netsh.exe

  • File Path: C:\WINDOWS\SysWOW64\netsh.exe
  • Description: Network Command Shell

Hashes

Type Hash
MD5 C01247388A87FE388880EE6986891137
SHA1 9C193485B1C872D473C0D18F6DF5582579C0C1C1
SHA256 53CFAE69BB8B4179BFBD217216BF41EEDAFFC793998F87A6E476257FAE1690B9
SHA384 A04A828813EC5D20C8FE5AAB1E34C2ED95635EA7DD368ED1F5BC2FAC446A3649A0357C44D6BF9F4A5AA56AE75F12DBC7
SHA512 F6DD659A7D5DA3558E3666664BF18F8BA7C3B8384051397C97CE3438A010A02F0C04ECEBABE9291409F81130755A744DE5A9159B40722D894DCDCF4584B6DF81
SSDEEP 768:H9BaJHoZ0fOsfFwedPz23En4yppczEQkoY6JAobFN9u+pF:dUptFwmS3rsXVpobFN9u+p
IMP 70231D84696D81B713D6745D5C313838
PESHA1 28D25032AFDB806C267C790770C93B9BDCEFC7EE
PE256 A7071CECA0CFD83964224700E964B3461BD5824ED2B54776D13450A141905BC7

Runtime Data

Usage (stdout):


Usage: C:\WINDOWS\SysWOW64\netsh.exe [-a AliasFile] [-c Context] [-r RemoteMachine] [-u [DomainName\]UserName] [-p Password | *]
             [Command | -f ScriptFile]

The following commands are available:

Commands in this context:
?              - Displays a list of commands.
add            - Adds a configuration entry to a list of entries.
advfirewall    - Changes to the `netsh advfirewall' context.
branchcache    - Changes to the `netsh branchcache' context.
bridge         - Changes to the `netsh bridge' context.
delete         - Deletes a configuration entry from a list of entries.
dhcpclient     - Changes to the `netsh dhcpclient' context.
dnsclient      - Changes to the `netsh dnsclient' context.
dump           - Displays a configuration script.
exec           - Runs a script file.
firewall       - Changes to the `netsh firewall' context.
help           - Displays a list of commands.
http           - Changes to the `netsh http' context.
interface      - Changes to the `netsh interface' context.
ipsec          - Changes to the `netsh ipsec' context.
lan            - Changes to the `netsh lan' context.
mbn            - Changes to the `netsh mbn' context.
namespace      - Changes to the `netsh namespace' context.
netio          - Changes to the `netsh netio' context.
p2p            - Changes to the `netsh p2p' context.
ras            - Changes to the `netsh ras' context.
rpc            - Changes to the `netsh rpc' context.
set            - Updates configuration settings.
show           - Displays information.
trace          - Changes to the `netsh trace' context.
wfp            - Changes to the `netsh wfp' context.
winhttp        - Changes to the `netsh winhttp' context.
winsock        - Changes to the `netsh winsock' context.
wlan           - Changes to the `netsh wlan' context.

The following sub-contexts are available:
 advfirewall branchcache bridge dhcpclient dnsclient firewall http interface ipsec lan mbn namespace netio p2p ras rpc trace wfp winhttp winsock wlan

To view help for a command, type the command, followed by a space, and then
 type ?.

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\netsh.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: netsh.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/53cfae69bb8b4179bfbd217216bf41eedaffc793998f87a6e476257fae1690b9/detection

