valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
c01ec60e7d
SigmaHQ/rules/windows/registry_event/win_portproxy_registry_key.yml

27 lines
1.1 KiB
YAML
Raw Normal View History

rule: add port proxy registry rule and add references
2021-06-22 06:16:56 +00:00
title: PortProxy Registry Key
id: a54f842a-3713-4b45-8c84-5f136fdebd3c
status: experimental
description: Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml.
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
- https://adepts.of0x.cc/netsh-portproxy-code/
- https://www.dfirnotes.net/portproxy_detection/
date: 2021/06/22
tags:
- attack.lateral_movement
- attack.defense_evasion
- attack.command_and_control
- attack.t1090
author: Andreas Hunkeler (@Karneades)
logsource:
category: registry_event
product: windows
detection:
selection_registry:
TargetObject: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
condition: selection_registry
falsepositives:
Add fp note to PortProxy rules
2021-06-24 09:21:29 +00:00
- WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723)
Add Synergy as possible FP for PortProxy key
2021-06-28 10:10:16 +00:00
- Synergy Software KVM (https://symless.com/synergy)
rule: add port proxy registry rule and add references
2021-06-22 06:16:56 +00:00
level: medium
Reference in New Issue Copy Permalink