
New Port Forwarding Rule Added Via Netsh.EXE

Sigma Rules

Summary
This detection rule identifies execution of netsh.exe with command-line arguments that add a new port forwarding rule through the Windows PortProxy feature (netsh interface portproxy add ...). Attackers use PortProxy to pivot through a compromised host: an internal service is exposed on a port the host already reaches, or inbound remote access is tunneled past network restrictions, which is a common step during lateral movement. The rule combines a process image check (the image ends with netsh.exe) with command-line pattern matching for the arguments that create a port proxy, and fires when the image matches and at least one of the listed command-line patterns is present. Legitimate administrative tasks and benign scripts can issue the same command line, so the rule is expected to produce some false positives; matches should be triaged against known configuration activity (who ran it, which ports and connect address were used) rather than treated as confirmed malicious.
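As an added example (not the rule's own logic and not SigmaHQ code), the following Python approximates the detection described above and runs it over a few constructed process-creation events shaped like Sysmon Event ID 1 / Sigma fields (Image, OriginalFileName, CommandLine). It goes slightly beyond the summary in two ways that matter in practice: it accepts the abbreviated forms netsh resolves (netsh treats an unambiguous prefix of a context or command name as that name, so "int p add v4tov4" is also a port proxy creation), and it extracts the listen/connect parameters for triage. The minimum prefix lengths, the sample events and the helper names are assumptions of this example.

```python
"""Approximate 'New Port Forwarding Rule Added Via Netsh.EXE' over sample events.

Assumption: netsh accepts unambiguous abbreviations of context and command names,
so "interface" may appear as "int", "portproxy" as "p", and "add" as "a".
The minimum prefix lengths below are this example's choice, not the rule's.
"""

PORTPROXY_MODES = {"v4tov4", "v4tov6", "v6tov4", "v6tov6"}


def _is_netsh(event):
    """Image check: basename of Image is netsh.exe, or OriginalFileName says so."""
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return image == "netsh.exe" or event.get("OriginalFileName", "").lower() == "netsh.exe"


def _abbrev(token, full, min_len):
    """True if token is an accepted abbreviation (prefix) of the netsh keyword."""
    return len(token) >= min_len and full.startswith(token)


def match_portproxy_add(event):
    """Return a triage dict if the event is a netsh portproxy creation, else None.

    Walks the command line in order: interface -> portproxy -> add -> <mode>,
    then collects key=value parameters (listenport, listenaddress, connectport,
    connectaddress) that follow the mode. Positional parameters are not parsed.
    """
    if not _is_netsh(event):
        return None
    tokens = [t.strip('"') for t in event.get("CommandLine", "").split()]
    stage = 0  # 0: want interface, 1: want portproxy, 2: want add, 3: want mode, 4: params
    mode, params = None, {}
    for tok in tokens:
        low = tok.lower()
        if stage == 0 and _abbrev(low, "interface", 3):   # "int" or longer (assumption)
            stage = 1
        elif stage == 1 and _abbrev(low, "portproxy", 1):  # "p" is unique under interface
            stage = 2
        elif stage == 2 and _abbrev(low, "add", 1):        # "a" is unique under portproxy
            stage = 3
        elif stage == 3 and low in PORTPROXY_MODES:
            mode, stage = low, 4
        elif stage == 4 and "=" in tok:
            key, value = tok.split("=", 1)
            params[key.lower()] = value
    if stage != 4:
        return None
    return {"mode": mode, **params}


def run_detection(events):
    """Apply the matcher to a list of events; return (index, triage dict) per hit."""
    hits = []
    for i, ev in enumerate(events):
        result = match_portproxy_add(ev)
        if result is not None:
            hits.append((i, result))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # full form, should match
        "Image": r"C:\Windows\System32\netsh.exe",
        "CommandLine": r'"C:\Windows\System32\netsh.exe" interface portproxy add v4tov4 '
                       "listenport=3340 listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.0.5",
    },
    {   # abbreviated form, should still match
        "Image": r"C:\Windows\System32\netsh.exe",
        "CommandLine": "netsh int p add v4tov4 listenport=8080 connectaddress=192.168.1.20 connectport=80",
    },
    {   # listing existing proxies is not a creation, should not match
        "Image": r"C:\Windows\System32\netsh.exe",
        "CommandLine": "netsh interface portproxy show all",
    },
    {   # a different netsh context, should not match
        "Image": r"C:\Windows\System32\netsh.exe",
        "CommandLine": "netsh advfirewall firewall add rule name=Allow80 dir=in action=allow protocol=TCP localport=80",
    },
    {   # image check: the wrapper process is not netsh.exe; the child netsh.exe event would match instead
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -c "netsh interface portproxy add v4tov4 listenport=4444 connectport=22 connectaddress=10.0.0.9"',
    },
]

if __name__ == "__main__":
    for index, triage in run_detection(SAMPLE_EVENTS):
        print(f"event {index}: {triage}")
```

The image check is why the last sample does not fire: the rule keys on the netsh.exe process itself, so a port proxy created from a PowerShell or cmd wrapper is caught on the child netsh.exe process-creation event, not on the parent. For triage, the extracted connectaddress and listenport are the fields to compare against approved configuration changes.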
Categories
  • Windows
  • Network
  • Endpoint
Data Sources
  • Process
  • Command
  • Application Log
Created: 2019-01-29