netsh.exe
- File Path:
C:\windows\system32\netsh.exe
- Description: Network Command Shell
Hashes
Type | Hash |
---|---|
MD5 | 5E1B10477EF43893470C8E4D76CB68F2 |
SHA1 | 74FC4C5A24F6FDE2D8492A58624094065C8F4ACA |
SHA256 | 71131C1535887FAC329EDCA024DBED4C6A2BDC4F9E91CE2443EE359016521836 |
SHA384 | BF376E2CF4948E1CD1F1189F583D70923F9D03F4E853F2FECCC7A4C913B3DF052C5466318E272E23DECD21550B6B9B40 |
SHA512 | FDB7C3C55FE4165FC8D1F9DA91A9C48DB7ED940AB59BFB9E1F1DEECBF7317BDC69DF80E4613A7C211F8DB422B95CC3EDAB4202C01F5629C43E030CA535B97AF2 |
SSDEEP | 1536:/FVbOdPjb9ZuPvDstdCkEnQrlVETxwzaMEjaWwIv/:dw9hLJPlVEtw2xn3 |
Signature
- Status: The file C:\windows\system32\netsh.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: netsh.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of netsh.exe
being misused. While netsh.exe
is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_apt_wocao.yml | - 'netsh advfirewall firewall add rule name=powershell dir=in' |
DRL 1.0 |
sigma | proc_creation_win_multiple_suspicious_cli.yml | - netsh.exe |
DRL 1.0 |
sigma | proc_creation_win_netsh_allow_port_rdp.yml | title: Netsh RDP Port Opening |
DRL 1.0 |
sigma | proc_creation_win_netsh_allow_port_rdp.yml | description: Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware |
DRL 1.0 |
sigma | proc_creation_win_netsh_allow_port_rdp.yml | - netsh |
DRL 1.0 |
sigma | proc_creation_win_netsh_fw_add.yml | title: Netsh Port or Application Allowed |
DRL 1.0 |
sigma | proc_creation_win_netsh_fw_add.yml | Image\|endswith: '\netsh.exe' |
DRL 1.0 |
sigma | proc_creation_win_netsh_fw_add.yml | - '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any' |
DRL 1.0 |
sigma | proc_creation_win_netsh_fw_add.yml | - '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any' |
DRL 1.0 |
sigma | proc_creation_win_netsh_fw_add_susp_image.yml | title: Netsh Program Allowed with Suspcious Location |
DRL 1.0 |
sigma | proc_creation_win_netsh_fw_add_susp_image.yml | description: Detects Netsh commands that allows a suspcious application location on Windows Firewall |
DRL 1.0 |
sigma | proc_creation_win_netsh_fw_add_susp_image.yml | Image\|endswith: '\netsh.exe' |
DRL 1.0 |
sigma | proc_creation_win_netsh_fw_enable_group_rule.yml | title: Netsh Allow Group Policy on Microsoft Defender Firewall |
DRL 1.0 |
sigma | proc_creation_win_netsh_fw_enable_group_rule.yml | - https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior |
DRL 1.0 |
sigma | proc_creation_win_netsh_fw_enable_group_rule.yml | Image\|endswith: '\netsh.exe' |
DRL 1.0 |
sigma | proc_creation_win_netsh_packet_capture.yml | title: Capture a Network Trace with netsh.exe |
DRL 1.0 |
sigma | proc_creation_win_netsh_packet_capture.yml | description: Detects capture a network trace via netsh.exe trace functionality |
DRL 1.0 |
sigma | proc_creation_win_netsh_packet_capture.yml | - netsh |
DRL 1.0 |
sigma | proc_creation_win_netsh_packet_capture.yml | - Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason |
DRL 1.0 |
sigma | proc_creation_win_netsh_port_fwd.yml | title: Netsh Port Forwarding |
DRL 1.0 |
sigma | proc_creation_win_netsh_port_fwd.yml | description: Detects netsh commands that configure a port forwarding (PortProxy) |
DRL 1.0 |
sigma | proc_creation_win_netsh_port_fwd.yml | - https://adepts.of0x.cc/netsh-portproxy-code/ |
DRL 1.0 |
sigma | proc_creation_win_netsh_port_fwd.yml | Image\|endswith: '\netsh.exe' |
DRL 1.0 |
sigma | proc_creation_win_netsh_port_fwd_3389.yml | title: Netsh RDP Port Forwarding |
DRL 1.0 |
sigma | proc_creation_win_netsh_port_fwd_3389.yml | description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP |
DRL 1.0 |
sigma | proc_creation_win_netsh_port_fwd_3389.yml | Image\|endswith: '\netsh.exe' |
DRL 1.0 |
sigma | proc_creation_win_netsh_wifi_credential_harvesting.yml | title: Harvesting of Wifi Credentials Using netsh.exe |
DRL 1.0 |
sigma | proc_creation_win_netsh_wifi_credential_harvesting.yml | description: Detect the harvesting of wifi credentials using netsh.exe |
