Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1546.007 | Event Triggered Execution: Netsh Helper DLL | netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed.[2] |
Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | |
Enterprise | T1090 | Proxy | netsh can be used to set up a proxy tunnel to allow remote host access to an infected host.[4] |
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | netsh can be used to discover system firewall settings.[1][3] |

ID | Name | References |
---|---|---|
G1017 | Volt Typhoon | |
G0019 | Naikon | |
G0050 | APT32 | |
G0059 | Magic Hound | |
G0032 | Lazarus Group | |
G0008 | Carbanak | |
G0035 | Dragonfly | |

ID | Name | Description |
---|---|---|
C0018 | C0018 | During C0018, the threat actors used netsh on a domain controller to ensure there was no existing firewall or to disable one.[14] |