{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/port-forwarding/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Sysmon Registry Events","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["port-forwarding","registry-modification","command-and-control","defense-evasion","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne","Crowdstrike"],"content_html":"\u003cp\u003eAttackers may configure port forwarding rules to bypass network segmentation restrictions, effectively using the compromised host as a jump box to access previously unreachable systems. This involves modifying the registry to redirect incoming TCP connections from a local port to another port or a remote computer. The technique is typically employed post-compromise to facilitate lateral movement and maintain unauthorized access within the network. This activity is detected by monitoring changes to the \u003ccode\u003eHKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry subkeys.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command-line interface (e.g., \u003ccode\u003ecmd.exe\u003c/code\u003e or \u003ccode\u003epowershell.exe\u003c/code\u003e) with administrative privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell\u0026rsquo;s \u003ccode\u003eSet-ItemProperty\u003c/code\u003e cmdlet to modify the \u003ccode\u003eHKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry key.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a new port forwarding rule by creating a new subkey under \u003ccode\u003ev4tov4\\\u003c/code\u003e with specific settings for the local port, remote address, and remote port.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the \u003ccode\u003eListenAddress\u003c/code\u003e, \u003ccode\u003eListenPort\u003c/code\u003e, \u003ccode\u003eConnectAddress\u003c/code\u003e, and \u003ccode\u003eConnectPort\u003c/code\u003e values within the new subkey.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the successful creation and activation of the port forwarding rule using \u003ccode\u003enetsh interface portproxy show v4tov4\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the newly created port forwarding rule to tunnel traffic through the compromised host, bypassing network segmentation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the proxied connection to access internal resources and conduct further attacks, such as lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation enables attackers to bypass network segmentation restrictions, leading to unauthorized access to internal systems and data. This can facilitate lateral movement, data exfiltration, and further compromise of the network. The severity of the impact depends on the sensitivity of the accessible resources and the extent of the attacker\u0026rsquo;s lateral movement.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon registry event logging to capture modifications to the \u003ccode\u003eHKLM\\SYSTEM\\*ControlSet*\\Services\\PortProxy\\v4tov4\\\u003c/code\u003e registry subkeys, enabling detection of malicious port forwarding rule additions.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Port Forwarding Rule Addition via Registry Modification\u0026rdquo; to your SIEM to detect suspicious registry modifications related to port forwarding.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the process execution chain and the user account that performed the action.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit existing port forwarding rules to identify and remove any unauthorized or suspicious configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-port-forwarding-registry/","summary":"An adversary may abuse port forwarding to bypass network segmentation restrictions by creating a new port forwarding rule through modification of the Windows registry.","title":"Windows Port Forwarding Rule Addition via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-port-forwarding-registry/"}],"language":"en","title":"CraftedSignal Threat Feed — Port-Forwarding","version":"https://jsonfeed.org/version/1.1"}