Possible Misuse

The following table contains possible examples of netsh.exe being misused. While netsh.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_apt_wocao.yml - 'netsh advfirewall firewall add rule name=powershell dir=in' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - netsh.exe DRL 1.0
sigma proc_creation_win_netsh_allow_port_rdp.yml title: Netsh RDP Port Opening DRL 1.0
sigma proc_creation_win_netsh_allow_port_rdp.yml description: Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware DRL 1.0
sigma proc_creation_win_netsh_allow_port_rdp.yml - netsh DRL 1.0
sigma proc_creation_win_netsh_fw_add.yml title: Netsh Port or Application Allowed DRL 1.0
sigma proc_creation_win_netsh_fw_add.yml Image\|endswith: '\netsh.exe' DRL 1.0
sigma proc_creation_win_netsh_fw_add.yml - '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any' DRL 1.0
sigma proc_creation_win_netsh_fw_add.yml - '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any' DRL 1.0
sigma proc_creation_win_netsh_fw_add_susp_image.yml title: Netsh Program Allowed with Suspcious Location DRL 1.0
sigma proc_creation_win_netsh_fw_add_susp_image.yml description: Detects Netsh commands that allows a suspcious application location on Windows Firewall DRL 1.0
sigma proc_creation_win_netsh_fw_add_susp_image.yml Image\|endswith: '\netsh.exe' DRL 1.0
sigma proc_creation_win_netsh_fw_enable_group_rule.yml title: Netsh Allow Group Policy on Microsoft Defender Firewall DRL 1.0
sigma proc_creation_win_netsh_fw_enable_group_rule.yml - https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior DRL 1.0
sigma proc_creation_win_netsh_fw_enable_group_rule.yml Image\|endswith: '\netsh.exe' DRL 1.0
sigma proc_creation_win_netsh_packet_capture.yml title: Capture a Network Trace with netsh.exe DRL 1.0
sigma proc_creation_win_netsh_packet_capture.yml description: Detects capture a network trace via netsh.exe trace functionality DRL 1.0
sigma proc_creation_win_netsh_packet_capture.yml - netsh DRL 1.0
sigma proc_creation_win_netsh_packet_capture.yml - Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason DRL 1.0
sigma proc_creation_win_netsh_port_fwd.yml title: Netsh Port Forwarding DRL 1.0
sigma proc_creation_win_netsh_port_fwd.yml description: Detects netsh commands that configure a port forwarding (PortProxy) DRL 1.0
sigma proc_creation_win_netsh_port_fwd.yml - https://adepts.of0x.cc/netsh-portproxy-code/ DRL 1.0
sigma proc_creation_win_netsh_port_fwd.yml Image\|endswith: '\netsh.exe' DRL 1.0
sigma proc_creation_win_netsh_port_fwd_3389.yml title: Netsh RDP Port Forwarding DRL 1.0
sigma proc_creation_win_netsh_port_fwd_3389.yml description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP DRL 1.0
sigma proc_creation_win_netsh_port_fwd_3389.yml Image\|endswith: '\netsh.exe' DRL 1.0
sigma proc_creation_win_netsh_wifi_credential_harvesting.yml title: Harvesting of Wifi Credentials Using netsh.exe DRL 1.0
sigma proc_creation_win_netsh_wifi_credential_harvesting.yml description: Detect the harvesting of wifi credentials using netsh.exe DRL 1.0
sigma proc_creation_win_netsh_wifi_credential_harvesting.yml Image\|endswith: '\netsh.exe' DRL 1.0
sigma proc_creation_win_netsh_wifi_credential_harvesting.yml - Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'netsh.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\netsh.exe' DRL 1.0
sigma proc_creation_win_susp_firewall_disable.yml title: Firewall Disabled via Netsh DRL 1.0
sigma proc_creation_win_susp_firewall_disable.yml description: Detects netsh commands that turns off the Windows firewall DRL 1.0
sigma proc_creation_win_susp_firewall_disable.yml - netsh DRL 1.0
sigma proc_creation_win_susp_netsh_command.yml title: Suspicious Netsh Discovery Command DRL 1.0
sigma proc_creation_win_susp_netsh_command.yml - 'netsh ' DRL 1.0
sigma proc_creation_win_susp_netsh_dll_persistence.yml title: Suspicious Netsh DLL Persistence DRL 1.0
sigma proc_creation_win_susp_netsh_dll_persistence.yml description: Detects persitence via netsh helper DRL 1.0
sigma proc_creation_win_susp_netsh_dll_persistence.yml Image\|endswith: '\netsh.exe' DRL 1.0
sigma proc_creation_win_susp_network_command.yml - 'netsh interface show interface' DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml Image\|endswith: \netsh.exe DRL 1.0
sigma registry_event_portproxy_registry_key.yml - https://adepts.of0x.cc/netsh-portproxy-code/ DRL 1.0
LOLBAS Netsh.yml Name: Netsh.exe  
LOLBAS Netsh.yml netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>)  
LOLBAS Netsh.yml netsh.exe trace show status  
LOLBAS Netsh.yml - Command: netsh.exe add helper C:\Path\file.dll  
LOLBAS Netsh.yml Description: Load (execute) NetSh.exe helper DLL file.  
LOLBAS Netsh.yml - Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1  
LOLBAS Netsh.yml Name: Netsh.exe  
LOLBAS Netsh.yml Description: Netsh is a Windows tool used to manipulate network interface settings.  
LOLBAS Netsh.yml - Command: netsh.exe add helper C:\Users\User\file.dll  
LOLBAS Netsh.yml Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called  
LOLBAS Netsh.yml - Path: C:\WINDOWS\System32\Netsh.exe  
LOLBAS Netsh.yml - Path: C:\WINDOWS\SysWOW64\Netsh.exe  
LOLBAS Netsh.yml - IOC: Netsh initiating a network connection  
malware-ioc misp_invisimole.json "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n\n### Windows\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.\n\n### Mac\n\nIt's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.", © ESET 2014-2018
