Skip to content

T1562.001 Disable or Modify Tools netsh abuse

T1562.001 - Disable or Modify Tools - netsh abuse

DESCRIPTION

Detects changes made to the registry key as a result of the Netsh.exe abuse. Adversaries use the Netsh command to create a PortProxy registry modification on a compromised device to enable traffic redirection through proxies to C2 server.

Example:

1
2
3
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\PortProxy\\v4tov4 \\cp\\0.0.0.0/49275 | {<Attacker IP>}/<Port number>.

HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4 tov4

Related

LOLBINs

Reference:

https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/identifying-and-mitigating-living-off-the-land-techniques
https://github.com/SigmaHQ/sigma/blob/49adcf9a00247ed6c3daacba03b589470f6716d0/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml#L22
https://github.com/redcanaryco/atomic-red-team/blob/ac9e63e872223cb2fe2655fe5ab156044cba4f79/atomics/T1090.001/T1090.001.md?plain=1#L13

ATT&CK TACTICS

T1562.001 - Impair Defenses: Disable or Modify Tools

Data Source(s): Windows Registry

SENTINEL RULE QUERY

1
2
3
4
let selection_cli_1 = dynamic(['PortProxy', 'HKLM']);
DeviceRegistryEvents
| where InitiatingProcessFolderPath endswith @"\netsh.exe" and InitiatingProcessVersionInfoOriginalFileName == "netsh.exe" 
| where RegistryKey has_all (selection_cli_1)

Triage

  1. Inspect the modified registry key and the IP address that has been used.
  2. Confirm with user if the activity was expected and approved.

FalsePositive

  • Legitimate administration activity

VERSION

Version 1.0 (date: 20/03/2024)