Windows Proxy Via Registry

Try in Splunk Security Cloud

Description

The following analytic detects the modification of registry keys related to the Windows Proxy settings via netsh.exe. It leverages data from the Endpoint.Registry data model, focusing on changes to the registry path "\System\CurrentControlSet\Services\PortProxy\v4tov4\tcp". This activity is significant because netsh.exe can be used to establish a persistent proxy, potentially allowing an attacker to execute a helper DLL whenever netsh.exe runs. If confirmed malicious, this could enable the attacker to maintain persistence, manipulate network configurations, and potentially exfiltrate data or further compromise the system.

• Type: Anomaly
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2024-05-27
• Author: Teoderick Contreras, Splunk
• ID: 0270455b-1385-4579-9ac5-e77046c508ae

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1090.001	Internal Proxy	Command And Control

T1090

Proxy

Command And Control

Kill Chain Phase

• Command and Control

NIST

• DE.AE

CIS20

• CIS 10

CVE

Search

| tstats `security_content_summariesonly` count  min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path ="*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest  Registry.user 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `drop_dm_object_name(Registry)` 
| `windows_proxy_via_registry_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• security_content_summariesonly

windows_proxy_via_registry_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• Registry.registry_key_name
• Registry.registry_path
• Registry.user
• Registry.dest
• Registry.registry_value_name
• Registry.action
• Registry.registry_value_data

How To Implement

To successfully implement this search, you need to be ingesting logs with the registry value name, registry path, and registry value data from your endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical Sysmon TA. https://splunkbase.splunk.com/app/5709

Known False Positives

unknown

Associated Analytic Story

• Volt Typhoon

RBA

Risk Score	Impact	Confidence	Message
49.0	70	70	A registry modification for port proxy in$dest$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2