netsh.exe

• File Path: C:\Windows\system32\netsh.exe
• Description: Network Command Shell

Hashes

Type	Hash
MD5	6F1E6DD688818BC3D1391D0CC7D597EB
SHA1	9184E64C36629A1DCEF084E19CC3E3BEF78F2D7B
SHA256	6B691B06FA865F52C9484EF4F10E2E02ED6D7C3A3F474B8B138A33AF7258B2A9
SHA384	74019373E67C55140F8E420FACCDC47311D23CB4A77DD47293E6999A6721B79EC9D0D4C0A16D6DA112299DBF5D49AB39
SHA512	92BB25170B96980CA688DE629220D0321BA3601F6396456BE462E432C5CE958D29DD52F728A7FA992B16F82D456F017809A9E9138E3C2608832469D0F007AF24
SSDEEP	1536:VwF6OfZyb85Gj8fgKoc43C3RagjPpr0HJ6HpfbFqgu9:VszRBGj8gKou38gjPp0p6HpTQge
IMP	90B4317BE51850B8EF9F14EB56FB7DDC
PESHA1	9E5648571DDF8849C0F2C51E7D756306088D00EE
PE256	B91D3DA216D32ABA80D9B1F826E6B063E9A039033C3AB2485D117F77B616159A

Runtime Data

Usage (stdout):

Usage: C:\Windows\system32\netsh.exe [-a AliasFile] [-c Context] [-r RemoteMachine] [-u [DomainName\]UserName] [-p Password | *]
             [Command | -f ScriptFile]

The following commands are available:

Commands in this context:
?              - Displays a list of commands.
add            - Adds a configuration entry to a list of entries.
advfirewall    - Changes to the `netsh advfirewall' context.
branchcache    - Changes to the `netsh branchcache' context.
bridge         - Changes to the `netsh bridge' context.
delete         - Deletes a configuration entry from a list of entries.
dhcpclient     - Changes to the `netsh dhcpclient' context.
dnsclient      - Changes to the `netsh dnsclient' context.
dump           - Displays a configuration script.
exec           - Runs a script file.
firewall       - Changes to the `netsh firewall' context.
help           - Displays a list of commands.
http           - Changes to the `netsh http' context.
interface      - Changes to the `netsh interface' context.
ipsec          - Changes to the `netsh ipsec' context.
lan            - Changes to the `netsh lan' context.
mbn            - Changes to the `netsh mbn' context.
namespace      - Changes to the `netsh namespace' context.
netio          - Changes to the `netsh netio' context.
p2p            - Changes to the `netsh p2p' context.
ras            - Changes to the `netsh ras' context.
rpc            - Changes to the `netsh rpc' context.
set            - Updates configuration settings.
show           - Displays information.
trace          - Changes to the `netsh trace' context.
wcn            - Changes to the `netsh wcn' context.
wfp            - Changes to the `netsh wfp' context.
winhttp        - Changes to the `netsh winhttp' context.
winsock        - Changes to the `netsh winsock' context.
wlan           - Changes to the `netsh wlan' context.

The following sub-contexts are available:
 advfirewall branchcache bridge dhcpclient dnsclient firewall http interface ipsec lan mbn namespace netio p2p ras rpc trace wcn wfp winhttp winsock wlan

To view help for a command, type the command, followed by a space, and then
 type ?.

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\system32\netsh.exe
C:\Windows\SYSTEM32\ntdll.dll

Signature

• Status: Signature verified.
• Serial: 3300000266BD1580EFA75CD6D3000000000266
• Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
• Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
• Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

• Original Filename: netsh.exe.mui
• Product Name: Microsoft Windows Operating System
• Company Name: Microsoft Corporation
• File Version: 10.0.19041.1 (WinBuild.160101.0800)
• Product Version: 10.0.19041.1
• Language: English (United States)
• Legal Copyright: Microsoft Corporation. All rights reserved.
• Machine Type: 64-bit

File Scan

• VirusTotal Detections: 0/76
• VirusTotal Link: https://www.virustotal.com/gui/file/6b691b06fa865f52c9484ef4f10e2e02ed6d7c3a3f474b8b138a33af7258b2a9/detection

