Windows.Registry.PortProxy

This artifact will return any items in the Windows PortProxy service registry path. The most common way to configure this service is via the LOLBin netsh.exe. Metasploit and other common attack tools also have configuration modules.


name: Windows.Registry.PortProxy
description: |
    This artifact will return any items in the Windows PortProxy service
    registry path. The most common configuration of this service is via the
    LOLBin `netsh.exe`. Metasploit and other common attack tools also have
    configuration modules.

reference:
  - Port Proxy detection (http://www.dfirnotes.net/portproxy_detection/)
  - ATT&CK T1090 - Connection Proxy (https://attack.mitre.org/techniques/T1090/) \
    Adversaries may use a connection proxy to direct network traffic between
    systems or act as an intermediary for network communications to a command
    and control server to avoid direct connections to their infrastructure.

author: Matt Green - @mgreen27

precondition: SELECT OS From info() where OS = 'windows'

parameters:
 - name: KeyGlob
   default: HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\services\PortProxy\**

sources:
 - name: PortProxy
   query: |
     SELECT OSPath,
         OSPath[-3] AS ProxyType,
         OSPath[-2] AS Protocol,
         regex_replace(source=OSPath.Basename, re="/", replace=":") as Listening,
         regex_replace(source=Data.value, re="/", replace=":") as Destination,
         Mtime as ModifiedTime,
         Type
       FROM glob(globs=KeyGlob, accessor="registry")
       WHERE Type


reports:
  - type: CLIENT
    template: |

      Port Forwarding: PortProxy
      ==========================
      {{ .Description }}

      {{ define "report" }}
         LET report = SELECT Protocol,
            ProxyType,
            Listening,
            Destination,
            ModifiedTime,
            ProxyType + Protocol + Listening + Destination as ServiceKey
         FROM source(source='PortProxy')
         GROUP BY ServiceKey
      {{ end }}

      {{ Query "report"  "SELECT ProxyType, Protocol, Listening, Destination, ModifiedTime FROM report" | Table }}

  - type: HUNT
    template: |

      Port Forwarding: PortProxy
      ==========================
      {{ .Description }}

      {{ define "report" }}
         LET report = SELECT Fqdn,
            Protocol,
            ProxyType,
            Listening,
            Destination,
            ModifiedTime,
            ProxyType + Protocol + Listening + Destination as ServiceKey
         FROM source(source='PortProxy')
         GROUP BY ServiceKey
      {{ end }}

      {{ Query "report"  "SELECT Fqdn, ProxyType, Protocol, Listening, Destination, ModifiedTime FROM report" | Table }}
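The same parsing outside Velociraptor, as an added Python example that is not part of the artifact: it reads constructed `reg query ... /s` output for the PortProxy key, turns the `<address>/<port>` value names and data into the artifact's `Listening` and `Destination` columns the way the VQL's `regex_replace` does, and collapses the same listener seen under several control sets as the report's `GROUP BY ServiceKey` does. The sample output and the two regexes are assumptions about the `reg query` text format.

```python
import re
from typing import Dict, List

# Constructed sample of `reg query ... /s` output for the PortProxy key. The first
# listener appears under two control sets, as the artifact's *ControlSet* glob would return it.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp
    0.0.0.0/8080    REG_SZ    10.0.0.5/443

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PortProxy\v4tov4\tcp
    0.0.0.0/8080    REG_SZ    10.0.0.5/443
    127.0.0.1/3389    REG_SZ    192.0.2.10/3389
"""

# Key lines end in \PortProxy\<ProxyType>\<Protocol>, i.e. OSPath[-3] and OSPath[-2] in the VQL.
KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\services\\PortProxy"
    r"\\(?P<proxytype>[^\\]+)\\(?P<protocol>[^\\]+)$", re.IGNORECASE)
# Value lines: <listenaddr>/<listenport>  REG_SZ  <connectaddr>/<connectport>
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>\S+)\s*$")

def parse_portproxy(text: str) -> List[Dict[str, str]]:
    """Turn reg-query text into rows carrying the artifact's column names."""
    rows: List[Dict[str, str]] = []
    proxytype = protocol = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):  # a key line resets the current context
            key = KEY_RE.match(line)
            proxytype, protocol = (key["proxytype"], key["protocol"]) if key else (None, None)
            continue
        val = VALUE_RE.match(line)
        if val and proxytype:  # only values directly under a PortProxy <type>\<proto> key
            rows.append({
                "ProxyType": proxytype,
                "Protocol": protocol,
                # Same transformation as regex_replace(re="/", replace=":") in the VQL.
                "Listening": val["name"].replace("/", ":"),
                "Destination": val["data"].replace("/", ":"),
            })
    return rows

def unique_services(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Collapse duplicates across control sets, like the report's GROUP BY ServiceKey."""
    seen: Dict[str, Dict[str, str]] = {}
    for row in rows:
        service_key = row["ProxyType"] + row["Protocol"] + row["Listening"] + row["Destination"]
        seen.setdefault(service_key, row)
    return list(seen.values())
```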