Unusual Netsh PortProxy rule

Cortex XDR Analytics Alert Reference by data source

Product: Cortex XDR
Last date published: 2024-12-03
Category: Analytics Alert Reference
Order: data source

Synopsis

Activation Period: 14 Days

Training Period: 30 Days

Test Period: N/A (single event)

Deduplication Period: 1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Severity: Low

Description

Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling).

Attacker's Goals

Add or delete netsh forwarding rules to proxy traffic and to avoid possible detection.

Investigative actions

  • Check the connect address and whether it is a known IP/domain.
  • Check whether the causality group owner (CGO) process is benign, and whether this was desired behavior as part of its normal execution flow.

Variations

Unusual Netsh PortProxy rule by non-netsh process

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity: Medium

Description

Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling).

Attacker's Goals

Add or delete netsh forwarding rules to proxy traffic and to avoid possible detection.

Investigative actions

  • Check the connect address and whether it is a known IP/domain.
  • Check whether the causality group owner (CGO) process is benign, and whether this was desired behavior as part of its normal execution flow.


Unusual Netsh PortProxy rule by an unsigned causality actor

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity: Medium

Description

Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling).

Attacker's Goals

Add or delete netsh forwarding rules to proxy traffic and to avoid possible detection.

Investigative actions

  • Check the connect address and whether it is a known IP/domain.
  • Check whether the causality group owner (CGO) process is benign, and whether this was desired behavior as part of its normal execution flow.
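
The investigative actions listed for this alert and its variations start from the rule's connect address and the CGO process. The following Python is an added example, not part of the Cortex XDR reference or the product's own logic: it parses netsh portproxy command lines and buckets each connect address for triage. The event field names (`cgo`, `cmdline`), the approved-target list and the internal ranges are assumptions, the sample events are constructed, and only `name=value` arguments are handled.

```python
import ipaddress

# Assumptions (constructed): approved forwarding targets and internal ranges.
KNOWN_TARGETS = {"10.20.0.15", "jump01.corp.example"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_portproxy(cmdline):
    """Parse a 'netsh interface portproxy add|set|delete' line; None for anything else."""
    tokens = cmdline.lower().split()
    rest = tokens[tokens.index("portproxy") + 1:] if "portproxy" in tokens else []
    if len(rest) < 2 or rest[0] not in ("add", "set", "delete"):
        return None
    rule = {"action": rest[0], "family": rest[1]}
    for tok in rest[2:]:
        key, sep, value = tok.partition("=")
        if sep:  # keep only name=value arguments such as connectaddress=...
            rule[key] = value.strip('"')
    return rule

def classify_target(addr):
    """Bucket a connectaddress so the analyst sees what needs a closer look."""
    if addr is None:
        return "none"  # delete rules carry no connectaddress
    if addr in KNOWN_TARGETS:
        return "known"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown-hostname"  # not an IP literal: resolve and review
    if ip.is_loopback:
        return "loopback"
    return "unknown-internal" if any(ip in n for n in INTERNAL_NETS) else "unknown-external"

def triage(events):
    """Return (cgo, action, listen, connect, verdict) for each portproxy event."""
    out = []
    for ev in events:
        rule = parse_portproxy(ev["cmdline"])
        if rule:
            listen = f'{rule.get("listenaddress", "*")}:{rule.get("listenport", "?")}'
            target = rule.get("connectaddress")
            out.append((ev["cgo"], rule["action"], listen, target, classify_target(target)))
    return out

SAMPLE_EVENTS = [  # constructed events; "cgo" and "cmdline" are hypothetical field names
    {"cgo": "deploy_agent.exe", "cmdline": "netsh interface portproxy add v4tov4 listenport=8443 listenaddress=0.0.0.0 connectport=443 connectaddress=10.20.0.15"},
    {"cgo": "powershell.exe", "cmdline": r"C:\Windows\System32\netsh.exe interface portproxy add v4tov4 listenport=8080 connectport=80 connectaddress=203.0.113.10"},
    {"cgo": "cmd.exe", "cmdline": "netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0"},
]
```

Calling `triage(SAMPLE_EVENTS)` returns one row per rule change; rows whose verdict starts with `unknown` are the ones to follow up with the CGO check.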