Threat Feed advisory (severity: medium)

Windows Host Network Discovery Enabled via Netsh

Attackers can enable host network discovery via netsh.exe to weaken host firewall settings, facilitating lateral movement by identifying other systems on the network.

Attackers can leverage the netsh.exe utility to modify Windows Firewall settings, specifically enabling Network Discovery. This setting allows a host to broadcast its presence and services, making it easier for attackers to identify potential targets within the network for lateral movement. The behavior is often a post-exploitation technique to weaken host-based defenses after gaining initial access. The modification uses netsh.exe, a command-line scripting utility for managing network configurations. This activity can be easily scripted and automated, making it a common step in reconnaissance and lateral movement playbooks. Defenders should monitor for unauthorized use of netsh.exe to modify firewall settings.

Attack Chain

  1. Attacker gains initial access to a Windows host.
  2. Attacker executes netsh.exe with elevated privileges.
  3. netsh.exe is used to modify the Windows Firewall configuration.
  4. The specific command executed enables Network Discovery using the netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes syntax.
  5. The firewall rule group “Network Discovery” is modified to allow inbound and outbound traffic.
  6. The compromised host begins sending out broadcast messages, advertising its presence and services on the network.
  7. The attacker uses the information gathered to identify other vulnerable systems on the network.
  8. The attacker moves laterally to other systems based on the discovery information.

Impact

Successful exploitation allows attackers to easily enumerate and identify other vulnerable systems within the network. This can lead to rapid lateral movement, further compromising the environment. The risk is heightened when the compromised host has access to sensitive data or critical systems. There is no specific victim count or sector targeted mentioned in the provided source.

Recommendation

  • Deploy the Sigma rule “Enable Host Network Discovery via Netsh” to your SIEM to detect the use of netsh.exe to enable network discovery (see rule below).
  • Enable Windows Firewall logging and monitor for changes to firewall rules, specifically those related to Network Discovery.
  • Review and restrict the use of netsh.exe to authorized personnel and systems only.

Detection coverage (2 rules)

Enable Host Network Discovery via Netsh

medium

Identifies use of the netsh.exe program to enable host discovery via the network.

Rule type: sigma. Tactics: defense_evasion. Techniques: T1562.004. Log sources: process_creation, windows.

Netsh Firewall Rule Modification

low

Detects netsh.exe being used to modify firewall rules, which can indicate defense evasion.

Rule type: sigma. Tactics: defense_evasion. Techniques: T1562. Log sources: process_creation, windows.
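The two rules above and the attack chain described earlier both reduce to matching process_creation events on the netsh.exe image and its command line. The following Python is an added example written for this page, not the platform's own Sigma logic or query: it tokenizes a netsh command line so that quoting and casing variants compare equal, then maps each event to either the medium-severity Network Discovery detection or the low-severity generic firewall rule modification. The events, field names (Image, CommandLine) and the Finding structure are constructed for the example; only the netsh syntax and rule titles come from the advisory.

```python
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample process_creation events (not taken from the advisory).
# Field names follow the common Sysmon Event ID 1 / Security 4688 convention.
SAMPLE_EVENTS = [
    # 0. The exact syntax the advisory quotes.
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    # 1. Same action with mixed case, single quotes and the 32-bit binary.
    {"Image": r"C:\Windows\SysWOW64\NETSH.EXE",
     "CommandLine": "NETSH AdvFirewall Firewall Set Rule Group='Network Discovery' New Enable=YES"},
    # 2. A generic firewall rule change that is not Network Discovery.
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Web" dir=in action=allow protocol=TCP localport=8080'},
    # 3. Benign netsh use that touches no firewall rule.
    {"Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh interface ip show config"},
    # 4. Same text under a different image: outside the rules' Image filter
    #    (a real netsh child process would produce its own event and be caught).
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c echo netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
]


@dataclass(frozen=True)
class Finding:
    title: str
    severity: str
    technique: str


def tokenize(command_line: str) -> list[str]:
    """Split a command line into lower-cased tokens so that
    group="Network Discovery" and Group='network discovery' compare equal."""
    try:
        tokens = shlex.split(command_line)
    except ValueError:  # unbalanced quotes: fall back to a plain whitespace split
        tokens = command_line.split()
    return [t.lower() for t in tokens]


def classify(event: dict) -> Optional[Finding]:
    """Map one process_creation event to one of the advisory's two detections, or None."""
    if not event.get("Image", "").lower().endswith("\\netsh.exe"):
        return None
    tokens = tokenize(event.get("CommandLine", ""))
    # Cover both the modern 'advfirewall' context and the legacy 'firewall' context.
    if not ({"advfirewall", "firewall"} & set(tokens)) or "rule" not in tokens:
        return None
    if not ({"set", "add", "delete"} & set(tokens)):
        return None
    # key=value parameters, e.g. group=network discovery, enable=yes
    params = dict(t.split("=", 1) for t in tokens if "=" in t)
    if ("set" in tokens
            and params.get("group") == "network discovery"
            and params.get("enable") == "yes"):
        return Finding("Enable Host Network Discovery via Netsh", "medium", "T1562.004")
    return Finding("Netsh Firewall Rule Modification", "low", "T1562")


def scan(events: list[dict]) -> list[tuple[int, Finding]]:
    """Run classify() over a batch and return (event index, finding) pairs."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e)) is not None]


if __name__ == "__main__":
    for idx, finding in scan(SAMPLE_EVENTS):
        print(f"event {idx}: [{finding.severity}] {finding.title} ({finding.technique})")
```

Matching on parsed tokens rather than on a raw substring like `group="Network Discovery"` is what keeps the single-quoted, mixed-case variant in event 1 from slipping past the medium rule, while still letting unrelated rule changes fall through to the low-severity detection.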

Detection queries are kept inside the platform.