THREAT OPS › Threat News › Finding SOCKS with Proxywatch
Finding SOCKS with Proxywatch
<p class="wp-block-paragraph"><em><strong>TL;DR: </strong>Adversaries use SOCKS proxy tunnels to pivot within environments and to execute code against compromised systems without bringing tools to the system. Defenders often lack reliable guidance to detect proxying behavior, falling back to preset rules based on static indicators or process-port baselines. This blog post highlights <a href="https
Attributed threat actors
MITRE ATT&CK techniques
Indicators of compromise
- https://www.bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdfurl
- https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/#h-socks-tunneling-with-chiselurl
- https://www.cybereason.com/blog/sliver-c2-leveraged-by-many-threat-actorsurl
- https://thedfirreport.com/2024/12/02/the-curious-case-of-an-egg-cellent-resume/#case-summaryurl
- https://blog.yaxser.io/blue/detecting-cobalt-strike-fork-and-runurl
- https://trustedsec.com/blog/the-socks-we-have-at-homeurl
- http://reg.pyurl
- http://ifconfig.meurl
Original source: https://specterops.io/blog/2026/07/09/finding-socks-with-proxywatch/