MITRE ATT&CK® Analytic

AN1233: Analytic 1233

Dynamic or static port forwarding rules added to route traffic through an internal host, or configuration changes to proxy firewall rules not aligned with baselined policy.

Enterprise | AN1233 | Analytic object | v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

AN1233 highlights a network-device configuration risk: new dynamic or static port forwarding, or proxy firewall rule changes, that route traffic through an internal host and do not match the approved baseline. For leaders, the practical issue is not the rule change itself, but whether the organization can prove that network path changes are authorized, reviewed, and visible before they create hidden access paths or bypass expected segmentation.

Executive priority

Prioritize this analytic where business continuity depends on controlled network paths, firewall policy governance, and audit-ready change management. Executives should ask whether teams can rapidly distinguish approved network changes from unexpected forwarding or proxy rule changes, and whether SOC, network operations, and incident response teams share the same baseline of permitted policy.

Technical view

For SOC and detection teams, validate visibility into network-device configuration changes involving port forwarding and proxy firewall rules. Because ATT&CK does not provide an official detection implementation for this analytic, coverage depends on local baselines: approved firewall policy, change tickets, configuration snapshots, and logs showing who changed what, when, and on which device. IR teams should be prepared to compare the current device configuration against known-good policy and determine whether traffic is being routed through an internal host outside the approved design.

Likely telemetry

  • Network device configuration change logs
  • Firewall and proxy policy change records
  • Configuration snapshots or backups for network devices
  • Change-management approvals or tickets tied to firewall/proxy updates
  • Administrative authentication and command/audit logs from network devices

Detection direction

  • Baseline approved dynamic and static port forwarding rules and proxy firewall policies, then alert on deviations.
  • Correlate configuration changes with authorized change records to reduce false positives from planned maintenance.
  • Tune for high-risk changes that route traffic through internal hosts or alter proxy behavior outside documented policy.
  • Validate that device logs capture the actor, timestamp, target device, and specific rule or configuration object changed.
  • Account for blind spots where configuration changes are made out-of-band, logs are not centralized, or approved baselines are outdated.

Mitigation priorities

  • Maintain an authoritative baseline for firewall, proxy, and forwarding configurations on Network Devices.
  • Require documented approval and review for port forwarding and proxy firewall rule changes.
  • Centralize and retain network device configuration and administrative audit logs.
  • Periodically compare running configurations against approved policy and investigate drift.
  • Limit administrative access to network devices and ensure privileged changes are attributable to named accounts where possible.
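
One way to implement the baseline comparison called for in the detection and mitigation lists above, as an added example that is not Glexia's or MITRE's code: it diffs a running-config snapshot against the approved forwarding-rule baseline, attributes each new rule to a change ticket where one covers that device and the observation date, and rates any uncovered rule that routes traffic to an internal (RFC 1918) host as high. The simplified `forward ...` rule syntax, device name, addresses and ticket records are constructed placeholders, not any vendor's format.

```python
# Added example for this page (not Glexia's or MITRE's code): baseline-drift
# check for port-forwarding rules. The rule syntax 'forward <device> <proto>
# <ext_port> -> <internal_host>:<int_port>', baseline, snapshot and change
# tickets are all constructed.
import ipaddress
import re

RULE_RE = re.compile(r"^forward (\S+) (tcp|udp) (\d+) -> ([\d.]+):(\d+)$")

# Constructed: the approved, baselined forwarding policy for the device.
APPROVED_BASELINE = {"forward fw-edge-01 tcp 443 -> 10.20.0.15:8443"}

# Constructed running-config snapshot: 443 matches the baseline, 8080 is
# covered by a change ticket, 3389 is not.
RUNNING_CONFIG = """\
forward fw-edge-01 tcp 443 -> 10.20.0.15:8443
forward fw-edge-01 tcp 3389 -> 10.20.0.77:3389
forward fw-edge-01 tcp 8080 -> 10.20.0.9:8080
"""

# Constructed change-management records (ISO dates compare as strings).
CHANGE_TICKETS = [
    {"id": "CHG-1042", "device": "fw-edge-01", "start": "2026-01-10",
     "end": "2026-01-12", "rule": "forward fw-edge-01 tcp 8080 -> 10.20.0.9:8080"},
]

def parse_rules(text):
    """Parse a snapshot into a set of rule strings; reject unknown lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    bad = [ln for ln in lines if not RULE_RE.match(ln)]
    if bad:
        raise ValueError(f"unparseable rules: {bad}")
    return set(lines)

def assess_drift(running_text, baseline, tickets, observed_on):
    """Classify each snapshot rule absent from the baseline as
    'authorized_change:<ticket>' or 'unauthorized:<severity>'; severity is
    'high' when traffic is routed to an RFC 1918 (internal) host."""
    findings = {}
    for rule in sorted(parse_rules(running_text) - baseline):
        device, target = RULE_RE.match(rule).group(1, 4)
        ticket = next((t for t in tickets if t["device"] == device and t["rule"] == rule
                       and t["start"] <= observed_on <= t["end"]), None)
        if ticket is not None:
            findings[rule] = f"authorized_change:{ticket['id']}"
        else:
            severity = "high" if ipaddress.ip_address(target).is_private else "medium"
            findings[rule] = f"unauthorized:{severity}"
    return findings
```

Rules that were removed from the baseline are a second form of drift worth reporting in the same pass; the block above covers only additions.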

Analyst notes and limits

This is a detection analytic object for Network Devices with no tactics, relationships, or official detection text supplied. The strongest use is as a governance and detection-validation prompt: confirm whether the organization can identify unauthorized forwarding or proxy policy drift and connect changes back to approved business need.

The supplied ATT&CK fields do not identify related techniques, adversary use, impact, or a specific detection query. Local device types, logging capability, network architecture, and change-management quality determine practical coverage.

Official MITRE ATT&CK definition

Analytic 1233

Dynamic or static port forwarding rules added to route traffic through an internal host, or configuration changes to proxy firewall rules not aligned with baselined policy.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 2d8f45f8867f8544...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   2d8f45f8867f…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1233 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.