Windows.Registry.PortProxy

This artifact will return any items in the Windows PortProxy service registry path. The most common configuration of this service is via the lolbin netsh.exe; Metasploit and other common attack tools also have configuration modules.


name: Windows.Registry.PortProxy
description: |
    This artifact will return any items in the Windows PortProxy service
    registry path. The most common configuration of this service is via the
    lolbin netsh.exe; Metasploit and other common attack tools also have
    configuration modules.

reference:
  - Port Proxy detection (http://www.dfirnotes.net/portproxy_detection/)
  - ATT&CK T1090 - Connection Proxy (https://attack.mitre.org/techniques/T1090/)
    Adversaries may use a connection proxy to direct network traffic between
    systems or act as an intermediary for network communications to a command
    and control server to avoid direct connections to their infrastructure.

author: Matt Green - @mgreen27

precondition: SELECT OS From info() where OS = 'windows'

parameters:
 - name: KeyGlob
   default: HKEY_LOCAL_MACHINE\SYSTEM\*ControlSet*\services\PortProxy\**

sources:
 - name: PortProxy
   query: |
     SELECT OSPath,
         OSPath[-3] AS ProxyType,
         OSPath[-2] AS Protocol,
         regex_replace(source=OSPath.Basename, re="/", replace=":") as Listening,
         regex_replace(source=Data.value, re="/", replace=":") as Destination,
         Mtime as ModifiedTime,
         Type
       FROM glob(globs=KeyGlob, accessor="registry")
       WHERE Type


reports:
  - type: CLIENT
    template: |

      Port Forwarding: PortProxy
      ==========================
      {{ .Description }}

      {{ define "report" }}
         LET report = SELECT Protocol,
            ProxyType,
            Listening,
            Destination,
            ModifiedTime,
            ProxyType + Protocol + Listening + Destination as ServiceKey
         FROM source(source='PortProxy')
         GROUP BY ServiceKey
      {{ end }}

      {{ Query "report"  "SELECT ProxyType, Protocol, Listening, Destination, ModifiedTime FROM report" | Table }}

  - type: HUNT
    template: |

      Port Forwarding: PortProxy
      ==========================
      {{ .Description }}

      {{ define "report" }}
         LET report = SELECT Fqdn,
            Protocol,
            ProxyType,
            Listening,
            Destination,
            ModifiedTime,
            ProxyType + Protocol + Listening + Destination as ServiceKey
         FROM source(source='PortProxy')
         GROUP BY ServiceKey
      {{ end }}

      {{ Query "report"  "SELECT Fqdn, ProxyType, Protocol, Listening, Destination, ModifiedTime FROM report" | Table }}
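The PortProxy source query above derives every column from the position of a value inside the registry path: OSPath[-3] is the proxy type, OSPath[-2] the protocol, the basename the listening address and port, and Data the destination, with the "/" separator that netsh writes rewritten to ":". The following Python, added here as an illustration and not part of the artifact or of Velociraptor, performs the same derivation offline over constructed registry entries (no real host data) and applies the report's GROUP BY ServiceKey so that the same rule seen under ControlSet001 and CurrentControlSet is listed once. The `WHERE Type` filter that drops plain keys is modelled, as an assumption about the accessor's output, by skipping entries that carry no value type.

```python
"""Derive PortProxy forwarding rules from registry value paths the way the
artifact's VQL does (added example; not Velociraptor code)."""
from collections import OrderedDict

# Constructed sample input, not taken from any real system:
# (registry value path, value data, value type, modification time).
# The first rule appears under two control sets, which the report's
# GROUP BY ServiceKey collapses into a single row.
SAMPLE_ENTRIES = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp\0.0.0.0/8080",
     "10.0.0.5/443", "REG_SZ", "2024-01-15T10:22:31Z"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\PortProxy\v4tov4\tcp\0.0.0.0/8080",
     "10.0.0.5/443", "REG_SZ", "2024-01-15T10:22:31Z"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp\127.0.0.1/3389",
     "192.168.1.20/3389", "REG_SZ", "2024-02-01T08:05:00Z"),
    # A key rather than a value, also matched by the ** glob: no value type,
    # so it is discarded like the artifact's WHERE Type does (assumed model).
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PortProxy\v4tov4\tcp",
     None, None, "2024-01-15T10:22:31Z"),
]


def parse_portproxy_value(path, data, value_type, mtime):
    """Mirror the source query's column derivation for one registry value.

    path components: ...\PortProxy\<ProxyType>\<Protocol>\<listen addr>/<port>
    data:            <destination addr>/<port>
    Returns None for rows the VQL's WHERE Type filter would discard.
    """
    if not value_type:
        return None
    parts = path.split("\\")
    if len(parts) < 3:
        return None
    return {
        "ProxyType": parts[-3],                      # OSPath[-3]
        "Protocol": parts[-2],                       # OSPath[-2]
        "Listening": parts[-1].replace("/", ":"),    # regex_replace on Basename
        "Destination": (data or "").replace("/", ":"),  # regex_replace on Data.value
        "ModifiedTime": mtime,
        "Type": value_type,
    }


def portproxy_report(entries):
    """Apply the report's GROUP BY ServiceKey: one row per distinct rule,
    keeping the first occurrence in input order."""
    rows = OrderedDict()
    for path, data, value_type, mtime in entries:
        row = parse_portproxy_value(path, data, value_type, mtime)
        if row is None:
            continue
        service_key = row["ProxyType"] + row["Protocol"] + row["Listening"] + row["Destination"]
        rows.setdefault(service_key, row)
    return list(rows.values())


if __name__ == "__main__":
    for row in portproxy_report(SAMPLE_ENTRIES):
        print(f"{row['ProxyType']:7} {row['Protocol']:4} "
              f"{row['Listening']:>16} -> {row['Destination']:<18} {row['ModifiedTime']}")
```

Any row this produces on a host is worth examining: PortProxy has no legitimate default entries on most workstations, so a populated key usually reflects deliberate configuration, and the ModifiedTime column gives the time frame to pivot into other sources for.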