https://feed.craftedsignal.io/tags/netsh/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 30 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-30-wireless-creds-dumping/Tue, 30 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-30-wireless-creds-dumping/Adversaries use the Windows built-in utility Netsh to dump Wireless saved access keys in clear text, potentially leading to credential compromise.Attackers often target wireless credentials to gain unauthorized network access. This involves using the legitimate Windows command-line tool netsh.exe to extract Wi-Fi passwords stored on a compromised system. By leveraging netsh, attackers can bypass traditional security measures and retrieve sensitive information without deploying custom malware. The technique involves specific command-line arguments that instruct netsh to display wireless keys in cleartext, exposing the network passwords. Defenders must monitor netsh command-line activity to identify potential credential access attempts. This activity can lead to lateral movement within the network.

Attack Chain

1. The attacker gains initial access to a Windows system (e.g., via phishing or exploiting a software vulnerability).
2. The attacker executes netsh.exe with specific arguments to list available wireless profiles.
3. The attacker identifies a target wireless profile from the list.
4. The attacker executes netsh.exe again, this time specifying the target profile and requesting the key to be displayed in cleartext using the key=clear argument.
5. Netsh.exe retrieves the Wi-Fi password from the Windows Wireless LAN service.
6. The password is displayed in the command output, which the attacker captures.
7. The attacker uses the obtained Wi-Fi password to connect to the wireless network.
8. The attacker can now perform lateral movement and access internal resources.

Impact

Successful credential dumping allows attackers to gain unauthorized access to wireless networks. This can lead to lateral movement within the organization’s network, access to sensitive data, and further compromise of systems and resources. The impact includes potential data breaches, financial losses, and reputational damage. This technique allows attackers to bypass traditional network access controls.

Recommendation

• Deploy the Sigma rule Detect Wireless Credential Dumping via Netsh to identify suspicious netsh.exe commands in your environment.
• Enable Sysmon process creation logging to capture the netsh.exe command-line arguments.
• Investigate any alerts triggered by the Sigma rule, focusing on the process lineage and user context as outlined in the “Triage and analysis” section of the source.
• Implement strong password policies for Wi-Fi networks, including the use of WPA2 or WPA3 encryption.
• Review and restrict the use of netsh.exe on systems where it is not required, using application control solutions.
• Monitor for related alerts indicating lateral movement, staging, remote access, or persistence, as mentioned in the “Triage and analysis” section of the source.

]]>highadvisorycredential-accessnetshwindowshttps://feed.craftedsignal.io/briefs/2024-01-netsh-helper-dll/Tue, 30 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-netsh-helper-dll/Attackers may abuse the Netsh Helper DLL functionality by adding malicious DLLs to execute payloads every time the netsh utility is executed via administrators or scheduled tasks, achieving persistence.The netsh.exe utility in Windows supports the addition of Helper DLLs to extend its functionality. An attacker can abuse this mechanism to establish persistence by adding a malicious DLL. When netsh.exe is executed, the malicious DLL is loaded and executed, allowing the attacker to run arbitrary code with the privileges of the user or process that initiated netsh.exe. This can be done by administrators or scheduled tasks, making it a stealthy and effective persistence technique. The registry key targeted by this technique is HKLM\Software\Microsoft\netsh\.

Attack Chain

1. Attacker gains initial access to the target system through unspecified means.
2. Attacker creates a malicious DLL to be used as a Netsh Helper DLL.
3. Attacker modifies the Windows Registry to add the malicious DLL as a Netsh Helper DLL under HKLM\Software\Microsoft\netsh\.
4. The system administrator or a scheduled task executes netsh.exe.
5. netsh.exe loads and executes the malicious DLL, granting the attacker code execution.
6. The malicious DLL performs its intended actions, such as establishing a reverse shell or deploying additional malware.
7. The attacker maintains persistence on the system through the malicious Netsh Helper DLL.

Impact

Successful exploitation allows attackers to establish persistent access to a compromised system. This can lead to data theft, system compromise, and further malicious activities. While the risk score is low, the persistence mechanism can allow attackers to maintain a foothold for extended periods, increasing the potential for significant damage.

Recommendation

• Monitor registry modifications under the HKLM\Software\Microsoft\netsh\ path for suspicious DLL additions using the “Netsh Helper DLL Registry Modification” Sigma rule.
• Enable Sysmon registry event logging to collect the necessary data for the Sigma rule.
• Investigate any alerts generated by the Sigma rule by reviewing the DLL file properties, timestamps, and related processes.

