S0273: Socksbot
Analyst context for executives and security teams
Socksbot matters because it is a Windows backdoor described by ATT&CK as abusing SOCKS proxies. For leaders, the practical risk is not just malware presence; it is the possibility that compromised endpoints can become proxy-enabled access points for command-and-control activity and follow-on operations. The ATT&CK relationships show behaviors defenders should care about: proxy-based C2, PowerShell execution, DLL injection, process discovery, and screen capture.
Executive priority
Prioritize validation around egress visibility, endpoint behavior monitoring, and incident response readiness for Windows systems. This object has no official ATT&CK detection guidance, so executives should ask whether the organization can prove it collects the evidence needed to investigate proxy-like outbound traffic, suspicious PowerShell use, process injection indicators, process enumeration, and screen capture activity. This is especially relevant for SOC coverage evidence, IR scoping, and control assurance around command-and-control and post-compromise collection behaviors.
Technical view
Socksbot is mapped to Windows and uses T1090 Proxy, T1059.001 PowerShell, T1055.001 Dynamic-link Library Injection, T1057 Process Discovery, and T1113 Screen Capture. SOC and detection teams should validate whether endpoint and network controls can correlate unusual outbound proxy behavior with host-side execution and discovery activity. Because ATT&CK provides no official detection text for this malware, coverage should be built from the related techniques rather than from a malware-specific signature alone. IR teams should be prepared to examine Windows process lineage, PowerShell activity, process injection evidence, outbound network sessions, and possible screen capture artifacts when this software is suspected.
Likely telemetry
- Windows endpoint process creation and process lineage records
- PowerShell command, script, and module activity where available
- Endpoint telemetry for DLL loading, remote thread creation, or other process injection indicators
- Network connection and proxy logs showing outbound connections, proxy use, and unusual intermediary behavior
- Process enumeration or discovery command/activity records
Detection direction
- Validate detections for T1090 Proxy using network egress patterns, proxy logs, and unusual connections from endpoints that do not normally broker traffic.
- Tune PowerShell monitoring for suspicious execution context, parent-child process relationships, encoded or scripted activity, and correlation with network connections.
- Review endpoint visibility for DLL injection behaviors associated with T1055.001; prioritize correlation over single low-context alerts because legitimate software may also inject DLLs.
- Look for process discovery activity that appears near execution, network connection, or collection behaviors rather than treating process listing alone as high confidence.
- Assess screen capture detections in the context of remote-access-like behavior, sensitive user sessions, or preceding discovery activity.
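The correlation idea in the points above, as an added example that is not part of the ATT&CK object or the mirrored page: it walks constructed, Sysmon-style events (field names and event shapes are assumptions) and only flags an svchost.exe that was spawned by an untrusted parent, received a remote thread, and then made an outbound connection, so a lone injection or a lone listing is not enough on its own.

```python
# Added example: correlate process-creation, remote-thread and network events
# to surface the chain ATT&CK describes for Socksbot (svchost.exe created and
# injected into, then used for outbound/proxy traffic). The event layout below
# is a constructed approximation of Sysmon IDs 1, 8 and 3, not real telemetry.
TRUSTED_SVCHOST_PARENTS = {r"c:\windows\system32\services.exe"}

# Constructed sample events, in time order. pid 4120 is the suspicious chain;
# pid 900 is an ordinary svchost.exe started by services.exe.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"id": 1, "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"id": 8, "source_pid": 3300, "target_pid": 4120},        # remote thread into 4120
    {"id": 3, "pid": 4120, "dest_ip": "203.0.113.10", "dest_port": 1080},
    {"id": 3, "pid": 900, "dest_ip": "10.0.0.5", "dest_port": 443},
]


def find_injected_svchost_egress(events):
    """Return one hit per outbound connection from an svchost.exe that
    (a) was not started by services.exe, (b) later had a remote thread
    created in it by another process, and (c) then connected outbound.
    Events must be in chronological order; earlier stages gate later ones."""
    untrusted_parent = set()   # svchost pids with an unexpected parent
    injected = set()           # subset that also received a remote thread
    hits = []
    for ev in events:
        if ev["id"] == 1 and ev["image"].lower().endswith("\\svchost.exe"):
            if ev["parent_image"].lower() not in TRUSTED_SVCHOST_PARENTS:
                untrusted_parent.add(ev["pid"])
        elif ev["id"] == 8 and ev["target_pid"] in untrusted_parent:
            # A thread a process creates in itself is not injection.
            if ev["source_pid"] != ev["target_pid"]:
                injected.add(ev["target_pid"])
        elif ev["id"] == 3 and ev["pid"] in injected:
            hits.append({"pid": ev["pid"],
                         "dest": f"{ev['dest_ip']}:{ev['dest_port']}"})
    return hits


if __name__ == "__main__":
    for hit in find_injected_svchost_egress(SAMPLE_EVENTS):
        print("injected svchost with egress:", hit)
```

Feeding the same logic the events in a different order, or without the network event, produces no hit, which is the intended behaviour: the signal is the full chain, not any one stage.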
Mitigation priorities
- Harden and monitor Windows endpoints with emphasis on behavioral visibility for process execution, PowerShell, DLL loading/injection, and outbound connections.
- Restrict and govern PowerShell use according to administrative need, and ensure logging is enabled where operationally feasible.
- Control outbound network paths and proxy usage so unauthorized proxy-like communication is easier to identify and investigate.
- Use least privilege and application control concepts where appropriate to reduce opportunities for unauthorized code execution and injection.
- Prepare IR playbooks that connect host triage with network egress review, since SOCKS proxy abuse can make command-and-control investigations depend on both data sources.
Analyst notes and limits
The strongest decision value comes from the relationship context: Socksbot is a Windows backdoor associated with proxy abuse and mapped to execution, stealth/privilege-escalation, discovery, command-and-control, and collection techniques. Glexia should treat this as a coverage-validation object: confirm whether the client can observe and investigate the behaviors ATT&CK links to the malware.
The official ATT&CK object is sparse: tactics are not specified for the malware object, aliases and labels are not provided, and official detection guidance is not provided. The summary is therefore constrained to the supplied description, external reference, platform, and stated relationships. Local environment evidence is required before making claims about exposure, compromise, or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1055.001 | Dynamic-link Library Injection | Socksbot creates a suspended svchost process and injects its DLL into it. [1] |
| Enterprise | T1059.001 | PowerShell | Socksbot can write and execute PowerShell scripts. [1] |
| Enterprise | T1090 | Proxy | Socksbot can start SOCKS proxy threads. [1] |
| Enterprise | T1113 | Screen Capture | Socksbot can take screenshots. [1] |
| Enterprise | T1057 | Process Discovery | Socksbot can list all running processes. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | cdc2315d89fd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] TrendMicro Patchwork Dec 2017: Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- [2] Socksbot (Citation: TrendMicro Patchwork Dec 2017)
- [3] mitre-attack: S0273
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.