This note documents detection patterns related to Port Forwarding within Windows environments.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4688 | Process creation | Critical | Primary signal for native and third-party port forwarding. Hunt for netsh interface portproxy, ssh -L, ssh -R, ssh -D, plink.exe, chisel, socat, frp, rinetd, meterpreter, ligolo, stunnel, and custom relays. Review full command line, parent process, integrity level, and user context. |
| Sysmon | 1 | Process creation | Critical | Best host-level visibility for forwarding commands, dropped tunnel binaries, parent-child chains, and repeated operator use. Useful for detecting both transient tunnels and persistent forwarding infrastructure. |
| Sysmon | 3 | Network connection | Critical | Core behavioral signal. Port forwarding often produces a listener-side process that also establishes outbound connections to another host. Correlate source listener, destination IP/port, and same PID/process lineage. |
| Security | 5156 | Windows Filtering Platform permitted connection | High | Useful when Sysmon is absent. Can confirm inbound and outbound connections tied to forwarding tools, svchost.exe, ssh.exe, or unknown binaries. |
| Sysmon | 13 | Registry value set | Critical | Primary registry signal for native Windows netsh interface portproxy. Captures writes under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\.... Strong evidence of persistent port proxy rules. |
| Sysmon | 12 | Registry object create/delete | High | Useful for creation or deletion of PortProxy subkeys and related tunnel persistence scaffolding. |
| Security | 4657 | Registry value modified | High | Native registry auditing equivalent if enabled. Valuable when Sysmon is unavailable. |
| PowerShell | 4104 | Script block logging | Critical | Captures PowerShell-based forwarding, socket relays, netsh invocation, firewall rule creation, SSH tunneling wrappers, or custom pivot scripts. |
| PowerShell | 4103 | Module logging | High | Useful for cmdlet-level confirmation such as New-NetFirewallRule, Start-Process, New-Object System.Net.Sockets.TcpListener, and custom relay logic. |
| System | 7045 | Service installed | High | Some tunnel tools install helper services or persistence wrappers. Investigate service-backed port forwarding or hidden tunnel daemons. |
| System | 7040 | Service start type changed | Medium | Important when attackers enable required services such as iphlpsvc or modify tunnel-related services to survive reboot. |
| Security | 4697 | Service installed | High | Native service installation signal with subject-user context when auditing is enabled. Useful for service-backed tunnel implants. |
| Sysmon | 7 | Image loaded | Medium | Can reveal SSH/tunnel helpers, custom DLL-backed relays, or networking libraries loaded by suspicious processes. |
| Sysmon | 11 | File create | High | Tunnel binaries, config files, SSH keys, helper scripts, and staging artifacts are often dropped shortly before forwarding is enabled. |
| Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | 2004 / 2005 / 2006 (environment dependent) | Firewall rule changes | High | Helpful when attackers add allow rules around the same time as port forwarding. Exact event availability varies by configuration and OS version. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| New local listener on unusual port | High ports or uncommon service ports suddenly listening on workstation/server | Critical | One of the strongest generic pivot indicators. Validate whether the host is expected to expose that port and whether it appeared recently. |
| Same process both listens and connects outward | One PID accepts inbound traffic and also connects to another host/port | Critical | Canonical forwarding behavior. Extremely valuable in EDR or Sysmon 3 correlation. |
| New netsh interface portproxy rule | v4tov4, v4tov6, v6tov4, or v6tov6 entries appear unexpectedly | Critical | Very strong signal of native Windows forwarding. Often overlooked because no obvious third-party binary is required. |
| iphlpsvc enabled or started unexpectedly | IP Helper service modified or started near PortProxy creation | High | Native netsh portproxy depends on IP Helper. Correlate with service changes and registry writes. |
| Firewall rule added near forwarding setup | New inbound allow rule for forwarded/listener port | High | Attackers frequently pair forwarding with firewall changes to ensure reachability. |
| Listener bound to loopback only | 127.0.0.1 or ::1 listener later used by a second-stage client | High | Common stealth tactic. Not externally visible, but still useful for local relay or covert chaining. |
| Forwarder binary in user-writable path | AppData, Temp, Public, ProgramData, Downloads | Critical | Strong malicious signal for plink/chisel/frp/custom tunnels. |
| SSH/plink activity from non-admin workstation | Developer-style tunneling commands on an unusual endpoint | High | Can indicate covert pivoting or operator staging. Baseline is essential. |
| Port forwarding appears after foothold activity | Tunnel setup shortly after credential theft, remote exec, or service creation | Critical | Very common attacker progression: foothold → stabilize → pivot infrastructure. |
| Long-lived established sessions to internal targets | One host repeatedly relays traffic to otherwise inaccessible subnets | High | Suggests the machine is acting as a pivot node. |
| Service-backed forwarder | Service binary or DLL silently maintains listener | High | Indicates persistence, not just temporary operator activity. |
| SOCKS/dynamic forwarding behavior | Local high port open, multiple destinations reached through same process | High | Often associated with SSH -D, ligolo-ng, Cobalt Strike SOCKS, or similar pivot tooling. |
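The "same process both listens and connects outward", "listener bound to loopback only", "forwarder binary in user-writable path", and "SOCKS/dynamic forwarding behavior" rows can all be evaluated from Sysmon Event ID 3 alone. The Python below is an added example written for this note, not code from the note or from any tool it names. The event records are constructed, and the code assumes Sysmon's convention that an accepted inbound connection is logged with Initiated=false and the local listener on the Destination side, while an outbound connection is logged with Initiated=true and the remote peer on the Destination side.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Path fragments treated as user-writable (mirrors the Indirect Indicators table).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\", "\\programdata\\", "\\downloads\\")

# Constructed Sysmon Event ID 3 records (sample data, not captured telemetry).
# Assumption: Initiated=False => accepted connection, Destination* is the local listener;
#             Initiated=True  => outbound connection, Destination* is the remote peer.
SAMPLE_EVENTS = [
    # PID 4120: dropped binary in Temp accepts on 8443 and relays to two internal hosts
    {"ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "Initiated": False,
     "SourceIp": "10.1.20.15", "SourcePort": 51233, "DestinationIp": "10.1.10.7", "DestinationPort": 8443},
    {"ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "Initiated": True,
     "SourceIp": "10.1.10.7", "SourcePort": 60011, "DestinationIp": "10.2.0.5", "DestinationPort": 445},
    {"ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "Initiated": True,
     "SourceIp": "10.1.10.7", "SourcePort": 60012, "DestinationIp": "10.2.0.9", "DestinationPort": 3389},
    {"ProcessId": 4120, "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe", "Initiated": True,
     "SourceIp": "10.1.10.7", "SourcePort": 60013, "DestinationIp": "10.2.0.5", "DestinationPort": 445},
    # PID 2210: ssh.exe with a loopback-only listener forwarding to a single internal host
    {"ProcessId": 2210, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "Initiated": False,
     "SourceIp": "127.0.0.1", "SourcePort": 49800, "DestinationIp": "127.0.0.1", "DestinationPort": 1080},
    {"ProcessId": 2210, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe", "Initiated": True,
     "SourceIp": "10.1.10.7", "SourcePort": 60020, "DestinationIp": "10.2.0.7", "DestinationPort": 22},
    # PID 1532: ordinary browser, outbound only, must not be flagged
    {"ProcessId": 1532, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Initiated": True,
     "SourceIp": "10.1.10.7", "SourcePort": 60030, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]


@dataclass
class RelayFinding:
    process_id: int
    image: str
    listeners: set = field(default_factory=set)     # (local_ip, local_port) that accepted traffic
    destinations: set = field(default_factory=set)  # (remote_ip, remote_port) reached outbound

    @property
    def loopback_only(self) -> bool:
        """True when every accepted connection arrived on a loopback listener."""
        return all(ip_address(ip).is_loopback for ip, _ in self.listeners)

    @property
    def fan_out(self) -> int:
        """Distinct outbound destinations; many destinations behind one listener suggests SOCKS/dynamic forwarding."""
        return len(self.destinations)

    @property
    def user_writable_image(self) -> bool:
        """True when the image lives under a path an unprivileged user can write to."""
        return any(part in self.image.lower() for part in USER_WRITABLE)


def find_relays(events):
    """Return a RelayFinding for every PID that both accepted inbound and
    initiated outbound connections, sorted by process id."""
    by_proc = {}
    for ev in events:
        key = (ev["ProcessId"], ev["Image"])
        finding = by_proc.setdefault(key, RelayFinding(ev["ProcessId"], ev["Image"]))
        if ev["Initiated"]:
            finding.destinations.add((ev["DestinationIp"], ev["DestinationPort"]))
        else:
            finding.listeners.add((ev["DestinationIp"], ev["DestinationPort"]))
    relays = [f for f in by_proc.values() if f.listeners and f.destinations]
    return sorted(relays, key=lambda f: f.process_id)


if __name__ == "__main__":
    for f in find_relays(SAMPLE_EVENTS):
        print(f"PID {f.process_id} {f.image}: listeners={sorted(f.listeners)} "
              f"fan_out={f.fan_out} loopback_only={f.loopback_only} "
              f"user_writable_image={f.user_writable_image}")
```

Run over real Sysmon 3 exports, the same grouping should be keyed on ProcessGuid rather than ProcessId, since PIDs are reused; the dictionary key is the only line that changes.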
Common Tools
| Tool | Usage |
|---|---|
| netsh | Native Windows interface portproxy forwarding; persists via registry and commonly abused because it blends in with built-in tooling. |
| ssh | Supports local (-L), remote (-R), and dynamic (-D) port forwarding; often used on Windows via OpenSSH or on Linux pivot hosts. |
| plink.exe | PuTTY-based SSH client often used for scripted port forwarding on Windows endpoints. |
| chisel | HTTP/WebSocket-based tunneling and forwarding tool commonly used for red-team pivoting. |
| ligolo-ng | Agent/proxy-based tunneling used to reach internal networks through a compromised host. |
| socat | General-purpose relay that can forward TCP/UDP locally or remotely. |
| frp | Fast reverse proxy often used to expose internal services outward or bridge segments. |
| rinetd | Simple TCP forwarding daemon sometimes used for lightweight relay setups. |
| Meterpreter | portfwd and SOCKS capabilities for operator pivoting. |
| Cobalt Strike | SOCKS proxy and pivot listeners for internal routing and lateral movement. |
| Custom socket relays / PowerShell tunnels | Attackers frequently build ad hoc relays with .NET sockets, TcpListener, or wrapper scripts to avoid known tool signatures. |
Relevant Artifacts
- Security log 4688 for process creation with full command line where available
- Sysmon 1, 3, 11, 12, 13 for process execution, network connections, file drop, and PortProxy registry changes
- Security 5156 for connection approval telemetry if Sysmon is unavailable
- PowerShell logs 4103 / 4104 for script-based forwarding, firewall changes, or custom socket relay logic
- System 7040 / 7045 and Security 4697 for service-backed forwarding or required service changes
- Registry:
HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp
HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov6\tcp
HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v6tov4\tcp
HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v6tov6\tcp
- Registry/service dependency:
HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc
- Firewall-related registry context:
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
- Native inspection commands:
netsh interface portproxy show all
sc qc iphlpsvc
netstat -ano
Get-NetTCPConnection
- Prefetch where applicable:
NETSH.EXE
SSH.EXE
PLINK.EXE
CHISEL.EXE
SOCAT.EXE
- Amcache/ShimCache for execution evidence and binary paths of forwarding tools
- MFT / USN Journal for dropped tunnel binaries, configs, scripts, or key material
- SRUM for post-forwarding network usage on workstations where available
- EDR process/socket lineage to prove same process handled both listen and relay phases
- Firewall logs, proxy logs, and network telemetry for confirming data passed through the pivot host
- Service configuration and persistence artifacts if the forwarder is wrapped as a service or scheduled task
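The PortProxy keys listed above are the artifact an analyst most often has to decode from a Sysmon 13 event. The Python below is an added example for this note, not code from the note or from netsh. It assumes the value layout that netsh interface portproxy add writes under each family\protocol key: the value name is listenaddress/listenport (with * when no listen address was given) and the value data is connectaddress/connectport. The sample TargetObject/Details pairs are constructed.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed registry layout written by "netsh interface portproxy add":
#   ...\PortProxy\<family>\<protocol>\<listenaddress>/<listenport> = "<connectaddress>/<connectport>"
PORTPROXY_RE = re.compile(
    r"\\Services\\PortProxy\\(?P<family>v[46]tov[46])\\(?P<proto>tcp|udp)\\(?P<listen>[^\\]+)$",
    re.IGNORECASE,
)

# Constructed Sysmon 13 (TargetObject, Details) pairs; not real telemetry.
SAMPLE_EVENTS = [
    (r"HKLM\System\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/8080", "10.2.0.5/445"),
    (r"HKLM\System\CurrentControlSet\Services\PortProxy\v4tov4\tcp\127.0.0.1/2222", "127.0.0.1/22"),
    (r"HKLM\System\CurrentControlSet\Services\PortProxy\v4tov6\tcp\*/9000", "fd00::10/3389"),
    (r"HKLM\System\CurrentControlSet\Services\iphlpsvc\Start", "DWORD (0x00000002)"),
]


@dataclass(frozen=True)
class PortProxyRule:
    family: str
    protocol: str
    listen_address: str
    listen_port: int
    connect_address: str
    connect_port: int

    @property
    def network_reachable(self) -> bool:
        """True unless the listener is bound to a loopback address ('*' means all interfaces)."""
        if self.listen_address == "*":
            return True
        return not ip_address(self.listen_address).is_loopback

    @property
    def forwards_off_host(self) -> bool:
        """True when traffic is relayed to something other than loopback, i.e. toward another host."""
        return not ip_address(self.connect_address).is_loopback


def _split_endpoint(value: str):
    # rpartition on '/' keeps IPv6 colons intact
    address, _, port = value.rpartition("/")
    return address, int(port)


def parse_portproxy_event(target_object: str, details: str):
    """Turn a Sysmon 13 TargetObject/Details pair into a PortProxyRule, or None for unrelated keys."""
    m = PORTPROXY_RE.search(target_object)
    if not m:
        return None
    listen_address, listen_port = _split_endpoint(m["listen"])
    connect_address, connect_port = _split_endpoint(details)
    return PortProxyRule(m["family"].lower(), m["proto"].lower(),
                         listen_address, listen_port, connect_address, connect_port)


def triage(rule: PortProxyRule):
    """Reasons an analyst would escalate this rule; an empty list means low interest."""
    reasons = []
    if rule.network_reachable:
        reasons.append(f"listener {rule.listen_address}:{rule.listen_port} reachable from the network")
    if rule.forwards_off_host:
        reasons.append(f"relays to {rule.connect_address}:{rule.connect_port} on another host")
    return reasons


if __name__ == "__main__":
    for target, details in SAMPLE_EVENTS:
        rule = parse_portproxy_event(target, details)
        if rule is None:
            print(f"skip (not a PortProxy value): {target}")
            continue
        print(f"{rule.family}/{rule.protocol} {rule.listen_address}:{rule.listen_port} -> "
              f"{rule.connect_address}:{rule.connect_port} :: {triage(rule) or ['no escalation']}")
```

Security 4657 carries the same key path and new value, so the same parser applies when Sysmon is not deployed.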
MITRE ATT&CK References
- T1090 Proxy
- T1090.001 Internal Proxy
- T1090.002 External Proxy
- T1090.003 Multi-hop Proxy
- T1090.004 Domain Fronting / protocol-adjacent proxy behavior (contextual depending on tooling)
- T1572 Protocol Tunneling
- T1047 Windows Management Instrumentation (contextual if WMI used to deploy the forwarder)
- T1569.002 Service Execution (contextual if tunnel deployed as a service)
Decision Tree
- Is the suspicious event present?
  - Look for 4688 / Sysmon 1 showing netsh interface portproxy, ssh -L/-R/-D, plink, chisel, ligolo, or other relay tooling.
  - Check for Sysmon 13 / 12 registry writes under PortProxy.
- What host and process generated it?
  - Identify the exact host, user, integrity level, parent process, and full command line.
  - Determine whether the process is a built-in utility (netsh, ssh) or a dropped third-party binary.
- Is there a listener?
  - Validate with Sysmon 3, EDR socket telemetry, netstat, or connection logs whether a local listener was established.
  - Record bind address, local port, and whether the listener is loopback-only or externally reachable.
- Is there an outbound relay destination?
  - Confirm whether the same process or a tightly linked child process connected to another system.
  - Map destination IP, port, protocol, and timing relative to inbound activity.
- Is this persistent or temporary?
  - For native Windows forwarding, inspect PortProxy registry keys and the state of IP Helper (iphlpsvc).
  - For third-party tools, check for services, scheduled tasks, Run keys, Startup folder, config files, or helper scripts.
- Pivot:
  - Source host → process execution
    - Hunt for file drops, configs, SSH keys, helper scripts, and repeated tunnel invocations.
  - Network → internal access expansion
    - Identify which internal systems became reachable only after the forwarder was established.
  - Adjacent admin changes
    - Check for firewall rules, service installation, credential use, LocalAccountTokenFilterPolicy, ADMIN$ access, or remote exec nearby.
- Confirm scope and intent
  - Was this developer/admin activity, enterprise remote support, or attacker pivot infrastructure?
  - Determine whether the host acted as a single-use tunnel endpoint or a durable pivot node.
Example Detection Templates
KQL
// Native and tool-based port forwarding command-line hunt
let terms = dynamic(["portproxy","ssh -L","ssh -R","ssh -D","plink","chisel","ligolo","socat","frp","rinetd","portfwd"]);
union isfuzzy=true SecurityEvent, Sysmon
| where EventID in (4688, 1)
| extend Image = coalesce(tostring(NewProcessName), tostring(Image), tostring(Process)),
CommandLine = coalesce(tostring(CommandLine), tostring(ProcessCommandLine)),
ParentImage = coalesce(tostring(ParentProcessName), tostring(ParentImage))
| where CommandLine has_any (terms) or Image has_any ("netsh.exe","ssh.exe","plink.exe","chisel.exe","ligolo.exe","socat.exe","frpc.exe","frps.exe")
| project TimeGenerated, Computer, User=coalesce(tostring(SubjectUserName), tostring(User), tostring(UserName)), Image, CommandLine, ParentImage, EventID
| order by TimeGenerated desc
// Native Windows PortProxy registry hunt
Sysmon
| where EventID in (12, 13)
| where TargetObject has @"\SYSTEM\CurrentControlSet\Services\PortProxy\"
| project TimeGenerated, Computer, User, EventID, TargetObject, Details, Image, ProcessGuid, ProcessId
| order by TimeGenerated desc
// Correlate forwarding process creation with later network activity from same host/process
let Forwarders = Sysmon
| where EventID == 1
| extend Image = tostring(Process), CommandLine = tostring(CommandLine), ProcessId = tostring(ProcessId)
| where CommandLine has_any ("portproxy","ssh -L","ssh -R","ssh -D","plink","chisel","ligolo","socat","frp","portfwd")
or Image has_any ("netsh.exe","ssh.exe","plink.exe","chisel.exe","ligolo.exe","socat.exe","frpc.exe","frps.exe")
| project FwdTime=TimeGenerated, Computer, ProcessId, Image, CommandLine, ParentImage=tostring(ParentProcessName), User=tostring(User);
let Net = Sysmon
| where EventID == 3
| extend ProcessId = tostring(ProcessId)
| project NetTime=TimeGenerated, Computer, ProcessId, DestinationIp, DestinationPort, SourceIp, SourcePort, Protocol, Image=tostring(Image);
Forwarders
| join kind=leftouter (Net) on Computer, ProcessId
| where NetTime between (FwdTime .. FwdTime + 30m)
| project FwdTime, NetTime, Computer, User, Image, CommandLine, ParentImage, SourceIp, SourcePort, DestinationIp, DestinationPort, Protocol
| order by FwdTime desc
// Hunt for IP Helper service changes around PortProxy creation
let PortProxyChanges = Sysmon
| where EventID in (12, 13)
| where TargetObject has @"\SYSTEM\CurrentControlSet\Services\PortProxy\"
| project PPTime=TimeGenerated, Computer, User, TargetObject;
let ServiceChanges = union isfuzzy=true SystemEvent, SecurityEvent
| where EventID in (7040, 7045, 4697)
| project SvcTime=TimeGenerated, Computer, EventID, RenderedDescription=tostring(EventData);
PortProxyChanges
| join kind=leftouter (ServiceChanges) on Computer
| where SvcTime between (PPTime - 10m .. PPTime + 10m)
| project PPTime, SvcTime, Computer, User, TargetObject, EventID, RenderedDescription
| order by PPTime desc
EQL
/* Tooling or native commands commonly used for port forwarding */
process where
process.command_line like "*portproxy*" or
process.command_line like "*ssh -L*" or
process.command_line like "*ssh -R*" or
process.command_line like "*ssh -D*" or
process.command_line like "*plink*" or
process.command_line like "*chisel*" or
process.command_line like "*ligolo*" or
process.command_line like "*socat*" or
process.command_line like "*frp*"
/* PortProxy registry creation following netsh command */
sequence by host.name with maxspan=5m
[ process where process.command_line like "*netsh*portproxy*" ]
[ registry where registry.path like "*\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\*" ]
/* Forwarding process followed by outbound network connections */
sequence by host.name, process.pid with maxspan=30m
[ process where process.command_line like "*ssh -L*" or process.command_line like "*ssh -R*" or process.command_line like "*chisel*" or process.command_line like "*plink*" or process.command_line like "*ligolo*" ]
[ network where true ]
Sigma
title: Suspicious Port Forwarding Activity
id: 9f7a2c44-6d1d-4b47-a0f3-port-forwarding
status: experimental
description: Detects native Windows PortProxy and common tool-based port forwarding commands frequently associated with pivoting or covert transport infrastructure.
references:
  - https://attack.mitre.org/techniques/T1090/
  - https://attack.mitre.org/techniques/T1572/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  category: process_creation
detection:
  selection_cmd:
    CommandLine|contains:
      - 'portproxy'
      - 'ssh -L'
      - 'ssh -R'
      - 'ssh -D'
      - 'plink'
      - 'chisel'
      - 'ligolo'
      - 'socat'
      - 'frp'
      - 'portfwd'
  selection_img:
    Image|endswith:
      - '\netsh.exe'
      - '\ssh.exe'
      - '\plink.exe'
      - '\chisel.exe'
      - '\ligolo.exe'
      - '\socat.exe'
      - '\frpc.exe'
      - '\frps.exe'
  condition: selection_cmd or selection_img
fields:
  - Image
  - CommandLine
  - ParentImage
  - User
falsepositives:
  - Legitimate administrator tunneling
  - Developer SSH tunnels
  - Approved remote support tooling
  - Network engineering diagnostics
level: high
tags:
  - attack.command_and_control
  - attack.t1090
  - attack.t1572
---
title: Native Windows PortProxy Registry Modification
id: 4c5fd447-e1fd-4ed9-b8f0-portproxy-registry
status: experimental
description: Detects registry modifications associated with native Windows netsh interface portproxy forwarding.
references:
  - https://attack.mitre.org/techniques/T1090/
author: Vergil
date: 2026-03-07
logsource:
  product: windows
  category: registry_set
detection:
  selection:
    TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\PortProxy\'
  condition: selection
fields:
  - TargetObject
  - Details
  - Image
  - User
falsepositives:
  - Legitimate portproxy administration
level: high
tags:
  - attack.command_and_control
  - attack.t1090
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| Native forwarding control | Monitor and tightly restrict use of netsh interface portproxy; regularly review PortProxy registry keys | High | Native PortProxy is powerful because it survives reboot and blends with legitimate Windows tooling. |
| Registry auditing | Alert on changes under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\* | High | Essential for detecting persistent native forwarding. Many defenders miss this entirely. |
| IP Helper service governance | Baseline and monitor iphlpsvc start type and state changes | Medium | PortProxy depends on IP Helper; unexpected enablement or start activity can provide valuable context. |
| Process command-line monitoring | Log and alert on ssh -L/-R/-D, plink, chisel, ligolo, socat, and similar forwarding syntax | High | Core visibility for transient operator tunnels that leave no registry footprint. |
| Firewall change monitoring | Correlate forwarding activity with new inbound allow rules or firewall policy changes | High | A forwarding rule plus firewall modification is a strong combined signal. |
| Application control | Restrict unapproved tunneling tools and unsigned networking binaries from user-writable paths | High | Reduces attacker flexibility and raises detection opportunities. |
| Network egress controls | Limit which hosts can initiate outbound connections to internal segments or unusual external ports | High | Makes pivot infrastructure harder to sustain. |
| Listener baselining | Continuously monitor for new listening ports and unexpected bind behavior on workstations and servers | High | Strong general pivot detection, especially where process telemetry is incomplete. |
| Service / scheduled task review | Hunt for tunnel persistence wrapped as services, tasks, Run keys, or Startup entries | Medium | Third-party tunnel tools are often made durable with common Windows persistence mechanisms. |
| Endpoint visibility | Prefer EDR or Sysmon configurations that can correlate process lineage with socket activity | Critical | Best method for proving the host is acting as a relay rather than merely making ordinary outbound connections. |
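The "Listener baselining" control above, and the netstat -ano artifact listed earlier, reduce in practice to diffing a snapshot of listening sockets against a known-good one. The Python below is an added example written for this note, not code from the note or from any product it mentions. Both netstat -ano snapshots are constructed sample text in the standard netstat column layout; the parser keys TCP listeners on (local address, port) and also notes whether the owning PID of a new listener holds established connections in the same snapshot, which is the relay footprint the decision tree asks about.

```python
import re
from ipaddress import ip_address

# Constructed "netstat -ano" snapshots (sample text, not captured from a real host).
BASELINE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1108
  TCP    [::]:135               [::]:0                 LISTENING       928
  UDP    0.0.0.0:5353           *:*                                    1444
"""

CURRENT_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1108
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1844
  TCP    127.0.0.1:1080         0.0.0.0:0              LISTENING       2210
  TCP    10.1.10.7:51233        10.2.0.5:445           ESTABLISHED     1844
  TCP    [::]:135               [::]:0                 LISTENING       928
  UDP    0.0.0.0:5353           *:*                                    1444
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(?P<local>\S+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$")
ESTABLISHED_RE = re.compile(r"^\s*TCP\s+\S+\s+(?P<remote>\S+)\s+ESTABLISHED\s+(?P<pid>\d+)\s*$")


def _split_socket(text: str):
    # rpartition on ':' leaves IPv6 literals like [::] intact; strip the brackets afterwards
    address, _, port = text.rpartition(":")
    return address.strip("[]"), int(port)


def parse_listeners(netstat_text: str):
    """Map (local_address, port) -> PID for every TCP listener in the snapshot."""
    listeners = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            listeners[_split_socket(m["local"])] = int(m["pid"])
    return listeners


def parse_established(netstat_text: str):
    """Map PID -> set of (remote_address, remote_port) it currently has established."""
    outbound = {}
    for line in netstat_text.splitlines():
        m = ESTABLISHED_RE.match(line)
        if m:
            outbound.setdefault(int(m["pid"]), set()).add(_split_socket(m["remote"]))
    return outbound


def new_listeners(baseline_text: str, current_text: str):
    """Listeners present now but absent from the baseline."""
    baseline = parse_listeners(baseline_text)
    return {sock: pid for sock, pid in parse_listeners(current_text).items() if sock not in baseline}


def reachability(address: str) -> str:
    """Classify a bind address the way the Indirect Indicators table does."""
    if address in ("0.0.0.0", "::"):
        return "all-interfaces"
    return "loopback-only" if ip_address(address).is_loopback else "specific-interface"


def report(baseline_text: str, current_text: str):
    """One record per new listener, flagging PIDs that also hold established connections."""
    outbound = parse_established(current_text)
    rows = []
    for (address, port), pid in sorted(new_listeners(baseline_text, current_text).items()):
        rows.append({
            "address": address, "port": port, "pid": pid,
            "reachability": reachability(address),
            "relay_candidate": bool(outbound.get(pid)),
        })
    return rows


if __name__ == "__main__":
    for row in report(BASELINE_NETSTAT, CURRENT_NETSTAT):
        print(row)
```

On a live host the two snapshots come from scheduled runs of netstat -ano (or Get-NetTCPConnection -State Listen, which exposes the same fields as objects); the PID in each new-listener row is what to join against 4688 / Sysmon 1 for image and command line.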