MITRE ATT&CK® Detection Strategy

DET0445: Detection of Proxy Infrastructure Setup and Traffic Bridging


Domain: Enterprise. ID: DET0445. Type: Detection Strategy. Object version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0445 is a detection strategy for identifying proxy infrastructure setup and traffic bridging associated with ATT&CK technique T1090 Proxy. For leaders, the practical issue is that proxying can obscure where command-and-control traffic is really going, making incident scoping, containment, and audit evidence harder if network visibility is incomplete.

Executive priority

Prioritize this as a visibility and resilience question: can the organization prove when systems or network devices are being used as intermediaries for command-and-control traffic? This matters for SOC effectiveness, incident response containment decisions, and control validation around network monitoring. Because the DET0445 object has no official description or detection text supplied, teams should treat it as a prompt to validate coverage against T1090 rather than as a complete detection specification.

Technical view

The supplied relationship says this detection strategy detects T1090 Proxy, a command-and-control technique involving connection proxies or traffic redirection through intermediary systems. Detection engineering should focus on whether existing network, endpoint, and infrastructure telemetry can show traffic bridging behavior, unexpected proxy-like communications, and systems acting as intermediaries. Relationship context lists ESXi, Linux, macOS, and Network Devices for T1090; validate coverage for those environments if they exist locally, but do not assume DET0445 itself defines platform scope.

Likely telemetry

  • Network connection metadata and flow logs showing source, destination, ports, timing, and volume
  • Proxy, firewall, VPN, and secure web gateway logs where available
  • Network device logs that can show forwarding, tunneling, or unusual intermediary behavior
  • Endpoint network telemetry from Linux and macOS hosts, and from ESXi hypervisors and the workloads they run, where locally applicable
  • DNS and destination reputation/context logs to support investigation of indirect command-and-control paths

Detection direction

  • Validate that detections look for systems behaving as unexpected intermediaries, not only direct outbound command-and-control connections.
  • Baseline approved proxy, NAT, VPN, remote administration, and network management patterns to reduce false positives.
  • Correlate network flows with asset role: a workstation, server, hypervisor, or network device unexpectedly bridging traffic should be investigated differently than sanctioned proxy infrastructure.
  • Ensure detections are not limited to a single operating system or endpoint sensor if the local environment includes ESXi, Linux, macOS, or network devices referenced by T1090.
  • Use relationship-driven context only: DET0445 is tied to T1090 Proxy, but the supplied object does not provide analytics, thresholds, data sources, or detection logic.
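The telemetry and detection points above can be turned into concrete logic. The following is an added example written for this page; it is not part of the MITRE object and not Glexia's own detection code. It takes flow-log records (source, destination, port, timing, byte volumes in each direction) and flags an internal host as a probable traffic bridge when inbound flows from other internal hosts are mirrored, within a short time window and with matching forward/reverse byte volumes, by outbound flows from that host to external destinations. The address plan, the sanctioned proxy at 10.0.0.5, the asset-role inventory, and the flow records are all constructed assumptions for illustration.

```python
"""Flag internal hosts that appear to bridge traffic (T1090-style proxying)
from constructed flow records. Example code, not MITRE's or Glexia's."""
from collections.abc import Iterable
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed local address plan and approved intermediaries (hypothetical values).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SANCTIONED_INTERMEDIARIES = {"10.0.0.5"}          # e.g. the corporate web proxy
ASSET_ROLE = {"10.0.1.20": "workstation", "10.0.0.5": "proxy", "10.0.2.10": "server"}


@dataclass(frozen=True)
class Flow:
    ts: float        # flow start, seconds since epoch
    src: str
    dst: str
    dport: int
    bytes_fwd: int   # bytes sent src -> dst
    bytes_rev: int   # bytes sent dst -> src


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _similar(a: int, b: int, tolerance: float) -> bool:
    """True when two byte counts agree within `tolerance` of the larger one."""
    return abs(a - b) <= tolerance * max(a, b, 1)


def find_bridging_hosts(flows: Iterable[Flow], window: float = 30.0,
                        tolerance: float = 0.2, min_pairs: int = 2) -> dict:
    """Return {host: [(internal_source, external_destination), ...]} for internal
    hosts whose inbound internal flows are mirrored, within `window` seconds and
    `tolerance` byte ratio, by outbound flows to external hosts. Hosts listed in
    SANCTIONED_INTERMEDIARIES are baselined out."""
    inbound: dict[str, list[Flow]] = {}
    outbound: dict[str, list[Flow]] = {}
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            inbound.setdefault(f.dst, []).append(f)
        elif is_internal(f.src) and not is_internal(f.dst):
            outbound.setdefault(f.src, []).append(f)

    findings: dict[str, list[tuple[str, str]]] = {}
    for host, ins in inbound.items():
        if host in SANCTIONED_INTERMEDIARIES or host not in outbound:
            continue
        pairs = []
        for i in ins:
            for o in outbound[host]:
                # A relay forwards the client's request bytes outward and the
                # server's response bytes back, so both directions should track
                # and the outbound leg should start shortly after the inbound one.
                if (0 <= o.ts - i.ts <= window
                        and _similar(i.bytes_fwd, o.bytes_fwd, tolerance)
                        and _similar(i.bytes_rev, o.bytes_rev, tolerance)):
                    pairs.append((i.src, o.dst))
        if len(pairs) >= min_pairs:
            findings[host] = pairs
    return findings


def severity(host: str) -> str:
    """Asset role drives triage: a workstation or an uninventoried host acting as
    an intermediary is rated higher than a server; a known proxy is low."""
    role = ASSET_ROLE.get(host, "uninventoried")
    return {"workstation": "high", "server": "medium", "proxy": "low"}.get(role, "high")


SAMPLE_FLOWS = [  # constructed records, not real telemetry
    # Two workstations talk to 10.0.1.20:8080, which relays to 203.0.113.10:443.
    Flow(1000.0, "10.0.1.30", "10.0.1.20", 8080, 1500, 48000),
    Flow(1000.4, "10.0.1.20", "203.0.113.10", 443, 1580, 47900),
    Flow(1020.0, "10.0.1.31", "10.0.1.20", 8080, 900, 12000),
    Flow(1020.3, "10.0.1.20", "203.0.113.10", 443, 960, 11950),
    # The same pattern through the sanctioned proxy: baselined, so not flagged.
    Flow(1100.0, "10.0.1.32", "10.0.0.5", 3128, 2000, 60000),
    Flow(1100.2, "10.0.0.5", "198.51.100.7", 443, 2050, 59800),
    Flow(1110.0, "10.0.1.33", "10.0.0.5", 3128, 700, 9000),
    Flow(1110.1, "10.0.0.5", "198.51.100.7", 443, 720, 8900),
    # Ordinary direct egress from a workstation: no inbound counterpart.
    Flow(1200.0, "10.0.1.40", "93.184.216.34", 443, 800, 30000),
    # Internal file-share traffic into a server with no matching egress.
    Flow(1300.0, "10.0.1.41", "10.0.2.10", 445, 50000, 2000),
]

if __name__ == "__main__":
    for host, pairs in find_bridging_hosts(SAMPLE_FLOWS).items():
        role = ASSET_ROLE.get(host, "uninventoried")
        print(f"{host} ({role}, severity {severity(host)}) bridged {len(pairs)} sessions:")
        for src, dst in pairs:
            print(f"  {src} -> {host} -> {dst}")
```

Run as-is, the script reports only 10.0.1.20: the sanctioned proxy shows the identical bridging shape but is suppressed by the baseline, the direct-egress workstation has no inbound leg to pair, and the file server receives traffic without a mirrored outbound flow. In production the same pairing would run over NetFlow/IPFIX or firewall session logs, and the window and tolerance would be tuned against observed latency and protocol overhead (TLS framing, for instance, inflates the outbound leg slightly, which is why the sample relay bytes are not exactly equal).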

Mitigation priorities

  • Maintain an inventory of sanctioned proxying, forwarding, remote access, and network egress paths.
  • Restrict unauthorized traffic forwarding and proxy services through network segmentation, egress control, and administrative policy where appropriate.
  • Harden and monitor network devices and systems that can act as intermediaries, especially where they have broad routing or management reach.
  • Prepare incident response playbooks to trace indirect network paths and identify the true initiating host when proxying is suspected.
  • Use detection validation exercises to confirm SOC analysts can distinguish approved infrastructure from suspicious traffic bridging.

Analyst notes and limits

This take is based on the DET0445 detection strategy metadata and its relationship to ATT&CK T1090 Proxy. The business value is in validating whether monitoring can expose indirect command-and-control paths and unauthorized intermediary systems. Local architecture, approved proxy design, and available telemetry will determine the practical detection approach.

The supplied DET0445 object has no official description, no official detection text, no tactics, and no platforms of its own. Platform and tactic context comes only from the related T1090 technique. No active exploitation, actor attribution, or guaranteed detection coverage is implied.

Official MITRE ATT&CK definition

Detection of Proxy Infrastructure Setup and Traffic Bridging

No official description is available in the imported ATT&CK source object.

The official entry is hosted on attack.mitre.org; the in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name   Relationship / procedure
Enterprise  T1090  Proxy  This object detects Proxy.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (blank in the mirrored snapshot)
Modified: (blank in the mirrored snapshot)
Raw hash: f9663822dbb3ea6a...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle f9663822dbb3…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0445 (external source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.