netsh
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1546.007 | Event Triggered Execution: Netsh Helper DLL | netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. (Citation: Demaske Netsh Persistence)
Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | netsh can be used to disable local firewall settings. (Citation: TechNet Netsh) (Citation: TechNet Netsh Firewall)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | netsh can be used to discover system firewall settings. (Citation: TechNet Netsh) (Citation: TechNet Netsh Firewall)
Groups That Use This Software

ID | Name | References
---|---|---
G1017 | Volt Typhoon | (Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) (Citation: Microsoft Volt Typhoon May 2023) (Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)
 | | (Citation: Costa AvosLocker May 2022)
G0074 | Dragonfly 2.0 | (Citation: US-CERT TA18-074A)
G0019 | Naikon | (Citation: Baumgartner Naikon 2015)
G0050 | APT32 | (Citation: Cybereason Cobalt Kitty 2017)
G0059 | Magic Hound | (Citation: DFIR Report APT35 ProxyShell March 2022)
G0032 | Lazarus Group | (Citation: Novetta Blockbuster Loaders)
G0008 | Carbanak | (Citation: Group-IB Anunak)
G0035 | Dragonfly | (Citation: US-CERT TA18-074A)
References
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
- CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
- Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
- NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
- Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
- Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
- Microsoft. (2009, June 3). Netsh Commands for Windows Firewall. Retrieved April 20, 2016.
- Demaske, M. (2016, September 23). USING NETSHELL TO EXECUTE EVIL DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017.
- Kaspersky Lab's Global Research and Analysis Team. (2017, February 8). Fileless attacks against enterprise networks. Retrieved February 8, 2017.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
- Group-IB and Fox-IT. (2014, December). Anunak: APT against financial institutions. Retrieved April 20, 2016.