atomic-red-team index.md - T1546.007 Netsh Helper DLL MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Netsh Helper DLL Registration [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1546.007 Netsh Helper DLL MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Netsh Helper DLL Registration [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Local Account | Netsh Helper DLL | File Deletion | Unsecured Credentials CONTRIBUTE A TEST | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Netsh Helper DLL | Path Interception by Search Order Hijacking CONTRIBUTE A TEST | Hidden Files and Directories | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Logon Script (Windows) | Netsh Helper DLL | File and Directory Permissions Modification CONTRIBUTE A TEST | Silver Ticket CONTRIBUTE A TEST | | | | | Traffic Signaling CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Netsh Helper DLL | Parent PID Spoofing | Hidden File System CONTRIBUTE A TEST | Steal or Forge Kerberos Tickets CONTRIBUTE A TEST | | | | | Web Service CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team T1016.md netsh interface show interface MIT License. © 2018 Red Canary
atomic-red-team T1016.md Enumerates Windows Firewall Rules using netsh. MIT License. © 2018 Red Canary
atomic-red-team T1016.md Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout. MIT License. © 2018 Red Canary
atomic-red-team T1016.md netsh advfirewall firewall show rule name=all MIT License. © 2018 Red Canary
atomic-red-team T1021.001.md netsh advfirewall firewall add rule name=”RDPPORTLatest-TCP-In” dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port} MIT License. © 2018 Red Canary
atomic-red-team T1021.001.md netsh advfirewall firewall delete rule name=”RDPPORTLatest-TCP-In” >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1040.md netsh trace start capture=yes tracefile=%temp%\trace.etl maxsize=10 MIT License. © 2018 Red Canary
atomic-red-team T1040.md netsh trace stop >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1090.001.md Upon execution there will be a new proxy entry in netsh MIT License. © 2018 Red Canary
atomic-red-team T1090.001.md netsh interface portproxy show all MIT License. © 2018 Red Canary
atomic-red-team T1090.001.md netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress} MIT License. © 2018 Red Canary
atomic-red-team T1090.001.md netsh interface portproxy delete v4tov4 listenport=#{listenport} -ErrorAction Ignore | Out-Null MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md netsh.exe advfirewall show allprofiles MIT License. © 2018 Red Canary
atomic-red-team T1546.007.md # T1546.007 - Netsh Helper DLL MIT License. © 2018 Red Canary
atomic-red-team T1546.007.md <blockquote>Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. MIT License. © 2018 Red Canary
atomic-red-team T1546.007.md Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1546.007.md - Atomic Test #1 - Netsh Helper DLL Registration MIT License. © 2018 Red Canary
atomic-red-team T1546.007.md ## Atomic Test #1 - Netsh Helper DLL Registration MIT License. © 2018 Red Canary
atomic-red-team T1546.007.md Netsh interacts with other operating system components using dynamic-link library (DLL) files MIT License. © 2018 Red Canary
atomic-red-team T1546.007.md netsh.exe add helper #{helper_file} MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall set currentprofile state off MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall set currentprofile state on >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall set rule group=”remote desktop” new enable=Yes MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall set rule group=”file and printer sharing” new enable=Yes MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall reset >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall add rule name=”atomic testing” action=allow dir=in protocol=TCP localport=450 MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall delete rule name=”atomic testing” protocol=TCP localport=450 >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall add rule name=”Open Port to Any” dir=in protocol=tcp localport=#{local_port} action=allow profile=any MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall delete rule name=”Open Port to Any” | Out-Null MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall add rule name=”Atomic Test” dir=in action=allow program=”C:\Users$env:UserName\AtomicTest.exe” enable=yes MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall delete rule name=”Atomic Test” | Out-Null MIT License. © 2018 Red Canary
signature-base apt_ar18_165a.yar $s1 = “netsh.exe advfirewall firewall add rule name="PortOpenning" dir=in protocol=tcp localport=%d action=allow enable=yes” fullword wide CC BY-NC 4.0
signature-base apt_ar18_165a.yar $s2 = “netsh.exe firewall add portopening TCP %d "PortOpenning" enable” fullword wide CC BY-NC 4.0
signature-base apt_lazarus_aug20.yar $str_netsh_1 = “netsh firewall add portopening TCP %d” ascii wide nocase CC BY-NC 4.0
signature-base apt_lazarus_aug20.yar $str_netsh_2 = “netsh firewall delete portopening TCP %d” ascii wide nocase CC BY-NC 4.0
signature-base crime_phish_gina_dec15.yar $s1 = “netsh.exe” fullword wide CC BY-NC 4.0
signature-base gen_malware_set_qa.yar $s6 = “netsh firewall delete allowedprogram” fullword wide CC BY-NC 4.0
signature-base gen_mal_backnet.yar $s3 = “/C netsh wlan show profile” wide CC BY-NC 4.0
signature-base gen_rats_malwareconfig.yar $s2 = “netsh firewall add allowedprogram” wide CC BY-NC 4.0
signature-base gen_suspicious_strings.yar description = “Detects a suspicious command line with netsh and the portproxy command” CC BY-NC 4.0
signature-base gen_suspicious_strings.yar reference = “https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy” CC BY-NC 4.0
signature-base gen_suspicious_strings.yar $x1 = “netsh interface portproxy add v4tov4 listenport=” ascii CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


