netsh.exe

  • File Path: C:\WINDOWS\system32\netsh.exe
  • Description: Network Command Shell

Hashes

Type Hash
MD5 DC5FC594232484CEF643EBB590B4F37D
SHA1 8DBD78195AECD600AEB95BC432AE2C49E8713FBB
SHA256 B8F9A8275D946F40EF9C8BA5DBDE244EF73F3F280146FAE5454E2368628AFDAE
SHA384 DB9C8BE585EFD193820B2DE2BCB8400F3CD54200F540B5E4451560F9989F5C33E7C07CA1C34B57243E05656DF1E63323
SHA512 954DA189FA534F4C2D33C05F42899ECF979474C400028871AF2BC70C84DCF0C1F05833D76A6EB94DE7A90943D398C57DFF08CBAFFB053D9F0C5AE2098FE48F63
SSDEEP 1536:NEthRPGKHaycwsi0ND86sbtf5NviuIbc8IoW+26b1a+:NEtBa5D86mNviuCc8IoW+2KH
IMP 06F091DBEC9C3F0DD14808FFE59B95DE
PESHA1 8C7429AAAFA9A3C4EC7029FC0CF546D9CF746A49
PE256 FB1D99E7B22FEFCBBA940DC2A10768605B9EB04CB47428B11247D13840883C23

Runtime Data

Usage (stdout):


Usage: C:\WINDOWS\system32\netsh.exe [-a AliasFile] [-c Context] [-r RemoteMachine] [-u [DomainName\]UserName] [-p Password | *]
             [Command | -f ScriptFile]

The following commands are available:

Commands in this context:
?              - Displays a list of commands.
add            - Adds a configuration entry to a list of entries.
advfirewall    - Changes to the `netsh advfirewall' context.
branchcache    - Changes to the `netsh branchcache' context.
bridge         - Changes to the `netsh bridge' context.
delete         - Deletes a configuration entry from a list of entries.
dhcpclient     - Changes to the `netsh dhcpclient' context.
dnsclient      - Changes to the `netsh dnsclient' context.
dump           - Displays a configuration script.
exec           - Runs a script file.
firewall       - Changes to the `netsh firewall' context.
help           - Displays a list of commands.
http           - Changes to the `netsh http' context.
interface      - Changes to the `netsh interface' context.
ipsec          - Changes to the `netsh ipsec' context.
lan            - Changes to the `netsh lan' context.
mbn            - Changes to the `netsh mbn' context.
namespace      - Changes to the `netsh namespace' context.
netio          - Changes to the `netsh netio' context.
nlm            - Changes to the `netsh nlm' context.
p2p            - Changes to the `netsh p2p' context.
ras            - Changes to the `netsh ras' context.
rpc            - Changes to the `netsh rpc' context.
set            - Updates configuration settings.
show           - Displays information.
trace          - Changes to the `netsh trace' context.
wcn            - Changes to the `netsh wcn' context.
wfp            - Changes to the `netsh wfp' context.
winhttp        - Changes to the `netsh winhttp' context.
winsock        - Changes to the `netsh winsock' context.
wlan           - Changes to the `netsh wlan' context.

The following sub-contexts are available:
 advfirewall branchcache bridge dhcpclient dnsclient firewall http interface ipsec lan mbn namespace netio nlm p2p ras rpc trace wcn wfp winhttp winsock wlan

To view help for a command, type the command, followed by a space, and then
 type ?.

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\system32\netsh.exe
C:\WINDOWS\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: netsh.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/b8f9a8275d946f40ef9c8ba5dbde244ef73f3f280146fae5454e2368628afdae/detection

