Detects changes made to the registry key as a result of the Netsh.exe abuse. Adversaries use the Netsh command to create a PortProxy registry modification on a compromised device to enable traffic redirection through proxies to C2 server.
Example:
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\PortProxy\\v4tov4 \\cp\\0.0.0.0/49275 | {<Attacker IP>}/<Port number>.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4 tov4
Related
LOLBINs
Reference:
https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/identifying-and-mitigating-living-off-the-land-techniques
https://github.com/SigmaHQ/sigma/blob/49adcf9a00247ed6c3daacba03b589470f6716d0/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml#L22
https://github.com/redcanaryco/atomic-red-team/blob/ac9e63e872223cb2fe2655fe5ab156044cba4f79/atomics/T1090.001/T1090.001.md?plain=1#L13
{{ mitre("T1562.001")}}
Data Source(s): Windows Registry
let selection_cli_1 = dynamic(['PortProxy', 'HKLM']);
DeviceRegistryEvents
| where InitiatingProcessFolderPath endswith @"\netsh.exe" and InitiatingProcessVersionInfoOriginalFileName == "netsh.exe"
| where RegistryKey has_all (selection_cli_1)
- Inspect the modified registry key and the IP address that has been used.
- Confirm with user if the activity was expected and approved.
- Legitimate administration activity
Version 1.0 (date: 20/03/2024)