Possible Misuse

The following table contains possible examples of netsh.exe being misused. While netsh.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_apt_wocao.yml	- 'netsh advfirewall firewall add rule name=powershell dir=in'	DRL 1.0
sigma	proc_creation_win_multiple_suspicious_cli.yml	- netsh.exe	DRL 1.0
sigma	proc_creation_win_netsh_allow_port_rdp.yml	title: Netsh RDP Port Opening	DRL 1.0
sigma	proc_creation_win_netsh_allow_port_rdp.yml	description: Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware	DRL 1.0
sigma	proc_creation_win_netsh_allow_port_rdp.yml	- netsh	DRL 1.0
sigma	proc_creation_win_netsh_fw_add.yml	title: Netsh Port or Application Allowed	DRL 1.0
sigma	proc_creation_win_netsh_fw_add.yml	Image\|endswith: '\netsh.exe'	DRL 1.0
sigma	proc_creation_win_netsh_fw_add.yml	- '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'	DRL 1.0
sigma	proc_creation_win_netsh_fw_add.yml	- '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any'	DRL 1.0
sigma	proc_creation_win_netsh_fw_add_susp_image.yml	title: Netsh Program Allowed with Suspcious Location	DRL 1.0
sigma	proc_creation_win_netsh_fw_add_susp_image.yml	description: Detects Netsh commands that allows a suspcious application location on Windows Firewall	DRL 1.0
sigma	proc_creation_win_netsh_fw_add_susp_image.yml	Image\|endswith: '\netsh.exe'	DRL 1.0
sigma	proc_creation_win_netsh_fw_enable_group_rule.yml	title: Netsh Allow Group Policy on Microsoft Defender Firewall	DRL 1.0
sigma	proc_creation_win_netsh_fw_enable_group_rule.yml	- https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior	DRL 1.0
sigma	proc_creation_win_netsh_fw_enable_group_rule.yml	Image\|endswith: '\netsh.exe'	DRL 1.0
sigma	proc_creation_win_netsh_packet_capture.yml	title: Capture a Network Trace with netsh.exe	DRL 1.0
sigma	proc_creation_win_netsh_packet_capture.yml	description: Detects capture a network trace via netsh.exe trace functionality	DRL 1.0
sigma	proc_creation_win_netsh_packet_capture.yml	- netsh	DRL 1.0
sigma	proc_creation_win_netsh_packet_capture.yml	- Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason	DRL 1.0
sigma	proc_creation_win_netsh_port_fwd.yml	title: Netsh Port Forwarding	DRL 1.0
sigma	proc_creation_win_netsh_port_fwd.yml	description: Detects netsh commands that configure a port forwarding (PortProxy)	DRL 1.0
sigma	proc_creation_win_netsh_port_fwd.yml	- https://adepts.of0x.cc/netsh-portproxy-code/	DRL 1.0
sigma	proc_creation_win_netsh_port_fwd.yml	Image\|endswith: '\netsh.exe'	DRL 1.0
sigma	proc_creation_win_netsh_port_fwd_3389.yml	title: Netsh RDP Port Forwarding	DRL 1.0
sigma	proc_creation_win_netsh_port_fwd_3389.yml	description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP	DRL 1.0
sigma	proc_creation_win_netsh_port_fwd_3389.yml	Image\|endswith: '\netsh.exe'	DRL 1.0
sigma	proc_creation_win_netsh_wifi_credential_harvesting.yml	title: Harvesting of Wifi Credentials Using netsh.exe	DRL 1.0
sigma	proc_creation_win_netsh_wifi_credential_harvesting.yml	description: Detect the harvesting of wifi credentials using netsh.exe	DRL 1.0
sigma	proc_creation_win_netsh_wifi_credential_harvesting.yml	Image\|endswith: '\netsh.exe'	DRL 1.0
sigma	proc_creation_win_netsh_wifi_credential_harvesting.yml	- Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason	DRL 1.0
sigma	proc_creation_win_renamed_binary.yml	- 'netsh.exe'	DRL 1.0
sigma	proc_creation_win_renamed_binary.yml	- '\netsh.exe'	DRL 1.0
sigma	proc_creation_win_susp_firewall_disable.yml	title: Firewall Disabled via Netsh	DRL 1.0
sigma	proc_creation_win_susp_firewall_disable.yml	description: Detects netsh commands that turns off the Windows firewall	DRL 1.0
sigma	proc_creation_win_susp_firewall_disable.yml	- netsh	DRL 1.0
sigma	proc_creation_win_susp_netsh_command.yml	title: Suspicious Netsh Discovery Command	DRL 1.0
sigma	proc_creation_win_susp_netsh_command.yml	- 'netsh '	DRL 1.0
sigma	proc_creation_win_susp_netsh_dll_persistence.yml	title: Suspicious Netsh DLL Persistence	DRL 1.0
sigma	proc_creation_win_susp_netsh_dll_persistence.yml	description: Detects persitence via netsh helper	DRL 1.0
