New Port Forwarding Rule Added Via Netsh.EXE

 1title: New Port Forwarding Rule Added Via Netsh.EXE
 2id: 322ed9ec-fcab-4f67-9a34-e7c6aef43614
 3status: test
 4description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
 5references:
 6    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 7    - https://adepts.of0x.cc/netsh-portproxy-code/
 8    - https://www.dfirnotes.net/portproxy_detection/
 9author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel
10date: 2019/01/29
11modified: 2023/09/01
12tags:
13    - attack.lateral_movement
14    - attack.defense_evasion
15    - attack.command_and_control
16    - attack.t1090
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_img:
22        - Image|endswith: '\netsh.exe'
23        - OriginalFileName: 'netsh.exe'
24    selection_cli_1:
25        CommandLine|contains|all:
26            - 'interface'
27            - 'portproxy'
28            - 'add'
29            - 'v4tov4'
30    selection_cli_2:
31        CommandLine|contains|all:
32            # Example: netsh I p a v l=8001 listena=127.0.0.1 connectp=80 c=192.168.1.1
33            - 'i ' # interface
34            - 'p ' # portproxy
35            - 'a ' # add
36            - 'v ' # v4tov4
37    selection_cli_3:
38        CommandLine|contains|all:
39            - 'connectp'
40            - 'listena'
41            - 'c='
42    condition: selection_img and 1 of selection_cli_*
43falsepositives:
44    - Legitimate administration activity
45    - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
46level: medium

References

• Bypassing Network Restrictions Through RDP Tunneling | Mandiant

  

  Remote Desktop Services is a component of Microsoft Windows that is used by various companies for the convenience it offers systems administrators, engineers and remote employees. On the other hand...

  
  Read More

• Don't use commands, use code: the tale of Netsh & PortProxy |

  

  Understanding how netsh & portproxy works and how to implement it on our own code

  
  Read More

• Port Proxy detection

  How can we see port proxy configurations in DFIR?

  
  Read More

Related rules

• RDP Port Forwarding Rule Added Via Netsh.EXE
• RDP over Reverse SSH Tunnel WFP
• WannaCry Ransomware Activity
• Audit CVE Event
• Communication To Ngrok Tunneling Service - Linux