
Description

Detect activities and various techniques associated with the abuse of netsh.exe, which can disable local firewall settings or set up a remote connection to a host from an infected system.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Risk
  • Last Updated: 2017-01-05
  • Author: Bhavin Patel, Splunk
  • ID: 2b1800dd-92f9-47ec-a981-fdf1351e5f65

Narrative

It is common practice for attackers of all types to leverage native Windows tools and functionality to execute commands for malicious purposes. One such tool on Windows is netsh.exe, a command-line scripting utility that allows you, either locally or remotely, to display or modify the network configuration of a running computer. Netsh.exe can be used to discover and disable local firewall settings (for example, its advfirewall context can list the firewall profiles or set their state to off). It can also be used to set up a remote connection to a host from an infected system (its portproxy context forwards a local listening port to a remote address).
To get started, run the detection search to identify the parent processes of netsh.exe.
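The following is an added example, not the Splunk detection search or any code from this story, showing the logic the narrative describes run over a handful of constructed process-creation events. Field names (parent_process_name, process_name, process) follow the Endpoint.Processes datamodel; the sample events and the netsh command-line patterns are assumptions written for this illustration, not extracted telemetry.

```python
import re
from collections import Counter

# Constructed sample process-creation events (not real telemetry). Field names
# follow the Splunk Endpoint.Processes datamodel: parent_process_name,
# process_name and process (the full command line).
SAMPLE_EVENTS = [
    {"parent_process_name": "cmd.exe", "process_name": "netsh.exe",
     "process": "netsh advfirewall set allprofiles state off"},
    {"parent_process_name": "powershell.exe", "process_name": "netsh.exe",
     "process": ("netsh interface portproxy add v4tov4 listenport=3389 "
                 "listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.0.5")},
    {"parent_process_name": "netsh.exe", "process_name": "cmd.exe",
     "process": "cmd.exe /c whoami"},
    {"parent_process_name": "explorer.exe", "process_name": "netsh.exe",
     "process": "netsh advfirewall show allprofiles"},
    {"parent_process_name": "svchost.exe", "process_name": "notepad.exe",
     "process": "notepad.exe"},
]

# Command-line patterns for the behaviours the story describes. Both the modern
# "advfirewall" context and the legacy "firewall" context are covered.
FIREWALL_DISABLE = re.compile(
    r"advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+(?:mode=)?disable",
    re.IGNORECASE)
FIREWALL_DISCOVERY = re.compile(r"advfirewall\s+(?:\w+\s+)?show", re.IGNORECASE)
# netsh portproxy forwards a local listener to a remote host, the "remote
# connection" the narrative mentions.
PORTPROXY = re.compile(r"interface\s+portproxy\s+add", re.IGNORECASE)


def classify(event):
    """Return the tags an event earns, sorted for stable comparison."""
    tags = []
    proc = event["process_name"].lower()
    parent = event["parent_process_name"].lower()
    cmd = event["process"]
    if parent == "netsh.exe":
        tags.append("spawned_by_netsh")      # "Processes created by netsh"
    if proc == "netsh.exe":
        tags.append("netsh_launched")        # "Processes launching netsh"
        if FIREWALL_DISABLE.search(cmd):
            tags.append("firewall_disable")
        elif FIREWALL_DISCOVERY.search(cmd):
            tags.append("firewall_discovery")
        if PORTPROXY.search(cmd):
            tags.append("portproxy")
    return sorted(tags)


def run_detection(events):
    """Classify every event; keep only those that earned at least one tag."""
    hits = []
    for i, e in enumerate(events):
        tags = classify(e)
        if tags:
            hits.append((i, tags))
    return hits


def parents_of_netsh(events):
    """Count parent processes of netsh.exe, the first triage step in the story."""
    return Counter(e["parent_process_name"].lower()
                   for e in events if e["process_name"].lower() == "netsh.exe")


if __name__ == "__main__":
    for idx, tags in run_detection(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["process"], "->", ", ".join(tags))
    print("parents of netsh.exe:", dict(parents_of_netsh(SAMPLE_EVENTS)))
```

The "netsh_launched" tag alone is the anomaly-grade signal (netsh is launched legitimately by administrators and setup scripts); the firewall-disable and portproxy tags are what a practitioner would escalate to a TTP-grade alert, and the parent-process count is the pivot the story tells you to start from.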

Detections

  • Processes created by netsh
    Technique: Disable or Modify System Firewall
    Type: TTP
  • Processes launching netsh
    Techniques: Disable or Modify System Firewall, Impair Defenses
    Type: Anomaly
  • Windows Common Abused Cmd Shell Risk Behavior
    Techniques: File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter
    Type: Correlation

Reference

source | version: 1