Processes Launching Netsh


This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can also be abused as a persistence proxy technique: an attacker registers a helper DLL with netsh, and that DLL is loaded and executed every time netsh.exe runs. In this search, we are looking for the parent processes that spawn netsh.exe, together with the command line netsh.exe is executed with. Because netsh is a legitimate administration tool that is routinely run by scripts, installers and help-desk staff, expect benign hits and use the parent process and command line to separate them from suspicious launches.


Processes Launching Netsh Help

To successfully implement this search, you must be ingesting data that records process activity from your hosts (process name, parent process name, command line, host and user) to populate the Endpoint data model.

Baseline Generation Searches

This detection relies on the following searches to generate the baseline lookup.

  • Baseline of SMB Traffic - MLTK
  • Previously seen command line arguments
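The following Python script is an added example, not part of the original page or of the Splunk detection itself. It applies the detection logic described above to a handful of constructed process-creation events whose field names follow the Endpoint.Processes data model: it selects launches of netsh.exe regardless of path or case, keeps the parent process and command line, flags command lines that register a helper DLL (the persistence proxy technique mentioned above), and compares each command line against a stand-in for the "Previously seen command line arguments" baseline lookup. The sample events and the baseline set are invented for this example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample process-creation events. Field names follow the Splunk
# Endpoint.Processes data model (dest, user, parent_process_name, process_name,
# process); the values are made up for this example, not data from the page.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"dest": "ws01", "user": "CORP\\alice", "parent_process_name": "cmd.exe",
     "process_name": "netsh.exe",
     "process": "netsh advfirewall firewall add rule name=\"svc\" dir=in "
                "action=allow protocol=TCP localport=4444"},
    {"dest": "ws02", "user": "CORP\\bob", "parent_process_name": "powershell.exe",
     "process_name": "netsh.exe",
     "process": "netsh add helper C:\\Users\\Public\\helper.dll"},
    {"dest": "ws01", "user": "CORP\\alice", "parent_process_name": "explorer.exe",
     "process_name": "netsh.exe",
     "process": "netsh interface show interface"},
    {"dest": "ws03", "user": "CORP\\carol", "parent_process_name": "svchost.exe",
     "process_name": "notepad.exe",
     "process": "notepad.exe C:\\notes.txt"},
    {"dest": "ws02", "user": "CORP\\bob", "parent_process_name": "powershell.exe",
     "process_name": "NETSH.EXE",
     "process": "C:\\Windows\\System32\\NETSH.EXE add helper C:\\Users\\Public\\helper.dll"},
]

# Constructed stand-in for the "Previously seen command line arguments"
# baseline lookup: command lines already observed during the baseline window.
BASELINE_COMMAND_LINES = {
    "netsh interface show interface",
}

# Image name netsh.exe, with or without a leading path; Windows file names are
# case-insensitive, so the match is too.
NETSH_IMAGE = re.compile(r"(?:^|\\)netsh\.exe$", re.IGNORECASE)
# "netsh add helper <dll>" registers a helper DLL that netsh loads on every
# later start, which is the persistence proxy technique described above.
HELPER_DLL = re.compile(r"\badd\s+helper\b", re.IGNORECASE)


def find_netsh_launches(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Select process-creation events whose launched image is netsh.exe.

    Each returned record keeps host, user, parent process and full command line
    and adds two flags: whether the command line registers a helper DLL, and
    whether the command line is absent from the baseline of previously seen
    command lines.
    """
    hits: List[Dict[str, object]] = []
    for ev in events:
        if not NETSH_IMAGE.search(ev.get("process_name", "")):
            continue
        cmd = ev.get("process", "")
        hits.append({
            "dest": ev.get("dest", ""),
            "user": ev.get("user", ""),
            "parent_process_name": ev.get("parent_process_name", ""),
            "process": cmd,
            "adds_helper_dll": bool(HELPER_DLL.search(cmd)),
            "new_command_line": cmd not in BASELINE_COMMAND_LINES,
        })
    return hits


def count_by_parent(hits: Iterable[Dict[str, object]]) -> Counter:
    """Aggregate hits per (parent process, host, user), like a `by` clause."""
    return Counter((h["parent_process_name"], h["dest"], h["user"]) for h in hits)


def main() -> None:
    hits = find_netsh_launches(SAMPLE_EVENTS)
    for h in hits:
        flags = []
        if h["adds_helper_dll"]:
            flags.append("helper DLL persistence")
        if h["new_command_line"]:
            flags.append("command line not in baseline")
        print(f"{h['dest']} {h['user']} {h['parent_process_name']} -> {h['process']} "
              f"[{', '.join(flags) or 'seen in baseline'}]")
    for key, n in count_by_parent(hits).items():
        print(key, n)


if __name__ == "__main__":
    main()
```

Of the five constructed events, four are netsh.exe launches and one (notepad.exe) is dropped. The `explorer.exe` launch is suppressed by the baseline, while the two `powershell.exe` launches stand out both as previously unseen command lines and as helper DLL registrations; the aggregation by parent, host and user shows the same parent repeating on the same host, which is the pivot an analyst would take next.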