netsh_launching_process.yml

asset_type: Endpoint
confidence: medium
creation_date: '2018-01-04'
data_metadata:
  data_models:
    - Endpoint
  data_source:
    - Endpoint Intel
  providing_technologies:
    - Carbon Black Response
    - CrowdStrike Falcon
    - Sysmon
    - Tanium
    - Ziften
description: This search looks for processes launching netsh.exe to execute various
  commands via the netsh command-line utility. Netsh.exe is a command-line scripting
  utility that allows you to, either locally or remotely, display or modify the network
  configuration of a computer that is currently running. Netsh can be used as a persistence
  proxy technique to execute a helper .dll when netsh.exe is executed. In this search,
  we are looking for processes spawned by netsh.exe that are executing commands via
  the command line.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: dest, process, parent_process
        rule_description: A process, $process$, is spawned by netsh.exe. It is highly
          unlikely for netsh to have any child processes.
        rule_title: Process spawned by netsh.exe detected on $dest$
      risk:
        risk_object: dest
        risk_object_type:
          - system
        risk_score: 50
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '| tstats `security_content_summariesonly` count values(Processes.process) min(_time)
        as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where
        Processes.parent_process="C:\Windows\System32\

        etsh.exe" by Processes.parent_process Processes.process_name Processes.user
        Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)`'
      suppress:
        suppress_fields: dest, process
        suppress_period: 86400s
eli5: 'This search looks for all processes with the parent process "c:\Windows\System32\

  etsh.exe" and returns the process, the command line used to execute it, the host
  name, and the user context under which it ran.'
entities:
  - dest
how_to_implement: To successfully implement this search, you must be ingesting logs
  with the process name, command-line arguments, and parent processes from your endpoints.
  If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
id: b89919ed-fe5f-492c-b139-95dbb162041e
investigations:
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
    name: Get Authentication Logs For Endpoint
    type: splunk
  - id: fecf2918-670d-4f1c-872b-3d7317a41bf9
    name: Get Parent Process Info
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d55
    name: Get Risk Modifiers For User
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd71
    name: Get Process Info
    type: splunk
  - id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
    name: Get Notable History
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d65
    name: Get Risk Modifiers For Endpoint
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
    name: Get User Information from Identity Table
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd22
    name: Investigate Web Activity From Host
    type: splunk
known_false_positives: It is unusual for netsh.exe to have any child processes in
  most environments. It makes sense to investigate the child process and verify whether
  the process spawned is legitimate.
maintainers:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
mappings:
  cis20:
    - CIS 8
  kill_chain_phases:
    - Actions on Objectives
  mitre_attack:
    - Execution
    - Command-Line Interface
    - Persistence
  nist:
    - PR.PT
    - DE.CM
modification_date: '2018-11-02'
name: Processes created by netsh
original_authors:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '2.0'