netsh is a scripting utility used to interact with networking components on local or remote systems. [1]

ID: S0108
Associated Software: netsh.exe
Type: TOOL
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 31 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1546 .007 Event Triggered Execution: Netsh Helper DLL

netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed.[2]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

netsh can be used to disable local firewall settings.[1][3]

Enterprise T1090 Proxy

netsh can be used to set up a proxy tunnel to allow remote host access to an infected host.[4]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

netsh can be used to discover system firewall settings.[1][3]

Groups That Use This Software

ID Name References
G0008 Carbanak


G0059 Magic Hound


G0035 Dragonfly


G0032 Lazarus Group


G0050 APT32


G0019 Naikon