Possible Misuse

The following table contains possible examples of netsh.exe being misused. While netsh.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_apt_wocao.yml - 'netsh advfirewall firewall add rule name=powershell dir=in' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - netsh.exe DRL 1.0
sigma proc_creation_win_netsh_allow_port_rdp.yml title: Netsh RDP Port Opening DRL 1.0
sigma proc_creation_win_netsh_allow_port_rdp.yml description: Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware DRL 1.0
sigma proc_creation_win_netsh_allow_port_rdp.yml - netsh DRL 1.0
sigma proc_creation_win_netsh_fw_add.yml title: Netsh Port or Application Allowed DRL 1.0
sigma proc_creation_win_netsh_fw_add.yml Image\|endswith: '\netsh.exe' DRL 1.0
sigma proc_creation_win_netsh_fw_add.yml - '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any' DRL 1.0
sigma proc_creation_win_netsh_fw_add.yml - '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any' DRL 1.0
sigma proc_creation_win_netsh_fw_add_susp_image.yml title: Netsh Program Allowed with Suspcious Location DRL 1.0
sigma proc_creation_win_netsh_fw_add_susp_image.yml description: Detects Netsh commands that allows a suspcious application location on Windows Firewall DRL 1.0
sigma proc_creation_win_netsh_fw_add_susp_image.yml Image\|endswith: '\netsh.exe' DRL 1.0
sigma proc_creation_win_netsh_fw_enable_group_rule.yml title: Netsh Allow Group Policy on Microsoft Defender Firewall DRL 1.0
sigma proc_creation_win_netsh_fw_enable_group_rule.yml - https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior DRL 1.0
sigma proc_creation_win_netsh_fw_enable_group_rule.yml Image\|endswith: '\netsh.exe' DRL 1.0
sigma proc_creation_win_netsh_packet_capture.yml title: Capture a Network Trace with netsh.exe DRL 1.0
sigma proc_creation_win_netsh_packet_capture.yml description: Detects capture a network trace via netsh.exe trace functionality DRL 1.0
sigma proc_creation_win_netsh_packet_capture.yml - netsh DRL 1.0
sigma proc_creation_win_netsh_packet_capture.yml - Legitimate administrator or user uses netsh.exe trace functionality for legitimate reason DRL 1.0
sigma proc_creation_win_netsh_port_fwd.yml title: Netsh Port Forwarding DRL 1.0
sigma proc_creation_win_netsh_port_fwd.yml description: Detects netsh commands that configure a port forwarding (PortProxy) DRL 1.0
sigma proc_creation_win_netsh_port_fwd.yml - https://adepts.of0x.cc/netsh-portproxy-code/ DRL 1.0
sigma proc_creation_win_netsh_port_fwd.yml Image\|endswith: '\netsh.exe' DRL 1.0
sigma proc_creation_win_netsh_port_fwd_3389.yml title: Netsh RDP Port Forwarding DRL 1.0
sigma proc_creation_win_netsh_port_fwd_3389.yml description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP DRL 1.0
sigma proc_creation_win_netsh_port_fwd_3389.yml Image\|endswith: '\netsh.exe' DRL 1.0
sigma proc_creation_win_netsh_wifi_credential_harvesting.yml title: Harvesting of Wifi Credentials Using netsh.exe DRL 1.0
sigma proc_creation_win_netsh_wifi_credential_harvesting.yml description: Detect the harvesting of wifi credentials using netsh.exe DRL 1.0
sigma proc_creation_win_netsh_wifi_credential_harvesting.yml Image\|endswith: '\netsh.exe' DRL 1.0
sigma proc_creation_win_netsh_wifi_credential_harvesting.yml - Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'netsh.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\netsh.exe' DRL 1.0
sigma proc_creation_win_susp_firewall_disable.yml title: Firewall Disabled via Netsh DRL 1.0
sigma proc_creation_win_susp_firewall_disable.yml description: Detects netsh commands that turns off the Windows firewall DRL 1.0
sigma proc_creation_win_susp_firewall_disable.yml - netsh DRL 1.0
sigma proc_creation_win_susp_netsh_command.yml title: Suspicious Netsh Discovery Command DRL 1.0
sigma proc_creation_win_susp_netsh_command.yml - 'netsh ' DRL 1.0
sigma proc_creation_win_susp_netsh_dll_persistence.yml title: Suspicious Netsh DLL Persistence DRL 1.0
sigma proc_creation_win_susp_netsh_dll_persistence.yml description: Detects persitence via netsh helper DRL 1.0
sigma proc_creation_win_susp_netsh_dll_persistence.yml Image\|endswith: '\netsh.exe' DRL 1.0
sigma proc_creation_win_susp_network_command.yml - 'netsh interface show interface' DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml Image\|endswith: \netsh.exe DRL 1.0
sigma registry_event_portproxy_registry_key.yml - https://adepts.of0x.cc/netsh-portproxy-code/ DRL 1.0
LOLBAS Netsh.yml Name: Netsh.exe  
LOLBAS Netsh.yml netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!(<IPofRemoteFileShare>)  
LOLBAS Netsh.yml netsh.exe trace show status  
LOLBAS Netsh.yml - Command: netsh.exe add helper C:\Path\file.dll  
LOLBAS Netsh.yml Description: Load (execute) NetSh.exe helper DLL file.  
LOLBAS Netsh.yml - Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1  
LOLBAS Netsh.yml Name: Netsh.exe  
LOLBAS Netsh.yml Description: Netsh is a Windows tool used to manipulate network interface settings.  
LOLBAS Netsh.yml - Command: netsh.exe add helper C:\Users\User\file.dll  
LOLBAS Netsh.yml Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called  
LOLBAS Netsh.yml - Path: C:\WINDOWS\System32\Netsh.exe  
LOLBAS Netsh.yml - Path: C:\WINDOWS\SysWOW64\Netsh.exe  
LOLBAS Netsh.yml - IOC: Netsh initiating a network connection  
malware-ioc misp_invisimole.json "description": "Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n\n### Windows\n\nExample commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for.\n\n### Mac\n\nIt's becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.", © ESET 2014-2018