netsh

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

The Network Shell command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a currently running computer. You can start this utility at the command prompt or in Windows PowerShell.

Syntax

netsh [-a <Aliasfile>][-c <Context>][-r <Remotecomputer>][-u [<domainname>\<username>][-p <Password> | [{<NetshCommand> | -f <scriptfile>}]

Parameters

Parameter Description
-a <Aliasfile> Specifies that you are returned to the netsh prompt after running Aliasfile and the name of the text file that contains one or more netsh commands.
-c <Context> Specifies that netsh enters the specified netsh context and the netsh context to enter.
-r <Remotecomputer> Specifies the remote computer to configure.<p>Important: If you use this parameter, you must make sure the Remote Registry service is running on the remote computer. If it isn’t running, Windows displays a “Network Path Not Found” error message.
-u <domainname>\<username> Specifies the domain and user account name to use while running the netsh command under a user account. If you omit the domain, the local domain is used by default.
-p <Password> Specifies the password for the user account specified by the -u <username> parameter.
<NetshCommand> Specifies the netsh command to run.
-f <scriptfile> Exits the netsh command after running the specified script file.
/? Displays help at the command prompt.
Remarks
  • If you specify -r followed by another command, netsh runs the command on the remote computer and then returns to the Cmd.exe command prompt. If you specify -r without another command, netsh opens in remote mode. The process is similar to using set machine at the Netsh command prompt. When you use -r, you set the target computer for the current instance of netsh only. After you exit and reenter netsh, the target computer is reset as the local computer. You can run netsh commands on a remote computer by specifying a computer name stored in WINS, a UNC name, an Internet name to be resolved by the DNS server, or an IP address.

  • If your string value contains spaces between characters, you must enclose the string value in quotation marks. For example, -r "contoso remote device"

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.