Detect activities and various techniques associated with the abuse of
netsh.exe, which can be used to disable local firewall settings or to set up a remote connection to a host from an infected system.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2017-01-05
- Author: Bhavin Patel, Splunk
- ID: 2b1800dd-92f9-47ec-a981-fdf1351e5f65
It is common practice for attackers of all types to leverage native Windows tools and functionality to execute commands for malicious purposes. One such tool on Windows is
netsh.exe, a command-line scripting utility that allows you to display or modify the network configuration of a running computer, either locally or remotely.
Netsh.exe can be used to discover and disable local firewall settings. It can also be used to set up a remote connection to a host from an infected system.
To get started, run the detection search to identify parent processes of
| Detection | ATT&CK Technique | Type |
|---|---|---|
| Processes created by netsh | Disable or Modify System Firewall | TTP |
| Processes launching netsh | Disable or Modify System Firewall, Impair Defenses | Anomaly |
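The two detections above boil down to one question: which parent processes spawn netsh.exe, and with what arguments? The following is an added example, not part of this story or of Splunk's content, that runs that check in Python over constructed process-creation events shaped like the Endpoint.Processes datamodel fields (process_name, process, parent_process_name, dest); the regexes and sample events are assumptions for illustration, not the Splunk searches themselves.

```python
import re
from typing import Iterable, List, Optional

# Argument patterns that match the two behaviours the story calls out:
# turning the local firewall off (or punching holes in it) and setting up
# a remote path through the host. Constructed for this example; baseline
# against your own environment before alerting on them.
NETSH_ABUSE_PATTERNS = {
    "Disable or Modify System Firewall": [
        re.compile(r"advfirewall\s+set\s+\w+\s+state\s+off", re.I),
        re.compile(r"firewall\s+set\s+opmode\s+(mode=)?disable", re.I),
        re.compile(r"advfirewall\s+firewall\s+add\s+rule.*action=allow", re.I),
    ],
    "Remote connection setup": [
        re.compile(r"interface\s+portproxy\s+add", re.I),
    ],
}


def classify_netsh(event: dict) -> Optional[dict]:
    """Return a finding for one process-creation event, or None.

    Only netsh.exe launches are considered; the finding records the
    parent process so an analyst can see what spawned netsh.
    """
    if event.get("process_name", "").lower() != "netsh.exe":
        return None
    cmd = event.get("process", "")
    for technique, patterns in NETSH_ABUSE_PATTERNS.items():
        if any(p.search(cmd) for p in patterns):
            return {"dest": event.get("dest"), "parent": event.get("parent_process_name"),
                    "technique": technique, "process": cmd}
    return None


def hunt_netsh(events: Iterable[dict]) -> List[dict]:
    """Run the check over a stream of events and keep only the hits."""
    return [f for f in (classify_netsh(e) for e in events) if f]


# Constructed sample events (not real telemetry). ws03 is a benign
# netsh enumeration and ws04 is not netsh at all; neither should fire.
SAMPLE_EVENTS = [
    {"dest": "ws01", "parent_process_name": "cmd.exe", "process_name": "netsh.exe",
     "process": "netsh advfirewall set allprofiles state off"},
    {"dest": "ws02", "parent_process_name": "powershell.exe", "process_name": "netsh.exe",
     "process": "netsh interface portproxy add v4tov4 listenport=4444 connectaddress=10.0.0.5"},
    {"dest": "ws03", "parent_process_name": "explorer.exe", "process_name": "netsh.exe",
     "process": "netsh interface show interface"},
    {"dest": "ws04", "parent_process_name": "svchost.exe", "process_name": "ipconfig.exe",
     "process": "ipconfig /all"},
]

if __name__ == "__main__":
    for finding in hunt_netsh(SAMPLE_EVENTS):
        print(finding)
```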
Version: 1