---
Name: Netsh.exe
Description: Netsh is a Windows tool used to manipulate network interface settings.
Author: 'Freddie Barr-Smith'
Created: 2019-12-24
Commands:
  - Command: netsh.exe add helper C:\Users\User\file.dll
    Description: Use Netsh in order to execute a .dll file and also gain persistence, every time the netsh command is called
    Usecase: Proxy execution of .dll
    Category: Execute
    Privileges: User
    MitreID: T1546.007
    OperatingSystem: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full_Path:
  - Path: C:\WINDOWS\System32\Netsh.exe
  - Path: C:\WINDOWS\SysWOW64\Netsh.exe
Code_Sample:
  - Code:
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/0a410010a2655bc6f2aae73b9fb3b2c00ed589f7/rules/windows/process_creation/win_susp_netsh_dll_persistence.yml
  - Splunk: https://github.com/splunk/security_content/blob/2b87b26bdc2a84b65b1355ffbd5174bdbdb1879c/detections/endpoint/processes_launching_netsh.yml
  - Splunk: https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/detections/deprecated/processes_created_by_netsh.yml
  - IOC: Netsh initiating a network connection
Resources:
  - Link: https://freddiebarrsmith.com/trix/trix.html
  - Link: https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html
  - Link: https://liberty-shell.com/sec/2018/07/28/netshlep/
Acknowledgement:
  - Person: 'Freddie Barr-Smith'
    Handle:
  - Person: 'Riccardo Spolaor'
    Handle:
  - Person: 'Mariano Graziano'
    Handle:
  - Person: 'Xabier Ugarte-Pedrero'
    Handle: