Windows Port Forwarding Rule Addition via Registry Modification
An adversary may abuse port forwarding to bypass network segmentation restrictions by creating a new port forwarding rule through modification of the Windows registry.
Attackers may configure port forwarding rules to bypass network segmentation restrictions, effectively using the compromised host as a jump box to access previously unreachable systems. This involves modifying the registry to redirect incoming TCP connections from a local port to another port or a remote computer. The technique is typically employed post-compromise to facilitate lateral movement and maintain unauthorized access within the network. This activity is detected by monitoring changes to the HKLM\SYSTEM\*ControlSet*\Services\PortProxy\v4tov4\ registry subkeys.
Attack Chain
- The attacker gains initial access to the target system through an exploit or compromised credentials.
- The attacker executes a command-line interface (e.g., cmd.exe or powershell.exe) with administrative privileges.
- The attacker uses reg.exe or PowerShell's Set-ItemProperty cmdlet to modify the HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\ registry key.
- The attacker configures a new port forwarding rule by creating a new subkey under v4tov4\ with specific settings for the local port, remote address, and remote port.
- The attacker sets the ListenAddress, ListenPort, ConnectAddress, and ConnectPort values within the new subkey.
- The attacker verifies the successful creation and activation of the port forwarding rule using netsh interface portproxy show v4tov4.
- The attacker leverages the newly created port forwarding rule to tunnel traffic through the compromised host, bypassing network segmentation.
- The attacker uses the proxied connection to access internal resources and conduct further attacks, such as lateral movement or data exfiltration.
Impact
Successful exploitation enables attackers to bypass network segmentation restrictions, leading to unauthorized access to internal systems and data. This can facilitate lateral movement, data exfiltration, and further compromise of the network. The severity of the impact depends on the sensitivity of the accessible resources and the extent of the attacker’s lateral movement.
Recommendation
- Enable Sysmon registry event logging to capture modifications to the HKLM\SYSTEM\*ControlSet*\Services\PortProxy\v4tov4\ registry subkeys, enabling detection of malicious port forwarding rule additions.
- Deploy the Sigma rule "Port Forwarding Rule Addition via Registry Modification" to your SIEM to detect suspicious registry modifications related to port forwarding.
- Investigate any alerts generated by the Sigma rule, focusing on identifying the process execution chain and the user account that performed the action.
- Regularly review and audit existing port forwarding rules to identify and remove any unauthorized or suspicious configurations.
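To illustrate the Sysmon-based detection the recommendations describe, here is an added example (not code from the original page or from the rule vendor) that flags Sysmon registry events (Event IDs 12 and 13) whose TargetObject falls under the PortProxy\v4tov4 key and, for value-set events, splits the rule into its listen and connect endpoints for triage. The sample events are constructed, and the "ListenAddress/ListenPort" value-name layout that parse_forward assumes should be verified against your own telemetry.

```python
import re

# Sysmon Event ID 12 = registry key created/deleted, 13 = registry value set.
# Matches both CurrentControlSet and ControlSet00N, as the page's
# HKLM\SYSTEM\*ControlSet*\Services\PortProxy\v4tov4\ pattern intends.
PORTPROXY_KEY = re.compile(
    r"^HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\PortProxy\\v4tov4\\",
    re.IGNORECASE,
)
# Writers the page names; anything else touching the key deserves a closer look.
KNOWN_WRITERS = ("reg.exe", "powershell.exe", "netsh.exe")

def parse_forward(target_object, details):
    """Split a SetValue event into listen/connect endpoints for triage.
    Assumption: the value name is 'ListenAddress/ListenPort' and the data is
    'ConnectAddress/ConnectPort'; verify this against your own telemetry."""
    value_name = target_object.rsplit("\\", 1)[-1]
    out = {}
    if "/" in value_name:
        out["listen_address"], out["listen_port"] = value_name.split("/", 1)
    if details and "/" in details:
        out["connect_address"], out["connect_port"] = details.split("/", 1)
    return out

def detect_portproxy_changes(events):
    """Return one finding per Sysmon registry event that touches the PortProxy key."""
    findings = []
    for ev in events:
        target = str(ev.get("TargetObject", ""))
        if ev.get("EventID") not in (12, 13) or not PORTPROXY_KEY.search(target):
            continue
        image = str(ev.get("Image", "")).lower()
        findings.append({
            "event_id": ev["EventID"], "image": ev.get("Image"), "user": ev.get("User"),
            "target": target, "writer_known": image.endswith(KNOWN_WRITERS),
            "forward": parse_forward(target, ev.get("Details")) if ev["EventID"] == 13 else {},
        })
    return findings

# Constructed sample events (not real logs) in the shape of Sysmon registry events.
SAMPLE_EVENTS = [
    {"EventID": 12, "Image": r"C:\Windows\System32\reg.exe", "User": r"CORP\jdoe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "User": r"CORP\jdoe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Services\PortProxy\v4tov4\tcp\*/4444",
     "Details": "10.0.0.25/445"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain",
     "Details": "corp.local"},
]
```

Running detect_portproxy_changes(SAMPLE_EVENTS) yields two findings (the key creation and the value set) and ignores the unrelated Tcpip change; the writer_known flag only helps prioritise, since reg.exe is exactly what the page expects an attacker to use.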
Detection coverage (2 rules)
- Port Forwarding Rule Addition via Registry Modification (severity: medium): Detects the creation of a new port forwarding rule by monitoring changes to the PortProxy registry key.
- Port Forwarding Rule Addition via reg.exe (severity: low): Detects the creation of a new port forwarding rule using the reg.exe command.