netsh

netsh is a scripting utility used to interact with networking components on local or remote systems. [1]

ID: S0108
Associated Software: netsh.exe
Type: TOOL
Platforms: Windows
Version: 1.2
Created: 31 May 2017
Last Modified: 17 January 2023

Techniques Used

Domain ID Name Use
Enterprise T1546 .007 Event Triggered Execution: Netsh Helper DLL

netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed.[2]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

netsh can be used to disable local firewall settings.[1][3]

Enterprise T1090 Proxy

netsh can be used to set up a proxy tunnel to allow remote host access to an infected host.[4]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

netsh can be used to discover system firewall settings.[1][3]

Groups That Use This Software

Campaigns

ID Name Description
C0018 C0018

During C0018, the threat actors used netsh on a domain controller to ensure there was no existing firewall or to disable one.[14]

References