysmon builds):
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <!-- An empty exclude filter captures all process creations -->
    <ProcessCreate onmatch="exclude"/>
  </EventFiltering>
</Sysmon>
- Create the registry key:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon\Operational
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith "\3proxy.exe" OR MESSAGE = "3proxy - tiny proxy server" OR COMMANDLINE contains ".exe -i127.0.0.1 -p")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
The three selectors cover the unrenamed binary (image name), a renamed binary that still carries 3proxy's file description (MESSAGE), and the characteristic listen arguments on the command line. The parentheses bind all three to process-start events; without them AND binds tighter than OR, and the description and command-line branches would also fire on process-termination events.
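The criteria run over a handful of constructed process-creation events, as an added example that is not the vendor's query engine or the rule author's code. Field names follow the criteria block above; host names, users, paths and command lines are invented, and the example assumes the "Process started" condition is meant to gate all three OR-branches.

```python
"""Run the PUA - 3Proxy Execution criteria over constructed process events.

Added example: not the vendor's query engine. The events are made up to
exercise each selector once, plus one benign event and one termination.
"""

from typing import Dict, List

# Selector values copied from the rule's criteria.
IMAGE_SUFFIX = "\\3proxy.exe"
FILE_DESCRIPTION = "3proxy - tiny proxy server"
CMDLINE_MARKER = ".exe -i127.0.0.1 -p"
SELECT_FIELDS = ("HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME",
                 "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")


def matched_selectors(event: Dict[str, str]) -> List[str]:
    """Return the names of the OR-branches the event satisfies.

    'Process started' gates all three branches (assumption: that is the
    rule's intent). Path and command-line comparisons are case-insensitive,
    as Windows paths are; the file-description match is exact.
    """
    if event.get("actionname") != "Process started":
        return []
    hits: List[str] = []
    if event.get("PROCESSNAME", "").lower().endswith(IMAGE_SUFFIX.lower()):
        hits.append("image")
    if event.get("MESSAGE", "") == FILE_DESCRIPTION:
        hits.append("description")
    if CMDLINE_MARKER.lower() in event.get("COMMANDLINE", "").lower():
        hits.append("cmdline")
    return hits


def run_rule(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Project matching events onto the rule's select list plus the reason."""
    alerts: List[Dict[str, object]] = []
    for ev in events:
        hits = matched_selectors(ev)
        if hits:
            row: Dict[str, object] = {f: ev.get(f, "") for f in SELECT_FIELDS}
            row["matched"] = hits
            alerts.append(row)
    return alerts


def _event(action: str, image: str, cmdline: str, desc: str = "",
           parent: str = "C:\\Windows\\System32\\cmd.exe") -> Dict[str, str]:
    """Build one constructed event record (host name and user are invented)."""
    return {
        "actionname": action, "HOSTNAME": "WS01", "USERNAME": "CORP\\alice",
        "PROCESSNAME": image, "FILE_NAME": image.rsplit("\\", 1)[-1],
        "COMMANDLINE": cmdline, "MESSAGE": desc, "PARENTPROCESSNAME": parent,
    }


# Constructed sample: one event per selector, one benign, one termination.
SAMPLE_EVENTS = [
    _event("Process started",
           "C:\\Users\\alice\\AppData\\Local\\Temp\\3proxy.exe",
           "3proxy.exe 3proxy.cfg"),
    # Renamed binary: the file description still gives it away.
    _event("Process started", "C:\\ProgramData\\svchost.exe",
           "svchost.exe proxy.cfg", desc=FILE_DESCRIPTION),
    # Renamed binary, description stripped: the listen arguments match.
    _event("Process started", "C:\\Temp\\proxy.exe",
           "proxy.exe -i127.0.0.1 -p1080"),
    _event("Process started", "C:\\Windows\\System32\\notepad.exe",
           "notepad.exe notes.txt"),
    # Termination of 3proxy: not a 'Process started' event, so no alert.
    _event("Process stopped", "C:\\Temp\\3proxy.exe", "3proxy.exe 3proxy.cfg"),
]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert["HOSTNAME"], alert["PROCESSNAME"], alert["matched"])
```

Running it yields three alerts, one per selector, and nothing for the benign and termination events; the `matched` list is what an analyst would look at first, since a description-only or command-line-only hit means the binary was renamed and is the stronger indicator of deliberate evasion.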
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
T1572: Protocol Tunneling
Security Standards
- Filter network traffic to block connections to untrusted or malicious domains and IP addresses.
- Deploy intrusion detection and prevention systems with signatures targeting adversary proxy and tunneling activities.
Author
Florian Roth (Nextron Systems)
Future actions
Known False Positives
Potential for legitimate use during authorized proxy server testing or administration.
Next Steps
- Investigate instances of 3proxy execution or suspicious command line patterns.
- Verify authorized use or presence of malicious activity.
- Implement network and endpoint monitoring to detect and halt proxy tunneling.
- Train security teams on proxy tunneling attack methods and mitigation.
Mitigation
| Mitigation ID | Name | Description |
| --- | --- | --- |
| M1037 | Filter Network Traffic | Filter and monitor network traffic to block communications with known malicious or untrusted endpoints. |
| M1031 | Network Intrusion Prevention | Deploy IDS/IPS solutions to detect and prevent proxy tunneling and associated C2 traffic. |