1. Home
  2. Software
  3. netsh

netsh

netsh is a scripting utility used to interact with networking components on local or remote systems. [1]

ID: S0108
Associated Software: netsh.exe
Type: TOOL
Platforms: Windows
Version: 1.3
Created: 31 May 2017
Last Modified: 25 February 2025
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1546 .007 Event Triggered Execution: Netsh Helper DLL

netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed.[2]
Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

netsh can be used to disable local firewall settings.[1][3]
Enterprise T1090 Proxy

netsh can be used to set up a proxy tunnel to allow remote host access to an infected host.[4]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

netsh can be used to discover system firewall settings.[1][3]

Groups That Use This Software

ID Name References
G1017 Volt Typhoon

[5][6][7]
G0019 Naikon

[8]
G0050 APT32

[9]
G0059 Magic Hound

[10]
G0032 Lazarus Group

[11]
G0008 Carbanak

[12]
G0035 Dragonfly

[13]
G0007 APT28

APT28 Nearest Neighbor Campaign was conducted by APT28 from early February 2022 to November 2024.[14]

Campaigns

ID Name Description
C0051 APT28 Nearest Neighbor Campaign

APT28[14]
APT28 Nearest Neighbor Campaign[14]

C0018 C0018

During C0018, the threat actors used netsh on a domain controller to ensure there was no existing firewall or to disable one.[15]

References

  1. Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
  2. Demaske, M. (2016, September 23). USING NETSHELL TO EXECUTE EVIL DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017.
  3. Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016.
  4. Kaspersky Lab's Global Research and Analysis Team. (2017, February 8). Fileless attacks against enterprise networks. Retrieved February 8, 2017.
  5. Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
  6. NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
  7. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  8. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  1. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  2. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  3. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved November 17, 2024.
  4. Group-IB and Fox-IT. (2014, December). Anunak: APT against financial institutions. Retrieved April 20, 2016.
  5. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  6. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
  7. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.