Processes Launching Netsh

Description

This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.
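As an added example (not the page's SPL and not Splunk's code), the Python below applies the search's two conditions, a process launching netsh.exe and netsh.exe spawning a command, to a few constructed process events, and additionally tags the firewall-modification and helper-DLL command lines that the page's technique mapping and description refer to. Field names and sample events are assumptions, not the Endpoint data model's actual schema.

```python
import re

# Constructed sample process-creation events (not real telemetry). Field
# names are assumptions loosely modelled on the Endpoint data model.
EVENTS = [
    {"parent": "explorer.exe", "process": "cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"parent": "powershell.exe", "process": "netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"parent": "svchost.exe", "process": "netsh.exe",
     "cmdline": "netsh interface show interface"},
    {"parent": "netsh.exe", "process": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"parent": "cmd.exe", "process": "netsh.exe",
     "cmdline": "netsh add helper C:\\Users\\Public\\helper.dll"},
]

FIREWALL_RE = re.compile(r"\b(adv)?firewall\b", re.IGNORECASE)
HELPER_RE = re.compile(r"\badd\s+helper\b", re.IGNORECASE)


def classify(event):
    """Return tags for one event; empty list if netsh.exe is not involved."""
    tags = []
    proc = event["process"].lower()
    parent = event["parent"].lower()
    cmd = event["cmdline"]
    if proc == "netsh.exe":
        tags.append("netsh_launched")  # some process launched netsh.exe
        if FIREWALL_RE.search(cmd):
            # Maps to the page's 'Disable or Modify System Firewall' technique
            tags.append("firewall_modification")
        if HELPER_RE.search(cmd):
            # Helper DLL registration: the persistence proxy the page describes
            tags.append("helper_dll_persistence")
    if parent == "netsh.exe":
        tags.append("netsh_child_process")  # netsh.exe itself spawned a command
    return tags


def hunt(events):
    """Return (cmdline, tags) for every event in which netsh.exe appears."""
    return [(ev["cmdline"], tags) for ev in events if (tags := classify(ev))]


if __name__ == "__main__":
    for cmdline, tags in hunt(EVENTS):
        print(f"{', '.join(tags):45} {cmdline}")
```

Benign administrative use of netsh.exe (the `interface show` event above) still matches the base condition, so the extra tags are what an analyst would triage first.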

Content Mapping

This content is not mapped to any local saved search.


Use Case

Other

Category

Abuse


SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Impair Defenses

Disable or Modify System Firewall

MITRE Threat Groups

Carbanak
Dragonfly 2.0
Kimsuky
Lazarus Group
Rocke

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response


Processes Launching Netsh Help

To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the Endpoint data model.