atomic-red-team index.md - T1546.007 Netsh Helper DLL MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Netsh Helper DLL Registration [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1546.007 Netsh Helper DLL MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Netsh Helper DLL Registration [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Local Account | Netsh Helper DLL | File Deletion | Unsecured Credentials CONTRIBUTE A TEST | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Netsh Helper DLL | Path Interception by Search Order Hijacking CONTRIBUTE A TEST | Hidden Files and Directories | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Logon Script (Windows) | Netsh Helper DLL | File and Directory Permissions Modification CONTRIBUTE A TEST | Silver Ticket CONTRIBUTE A TEST | | | | | Traffic Signaling CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Netsh Helper DLL | Parent PID Spoofing | Hidden File System CONTRIBUTE A TEST | Steal or Forge Kerberos Tickets CONTRIBUTE A TEST | | | | | Web Service CONTRIBUTE A TEST | | MIT License. © 2018 Red Canary
atomic-red-team T1016.md netsh interface show interface MIT License. © 2018 Red Canary
atomic-red-team T1016.md Enumerates Windows Firewall Rules using netsh. MIT License. © 2018 Red Canary
atomic-red-team T1016.md Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout. MIT License. © 2018 Red Canary
atomic-red-team T1016.md netsh advfirewall firewall show rule name=all MIT License. © 2018 Red Canary
atomic-red-team T1021.001.md netsh advfirewall firewall add rule name=”RDPPORTLatest-TCP-In” dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port} MIT License. © 2018 Red Canary
atomic-red-team T1021.001.md netsh advfirewall firewall delete rule name=”RDPPORTLatest-TCP-In” >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1040.md netsh trace start capture=yes tracefile=%temp%\trace.etl maxsize=10 MIT License. © 2018 Red Canary
atomic-red-team T1040.md netsh trace stop >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1090.001.md Upon execution there will be a new proxy entry in netsh MIT License. © 2018 Red Canary
atomic-red-team T1090.001.md netsh interface portproxy show all MIT License. © 2018 Red Canary
atomic-red-team T1090.001.md netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress} MIT License. © 2018 Red Canary
atomic-red-team T1090.001.md netsh interface portproxy delete v4tov4 listenport=#{listenport} -ErrorAction Ignore | Out-Null MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md Example commands that can be used to obtain security software information are netsh, reg query with Reg, dir with cmd, and Tasklist, but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software. MIT License. © 2018 Red Canary
atomic-red-team T1518.001.md netsh.exe advfirewall show allprofiles MIT License. © 2018 Red Canary
atomic-red-team T1546.007.md # T1546.007 - Netsh Helper DLL MIT License. © 2018 Red Canary
atomic-red-team T1546.007.md <blockquote>Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. MIT License. © 2018 Red Canary
atomic-red-team T1546.007.md Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1546.007.md - Atomic Test #1 - Netsh Helper DLL Registration MIT License. © 2018 Red Canary
atomic-red-team T1546.007.md ## Atomic Test #1 - Netsh Helper DLL Registration MIT License. © 2018 Red Canary
atomic-red-team T1546.007.md Netsh interacts with other operating system components using dynamic-link library (DLL) files MIT License. © 2018 Red Canary
atomic-red-team T1546.007.md netsh.exe add helper #{helper_file} MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall set currentprofile state off MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall set currentprofile state on >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall set rule group=”remote desktop” new enable=Yes MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall set rule group=”file and printer sharing” new enable=Yes MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall reset >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall add rule name=”atomic testing” action=allow dir=in protocol=TCP localport=450 MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall delete rule name=”atomic testing” protocol=TCP localport=450 >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall add rule name=”Open Port to Any” dir=in protocol=tcp localport=#{local_port} action=allow profile=any MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall delete rule name=”Open Port to Any” | Out-Null MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall add rule name=”Atomic Test” dir=in action=allow program=”C:\Users$env:UserName\AtomicTest.exe” enable=yes MIT License. © 2018 Red Canary
atomic-red-team T1562.004.md netsh advfirewall firewall delete rule name=”Atomic Test” | Out-Null MIT License. © 2018 Red Canary
signature-base apt_ar18_165a.yar $s1 = “netsh.exe advfirewall firewall add rule name="PortOpenning" dir=in protocol=tcp localport=%d action=allow enable=yes” fullword wide CC BY-NC 4.0
signature-base apt_ar18_165a.yar $s2 = “netsh.exe firewall add portopening TCP %d "PortOpenning" enable” fullword wide CC BY-NC 4.0
signature-base apt_lazarus_aug20.yar $str_netsh_1 = “netsh firewall add portopening TCP %d” ascii wide nocase CC BY-NC 4.0
signature-base apt_lazarus_aug20.yar $str_netsh_2 = “netsh firewall delete portopening TCP %d” ascii wide nocase CC BY-NC 4.0
signature-base crime_phish_gina_dec15.yar $s1 = “netsh.exe” fullword wide CC BY-NC 4.0
signature-base gen_malware_set_qa.yar $s6 = “netsh firewall delete allowedprogram” fullword wide CC BY-NC 4.0
signature-base gen_mal_backnet.yar $s3 = “/C netsh wlan show profile” wide CC BY-NC 4.0
signature-base gen_rats_malwareconfig.yar $s2 = “netsh firewall add allowedprogram” wide CC BY-NC 4.0
signature-base gen_suspicious_strings.yar description = “Detects a suspicious command line with netsh and the portproxy command” CC BY-NC 4.0
signature-base gen_suspicious_strings.yar reference = “https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-interface-portproxy” CC BY-NC 4.0
signature-base gen_suspicious_strings.yar $x1 = “netsh interface portproxy add v4tov4 listenport=” ascii CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


