Adversaries may use a connection proxy to direct network traffic between systems or to act as an intermediary for network communications to a command and control server, avoiding direct connections to their infrastructure.
Example:
"cmd.exe /c "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress= connectport=8443 protocol=tcp""
"cmd.exe /c netsh interface portproxy add v4tov4 listenport=50100 listenaddress=0.0.0.0 connectport=1433 connectaddress="
Related
Volt Typhoon activity
Reference:
{{ mitre("T1090")}}
Data Source(s): Process, Command
// All three terms must appear in one of the command-line columns (netsh ... portproxy ... add)
let c1 = dynamic(["portproxy", "netsh", "add"]);
find where InitiatingProcessCommandLine has_all (c1) or ProcessCommandLine has_all (c1) or CommandLine has_all (c1)
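The same matching logic applied offline to sample process events, so the rule can be checked against known-good and known-bad command lines before deployment. This is an added example, not the rule's own code; the events are constructed, and the non-empty connectaddress value is a placeholder from the documentation range.

```python
import re

# Terms the rule requires (its dynamic(["portproxy", "netsh", "add"])).
REQUIRED_TERMS = ("portproxy", "netsh", "add")
CMDLINE_FIELDS = ("InitiatingProcessCommandLine", "ProcessCommandLine", "CommandLine")
PORTPROXY_KEYS = ("listenaddress", "listenport", "connectaddress", "connectport", "protocol")

def has_all(text, terms):
    """Approximate KQL has_all: every term must be present as a whole token, case-insensitive."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    return all(t.lower() in tokens for t in terms)

def matches_rule(event):
    """Mirror the rule: any of the three command-line columns contains all required terms."""
    return any(has_all(event.get(f, ""), REQUIRED_TERMS) for f in CMDLINE_FIELDS)

def parse_portproxy(cmdline):
    """Extract listen/connect parameters for triage. A key present with no value
    (as in the page's examples, 'connectaddress=') yields ''; an absent key yields None."""
    fields = {}
    for key in PORTPROXY_KEYS:
        m = re.search(rf'\b{key}=([^\s"]*)', cmdline, re.IGNORECASE)
        fields[key] = m.group(1) if m else None
    return fields

def triage(events):
    """Return (event, parsed portproxy fields) for each event that fires the rule."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            cmd = next(ev[f] for f in CMDLINE_FIELDS if ev.get(f) and has_all(ev[f], REQUIRED_TERMS))
            hits.append((ev, parse_portproxy(cmd)))
    return hits

# Constructed sample telemetry (not from the original page).
SAMPLE_EVENTS = [
    # Shaped like the first example above; 203.0.113.10 is a constructed placeholder address.
    {"ProcessCommandLine": 'cmd.exe /c "netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 connectaddress=203.0.113.10 connectport=8443 protocol=tcp"'},
    # Shaped like the second example, with the connect address left empty.
    {"CommandLine": "cmd.exe /c netsh interface portproxy add v4tov4 listenport=50100 listenaddress=0.0.0.0 connectport=1433 connectaddress="},
    # Benign: netsh with "add" but no portproxy, must not fire.
    {"ProcessCommandLine": 'netsh advfirewall firewall add rule name="App" dir=in action=allow'},
    # Benign: lists portproxy state without adding one, must not fire.
    {"ProcessCommandLine": "netsh interface portproxy show all"},
]

if __name__ == "__main__":
    for ev, fields in triage(SAMPLE_EVENTS):
        print(fields)
```

The parsed listenport/connectport pairs give the analyst the forwarding path to compare against expected admin or service configuration when tuning.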
- Inspect whether the activity is expected and was performed by an administrator or a service
Version 1.0 (date: 10/07/2023)