security-content/stories/netsh_abuse.yml at develop · jwindley-splunk/security-content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
category:
  - Abuse
channel: ESCU
creation_date: '2017-01-04'
description: Detect activities and various techniques associated with the abuse of
  `netsh.exe`, which can disable local firewall settings or set up a remote connection
  to a host from an infected system.
detections:
  - detection_id: b89919ed-fe5f-492c-b139-95dbb162041e
    name: Processes created by netsh
    type: splunk
  - detection_id: b89919ed-fe5f-492c-b139-95dbb162040e
    name: Processes launching netsh
    type: splunk
id: 2b1800dd-92f9-47ec-a981-fdf1351e5f65
maintainers:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
modification_date: '2017-01-05'
name: Netsh Abuse
narrative: 'It is a common practice for attackers of all types to leverage native
  Windows tools and functionality to execute commands for malicious reasons. One such
  tool on Windows OS is `netsh.exe`,a command-line scripting utility that allows you
  to--either locally or remotely--display or modify the network configuration of a
  computer that is currently running. `Netsh.exe` can be used to discover and disable
  local firewall settings. It can also be used to set up a remote connection to a
  host from an infected system.\

  To get started, run the detection search to identify parent processes of `netsh.exe`.'
original_authors:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
references:
  - https://technet.microsoft.com/library/bb490939.aspx
  - https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html
  - http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
spec_version: 2
usecase: Advanced Threat Detection
version: '1.0'