Processes Created By Netsh

Description

This search looks for processes spawned by netsh.exe. Netsh.exe is the Windows command-line scripting utility for displaying or modifying the network configuration of a running computer, either locally or remotely. On startup it loads the helper DLLs registered for it in the registry, so registering a malicious helper DLL is a known persistence technique (MITRE ATT&CK T1546.007, Netsh Helper DLL): the DLL runs every time netsh.exe is executed, and a helper that launches a shell or script interpreter appears in process telemetry as a child of netsh.exe. Because netsh does not normally need to launch other programs, this search reports any process whose parent is netsh.exe together with the command line it was executed with.
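As an added illustration, not Splunk's search and not code from this page, the following Python applies the same logic to a few constructed Sysmon Event ID 1 (process creation) records: it keeps only events whose parent image is netsh.exe, compares the file name case-insensitively so a copy of netsh.exe in another directory still matches, and aggregates by host, user and child process the way the search's statistics would. The check that the parent ran from System32 or SysWOW64 is an extra heuristic assumed here for masquerading, not part of the page's search; the sample records are made up for the example.

```python
"""Processes Created By Netsh: the detection logic run over constructed
Sysmon Event ID 1 records (an added example, not Splunk's own search)."""
import json
import ntpath
from collections import Counter

# Constructed sample log lines, one JSON object per line, using the field
# names of Sysmon Event ID 1 (process creation). Made up for this example.
SAMPLE_LOG = r"""
{"UtcTime": "2023-05-01 10:00:00.000", "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami", "ParentImage": "C:\\Windows\\System32\\netsh.exe", "ParentCommandLine": "netsh.exe"}
{"UtcTime": "2023-05-01 10:00:05.000", "Computer": "WS01", "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\netsh.exe", "CommandLine": "netsh advfirewall firewall show rule name=all", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd.exe"}
{"UtcTime": "2023-05-01 10:02:10.000", "Computer": "WS02", "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "ParentImage": "C:\\Users\\Public\\NETSH.EXE", "ParentCommandLine": "NETSH.EXE"}
{"UtcTime": "2023-05-01 10:03:00.000", "Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\conhost.exe", "CommandLine": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "ParentCommandLine": "svchost.exe -k netsvcs"}
"""

# Directories where the genuine netsh.exe lives. A parent named netsh.exe
# running from anywhere else is a masquerading indicator (assumed heuristic,
# not part of the page's search).
EXPECTED_NETSH_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_events(raw_log):
    """Parse one JSON record per non-empty line into a list of dicts."""
    return [json.loads(line) for line in raw_log.splitlines() if line.strip()]


def basename_lower(path):
    """Case-insensitive file name, the same comparison parent_process_name uses."""
    return ntpath.basename(path).lower()


def netsh_children(events, parent_name="netsh.exe"):
    """Return the process-creation events whose parent process is netsh.exe.

    Only the parent's file name is compared, so a netsh.exe copied elsewhere
    still matches; the full parent path is kept so an analyst can see where
    it ran, and parent_in_expected_dir flags an unexpected location.
    """
    hits = []
    for ev in events:
        parent = ev.get("ParentImage", "")
        if basename_lower(parent) != parent_name:
            continue
        hits.append({
            "time": ev["UtcTime"],
            "dest": ev["Computer"],
            "user": ev["User"],
            "parent_process": parent,
            "parent_in_expected_dir": ntpath.dirname(parent).lower() in EXPECTED_NETSH_DIRS,
            "process_name": basename_lower(ev["Image"]),
            "process": ev["CommandLine"],
        })
    return hits


def summarize(hits):
    """Aggregate like the search's stats: count per host, user and child process."""
    return Counter((h["dest"], h["user"], h["process_name"]) for h in hits)


if __name__ == "__main__":
    found = netsh_children(parse_events(SAMPLE_LOG))
    for h in found:
        flag = "" if h["parent_in_expected_dir"] else "  [parent outside System32]"
        print(f'{h["time"]} {h["dest"]} {h["user"]}: {h["parent_process"]} -> {h["process"]}{flag}')
    for key, n in summarize(found).items():
        print(key, n)
```

Run against the sample, only the cmd.exe and powershell.exe events are reported; the netsh.exe launched from cmd.exe is not, because the search keys on netsh as the parent, not the child. To catch the helper-DLL registration itself rather than its side effect, pair this with registry monitoring (Sysmon Event ID 13) on HKLM\SOFTWARE\Microsoft\NetSh, where netsh helpers are registered.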

Content Mapping



Use Case

Other

Category

Abuse

Alert Volume


SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Execution

MITRE ATT&CK Techniques

Command and Scripting Interpreter

PowerShell
Windows Command Shell

MITRE Threat Groups

APT1
APT18
APT19
APT28
APT29
APT3
APT32
APT33
APT37
APT38
APT39
APT41
BRONZE BUTLER
Blue Mockingbird
Chimera
Cobalt Group
CopyKittens
Dark Caracal
DarkHydrus
DarkVishnya
Darkhotel
Deep Panda
Dragonfly 2.0
FIN10
FIN6
FIN7
FIN8
Frankenstein
Gallmaker
Gamaredon Group
Gorgon Group
Honeybee
Inception
Ke3chang
Kimsuky
Lazarus Group
Leviathan
Magic Hound
Molerats
MuddyWater
OilRig
Patchwork
Poseidon Group
Rancor
Silence
Soft Cell
Sowbug
Stealth Falcon
Suckfly
TA459
TA505
TEMP.Veles
Threat Group-1314
Threat Group-3390
Thrip
Tropic Trooper
Turla
WIRTE
Wizard Spider
admin@338
menuPass

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

Help

Processes Created By Netsh Help

To successfully implement this search, you must be ingesting endpoint logs that carry the process name, the command-line arguments, and the parent process name; the search matches on events whose parent process is netsh.exe, so a data source that omits the parent process field will return nothing. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
