netsh is a scripting utility used to interact with networking components on local or remote systems. [1]

ID: S0108
Associated Software: netsh.exe
Type: TOOL
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018

Techniques Used

Domain | ID | Name | Use
Enterprise | T1090 | Connection Proxy | netsh can be used to set up a proxy tunnel to allow remote host access to an infected host.[3]
Enterprise | T1089 | Disabling Security Tools | netsh can be used to disable local firewall settings.[1][2]
Enterprise | T1128 | Netsh Helper DLL | netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed.[4]
Enterprise | T1063 | Security Software Discovery | netsh can be used to discover system firewall settings.[1][2]

Groups That Use This Software

ID Name References
G0008 Carbanak [5]
G0032 Lazarus Group [6]
G0074 Dragonfly 2.0 [7]
G0019 Naikon [8]
G0050 APT32 [9]