]]>lowadvisorypersistencewindowsnetshregistryhttps://feed.craftedsignal.io/briefs/2024-01-netsh-firewall-discovery/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-netsh-firewall-discovery/The analytic detects the execution of the Windows built-in tool netsh.exe to display the state, configuration, and profile of the host firewall, potentially leading to unauthorized network access or data exfiltration.This detection focuses on identifying instances where the netsh.exe utility is used to query firewall configurations on a Windows system. While netsh.exe is a legitimate tool for network configuration, adversaries can leverage it to gather information about firewall rules and settings. This information can then be used to plan further attacks, such as bypassing firewall restrictions or identifying vulnerable network services. This activity is typically seen during the reconnaissance phase of an attack. The scope of this detection covers any Windows environment where Endpoint Detection and Response (EDR) logs are available.

Attack Chain

1. An attacker gains initial access to a compromised system through various means, such as phishing or exploiting a vulnerability.
2. The attacker executes netsh.exe with specific commands to enumerate firewall rules and configurations (e.g., netsh firewall show state, netsh firewall show config).
3. The netsh.exe process retrieves the requested firewall information from the Windows operating system.
4. The collected firewall information is parsed to identify potential weaknesses or misconfigurations.
5. The attacker uses the gathered information to modify existing firewall rules or create new rules to allow unauthorized access.
6. The attacker leverages the modified firewall configuration to establish a covert communication channel or to move laterally within the network.
7. The attacker attempts to exfiltrate sensitive data or deploy ransomware.

Impact

Successful exploitation can lead to unauthorized network access, data exfiltration, or the deployment of ransomware. The enumeration of firewall configurations can provide attackers with valuable insights into the network’s security posture, enabling them to bypass security controls and compromise critical assets. This can result in significant financial losses, reputational damage, and disruption of business operations.

Recommendation

• Deploy the Sigma rule Detect Suspicious Netsh Firewall Discovery to your SIEM and tune for your environment to detect netsh.exe executions with firewall discovery commands.
• Enable Sysmon process-creation logging (Event ID 1) to capture the necessary command-line details.
• Investigate any identified instances of netsh.exe being used to query firewall settings, especially when initiated from unusual processes or user accounts.
• Monitor parent-child process relationships to identify suspicious process spawning, as highlighted by the Processes.parent_process_name field.
• Review firewall configurations regularly to identify and remediate any misconfigurations or overly permissive rules.

]]>mediumadvisorydiscoverywindowsnetshfirewallhttps://feed.craftedsignal.io/briefs/2024-01-netsh-rdp-enable/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-netsh-rdp-enable/Adversaries may use the `netsh.exe` utility to enable inbound Remote Desktop Protocol (RDP) connections in the Windows Firewall, potentially allowing unauthorized remote access to compromised systems.Attackers can leverage the native Windows command-line tool netsh.exe to modify Windows Firewall rules and enable inbound Remote Desktop Protocol (RDP) connections. This can be used as a defense evasion technique to bypass existing firewall restrictions, allowing them to establish remote access to a compromised host. Ransomware operators and other malicious actors frequently utilize RDP to access victim servers, often using privileged accounts, to further their objectives. This activity can be conducted post-compromise to facilitate lateral movement and the deployment of malicious payloads. The behavior was observed being detected by Elastic Defend, Microsoft Defender XDR, SentinelOne Cloud Funnel, and Crowdstrike.

Attack Chain

1. An attacker compromises a Windows host through initial access methods (e.g., phishing, exploitation of a vulnerability).
2. The attacker gains a foothold on the system and escalates privileges as needed.
3. The attacker executes netsh.exe with specific arguments to modify the Windows Firewall configuration.
4. The netsh command creates or modifies an inbound rule to allow RDP traffic (TCP port 3389).
5. The attacker establishes an RDP connection to the compromised host.
6. The attacker uses the RDP session to perform reconnaissance, move laterally, or deploy malware.
7. The attacker may attempt to disable or modify security tools to further evade detection.
8. The attacker achieves their objective, such as data exfiltration or ransomware deployment.

Impact

Successful exploitation of this technique can lead to unauthorized remote access to systems, enabling lateral movement, data theft, and ransomware deployment. If RDP is enabled on a large number of systems, the attacker can move laterally through the environment. The impact can range from data breaches to complete operational disruption.

Recommendation

• Monitor process creation events for netsh.exe executing with arguments related to enabling inbound RDP traffic using the “Remote Desktop Enabled in Windows Firewall by Netsh” rule.
• Implement the Sigma rule provided below to detect instances of netsh.exe being used to modify firewall rules related to RDP.
• Enforce the principle of least privilege and restrict the use of netsh.exe to authorized personnel only.
• Review existing firewall rules and remove any unnecessary or overly permissive rules.
• Enable Sysmon process creation logging for enhanced visibility into process execution events.

]]>mediumadvisorydefense-evasionlateral-movementwindowsnetshrdp