
New PortProxy Registry Entry Added

Sigma Rules

Summary
This detection rule flags registry events that create or modify values under the PortProxy key, where Windows stores its TCP port forwarding (portproxy) configuration. A portproxy entry makes the host listen on one address and port and relay incoming TCP connections to another address and port; it is normally created with `netsh interface portproxy add v4tov4`. Attackers use the feature to pivot through a compromised host, tunnel command-and-control traffic, or expose an internal service to the outside, often bypassing network controls that only watch the perimeter or that treat the relaying host as trusted. The rule matches events whose target object contains 'HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp\'; the detection is a single selection on that path, and any match is reported. Because legitimate administrators rarely configure portproxy, a hit usually warrants a look at the listen and connect endpoints stored in the value (the value name is listenaddress/listenport, its data connectaddress/connectport) and at the process that wrote it. Two caveats for deployment: registry value-set events for this key must actually be collected (for example Sysmon Event ID 12/13 with a rule covering the PortProxy path), and the path as written only covers IPv4-to-IPv4 TCP forwarders, so entries under the sibling v4tov6, v6tov4 and v6tov6 keys are not matched.
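The selection described above, run over constructed Sysmon-style registry events, as an added example (it is not part of the Sigma rule or this page; the event layout, the process images, the addresses and the broader `matches_any_portproxy` variant are assumptions built to illustrate the check):

```python
import re
from dataclasses import dataclass
from typing import Optional

# Registry key the rule keys on (as stated in the summary). Only IPv4-to-IPv4 TCP
# entries live here; v4tov6, v6tov4 and v6tov6 portproxy entries sit under sibling keys.
PORTPROXY_V4TOV4_TCP = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp\\"
PORTPROXY_ROOT = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\PortProxy\\"

# Constructed sample events in the shape of Sysmon registry events
# (EventID 12 = key/value create, 13 = value set). Images and addresses are made up.
SAMPLE_EVENTS = [
    {   # netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=4444
        #   connectaddress=10.0.0.5 connectport=3389
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\netsh.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp\\0.0.0.0/4444",
        "Details": "10.0.0.5/3389",
    },
    {   # unrelated service parameter change, must not match
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\svchost.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\DhcpNameServer",
        "Details": "10.0.0.1",
    },
    {   # IPv4-to-IPv6 forwarder: a real portproxy entry the v4tov4-only rule misses
        "EventID": 13,
        "Image": "C:\\Windows\\System32\\netsh.exe",
        "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov6\\tcp\\*/8080",
        "Details": "fd00::5/80",
    },
]


def matches_rule(event: dict) -> bool:
    """The rule's single selection: TargetObject|contains the v4tov4 TCP key.
    Sigma string matching is case-insensitive, so compare lowercased forms
    (Sysmon renders the hive as 'HKLM\\System\\...', the rule writes 'SYSTEM')."""
    return PORTPROXY_V4TOV4_TCP.lower() in event.get("TargetObject", "").lower()


def matches_any_portproxy(event: dict) -> bool:
    """Broader variant (an assumption, not the page's rule): any value under the
    PortProxy root, so the other three address-family combinations are covered too."""
    return PORTPROXY_ROOT.lower() in event.get("TargetObject", "").lower()


@dataclass
class PortProxyEntry:
    listen_address: str
    listen_port: int
    connect_address: str
    connect_port: int


_ENDPOINT = re.compile(r"(.+)/(\d+)")


def parse_portproxy_entry(event: dict) -> Optional[PortProxyEntry]:
    """Windows stores each forwarder as a value named listenaddress/listenport whose
    REG_SZ data is connectaddress/connectport. Returns None when the event does not
    carry a complete pair (e.g. a bare key-create event with no data)."""
    value_name = event.get("TargetObject", "").rsplit("\\", 1)[-1]
    listen = _ENDPOINT.fullmatch(value_name)
    connect = _ENDPOINT.fullmatch(event.get("Details", ""))
    if not (listen and connect):
        return None
    return PortProxyEntry(listen.group(1), int(listen.group(2)),
                          connect.group(1), int(connect.group(2)))


def triage(events, selector=matches_rule):
    """Apply a selector to a batch of events; return (event, parsed entry) per hit so
    an analyst sees the listen/connect endpoints and the writing process at a glance."""
    return [(e, parse_portproxy_entry(e)) for e in events if selector(e)]


if __name__ == "__main__":
    for event, entry in triage(SAMPLE_EVENTS):
        print(f"{event['Image']} wrote {event['TargetObject']}")
        if entry:
            print(f"  listen {entry.listen_address}:{entry.listen_port}"
                  f" -> connect {entry.connect_address}:{entry.connect_port}")
```

Run as written, only the netsh v4tov4 event is reported; the v4tov6 forwarder is a true portproxy entry that the rule's path misses, which is why `matches_any_portproxy` is shown alongside it for sites that want the whole PortProxy tree covered.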
Categories
  • Endpoint
  • Windows
  • Network
Data Sources
  • Windows Registry
Created: 2021-06-22