netsh

netsh is a scripting utility used to interact with networking components on local or remote systems. [1]

ID: S0108
Associated Software: netsh.exe
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 31 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1546 .007 Event Triggered Execution: Netsh Helper DLL

netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed.[4]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

netsh can be used to disable local firewall settings.[1][2]

Enterprise T1090 Proxy

netsh can be used to set up a proxy tunnel to allow remote host access to an infected host.[3]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

netsh can be used to discover system firewall settings.[1][2]

Groups That Use This Software

ID Name References
G0008 Carbanak

[5]

G0032 Lazarus Group

[6]

G0074 Dragonfly 2.0

[7]

G0019 Naikon

[8]

G0050 APT32

[9]

References