sigma	proc_creation_win_susp_netsh_dll_persistence.yml	Image\|endswith: '\netsh.exe'	DRL 1.0
sigma	proc_creation_win_susp_network_command.yml	- 'netsh interface show interface'	DRL 1.0
sigma	proc_creation_win_susp_spoolsv_child_processes.yml	Image\|endswith: \netsh.exe	DRL 1.0
sigma	registry_event_portproxy_registry_key.yml	- https://adepts.of0x.cc/netsh-portproxy-code/	DRL 1.0
LOLBAS	Netsh.yml	Name: Netsh.exe
LOLBAS	Netsh.yml	netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>)
LOLBAS	Netsh.yml	netsh.exe trace show status
LOLBAS	Netsh.yml	- Command: netsh.exe add helper C:\Path\file.dll
LOLBAS	Netsh.yml	Description: Load (execute) NetSh.exe helper DLL file.
LOLBAS	Netsh.yml	- Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
LOLBAS	Netsh.yml	Name: Netsh.exe
LOLBAS	Netsh.yml	Description: Netsh is a Windows tool used to manipulate network interface settings.
LOLBAS	Netsh.yml	- Command: netsh.exe add helper C:\Users\User\file.dll
LOLBAS	Netsh.yml	Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
LOLBAS	Netsh.yml	- Path: C:\WINDOWS\System32\Netsh.exe
LOLBAS	Netsh.yml	- Path: C:\WINDOWS\SysWOW64\Netsh.exe
LOLBAS	Netsh.yml	- IOC: Netsh initiating a network connection
malware-ioc	misp_invisimole.json	"description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n\n### Windows\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.\n\n### Mac\n\nIt's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.",	© ESET 2014-2018
atomic-red-team	index.md	- T1546.007 Netsh Helper DLL	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #1: Netsh Helper DLL Registration [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- T1546.007 Netsh Helper DLL	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #1: Netsh Helper DLL Registration [windows]	MIT License. © 2018 Red Canary
atomic-red-team	matrix.md	| | | Local Account | Netsh Helper DLL | File Deletion | Unsecured Credentials CONTRIBUTE A TEST | | | | | | |	MIT License. © 2018 Red Canary
atomic-red-team	matrix.md	| | | Netsh Helper DLL | Path Interception by Search Order Hijacking CONTRIBUTE A TEST | Hidden Files and Directories | | | | | | | |	MIT License. © 2018 Red Canary
atomic-red-team	windows-matrix.md	| | | Logon Script (Windows) | Netsh Helper DLL | File and Directory Permissions Modification CONTRIBUTE A TEST | Silver Ticket CONTRIBUTE A TEST | | | | | Traffic Signaling CONTRIBUTE A TEST | |	MIT License. © 2018 Red Canary
atomic-red-team	windows-matrix.md	| | | Netsh Helper DLL | Parent PID Spoofing | Hidden File System CONTRIBUTE A TEST | Steal or Forge Kerberos Tickets CONTRIBUTE A TEST | | | | | Web Service CONTRIBUTE A TEST | |	MIT License. © 2018 Red Canary
atomic-red-team	T1016.md	netsh interface show interface	MIT License. © 2018 Red Canary
atomic-red-team	T1016.md	Enumerates Windows Firewall Rules using netsh.	MIT License. © 2018 Red Canary
atomic-red-team	T1016.md	Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout.	MIT License. © 2018 Red Canary
atomic-red-team	T1016.md	netsh advfirewall firewall show rule name=all	MIT License. © 2018 Red Canary
atomic-red-team	T1021.001.md	netsh advfirewall firewall add rule name=”RDPPORTLatest-TCP-In” dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}	MIT License. © 2018 Red Canary
atomic-red-team	T1021.001.md	netsh advfirewall firewall delete rule name=”RDPPORTLatest-TCP-In” >nul 2>&1	MIT License. © 2018 Red Canary
atomic-red-team	T1040.md	netsh trace start capture=yes tracefile=%temp%\trace.etl maxsize=10	MIT License. © 2018 Red Canary
atomic-red-team	T1040.md	netsh trace stop >nul 2>&1	MIT License. © 2018 Red Canary
atomic-red-team	T1090.001.md	Upon execution there will be a new proxy entry in netsh	MIT License. © 2018 Red Canary
atomic-red-team	T1090.001.md	netsh interface portproxy show all	MIT License. © 2018 Red Canary
atomic-red-team	T1090.001.md	netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress}	MIT License. © 2018 Red Canary
atomic-red-team	T1090.001.md	netsh interface portproxy delete v4tov4 listenport=#{listenport} -ErrorAction Ignore | Out-Null	MIT License. © 2018 Red Canary
