1. Home
  2. Software
  3. netsh

netsh

netsh is a scripting utility used to interact with networking components on local or remote systems. [1]

ID: S0108
Associated Software: netsh.exe
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 31 March 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1546 .007 Event Triggered Execution: Netsh Helper DLL

netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed.[2]
Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

netsh can be used to disable local firewall settings.[1][3]
Enterprise T1090 Proxy

netsh can be used to set up a proxy tunnel to allow remote host access to an infected host.[4]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

netsh can be used to discover system firewall settings.[1][3]

Groups That Use This Software

ID Name References
G0008 Carbanak

[5]
G0032 Lazarus Group

[6]
G0074 Dragonfly 2.0

[7]
G0019 Naikon

[8]
G0050 APT32

[9]

References

  1. Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
  2. Demaske, M. (2016, September 23). USING NETSHELL TO EXECUTE EVIL DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017.
  3. Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016.
  4. Kaspersky Lab's Global Research and Analysis Team. (2017, February 8). Fileless attacks against enterprise networks. Retrieved February 8, 2017.
  5. Group-IB and Fox-IT. (2014, December). Anunak: APT against financial institutions. Retrieved April 20, 2016.
  1. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  2. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  3. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  4. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.