
S0108 netsh

netsh is a scripting utility used to interact with networking components on local or remote systems. [1]

Item Value
ID S0108
Associated Names
Type TOOL
Version 1.3
Created 31 May 2017
Last Modified 25 February 2025

Techniques Used

Domain      ID         Name                                   Use
enterprise  T1546      Event Triggered Execution              -
enterprise  T1546.007  Netsh Helper DLL                       netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. [3]
enterprise  T1562      Impair Defenses                        -
enterprise  T1562.004  Disable or Modify System Firewall      netsh can be used to disable local firewall settings. [1][2]
enterprise  T1090      Proxy                                  netsh can be used to set up a proxy tunnel to allow remote host access to an infected host. [4]
enterprise  T1518      Software Discovery                     -
enterprise  T1518.001  Security Software Discovery            netsh can be used to discover system firewall settings. [1][2]
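As an added example (not part of the ATT&CK page), the following Python classifier tags process-creation command lines with the technique IDs from the table above. The sample command lines are constructed, and the netsh subcommand patterns are assumptions that a defender would tune to their own telemetry.

```python
import re

# Constructed sample process-creation command lines (not taken from the
# ATT&CK page or its references); the last two are benign controls.
SAMPLE_EVENTS = [
    r"netsh advfirewall set allprofiles state off",
    r"netsh firewall set opmode mode=disable",
    r"netsh interface portproxy add v4tov4 listenport=8080 "
    r"connectaddress=10.0.0.5 connectport=443",
    r'netsh add helper "C:\Users\Public\helper.dll"',
    r"netsh advfirewall show allprofiles",
    r"netsh interface show interface",
    r"ipconfig /all",
]

# One regex per technique in the S0108 table. The patterns follow the
# netsh subcommand syntax as assumed here; adjust them for your environment.
RULES = [
    ("T1562.004", re.compile(          # Disable or Modify System Firewall
        r"\badvfirewall\s+set\s+\w+\s+state\s+off\b"
        r"|\bfirewall\s+set\s+opmode\b[^\n]*\bdisable\b", re.I)),
    ("T1090", re.compile(r"\binterface\s+portproxy\s+add\b", re.I)),   # Proxy
    ("T1546.007", re.compile(r"\badd\s+helper\b", re.I)),            # Helper DLL
    ("T1518.001", re.compile(                                        # Discovery
        r"\b(advfirewall|firewall)\s+show\b", re.I)),
]


def is_netsh(cmdline: str) -> bool:
    """True when the image name of the command line is netsh or netsh.exe."""
    parts = cmdline.strip().split(None, 1)
    if not parts:
        return False
    image = parts[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return image.lower() in ("netsh", "netsh.exe")


def classify(cmdline: str) -> list:
    """Return the technique IDs matched by a netsh command line.
    Non-netsh command lines and benign netsh usage return an empty list."""
    if not is_netsh(cmdline):
        return []
    return [tid for tid, pattern in RULES if pattern.search(cmdline)]


def scan(events) -> dict:
    """Map each suspicious command line to its matched technique IDs."""
    return {e: classify(e) for e in events if classify(e)}
```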

Groups That Use This Software

ID     Name            References
G1017  Volt Typhoon    [8][9][7]
G0019  Naikon          [10]
G0050  APT32           [11]
G0059  Magic Hound     [12]
G0032  Lazarus Group   [13]
G0008  Carbanak        [14]
G0035  Dragonfly       [15]
G0007  APT28           APT28 Nearest Neighbor Campaign was conducted by APT28 from early February 2022 to November 2024. [6]

References


  1. Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017. 

  2. Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016. 

  3. Demaske, M. (2016, September 23). USING NETSHELL TO EXECUTE EVIL DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017. 

  4. Kaspersky Lab’s Global Research and Analysis Team. (2017, February 8). Fileless attacks against enterprise networks. Retrieved February 8, 2017. 

  5. Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023. 

  6. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025. 

  7. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. 

  8. Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023. 

  9. NSA et al. (2023, May 24). People’s Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023. 

  10. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. 

  11. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  12. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. 

  13. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved November 17, 2024. 

  14. Group-IB and Fox-IT. (2014, December). Anunak: APT against financial institutions. Retrieved April 20, 2016. 

  15. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.