netsh

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016

The Network Shell command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a currently running computer. You can start this utility at the command prompt or in Windows PowerShell.

Syntax

netsh [-a <Aliasfile>][-c <Context>][-r <Remotecomputer>][-u [<domainname>\<username>][-p <Password> | [{<NetshCommand> | -f <scriptfile>}]

Parameters

Parameter Description
-a <Aliasfile> Specifies that you are returned to the netsh prompt after running Aliasfile and the name of the text file that contains one or more netsh commands.
-c <Context> Specifies that netsh enters the specified netsh context and the netsh context to enter.
-r <Remotecomputer> Specifies the remote computer to configure.<p>Important: If you use this parameter, you must make sure the Remote Registry service is running on the remote computer. If it isn’t running, Windows displays a “Network Path Not Found” error message.
-u <domainname>\<username> Specifies the domain and user account name to use while running the netsh command under a user account. If you omit the domain, the local domain is used by default.
-p <Password> Specifies the password for the user account specified by the -u <username> parameter.
<NetshCommand> Specifies the netsh command to run.
-f <scriptfile> Exits the netsh command after running the specified script file.
/? Displays help at the command prompt.
Remarks
  • If you specify -r followed by another command, netsh runs the command on the remote computer and then returns to the Cmd.exe command prompt. If you specify -r without another command, netsh opens in remote mode. The process is similar to using set machine at the Netsh command prompt. When you use -r, you set the target computer for the current instance of netsh only. After you exit and reenter netsh, the target computer is reset as the local computer. You can run netsh commands on a remote computer by specifying a computer name stored in WINS, a UNC name, an Internet name to be resolved by the DNS server, or an IP address.

  • If your string value contains spaces between characters, you must enclose the string value in quotation marks. For example, -r "contoso remote device"

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.