{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/network-configuration/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":true,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Windows"],"_cs_severities":["high"],"_cs_tags":["netsh","living-off-the-land","persistence","network-configuration"],"_cs_type":"threat","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThis brief focuses on the anomalous execution of \u003ccode\u003enetsh.exe\u003c/code\u003e, a command-line utility native to Windows operating systems used for network configuration. While legitimate use of \u003ccode\u003enetsh.exe\u003c/code\u003e exists, its invocation by uncommon processes can signify malicious activity, such as establishing persistence or modifying network settings. This activity has been observed in attacks attributed to Volt Typhoon, where it was used for \u0026ldquo;living off the land\u0026rdquo; tactics targeting US critical infrastructure, and in malware campaigns involving Azorult, Snake Keylogger, ShrinkLocker, and Hellcat Ransomware. 
Defenders should monitor for unexpected parent processes launching \u003ccode\u003enetsh.exe\u003c/code\u003e, and for the \u003ccode\u003enetsh\u003c/code\u003e subcommands that change network state, to identify this activity before the configuration change is put to use.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system through various means (e.g., compromised credentials, exploitation of vulnerabilities).\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enetsh.exe\u003c/code\u003e from a process that rarely launches it in normal use (e.g., a script interpreter, an Office application, or a binary dropped in a user profile) rather than from an interactive administrative shell.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enetsh.exe\u003c/code\u003e is invoked with commands that modify network configuration, for example \u003ccode\u003enetsh advfirewall firewall add rule\u003c/code\u003e to permit inbound connections, \u003ccode\u003enetsh interface portproxy add v4tov4\u003c/code\u003e to forward traffic through the host, or \u003ccode\u003enetsh interface ip set dns\u003c/code\u003e to redirect name resolution.\u003c/li\u003e\n\u003cli\u003eThese network configuration changes facilitate further malicious activities, such as lateral movement, command and control communication, or data exfiltration, over connections that look like ordinary host-to-host traffic.\u003c/li\u003e\n\u003cli\u003eTo maintain persistent access the attacker registers a malicious helper DLL (\u003ccode\u003enetsh add helper\u003c/code\u003e, which writes a value under \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\NetSh\u003c/code\u003e and requires administrative rights); \u003ccode\u003enetsh.exe\u003c/code\u003e then loads that DLL every time it starts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised system as a foothold to move laterally within the network, targeting critical assets.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as data theft, system disruption, or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAbuse of \u003ccode\u003enetsh.exe\u003c/code\u003e by an attacker who already has code execution on the host can lead to significant network compromise: persistent access (a registered helper DLL runs in the security context of whichever account next launches \u003ccode\u003enetsh.exe\u003c/code\u003e, including a privileged administrator, service or scheduled task, which is also the route to privilege escalation), and unauthorized firewall, port-forwarding and DNS changes that let attacker traffic bypass host firewall policy. This can result in data breaches, service disruption, and reputational damage. 
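The parent-process and subcommand checks described in the attack chain above, run over a few constructed Sysmon Event ID 1 records, as an added Python example that is not part of the original brief and is not the Sigma or Splunk content it cites. The baseline of expected parents, the sample events and the subcommand list are assumptions chosen for illustration; a real deployment would read the same fields (Image, ParentImage, CommandLine, User) from the SIEM.

```python
import ntpath

# Constructed baseline for this example (an assumption, not from the brief):
# parents from which netsh.exe is routinely launched in a managed estate.
# Tune it from real process-creation data before alerting on it.
EXPECTED_PARENTS = {'explorer.exe', 'cmd.exe', 'powershell.exe', 'services.exe', 'msiexec.exe'}

# netsh subcommands worth flagging whatever the parent. Each rule is a set of
# token sequences that must all appear contiguously in the command line.
HIGH_SIGNAL = {
    'portproxy-add': (('interface', 'portproxy', 'add'),),
    'helper-dll':    (('add', 'helper'),),
    'firewall-rule': (('advfirewall', 'firewall', 'add', 'rule'),),
    'firewall-off':  (('advfirewall', 'set'), ('state', 'off')),
    'dns-change':    (('interface', 'ip', 'set', 'dns'),),
}


def win(path):
    # Build a Windows path from a forward-slash literal so the sample data
    # below stays readable; chr(92) is the backslash.
    return path.replace('/', chr(92))


def contains_seq(tokens, seq):
    # True when seq occurs as a contiguous run inside tokens.
    n = len(seq)
    return any(tuple(tokens[i:i + n]) == seq for i in range(len(tokens) - n + 1))


def classify(event):
    # event: dict carrying the Sysmon Event ID 1 fields used here
    # (Image, ParentImage, CommandLine, User). Returns a finding or None.
    if ntpath.basename(event.get('Image', '')).lower() != 'netsh.exe':
        return None
    parent = ntpath.basename(event.get('ParentImage', '')).lower()
    tokens = event.get('CommandLine', '').lower().split()
    reasons = []
    if parent not in EXPECTED_PARENTS:
        reasons.append(f'unexpected parent {parent}')
    for name, seqs in HIGH_SIGNAL.items():
        if all(contains_seq(tokens, s) for s in seqs):
            reasons.append(name)
    if not reasons:
        return None
    return {'parent': parent, 'user': event.get('User', ''),
            'command': event.get('CommandLine', ''), 'reasons': reasons}


def analyze(events):
    # Findings in event order; events that are not netsh.exe, or are netsh.exe
    # from an expected parent with a low-signal subcommand, are dropped.
    return [hit for hit in map(classify, events) if hit]


NETSH = win('C:/Windows/System32/netsh.exe')
CMD = win('C:/Windows/System32/cmd.exe')

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # benign: help desk listing interfaces from an interactive shell
    {'Image': NETSH, 'ParentImage': CMD, 'User': win('CORP/helpdesk'),
     'CommandLine': 'netsh interface show interface'},
    # port forward through the host to an internal server, Volt Typhoon style
    {'Image': NETSH, 'ParentImage': CMD, 'User': win('NT AUTHORITY/SYSTEM'),
     'CommandLine': 'netsh interface portproxy add v4tov4 listenport=9999 '
                    'listenaddress=0.0.0.0 connectport=8443 connectaddress=10.0.0.5'},
    # helper DLL registered by a binary dropped in a user profile
    {'Image': NETSH, 'ParentImage': win('C:/Users/jdoe/AppData/Roaming/update.exe'),
     'User': win('CORP/jdoe'),
     'CommandLine': 'netsh add helper ' + win('C:/Users/jdoe/AppData/Roaming/nethelp.dll')},
    # Office application opening the firewall for a dropped binary
    {'Image': NETSH, 'ParentImage': win('C:/Program Files/Microsoft Office/root/Office16/WINWORD.EXE'),
     'User': win('CORP/jdoe'),
     'CommandLine': 'netsh advfirewall firewall add rule name=updater dir=in action=allow '
                    'program=' + win('C:/Users/jdoe/AppData/Roaming/update.exe')},
    # unrelated process creation, ignored
    {'Image': win('C:/Windows/System32/ipconfig.exe'), 'ParentImage': CMD,
     'User': win('CORP/helpdesk'), 'CommandLine': 'ipconfig /all'},
]

if __name__ == '__main__':
    for hit in analyze(SAMPLE_EVENTS):
        print(hit['user'], hit['parent'], hit['reasons'])
```

Only the second event fires on the subcommand alone (cmd.exe is an expected parent, but a new portproxy entry is rare enough to warrant a ticket by itself); the third and fourth fire on both the parent and the subcommand, and the benign interface listing from cmd.exe produces nothing. Matching on tokens rather than substrings keeps the rules indifferent to the spacing and quoting that netsh accepts.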
The Volt Typhoon campaign targeted US critical infrastructure, demonstrating the potential for significant impact on national security. Multiple malware families including Azorult, Snake Keylogger, ShrinkLocker, and Hellcat Ransomware have been known to abuse \u003ccode\u003enetsh.exe\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events (Sysmon Event ID 1, Windows Security Event ID 4688) for the execution of \u003ccode\u003enetsh.exe\u003c/code\u003e by unusual parent processes. Sysmon records the parent in \u003ccode\u003eParentImage\u003c/code\u003e; for 4688, enable command-line auditing (Audit Process Creation with \u0026ldquo;Include command line in process creation events\u0026rdquo;), otherwise the subcommand is not logged and only the parent (\u003ccode\u003eCreator Process Name\u003c/code\u003e) is available.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious Processes Launching Netsh\u003c/code\u003e to identify suspicious invocations of \u003ccode\u003enetsh.exe\u003c/code\u003e, and tune its parent-process allowlist against a baseline of the environment before alerting on it.\u003c/li\u003e\n\u003cli\u003eInvestigate any instance where \u003ccode\u003enetsh.exe\u003c/code\u003e is launched with network configuration commands, in particular \u003ccode\u003einterface portproxy add\u003c/code\u003e, \u003ccode\u003eadvfirewall firewall add rule\u003c/code\u003e, \u003ccode\u003eadvfirewall set allprofiles state off\u003c/code\u003e, \u003ccode\u003einterface ip set dns\u003c/code\u003e and \u003ccode\u003eadd helper\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAudit the current state for unauthorized changes: \u003ccode\u003enetsh interface portproxy show all\u003c/code\u003e (any entry on a host that is not a designated relay is suspect), \u003ccode\u003enetsh advfirewall firewall show rule name=all\u003c/code\u003e, and the helper DLL values under \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\NetSh\u003c/code\u003e (the built-in helpers are bare DLL names loaded from System32; a full path into a user profile or temp directory is not).\u003c/li\u003e\n\u003cli\u003eConsider blocking execution of \u003ccode\u003enetsh.exe\u003c/code\u003e with AppLocker or WDAC where it is not required for legitimate business operations, for example for standard users, after confirming that no installer or management tooling in the environment depends on it.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Netsh Helper DLL Load\u003c/code\u003e to detect malicious DLL loading by \u003ccode\u003enetsh.exe\u003c/code\u003e; the registration itself is also visible as a registry value set under \u003ccode\u003eHKLM\\SOFTWARE\\Microsoft\\NetSh\u003c/code\u003e (Sysmon Event ID 13) and the load as an image-load event for \u003ccode\u003enetsh.exe\u003c/code\u003e (Sysmon Event ID 7).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-netsh-abuse/","summary":"Detection of netsh.exe execution by unusual processes indicative of potential malicious activity, including persistence and network configuration changes by threat actors.","title":"CraftedSignal Threat Feed — Network-Configuration","version":"https://jsonfeed.org/version/1.1"}