New PortProxy Registry Entry Added
Detects the modification of the PortProxy registry key which is used for port forwarding.
Sigma rule (View on GitHub)
1title: New PortProxy Registry Entry Added
2id: a54f842a-3713-4b45-8c84-5f136fdebd3c
3status: test
4description: Detects the modification of the PortProxy registry key which is used for port forwarding.
5references:
6 - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
7 - https://adepts.of0x.cc/netsh-portproxy-code/
8 - https://www.dfirnotes.net/portproxy_detection/
9author: Andreas Hunkeler (@Karneades)
10date: 2021/06/22
11modified: 2024/03/25
12tags:
13 - attack.lateral_movement
14 - attack.defense_evasion
15 - attack.command_and_control
16 - attack.t1090
17logsource:
18 category: registry_event
19 product: windows
20detection:
21 selection:
22 # Example: HKLM\System\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/1337
23 TargetObject|contains: '\Services\PortProxy\v4tov4\tcp\'
24 condition: selection
25falsepositives:
26 - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
27 - Synergy Software KVM (https://symless.com/synergy)
28level: medium
References
-
Remote Desktop Services is a component of Microsoft Windows that is used by various companies for the convenience it offers systems administrators, engineers and remote employees. On the other hand...
Read More -
-
Related rules
- New Port Forwarding Rule Added Via Netsh.EXE
- RDP Port Forwarding Rule Added Via Netsh.EXE
- RDP over Reverse SSH Tunnel WFP
- Outbound Network Connection To Public IP Via Winlogon
- RDP Over Reverse SSH Tunnel