DRL 1.0 |
sigma | proc_creation_win_netsh_wifi_credential_harvesting.yml | Image\|endswith: '\netsh.exe' |
DRL 1.0 |
sigma | proc_creation_win_netsh_wifi_credential_harvesting.yml | - Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason |
DRL 1.0 |
sigma | proc_creation_win_renamed_binary.yml | - 'netsh.exe' |
DRL 1.0 |
sigma | proc_creation_win_renamed_binary.yml | - '\netsh.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_firewall_disable.yml | title: Firewall Disabled via Netsh |
DRL 1.0 |
sigma | proc_creation_win_susp_firewall_disable.yml | description: Detects netsh commands that turns off the Windows firewall |
DRL 1.0 |
sigma | proc_creation_win_susp_firewall_disable.yml | - netsh |
DRL 1.0 |
sigma | proc_creation_win_susp_netsh_command.yml | title: Suspicious Netsh Discovery Command |
DRL 1.0 |
sigma | proc_creation_win_susp_netsh_command.yml | - 'netsh ' |
DRL 1.0 |
sigma | proc_creation_win_susp_netsh_dll_persistence.yml | title: Suspicious Netsh DLL Persistence |
DRL 1.0 |
sigma | proc_creation_win_susp_netsh_dll_persistence.yml | description: Detects persitence via netsh helper |
DRL 1.0 |
sigma | proc_creation_win_susp_netsh_dll_persistence.yml | Image\|endswith: '\netsh.exe' |
DRL 1.0 |
sigma | proc_creation_win_susp_network_command.yml | - 'netsh interface show interface' |
DRL 1.0 |
sigma | proc_creation_win_susp_spoolsv_child_processes.yml | Image\|endswith: \netsh.exe |
DRL 1.0 |
sigma | registry_event_portproxy_registry_key.yml | - https://adepts.of0x.cc/netsh-portproxy-code/ |
DRL 1.0 |
LOLBAS | Netsh.yml | Name: Netsh.exe |
|
LOLBAS | Netsh.yml | netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>) |
|
LOLBAS | Netsh.yml | netsh.exe trace show status |
|
LOLBAS | Netsh.yml | - Command: netsh.exe add helper C:\Path\file.dll |
|
LOLBAS | Netsh.yml | Description: Load (execute) NetSh.exe helper DLL file. |
|
LOLBAS | Netsh.yml | - Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 |
|
LOLBAS | Netsh.yml | Name: Netsh.exe |
|
LOLBAS | Netsh.yml | Description: Netsh is a Windows tool used to manipulate network interface settings. |
|
LOLBAS | Netsh.yml | - Command: netsh.exe add helper C:\Users\User\file.dll |
|
LOLBAS | Netsh.yml | Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called |
|
LOLBAS | Netsh.yml | - Path: C:\WINDOWS\System32\Netsh.exe |
|
LOLBAS | Netsh.yml | - Path: C:\WINDOWS\SysWOW64\Netsh.exe |
|
LOLBAS | Netsh.yml | - IOC: Netsh initiating a network connection |
|
malware-ioc | misp_invisimole.json | "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n\n### Windows\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.\n\n### Mac\n\nIt's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.", |
© ESET 2014-2018 |
atomic-red-team | index.md | - T1546.007 Netsh Helper DLL | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #1: Netsh Helper DLL Registration [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - T1546.007 Netsh Helper DLL | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: Netsh Helper DLL Registration [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | matrix.md | | | | Local Account | Netsh Helper DLL | File Deletion | Unsecured Credentials CONTRIBUTE A TEST | | | | | | | | MIT License. © 2018 Red Canary |
atomic-red-team | matrix.md | | | | Netsh Helper DLL | Path Interception by Search Order Hijacking CONTRIBUTE A TEST | Hidden Files and Directories | | | | | | | | | MIT License. © 2018 Red Canary |
atomic-red-team | windows-matrix.md | | | | Logon Script (Windows) | Netsh Helper DLL | File and Directory Permissions Modification CONTRIBUTE A TEST | Silver Ticket CONTRIBUTE A TEST | | | | | Traffic Signaling CONTRIBUTE A TEST | | | MIT License. © 2018 Red Canary |
atomic-red-team | windows-matrix.md | | | | Netsh Helper DLL | Parent PID Spoofing | Hidden File System CONTRIBUTE A TEST | Steal or Forge Kerberos Tickets CONTRIBUTE A TEST | | | | | Web Service CONTRIBUTE A TEST | | | MIT License. © 2018 Red Canary |