atomic-red-team	T1518.001.md	Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.	MIT License. © 2018 Red Canary
atomic-red-team	T1518.001.md	netsh.exe advfirewall show allprofiles	MIT License. © 2018 Red Canary
atomic-red-team	T1546.007.md	# T1546.007 - Netsh Helper DLL	MIT License. © 2018 Red Canary
atomic-red-team	T1546.007.md	<blockquote>Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.	MIT License. © 2018 Red Canary
atomic-red-team	T1546.007.md	Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)</blockquote>	MIT License. © 2018 Red Canary
atomic-red-team	T1546.007.md	- Atomic Test #1 - Netsh Helper DLL Registration	MIT License. © 2018 Red Canary
atomic-red-team	T1546.007.md	## Atomic Test #1 - Netsh Helper DLL Registration	MIT License. © 2018 Red Canary
atomic-red-team	T1546.007.md	Netsh interacts with other operating system components using dynamic-link library (DLL) files	MIT License. © 2018 Red Canary
atomic-red-team	T1546.007.md	netsh.exe add helper #{helper_file}	MIT License. © 2018 Red Canary
atomic-red-team	T1562.004.md	netsh advfirewall set currentprofile state off	MIT License. © 2018 Red Canary
atomic-red-team	T1562.004.md	netsh advfirewall set currentprofile state on >nul 2>&1	MIT License. © 2018 Red Canary
atomic-red-team	T1562.004.md	netsh advfirewall firewall set rule group=”remote desktop” new enable=Yes	MIT License. © 2018 Red Canary
atomic-red-team	T1562.004.md	netsh advfirewall firewall set rule group=”file and printer sharing” new enable=Yes	MIT License. © 2018 Red Canary
atomic-red-team	T1562.004.md	netsh advfirewall reset >nul 2>&1	MIT License. © 2018 Red Canary
atomic-red-team	T1562.004.md	netsh advfirewall firewall add rule name=”atomic testing” action=allow dir=in protocol=TCP localport=450	MIT License. © 2018 Red Canary
atomic-red-team	T1562.004.md	netsh advfirewall firewall delete rule name=”atomic testing” protocol=TCP localport=450 >nul 2>&1	MIT License. © 2018 Red Canary
atomic-red-team	T1562.004.md	netsh advfirewall firewall add rule name=”Open Port to Any” dir=in protocol=tcp localport=#{local_port} action=allow profile=any	MIT License. © 2018 Red Canary
atomic-red-team	T1562.004.md	netsh advfirewall firewall delete rule name=”Open Port to Any” | Out-Null	MIT License. © 2018 Red Canary
atomic-red-team	T1562.004.md	netsh advfirewall firewall add rule name=”Atomic Test” dir=in action=allow program=”C:\Users$env:UserName\AtomicTest.exe” enable=yes	MIT License. © 2018 Red Canary
atomic-red-team	T1562.004.md	netsh advfirewall firewall delete rule name=”Atomic Test” | Out-Null	MIT License. © 2018 Red Canary
signature-base	apt_ar18_165a.yar	$s1 = “netsh.exe advfirewall firewall add rule name="PortOpenning" dir=in protocol=tcp localport=%d action=allow enable=yes” fullword wide	CC BY-NC 4.0
signature-base	apt_ar18_165a.yar	$s2 = “netsh.exe firewall add portopening TCP %d "PortOpenning" enable” fullword wide	CC BY-NC 4.0
signature-base	apt_lazarus_aug20.yar	$str_netsh_1 = “netsh firewall add portopening TCP %d” ascii wide nocase	CC BY-NC 4.0
signature-base	apt_lazarus_aug20.yar	$str_netsh_2 = “netsh firewall delete portopening TCP %d” ascii wide nocase	CC BY-NC 4.0
signature-base	crime_phish_gina_dec15.yar	$s1 = “netsh.exe” fullword wide	CC BY-NC 4.0
signature-base	gen_malware_set_qa.yar	$s6 = “netsh firewall delete allowedprogram” fullword wide	CC BY-NC 4.0
signature-base	gen_mal_backnet.yar	$s3 = “/C netsh wlan show profile” wide	CC BY-NC 4.0
signature-base	gen_rats_malwareconfig.yar	$s2 = “netsh firewall add allowedprogram” wide	CC BY-NC 4.0
signature-base	gen_suspicious_strings.yar	description = “Detects a suspicious command line with netsh and the portproxy command”	CC BY-NC 4.0
signature-base	gen_suspicious_strings.yar	reference = “https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy”	CC BY-NC 4.0
signature-base	gen_suspicious_strings.yar	$x1 = “netsh interface portproxy add v4tov4 listenport=” ascii	CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

