Associated Software: netsh.exe
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1090 | Connection Proxy | netsh can be used to set up a proxy tunnel to allow remote host access to an infected host. |
| Enterprise | T1089 | Disabling Security Tools | netsh can be used to disable local firewall settings. |
| Enterprise | T1128 | Netsh Helper DLL | netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. |
| Enterprise | T1063 | Security Software Discovery | netsh can be used to discover system firewall settings. |
Groups That Use This Software