Processes launching netsh

Description

This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Other

Category

Abuse

Alert Volume

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Execution
Persistence
Defense Evasion

MITRE ATT&CK Techniques

Command and Scripting Interpreter
Disabling Security Tools

MITRE Threat Groups

APT19
APT32
APT39
Dragonfly 2.0
FIN5
FIN6
FIN7
Ke3chang
Molerats
OilRig
Stealth Falcon
Whitefly

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

   Help

Processes launching netsh Help

This search looks for all the parent processes of netsh.exe and returns that process, the command-line used to execute it, the host name, and the user context under which it ran.