---

netsh

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

The Network Shell command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a currently running computer. You can start this utility at the command prompt or in Windows PowerShell.

Syntax

netsh [-a <Aliasfile>][-c <Context>][-r <Remotecomputer>][-u [<domainname>\<username>][-p <Password> | [{<NetshCommand> | -f <scriptfile>}]

Parameters

Parameter	Description
-a <Aliasfile>	Specifies that you are returned to the netsh prompt after running Aliasfile and the name of the text file that contains one or more netsh commands.
-c <Context>	Specifies that netsh enters the specified netsh context and the netsh context to enter.
-r <Remotecomputer>	Specifies the remote computer to configure.<p>Important: If you use this parameter, you must make sure the Remote Registry service is running on the remote computer. If it isn’t running, Windows displays a “Network Path Not Found” error message.
-u <domainname>\<username>	Specifies the domain and user account name to use while running the netsh command under a user account. If you omit the domain, the local domain is used by default.
-p <Password>	Specifies the password for the user account specified by the -u <username> parameter.
<NetshCommand>	Specifies the netsh command to run.
-f <scriptfile>	Exits the netsh command after running the specified script file.
/?	Displays help at the command prompt.

Remarks

• If you specify -r followed by another command, netsh runs the command on the remote computer and then returns to the Cmd.exe command prompt. If you specify -r without another command, netsh opens in remote mode. The process is similar to using set machine at the Netsh command prompt. When you use -r, you set the target computer for the current instance of netsh only. After you exit and reenter netsh, the target computer is reset as the local computer. You can run netsh commands on a remote computer by specifying a computer name stored in WINS, a UNC name, an Internet name to be resolved by the DNS server, or an IP address.

• If your string value contains spaces between characters, you must enclose the string value in quotation marks. For example, -r "contoso remote device"

Additional References

• Command-Line Syntax Key

---

MIT License. Copyright (c) 2020-2021 Strontic.