New Port Forwarding Rule Added Via Netsh.EXE

Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule

Sigma rule

title: New Port Forwarding Rule Added Via Netsh.EXE
id: 322ed9ec-fcab-4f67-9a34-e7c6aef43614
status: test
description: Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule
references:
    - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
    - https://adepts.of0x.cc/netsh-portproxy-code/
    - https://www.dfirnotes.net/portproxy_detection/
author: Florian Roth (Nextron Systems), omkar72, oscd.community, Swachchhanda Shrawan Poudel
date: 2019-01-29
modified: 2023-09-01
tags:
    - attack.lateral-movement
    - attack.command-and-control
    - attack.t1090
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli_1:
        CommandLine|contains|all:
            - 'interface'
            - 'portproxy'
            - 'add'
            - 'v4tov4'
    selection_cli_2:
        CommandLine|contains|all:
            # Example: netsh I p a v l=8001 listena=127.0.0.1 connectp=80 c=192.168.1.1
            - 'i ' # interface
            - 'p ' # portproxy
            - 'a ' # add
            - 'v ' # v4tov4
    selection_cli_3:
        CommandLine|contains|all:
            - 'connectp'
            - 'listena'
            - 'c='
    condition: selection_img and 1 of selection_cli_*
falsepositives:
    - Legitimate administration activity
    - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
level: medium
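To show how the three CommandLine groups and the OR-ed image selection combine, the following Python re-implements the rule's detection logic and runs it over a handful of constructed process_creation events. This is an added example, not code from the Sigma project or the rule authors; the events are made up, and Sigma's default case-insensitive `contains` semantics are assumed.

```python
def _ci(value):
    """Sigma string modifiers are case-insensitive by default, so normalise."""
    return (value or "").lower()

def selection_img(ev):
    # A list under a selection is OR-ed: Image|endswith OR OriginalFileName.
    return (_ci(ev.get("Image")).endswith("\\netsh.exe")
            or _ci(ev.get("OriginalFileName")) == "netsh.exe")

# Each CommandLine|contains|all group fires only if every needle is present.
CLI_GROUPS = {
    "selection_cli_1": ["interface", "portproxy", "add", "v4tov4"],
    "selection_cli_2": ["i ", "p ", "a ", "v "],  # netsh's abbreviated syntax
    "selection_cli_3": ["connectp", "listena", "c="],
}

def matched_cli_groups(ev):
    cmdline = _ci(ev.get("CommandLine"))
    return [name for name, needles in CLI_GROUPS.items()
            if all(n in cmdline for n in needles)]

def matches(ev):
    # condition: selection_img and 1 of selection_cli_*
    return selection_img(ev) and bool(matched_cli_groups(ev))

def alerts(events):
    """Return (index, matched groups) for every event the rule would flag."""
    return [(i, matched_cli_groups(ev)) for i, ev in enumerate(events) if matches(ev)]

# Constructed process_creation events (not real telemetry).
NETSH = {"Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe"}
EVENTS = [
    {**NETSH, "CommandLine": "netsh interface portproxy add v4tov4 listenport=3389 "
                             "listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.0.5"},
    # Abbreviated form from the rule's own comment: only selection_cli_2/3 catch it.
    {**NETSH, "CommandLine": "netsh I p a v l=8001 listena=127.0.0.1 connectp=80 c=192.168.1.1"},
    # Listing existing rules is not an 'add' and must not alert.
    {**NETSH, "CommandLine": "netsh interface portproxy show all"},
    # Renamed binary: Image no longer ends in netsh.exe, OriginalFileName still does.
    {"Image": r"C:\Tools\renamed.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": "renamed.exe interface portproxy add v4tov4 listenport=8080 connectport=80"},
    # Same words in another process: selection_img fails, so no alert.
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd /c echo interface portproxy add v4tov4"},
]

if __name__ == "__main__":
    for idx, groups in alerts(EVENTS):
        print(f"ALERT event {idx}: {EVENTS[idx]['CommandLine']!r} via {groups}")
```

The renamed-binary event is why the rule checks OriginalFileName alongside the image path; the `show all` event illustrates that enumeration of existing PortProxy rules is deliberately outside the rule's scope.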
