LoFP: Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.

Techniques

Sample rules

Windows Proxy Via Netsh

Description

The following analytic identifies the use of netsh.exe to configure a connection proxy, which can be leveraged for persistence by executing a helper DLL. It detects this activity by analyzing process creation events from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving “portproxy” and “v4tov4” parameters. This activity is significant because it indicates potential unauthorized network configuration changes, which could be used to maintain persistence or redirect network traffic. If confirmed malicious, this could allow an attacker to maintain covert access or manipulate network communications, posing a significant security risk.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = "* portproxy *" Processes.process = "* v4tov4 *" by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.user Processes.dest
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_proxy_via_netsh_filter`

Processes launching netsh

Description

The following analytic identifies processes launching netsh.exe, a command-line utility used to modify network configurations. It detects this activity by analyzing data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This behavior is significant because netsh.exe can be exploited to execute malicious helper DLLs, serving as a persistence mechanism. If confirmed malicious, an attacker could gain persistent access, modify network settings, and potentially escalate privileges, posing a severe threat to the network’s integrity and security.

Detection logic

| tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.user Processes.dest
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `processes_launching_netsh_filter`
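The two rules above, re-implemented in Python over constructed process-creation events so the matching and the false-positive tuning can be exercised offline. This is an added example, not the content of the page's own rules: `is_netsh` stands in for the `process_netsh` macro, `not_allowlisted` stands in for the `*_filter` macros (where the "known VPN application" exception from the LoFP note would be applied), and the sample events, parent names and addresses are invented.

```python
from collections import defaultdict

# Constructed sample process-creation events (not from the page); field names
# mirror the Endpoint.Processes data model fields the two rules group by.
SAMPLE_EVENTS = [
    {"_time": 100, "dest": "ws01", "user": "CORP\\alice", "parent_process_name": "cmd.exe",
     "process_name": "netsh.exe",
     "process": "netsh interface portproxy add v4tov4 listenport=8080 connectport=80 connectaddress=10.0.0.9"},
    {"_time": 110, "dest": "ws01", "user": "CORP\\alice", "parent_process_name": "cmd.exe",
     "process_name": "netsh.exe", "process": "netsh interface portproxy show all"},
    {"_time": 120, "dest": "ws02", "user": "CORP\\bob", "parent_process_name": "vpnclient.exe",
     "process_name": "netsh.exe", "process": "netsh interface ip set dns name=Ethernet source=dhcp"},
    {"_time": 130, "dest": "ws02", "user": "CORP\\bob", "parent_process_name": "explorer.exe",
     "process_name": "chrome.exe", "process": "chrome.exe --profile-directory=Default"},
]

# Stands in for the `process_netsh` macro (assumed): match on the binary name.
def is_netsh(event):
    return event.get("process_name", "").lower() == "netsh.exe"

# Equivalent of Processes.process = "* portproxy *" Processes.process = "* v4tov4 *":
# both tokens must appear as whitespace-delimited arguments, case-insensitively.
def is_portproxy_v4tov4(event):
    args = event.get("process", "").lower().split()
    return "portproxy" in args and "v4tov4" in args

# Stands in for the *_filter macros: the LoFP tuning point, i.e. parent
# processes (such as a known VPN client) whose netsh use is expected.
def not_allowlisted(event, allowlisted_parents):
    return event.get("parent_process_name", "").lower() not in allowlisted_parents

# Mirrors the tstats aggregation: count, min(_time), max(_time), values(process),
# grouped by parent, process name, user and host.
def aggregate(events):
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "process": set()})
    for e in events:
        g = groups[(e["parent_process_name"], e["process_name"], e["user"], e["dest"])]
        g["count"] += 1
        g["firstTime"] = e["_time"] if g["firstTime"] is None else min(g["firstTime"], e["_time"])
        g["lastTime"] = e["_time"] if g["lastTime"] is None else max(g["lastTime"], e["_time"])
        g["process"].add(e["process"])
    return dict(groups)

def windows_proxy_via_netsh(events, allowlisted_parents=frozenset()):
    return aggregate([e for e in events if is_netsh(e) and is_portproxy_v4tov4(e)
                      and not_allowlisted(e, allowlisted_parents)])

def processes_launching_netsh(events, allowlisted_parents=frozenset()):
    return aggregate([e for e in events if is_netsh(e) and not_allowlisted(e, allowlisted_parents)])
```

Running both functions with and without a VPN parent in the allowlist shows the broader rule firing on the VPN client's routine DNS change while the portproxy rule stays quiet on it, which is the trade-off the LoFP note describes.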