Analytics Alerts
Browse the Cortex analytics alert reference.
1 alert match the current filters. tactic: TA0005 ✕ technique: T1090 ✕
Show ATT&CK heatmapUnusual Netsh PortProxy rule Low 2 variations
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Defense Evasion (TA0005) Command and Control (TA0011)ATT&CK techniques: Impair Defenses: Disable or Modify System Firewall (T1562.004) Proxy: Internal Proxy (T1090.001)Required data: XDR Agent with eXtended Threat Hunting (XTH)Attacker's goals: Adding or deleting netsh forwarding rules as a proxy and to avoid possible detection.Investigative actions: Check the connect address and if it's a known IP/domain. Check whether the causality group owner (CGO) process is benign and if this was a desired behavior as part of its normal execution flow.Variations
Unusual Netsh PortProxy rule by non-netsh process
Medium overridden
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden
Unusual Netsh PortProxy rule by an unsigned causality actor
Medium overridden
Attackers may use Netsh PortProxy rules as part of malicious actions performed in an organizational network (e.g., for tunneling). overridden