LoFP / wsl2 network bridge powershell script used for wsl/kubernetes/docker (e.g. https://github.com/microsoft/wsl/issues/4150#issuecomment-504209723)

Techniques

t1090

Sample rules

New Port Forwarding Rule Added Via Netsh.EXE

source: sigma
technicques:
- t1090

Description

Detects the execution of netsh commands that configure a new port forwarding (PortProxy) rule

Detection logic

condition: selection_img and 1 of selection_cli_*
selection_cli_1:
  CommandLine|contains|all:
  - interface
  - portproxy
  - add
  - v4tov4
selection_cli_2:
  CommandLine|contains|all:
  - 'i '
  - 'p '
  - 'a '
  - 'v '
selection_cli_3:
  CommandLine|contains|all:
  - connectp
  - listena
  - c=
selection_img:
- Image|endswith: \netsh.exe
- OriginalFileName: netsh.exe

New PortProxy Registry Entry Added

source: sigma
technicques:
- t1090

Description

Detects the modification of the PortProxy registry key which is used for port forwarding.

Detection logic

condition: selection
selection:
  TargetObject|contains: \Services\PortProxy\v4tov4\tcp\