Port Forwarding Rule Addition

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, identifies the creation of new port forwarding rules on a Windows host by watching for modifications to the Windows registry. Such activity can indicate an adversary bypassing network segmentation restrictions by using the compromised host as a jump point to reach otherwise unreachable systems. The rule monitors the `HKLM\SYSTEM\*ControlSet*\Services\PortProxy\v4tov4\` subkeys for changes that could facilitate lateral movement within a network. It carries a risk score of 47 (medium severity) and recommends a thorough investigation whenever it triggers. Investigators are instructed to review the execution chain of the processes involved, confirm that the user account is authorized to make the change, and assess the broader network activity surrounding the event, with particular emphasis on distinguishing legitimate administrative actions from potentially harmful modifications. For confirmed detections, the recommended incident response steps are to delete the unauthorized port forwarding rule, isolate the affected host, and run comprehensive malware scans.
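As an added illustration (not part of the Elastic rule or this page), the following Python applies the rule's registry-path pattern to constructed registry-modification events and decodes each matching PortProxy value into the listen and connect endpoints an analyst would want on the alert; the event field names and the sample hosts, users and addresses are assumptions.

```python
import fnmatch

# Registry path the Elastic rule watches (taken from the summary above).
PORTPROXY_PATTERN = r"HKLM\SYSTEM\*ControlSet*\Services\PortProxy\v4tov4\*"
RISK_SCORE, SEVERITY = 47, "medium"

# Constructed sample registry-modification events, not real telemetry.
# Under v4tov4\tcp the value name is "listenaddr/listenport" and the data
# is "connectaddr/connectport", which is the layout netsh uses for a portproxy rule.
SAMPLE_EVENTS = [
    {"host": "ws01", "process": "netsh.exe", "user": r"CORP\jdoe",
     "path": r"HKLM\SYSTEM\ControlSet001\Services\PortProxy\v4tov4\tcp\*/4444",
     "data": "10.10.20.5/3389"},
    {"host": "ws01", "process": "svchost.exe", "user": r"NT AUTHORITY\SYSTEM",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain",
     "data": "corp.example"},
    {"host": "srv02", "process": "netsh.exe", "user": r"CORP\svc-admin",
     "path": r"HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp\0.0.0.0/8080",
     "data": "192.168.50.7/80"},
]

def matches_portproxy(path: str) -> bool:
    """Case-insensitive wildcard match; fnmatchcase keeps behaviour identical across OSes."""
    return fnmatch.fnmatchcase(path.lower(), PORTPROXY_PATTERN.lower())

def decode_portproxy(path: str, data: str) -> dict:
    """Split value name and data into the listen and connect endpoints of the forward."""
    value_name = path.rsplit("\\", 1)[-1]
    listen_addr, listen_port = value_name.split("/") if "/" in value_name else ("*", value_name)
    connect_addr, connect_port = data.split("/")
    return {"listen_addr": listen_addr, "listen_port": int(listen_port),
            "connect_addr": connect_addr, "connect_port": int(connect_port)}

def evaluate(events: list) -> list:
    """Return one alert per PortProxy v4tov4 modification, with triage context attached."""
    alerts = []
    for ev in events:
        if not matches_portproxy(ev["path"]):
            continue
        alert = {"host": ev["host"], "process": ev["process"], "user": ev["user"],
                 "risk_score": RISK_SCORE, "severity": SEVERITY}
        alert.update(decode_portproxy(ev["path"], ev["data"]))
        alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f"[{a['severity']}/{a['risk_score']}] {a['host']} {a['user']} via {a['process']}: "
              f"{a['listen_addr']}:{a['listen_port']} -> {a['connect_addr']}:{a['connect_port']}")
```

The process and user fields on each alert are the starting points for the triage the rule recommends: who made the change and through which execution chain.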
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Network Traffic
  • Application Log
  • Process
ATT&CK Techniques
  • T1572
  • T1112
Created: 2020-11-25