{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/netsh/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Defender XDR","Elastic Defend","Sysmon"],"_cs_severities":["high"],"_cs_tags":["credential-access","netsh","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers often target wireless credentials to gain unauthorized network access. One technique uses the legitimate Windows command-line tool \u003ccode\u003enetsh.exe\u003c/code\u003e to extract Wi-Fi passwords stored on a compromised system. By leveraging \u003ccode\u003enetsh\u003c/code\u003e, attackers can bypass traditional security measures and retrieve sensitive information without deploying custom malware. The technique relies on specific command-line arguments that instruct \u003ccode\u003enetsh\u003c/code\u003e to display wireless keys in cleartext, exposing the network passwords. Defenders must monitor \u003ccode\u003enetsh\u003c/code\u003e command-line activity to identify potential credential access attempts. 
This activity can lead to lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system (e.g., via phishing or exploiting a software vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific arguments to list available wireless profiles.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target wireless profile from the list.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e again, this time specifying the target profile and requesting the key to be displayed in cleartext using the \u003ccode\u003ekey=clear\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eNetsh.exe\u003c/code\u003e retrieves the Wi-Fi password from the Windows Wireless LAN service.\u003c/li\u003e\n\u003cli\u003eThe password is displayed in the command output, which the attacker captures.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained Wi-Fi password to connect to the wireless network.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform lateral movement and access internal resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful credential dumping allows attackers to gain unauthorized access to wireless networks. This can lead to lateral movement within the organization\u0026rsquo;s network, access to sensitive data, and further compromise of systems and resources. The impact includes potential data breaches, financial losses, and reputational damage. 
This technique allows attackers to bypass traditional network access controls.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Wireless Credential Dumping via Netsh\u003c/code\u003e to identify suspicious \u003ccode\u003enetsh.exe\u003c/code\u003e commands in your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the \u003ccode\u003enetsh.exe\u003c/code\u003e command-line arguments.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process lineage and user context as outlined in the \u0026ldquo;Triage and analysis\u0026rdquo; section of the source.\u003c/li\u003e\n\u003cli\u003eImplement strong password policies for Wi-Fi networks, including the use of WPA2 or WPA3 encryption.\u003c/li\u003e\n\u003cli\u003eReview and restrict the use of \u003ccode\u003enetsh.exe\u003c/code\u003e on systems where it is not required, using application control solutions.\u003c/li\u003e\n\u003cli\u003eMonitor for related alerts indicating lateral movement, staging, remote access, or persistence, as mentioned in the \u0026ldquo;Triage and analysis\u0026rdquo; section of the source.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-30-wireless-creds-dumping/","summary":"Adversaries use the Windows built-in utility Netsh to dump Wireless saved access keys in clear text, potentially leading to credential compromise.","title":"Wireless Credential Dumping via Netsh","url":"https://feed.craftedsignal.io/briefs/2024-01-30-wireless-creds-dumping/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","CrowdStrike Falcon","SentinelOne Cloud 
Funnel"],"_cs_severities":["low"],"_cs_tags":["persistence","windows","netsh","registry"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eThe \u003ccode\u003enetsh.exe\u003c/code\u003e utility in Windows supports the addition of Helper DLLs to extend its functionality. An attacker can abuse this mechanism to establish persistence by adding a malicious DLL. When \u003ccode\u003enetsh.exe\u003c/code\u003e is executed, the malicious DLL is loaded and executed, allowing the attacker to run arbitrary code with the privileges of the user or process that initiated \u003ccode\u003enetsh.exe\u003c/code\u003e. Because \u003ccode\u003enetsh.exe\u003c/code\u003e is routinely run by administrators or scheduled tasks, this is a stealthy and effective persistence technique. The registry key targeted by this technique is \u003ccode\u003eHKLM\\Software\\Microsoft\\netsh\\\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the target system through unspecified means.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a malicious DLL to be used as a Netsh Helper DLL.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the Windows Registry to add the malicious DLL as a Netsh Helper DLL under \u003ccode\u003eHKLM\\Software\\Microsoft\\netsh\\\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe system administrator or a scheduled task executes \u003ccode\u003enetsh.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enetsh.exe\u003c/code\u003e loads and executes the malicious DLL, granting the attacker code execution.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL performs its intended actions, such as establishing a reverse shell or deploying additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistence on the system through the malicious Netsh Helper DLL.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to establish persistent access to a compromised system. This can lead to data theft, system compromise, and further malicious activities. While the risk score is low, the persistence mechanism can allow attackers to maintain a foothold for extended periods, increasing the potential for significant damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor registry modifications under the \u003ccode\u003eHKLM\\Software\\Microsoft\\netsh\\\u003c/code\u003e path for suspicious DLL additions using the \u0026ldquo;Netsh Helper DLL Registry Modification\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to collect the necessary data for the Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by reviewing the DLL file properties, timestamps, and related processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"/briefs/2024-01-netsh-helper-dll/","summary":"Attackers may abuse the Netsh Helper DLL functionality by adding malicious DLLs to execute payloads every time the netsh utility is executed via administrators or scheduled tasks, achieving persistence.","title":"Netsh Helper DLL Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-helper-dll/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["discovery","windows","netsh","firewall"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying instances where the \u003ccode\u003enetsh.exe\u003c/code\u003e utility is used to query firewall configurations on a Windows system. 
