Connection Proxy Created - Windows

Anvilogic Forge

Summary
This detection rule monitors the creation of proxy connections on Windows endpoints, focusing on internal proxies that adversaries use to relay command and control (C2) communications. An internal proxy reduces the number of outbound network connections, adds resiliency when a connection is interrupted, and lets traffic ride on already established, trusted communication paths, all of which help hide malicious activity from detection mechanisms. The detection keys on Windows command-line activity involving the 'portproxy' feature. The technique is associated with the threat actor group Volt Typhoon, which uses it to obscure the true destination of C2 traffic. Detection is achieved by querying EDR logs for processes that create proxy connections within the last two hours and filtering on the specific command-line patterns that indicate proxy setup.
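The following is an added, illustrative implementation of the detection logic described above; it is not Anvilogic's rule and not the query the Forge content ships. It assumes EDR process events as simple dictionaries with `timestamp`, `host`, `user`, `process` and `command_line` fields (a constructed schema), and a fixed reference time so the two-hour window is reproducible. The 'portproxy' feature is exposed through the built-in Windows `netsh` utility, which accepts abbreviated context names (`int` for `interface`), so the pattern tolerates both forms and ignores `show` or `delete` verbs that do not create a proxy. The sample events are constructed, not real telemetry.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample EDR process events (not real telemetry). Timestamps are ISO-8601 UTC.
SAMPLE_EVENTS = [
    {"timestamp": "2024-02-09T10:05:00Z", "host": "WS-01", "user": "alice",
     "process": "netsh.exe",
     "command_line": "netsh interface portproxy add v4tov4 listenport=9999 "
                     "listenaddress=0.0.0.0 connectport=443 connectaddress=10.0.0.5"},
    # Inspecting existing proxies is not a creation event and should not alert.
    {"timestamp": "2024-02-09T10:06:00Z", "host": "WS-01", "user": "alice",
     "process": "netsh.exe",
     "command_line": "netsh int portproxy show all"},
    # Same creation pattern but outside the two-hour window relative to REFERENCE_NOW.
    {"timestamp": "2024-02-09T05:00:00Z", "host": "WS-02", "user": "bob",
     "process": "netsh.exe",
     "command_line": "netsh interface portproxy add v4tov4 listenport=8080 "
                     "connectaddress=192.0.2.10 connectport=80"},
    # Creation launched through cmd.exe, using the v6tov4 variant.
    {"timestamp": "2024-02-09T11:30:00Z", "host": "WS-03", "user": "carol",
     "process": "cmd.exe",
     "command_line": "cmd.exe /c netsh interface portproxy add v6tov4 listenport=4444 "
                     "connectaddress=10.0.0.7 connectport=443"},
    {"timestamp": "2024-02-09T11:40:00Z", "host": "WS-04", "user": "dave",
     "process": "powershell.exe",
     "command_line": "powershell.exe Get-Process"},
]

# Match only the proxy *creation* verb: "portproxy ... add v4tov4|v4tov6|v6tov4|v6tov6".
# Word boundaries keep "listenaddress" from matching "add"; IGNORECASE handles mixed casing.
PORTPROXY_ADD = re.compile(r"\bportproxy\b.*\badd\b\s+v[46]tov[46]\b", re.IGNORECASE)

# netsh arguments are key=value tokens; capture them for triage context.
KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def parse_ts(value):
    """Parse the constructed ISO-8601 UTC timestamp format into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Fixed "now" so the two-hour look-back is deterministic (assumption for the example).
REFERENCE_NOW = parse_ts("2024-02-09T12:00:00Z")


def is_portproxy_creation(command_line):
    """True when the command line creates a portproxy listener."""
    return bool(PORTPROXY_ADD.search(command_line or ""))


def extract_proxy_params(command_line):
    """Return listen/connect parameters as a lowercase-keyed dict for analyst triage."""
    return {k.lower(): v for k, v in KEY_VALUE.findall(command_line or "")}


def find_proxy_creations(events, now=REFERENCE_NOW, window=timedelta(hours=2)):
    """Apply the rule: proxy-creation command lines seen within the look-back window."""
    cutoff = now - window
    hits = []
    for ev in events:
        ts = parse_ts(ev["timestamp"])
        if ts < cutoff or ts > now:
            continue  # outside the last-two-hours window
        if not is_portproxy_creation(ev["command_line"]):
            continue
        hits.append({
            "timestamp": ev["timestamp"],
            "host": ev["host"],
            "user": ev["user"],
            "process": ev["process"],
            "params": extract_proxy_params(ev["command_line"]),
            "technique": "T1090.001",
        })
    return hits


if __name__ == "__main__":
    for hit in find_proxy_creations(SAMPLE_EVENTS):
        print(hit["timestamp"], hit["host"], hit["user"], hit["params"])
```

Run against the constructed events, the rule fires twice (WS-01 and WS-03): the `show all` inspection and the event outside the window are ignored. In production the same matching would run as a query over the EDR process data source rather than in a Python loop, and the captured `listenport`/`connectaddress` values are what an analyst would pivot on to see where the relayed traffic is headed.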
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Application Log
ATT&CK Techniques
  • T1090.001
Created: 2024-02-09