← Back to Explore
sigmamediumHunting
New PortProxy Registry Entry Added
Detects the modification of the PortProxy registry key which is used for port forwarding.
Detection Query
selection:
TargetObject|contains: \Services\PortProxy\v4tov4\tcp\
condition: selection
Author
Andreas Hunkeler (@Karneades)
Created
2021-06-22
Data Sources
windowsRegistry Events
Platforms
windows
References
Tags
attack.lateral-movementattack.defense-evasionattack.command-and-controlattack.t1090
Raw Content
title: New PortProxy Registry Entry Added
id: a54f842a-3713-4b45-8c84-5f136fdebd3c
status: test
description: Detects the modification of the PortProxy registry key which is used for port forwarding.
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
- https://adepts.of0x.cc/netsh-portproxy-code/
- https://www.dfirnotes.net/portproxy_detection/
author: Andreas Hunkeler (@Karneades)
date: 2021-06-22
modified: 2024-03-25
tags:
- attack.lateral-movement
- attack.defense-evasion
- attack.command-and-control
- attack.t1090
logsource:
category: registry_event
product: windows
detection:
selection:
# Example: HKLM\System\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/1337
TargetObject|contains: '\Services\PortProxy\v4tov4\tcp\'
condition: selection
falsepositives:
- WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
- Synergy Software KVM (https://symless.com/synergy)
level: medium