atomic-red-team | T1016.md | netsh interface show interface | MIT License. © 2018 Red Canary |
atomic-red-team | T1016.md | Enumerates Windows Firewall Rules using netsh. | MIT License. © 2018 Red Canary |
atomic-red-team | T1016.md | Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout. | MIT License. © 2018 Red Canary |
atomic-red-team | T1016.md | netsh advfirewall firewall show rule name=all | MIT License. © 2018 Red Canary |
atomic-red-team | T1021.001.md | netsh advfirewall firewall add rule name=”RDPPORTLatest-TCP-In” dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port} | MIT License. © 2018 Red Canary |
atomic-red-team | T1021.001.md | netsh advfirewall firewall delete rule name=”RDPPORTLatest-TCP-In” >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1040.md | netsh trace start capture=yes tracefile=%temp%\trace.etl maxsize=10 | MIT License. © 2018 Red Canary |
atomic-red-team | T1040.md | netsh trace stop >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1090.001.md | Upon execution there will be a new proxy entry in netsh | MIT License. © 2018 Red Canary |
atomic-red-team | T1090.001.md | netsh interface portproxy show all | MIT License. © 2018 Red Canary |
atomic-red-team | T1090.001.md | netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress} | MIT License. © 2018 Red Canary |
atomic-red-team | T1090.001.md | netsh interface portproxy delete v4tov4 listenport=#{listenport} -ErrorAction Ignore | Out-Null | MIT License. © 2018 Red Canary |
atomic-red-team | T1518.001.md | Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. |
MIT License. © 2018 Red Canary |
atomic-red-team | T1518.001.md | netsh.exe advfirewall show allprofiles | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.007.md | # T1546.007 - Netsh Helper DLL | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.007.md | <blockquote>Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh . |
MIT License. © 2018 Red Canary |
atomic-red-team | T1546.007.md | Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)</blockquote> | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.007.md | - Atomic Test #1 - Netsh Helper DLL Registration | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.007.md | ## Atomic Test #1 - Netsh Helper DLL Registration | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.007.md | Netsh interacts with other operating system components using dynamic-link library (DLL) files | MIT License. © 2018 Red Canary |
atomic-red-team | T1546.007.md | netsh.exe add helper #{helper_file} | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.004.md | netsh advfirewall set currentprofile state off | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.004.md | netsh advfirewall set currentprofile state on >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.004.md | netsh advfirewall firewall set rule group=”remote desktop” new enable=Yes | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.004.md | netsh advfirewall firewall set rule group=”file and printer sharing” new enable=Yes | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.004.md | netsh advfirewall reset >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.004.md | netsh advfirewall firewall add rule name=”atomic testing” action=allow dir=in protocol=TCP localport=450 | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.004.md | netsh advfirewall firewall delete rule name=”atomic testing” protocol=TCP localport=450 >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.004.md | netsh advfirewall firewall add rule name=”Open Port to Any” dir=in protocol=tcp localport=#{local_port} action=allow profile=any | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.004.md | netsh advfirewall firewall delete rule name=”Open Port to Any” | Out-Null | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.004.md | netsh advfirewall firewall add rule name=”Atomic Test” dir=in action=allow program=”C:\Users$env:UserName\AtomicTest.exe” enable=yes | MIT License. © 2018 Red Canary |
