Techniques
Sample rules
Processes launching netsh
- source: splunk
- techniques:
- T1562.004
- T1562
Description
This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to display or modify the network configuration of a running computer, either locally or remotely. Netsh can also serve as a persistence mechanism: whenever netsh.exe runs, it loads any helper DLLs registered with the netsh add helper command, so an attacker-registered DLL executes under netsh.exe. This search surfaces every execution of netsh.exe together with the parent process that launched it and the command line used, so analysts can spot unusual parents (for example, Office applications or scripting hosts) and unusual arguments.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.user Processes.dest
|`drop_dm_object_name("Processes")`
|`security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)`
|`processes_launching_netsh_filter`
Windows Proxy Via Netsh
- source: splunk
- techniques:
- T1090.001
- T1090
Description
This search looks for processes launching netsh.exe to configure a connection proxy. Netsh is a command-line scripting utility that allows you to display or modify the network configuration of a running computer, either locally or remotely. Its portproxy context can forward a TCP port on the local host to another address (netsh interface portproxy add v4tov4 ...), which adversaries use to pivot traffic through a compromised host or to expose an internal service. This search matches netsh.exe executions whose command line contains both portproxy and v4tov4, and reports the parent process, the full command line, the user and the host.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_netsh` Processes.process = "* portproxy *" Processes.process = "* v4tov4 *" by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.user Processes.dest
|`drop_dm_object_name("Processes")`
|`security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)`
| `windows_proxy_via_netsh_filter`
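The two searches above, emulated in Python over a handful of constructed process-creation events so that the matching and grouping can be seen end to end. This is an added example, not part of this page or of the Splunk security content. It assumes that the `process_netsh` macro matches netsh.exe by process_name or original_file_name (so a renamed copy is still caught), that Splunk wildcard matching on these fields is case-insensitive, and that the `_filter` macros are no-op placeholders for local allowlisting (modelled here as an allowed-parents list). Event records, hostnames and user names are constructed.

```python
from typing import Any, Dict, Iterable, List, Sequence, Tuple

# Constructed Sysmon/EDR-style process-creation events (sample data, not real
# telemetry). Field names follow the Endpoint.Processes data model the SPL uses.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"_time": "2024-03-01T09:00:01", "dest": "ws01", "user": "CORP\\alice",
     "parent_process_name": "cmd.exe",
     "parent_process": "cmd.exe /c netsh advfirewall show allprofiles",
     "process_name": "netsh.exe", "original_file_name": "netsh.exe",
     "process": "netsh advfirewall show allprofiles"},
    {"_time": "2024-03-01T09:05:10", "dest": "ws01", "user": "CORP\\alice",
     "parent_process_name": "powershell.exe",
     "parent_process": "powershell.exe -nop -w hidden",
     "process_name": "netsh.exe", "original_file_name": "netsh.exe",
     "process": "netsh interface portproxy add v4tov4 listenport=3389 "
                "listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.0.5"},
    # Renamed copy of netsh.exe: process_name changes, original_file_name does not.
    {"_time": "2024-03-01T09:06:00", "dest": "ws01", "user": "CORP\\alice",
     "parent_process_name": "powershell.exe",
     "parent_process": "powershell.exe -nop -w hidden",
     "process_name": "n.exe", "original_file_name": "netsh.exe",
     "process": "n.exe interface portproxy add v4tov4 listenport=8443 "
                "connectaddress=10.0.0.5 connectport=443"},
    {"_time": "2024-03-01T09:07:00", "dest": "ws02", "user": "NT AUTHORITY\\SYSTEM",
     "parent_process_name": "services.exe",
     "parent_process": "C:\\Windows\\system32\\services.exe",
     "process_name": "svchost.exe", "original_file_name": "svchost.exe",
     "process": "svchost.exe -k netsvcs"},
    {"_time": "2024-03-01T09:08:00", "dest": "ws02", "user": "CORP\\bob",
     "parent_process_name": "explorer.exe",
     "parent_process": "C:\\Windows\\explorer.exe",
     "process_name": "netsh.exe", "original_file_name": "netsh.exe",
     "process": "netsh wlan show profiles"},
]

# "by" clauses of the two searches, in the same order as the SPL above.
RULE1_KEYS = ("parent_process_name", "parent_process", "original_file_name",
              "process_name", "user", "dest")
RULE2_KEYS = ("parent_process_name", "parent_process", "original_file_name",
              "process_name", "process", "user", "dest")


def is_netsh(ev: Dict[str, str]) -> bool:
    """Stand-in for the `process_netsh` macro. Assumption: the macro matches on
    process_name OR original_file_name, so a renamed binary is still caught."""
    return "netsh.exe" in (ev["process_name"].lower(), ev["original_file_name"].lower())


def is_portproxy_v4tov4(ev: Dict[str, str]) -> bool:
    """Emulates Processes.process = "* portproxy *" AND Processes.process = "* v4tov4 *".
    The spaces inside the wildcards mean both tokens must appear as whole words;
    the comparison is case-insensitive (assumption about Splunk's field matching)."""
    cmd = ev["process"].lower()
    return " portproxy " in cmd and " v4tov4 " in cmd


def aggregate(events: Iterable[Dict[str, str]], keys: Sequence[str]) -> List[Dict[str, Any]]:
    """Emulates `tstats count values(process) min(_time) max(_time) ... by <keys>`."""
    groups: Dict[Tuple[str, ...], Dict[str, Any]] = {}
    for ev in events:
        key = tuple(ev[k] for k in keys)
        if key not in groups:
            groups[key] = {**dict(zip(keys, key)), "count": 0,
                           "firstTime": ev["_time"], "lastTime": ev["_time"],
                           "process_values": set()}
        row = groups[key]
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])  # ISO-8601 sorts lexically
        row["lastTime"] = max(row["lastTime"], ev["_time"])
        row["process_values"].add(ev["process"])
    rows = [{**r, "process_values": sorted(r["process_values"])} for r in groups.values()]
    return sorted(rows, key=lambda r: r["firstTime"])


def processes_launching_netsh(events: Iterable[Dict[str, str]],
                              allowed_parents: Sequence[str] = ()) -> List[Dict[str, Any]]:
    """Rule 1: every netsh.exe execution, grouped by parent, user and host.
    `allowed_parents` plays the role of the `processes_launching_netsh_filter`
    macro, which ships as a no-op and is meant for local tuning (assumption)."""
    allowed = {p.lower() for p in allowed_parents}
    rows = aggregate(filter(is_netsh, events), RULE1_KEYS)
    return [r for r in rows if r["parent_process_name"].lower() not in allowed]


def windows_proxy_via_netsh(events: Iterable[Dict[str, str]]) -> List[Dict[str, Any]]:
    """Rule 2: netsh.exe used to add an IPv4 port-forwarding rule (portproxy v4tov4)."""
    hits = [e for e in events if is_netsh(e) and is_portproxy_v4tov4(e)]
    return aggregate(hits, RULE2_KEYS)


if __name__ == "__main__":
    for name, rows in (("Processes launching netsh", processes_launching_netsh(SAMPLE_EVENTS)),
                       ("Windows Proxy Via Netsh", windows_proxy_via_netsh(SAMPLE_EVENTS))):
        print(f"== {name}: {len(rows)} row(s)")
        for r in rows:
            print(f"  {r['firstTime']} {r['dest']} {r['user']} "
                  f"{r['parent_process_name']} -> {r['process_name']} x{r['count']}")
```

Two things worth noticing when running it: the renamed copy (n.exe) is only caught because the macro is emulated against original_file_name as well as process_name, which is why the first search keeps both fields in its "by" clause, and the second search groups on the full command line, so two different portproxy rules from the same parent show up as separate rows rather than being collapsed into one count.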