Windows Port Forwarding Rule Addition via Registry Modification
This alert detects the creation of a new port forwarding rule in the Windows Registry, a technique used by attackers to bypass network segmentation and establish internal proxies for command and control or lateral movement.
This detection identifies the creation of new port forwarding rules within the Windows Registry. Adversaries may exploit this to bypass network segmentation, effectively using a compromised host as a jump box to access systems that were previously unreachable. This is achieved by modifying the HKLM\SYSTEM\*ControlSet*\Services\PortProxy\v4tov4\ registry subkeys to redirect TCP connections. The rule is based on Elastic's detection rule "Port Forwarding Rule Addition", updated as of April 7, 2026, and leverages EQL to detect these registry modifications. This technique allows attackers to establish internal proxies and tunnels, facilitating command and control activities and lateral movement within the compromised network.
Attack Chain
- The attacker gains initial access to a Windows host, potentially through exploitation of a vulnerability or compromised credentials.
- The attacker obtains necessary privileges to modify the Windows Registry.
- The attacker navigates to the
HKLM\SYSTEM\*ControlSet*\Services\PortProxy\v4tov4\registry key. - The attacker creates a new subkey within the
v4tov4key, representing a new port forwarding rule. - The attacker modifies the properties of the newly created registry key to define the local port, remote IP address, and remote port for the forwarding rule.
- The system begins forwarding traffic according to the newly configured rule, potentially allowing the attacker to access internal resources.
- The attacker uses the newly established port forwarding rule to pivot to other internal systems.
- The attacker continues their objectives, such as data exfiltration, lateral movement or establishing persistence.
Impact
A successful attack can allow an adversary to bypass network segmentation, gain access to internal resources, and establish persistent command and control within the compromised network. This can lead to data exfiltration, further compromise of internal systems, and significant disruption to business operations. While the exact number of victims is unknown, this technique is applicable across various sectors where Windows systems are used and network segmentation is implemented.
Recommendation
- Enable Windows Registry auditing and monitor
HKLM\SYSTEM\*ControlSet*\Services\PortProxy\v4tov4\for modifications to activate the Sigma rules below. - Deploy the Sigma rules provided in this brief to your SIEM and tune them for your environment.
- Investigate any alerts generated by these rules promptly, focusing on the associated processes and user accounts.
- Review and validate existing port forwarding rules to identify and remove any unauthorized configurations.
- Implement network segmentation best practices to minimize the impact of potential breaches.
Detection coverage 2
Detect Port Forwarding Rule Addition via Registry
mediumDetects the creation of port forwarding rules in the Windows Registry.
Detect Port Forwarding Configuration via Registry Value
lowDetects modifications to existing port forwarding rules, specifically the LocalPort value.
Detection queries are available on the platform. Get full rules →