While \u003ccode\u003enetsh.exe\u003c/code\u003e is a legitimate tool for network configuration, adversaries can leverage it to gather information about firewall rules and settings. This information can then be used to plan further attacks, such as bypassing firewall restrictions or identifying vulnerable network services. This activity is typically seen during the reconnaissance phase of an attack. The scope of this detection covers any Windows environment where Endpoint Detection and Response (EDR) logs are available.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised system through various means, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific commands to enumerate firewall rules and configurations (e.g., \u003ccode\u003enetsh firewall show state\u003c/code\u003e, \u003ccode\u003enetsh firewall show config\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enetsh.exe\u003c/code\u003e process retrieves the requested firewall information from the Windows operating system.\u003c/li\u003e\n\u003cli\u003eThe collected firewall information is parsed to identify potential weaknesses or misconfigurations.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the gathered information to modify existing firewall rules or create new rules to allow unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the modified firewall configuration to establish a covert communication channel or to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to exfiltrate sensitive data or deploy ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized network access, data exfiltration, or the deployment of ransomware. 
The enumeration of firewall configurations can provide attackers with valuable insights into the network\u0026rsquo;s security posture, enabling them to bypass security controls and compromise critical assets. This can result in significant financial losses, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Suspicious Netsh Firewall Discovery\u003c/code\u003e to your SIEM and tune for your environment to detect netsh.exe executions with firewall discovery commands.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging (Event ID 1) to capture the necessary command-line details.\u003c/li\u003e\n\u003cli\u003eInvestigate any identified instances of \u003ccode\u003enetsh.exe\u003c/code\u003e being used to query firewall settings, especially when initiated from unusual processes or user accounts.\u003c/li\u003e\n\u003cli\u003eMonitor parent-child process relationships to identify suspicious process spawning, as highlighted by the \u003ccode\u003eProcesses.parent_process_name\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eReview firewall configurations regularly to identify and remediate any misconfigurations or overly permissive rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-netsh-firewall-discovery/","summary":"The analytic detects the execution of the Windows built-in tool netsh.exe to display the state, configuration, and profile of the host firewall, potentially leading to unauthorized network access or data exfiltration.","title":"Windows Netsh Tool Used for Firewall Discovery","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-firewall-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows Firewall","Elastic Defend","Microsoft Defender 
XDR","SentinelOne Cloud Funnel","Crowdstrike"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","lateral-movement","windows","netsh","rdp"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eAttackers can leverage the native Windows command-line tool \u003ccode\u003enetsh.exe\u003c/code\u003e to modify Windows Firewall rules and enable inbound Remote Desktop Protocol (RDP) connections. This can be used as a defense evasion technique to bypass existing firewall restrictions, allowing attackers to establish remote access to a compromised host. Ransomware operators and other malicious actors frequently utilize RDP to access victim servers, often using privileged accounts, to further their objectives. This activity can be conducted post-compromise to facilitate lateral movement and the deployment of malicious payloads. This behavior is covered by detections in Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and CrowdStrike.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a Windows host through initial access methods (e.g., phishing, exploitation of a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker gains a foothold on the system and escalates privileges as needed.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e with specific arguments to modify the Windows Firewall configuration.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003enetsh\u003c/code\u003e command creates or modifies an inbound rule to allow RDP traffic (TCP port 3389).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes an RDP connection to the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RDP session to perform reconnaissance, move laterally, or deploy malware.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to disable or modify security tools 
to further evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this technique can lead to unauthorized remote access to systems, enabling lateral movement, data theft, and ransomware deployment. If RDP is enabled on a large number of systems, the attacker can move laterally through the environment. The impact can range from data breaches to complete operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003enetsh.exe\u003c/code\u003e executing with arguments related to enabling inbound RDP traffic using the \u0026ldquo;Remote Desktop Enabled in Windows Firewall by Netsh\u0026rdquo; rule.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule provided below to detect instances of \u003ccode\u003enetsh.exe\u003c/code\u003e being used to modify firewall rules related to RDP.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege and restrict the use of \u003ccode\u003enetsh.exe\u003c/code\u003e to authorized personnel only.\u003c/li\u003e\n\u003cli\u003eReview existing firewall rules and remove any unnecessary or overly permissive rules.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging for enhanced visibility into process execution events.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-netsh-rdp-enable/","summary":"Adversaries may use the `netsh.exe` utility to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall, potentially allowing unauthorized remote access to compromised systems.","title":"Netsh Used to Enable Remote Desktop Protocol (RDP) in Windows 
Firewall","url":"https://feed.craftedsignal.io/briefs/2024-01-netsh-rdp-enable/"}],"language":"en","title":"CraftedSignal Threat Feed — Netsh","version":"https://jsonfeed.org/version/1.1"}