Netsh Used to Enable Network Discovery
Adversaries may use the `netsh.exe` command-line tool to enable Network Discovery via the Windows firewall, weakening host defenses and facilitating lateral movement by identifying other systems on the network.
Attackers can exploit the netsh.exe utility to modify Windows Firewall settings, specifically enabling Network Discovery. This weakens the host's defenses and can reveal the host to other systems on the network, making it easier for adversaries to perform reconnaissance and move laterally. The activity is often part of a larger attack chain focused on compromising multiple systems. Defenders should monitor for unusual uses of netsh.exe, especially those involving firewall modifications related to network discovery. This technique allows compromised systems to identify other potential targets on the network.
Attack Chain
- An attacker gains initial access to a Windows host (e.g., via phishing or exploiting a vulnerability).
- The attacker executes
netsh.exewith administrative privileges. netsh.exeis used to modify the Windows Firewall configuration.- The specific command executed is
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes. - This command enables Network Discovery, allowing the compromised host to send and receive network broadcast messages.
- The attacker uses the enabled Network Discovery to identify other systems on the same network segment.
- The attacker uses discovered hosts for lateral movement or further exploitation.
- The final objective is often data theft, ransomware deployment, or establishing persistence within the network.
Impact
Enabling Network Discovery via netsh.exe weakens a host's defenses and allows attackers to more easily identify and target other systems on the network. While the direct impact of this single action may be limited, it facilitates subsequent stages of an attack, potentially leading to widespread compromise, data exfiltration, or ransomware deployment. This activity has been observed in multiple incidents and can affect organizations of any size.
Recommendation
- Deploy the Sigma rule to detect the use of
netsh.exeto enable Network Discovery (see rule: "Detect Netsh Enabling Network Discovery"). - Investigate any instances of
netsh.exebeing used to modify firewall settings, particularly those related to the "Network Discovery" group. - Review and harden Windows Firewall configurations across the environment to restrict unnecessary network discovery.
- Monitor process execution events for
netsh.exewith process creation logs, specifically looking for command-line arguments related to firewall modifications.
Detection coverage 2
Detect Netsh Enabling Network Discovery
mediumDetects the execution of netsh.exe to enable Network Discovery through the Windows Firewall.
Detect Netsh Firewall Modification (Generic)
lowDetects the execution of netsh.exe to modify Windows Firewall rules, which may indicate defense evasion.
Detection queries are available on the platform. Get full rules →