atomic-red-team | T1562.004.md | netsh advfirewall firewall delete rule name=”Atomic Test” | Out-Null | MIT License. © 2018 Red Canary |
signature-base | apt_ar18_165a.yar | $s1 = “netsh.exe advfirewall firewall add rule name="PortOpenning" dir=in protocol=tcp localport=%d action=allow enable=yes” fullword wide | CC BY-NC 4.0 |
signature-base | apt_ar18_165a.yar | $s2 = “netsh.exe firewall add portopening TCP %d "PortOpenning" enable” fullword wide | CC BY-NC 4.0 |
signature-base | apt_lazarus_aug20.yar | $str_netsh_1 = “netsh firewall add portopening TCP %d” ascii wide nocase | CC BY-NC 4.0 |
signature-base | apt_lazarus_aug20.yar | $str_netsh_2 = “netsh firewall delete portopening TCP %d” ascii wide nocase | CC BY-NC 4.0 |
signature-base | crime_phish_gina_dec15.yar | $s1 = “netsh.exe” fullword wide | CC BY-NC 4.0 |
signature-base | gen_malware_set_qa.yar | $s6 = “netsh firewall delete allowedprogram” fullword wide | CC BY-NC 4.0 |
signature-base | gen_mal_backnet.yar | $s3 = “/C netsh wlan show profile” wide | CC BY-NC 4.0 |
signature-base | gen_rats_malwareconfig.yar | $s2 = “netsh firewall add allowedprogram” wide | CC BY-NC 4.0 |
signature-base | gen_suspicious_strings.yar | description = “Detects a suspicious command line with netsh and the portproxy command” | CC BY-NC 4.0 |
signature-base | gen_suspicious_strings.yar | reference = “https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy” | CC BY-NC 4.0 |
signature-base | gen_suspicious_strings.yar | $x1 = “netsh interface portproxy add v4tov4 listenport=” ascii | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
netsh
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016
The Network Shell command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a currently running computer. You can start this utility at the command prompt or in Windows PowerShell.
Syntax
netsh [-a <Aliasfile>][-c <Context>][-r <Remotecomputer>][-u [<domainname>\<username>][-p <Password> | [{<NetshCommand> | -f <scriptfile>}]
Parameters
Parameter | Description |
---|---|
-a <Aliasfile> |
Specifies that you are returned to the netsh prompt after running Aliasfile and the name of the text file that contains one or more netsh commands. |
-c <Context> |
Specifies that netsh enters the specified netsh context and the netsh context to enter. |
-r <Remotecomputer> |
Specifies the remote computer to configure.<p>Important: If you use this parameter, you must make sure the Remote Registry service is running on the remote computer. If it isn’t running, Windows displays a “Network Path Not Found†error message. |
-u <domainname>\<username> |
Specifies the domain and user account name to use while running the netsh command under a user account. If you omit the domain, the local domain is used by default. |
-p <Password> |
Specifies the password for the user account specified by the -u <username> parameter. |
<NetshCommand> |
Specifies the netsh command to run. |
-f <scriptfile> |
Exits the netsh command after running the specified script file. |
/? | Displays help at the command prompt. |
Remarks
-
If you specify -r followed by another command, netsh runs the command on the remote computer and then returns to the Cmd.exe command prompt. If you specify -r without another command, netsh opens in remote mode. The process is similar to using set machine at the Netsh command prompt. When you use -r, you set the target computer for the current instance of netsh only. After you exit and reenter netsh, the target computer is reset as the local computer. You can run netsh commands on a remote computer by specifying a computer name stored in WINS, a UNC name, an Internet name to be resolved by the DNS server, or an IP address.
-
If your string value contains spaces between characters, you must enclose the string value in quotation marks. For example,
-r "contoso remote device"
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.