Proxy Information
Overview
Evidence: Proxy List
Description: Collect Information About Proxy List
Category: System
Platform: Windows
Short Name: prxy
Is Parsed: Yes - Registry proxy settings extracted
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows stores HTTP proxy configuration in the registry. Proxy settings control how Windows and Internet Explorer route HTTP/HTTPS traffic through proxy servers.
Proxy configuration can indicate normal corporate policy or malicious proxy settings used for traffic interception or C2 communication.
Data Collected
Proxy information is included in the System collector output:
ProxyEnabled: Whether proxy is enabled (example: FALSE)
ProxyAddress: Proxy server address and port (example: proxy.corp.local:8080)
Collection Method
This evidence is collected as part of the System collector by reading:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings - ProxyEnable value
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings - ProxyServer value
Usage
Proxy configuration reveals network traffic routing and can indicate traffic interception. Investigators use this data to verify legitimate proxy usage, detect malicious proxy configurations, identify traffic interception attempts, correlate with network traffic patterns, and detect C2 proxy usage.
Known Limitations
Only shows current user's proxy settings
System-wide or Group Policy proxies may not be captured
Doesn't show proxy bypass list
Application-specific proxies not included
Notes
Unexpected proxy servers, especially localhost proxies, can indicate malware intercepting traffic. Correlation with browser artifacts and network connections is important.
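A triage sketch for the check described above, added here as an example and not part of the collector or product: it parses a collected ProxyAddress string (both the single "host:port" form and the per-protocol "http=...;https=..." form that the ProxyServer value can hold) and flags loopback or unlisted proxies. The function names, the allow-list and the sample records are assumptions constructed for illustration.

```python
import ipaddress

def parse_proxy_server(value):
    """Parse a ProxyServer string into {scheme: (host, port)}.

    Accepts "host:port" (applies to all protocols) and the per-protocol
    form "http=host:port;https=host:port".
    """
    entries = {}
    for part in filter(None, (p.strip() for p in value.split(";"))):
        scheme, sep, target = part.partition("=")
        if not sep:
            scheme, target = "all", part
        target = target.split("://", 1)[-1]   # tolerate "http://host:port"
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():    # no port present
            host, port = target, ""
        entries[scheme.strip().lower()] = (host.strip("[]").lower(), int(port) if port else None)
    return entries

def is_loopback(host):
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False              # a hostname, not an IP literal

def triage(proxy_enabled, proxy_address, allowed_hosts=()):
    """Return findings for one collected ProxyEnabled/ProxyAddress pair."""
    state = "active" if str(proxy_enabled).strip().upper() in ("TRUE", "1") else "disabled"
    findings = []
    for scheme, (host, port) in parse_proxy_server(proxy_address or "").items():
        if is_loopback(host):
            kind = "loopback proxy"
        elif host not in allowed_hosts:
            kind = "unexpected proxy"
        else:
            continue
        findings.append(f"{kind} ({state}): {scheme} -> {host}:{port}")
    return findings

if __name__ == "__main__":
    # Constructed sample records; ALLOWED is a hypothetical allow-list.
    ALLOWED = ("proxy.corp.local",)
    for rec in [("TRUE", "proxy.corp.local:8080"),
                ("TRUE", "http=127.0.0.1:8888;https=127.0.0.1:8888"),
                ("FALSE", "localhost:3128")]:
        print(rec, triage(*rec, allowed_hosts=ALLOWED))
```

A disabled entry is still reported because a leftover ProxyServer value can remain after the proxy was switched off; any finding should be correlated with browser artifacts and network connections as noted above.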