Detecting Netsh attacks
You are an analyst responsible for your organization's overall security posture. You need to be able to detect the activity and techniques associated with abuse of Netsh. From an infected host, netsh.exe can turn off the local Windows Firewall, add port-proxy rules that forward connections through that host to another system, and register helper DLLs that run each time netsh starts.
It is common practice for attackers of all types to leverage native Windows tools and functionality to execute commands for malicious purposes ("living off the land"), and netsh.exe is one of the tools with abuse potential. It is a command-line scripting utility that can be used locally or remotely to display or modify the network configuration of a computer that is currently running.
Required data
- Microsoft: Windows process launch logs and Sysmon
How to use Splunk software for this use case
Processes created by netsh.exe
To run this search, you need to ingest data that records process activity from your hosts.
This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can also be used as a persistence technique: a helper DLL registered with netsh (for example via "netsh add helper") is loaded every time netsh.exe is executed, so an attacker can register a malicious DLL as a helper.
The search returns every process whose command line contains "netsh", grouped by the parent process that launched it, the process name, the user and the host. The parent process fields tell you who started netsh.exe; the values of the process field tell you what it was asked to do, which is where firewall changes, port-proxy rules and helper DLL registrations show up.
False positives may occur because some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands, so treat unfamiliar parent processes (in particular cmd.exe, powershell.exe or Office applications) as worth investigating.
| tstats allow_old_summaries=true count, values("Processes.process") AS "Processes.process", min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE "Processes.process"=*netsh* BY "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.user", "Processes.dest"
| rename "Processes.*" AS "*"
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Parent processes running on a host
To run this search, you'll need to populate the Endpoint data model. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
This search queries the Endpoint data model to give you details about the parent process of a process running on a host which is under investigation. Enter the name of the parent process in question (parent_process_name) and the host name or IP address (dest) of the system it is running on.
| tstats summariesonly=true allow_old_summaries=true count, values("Processes.process") AS process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.dest"
| rename "Processes.*" AS "*"
| search (dest=<field on the host where the process is running> parent_process_name=<parent_process_name>)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Processes running on a host
To run this search, you'll need to populate the Endpoint data model. Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
This search queries the Endpoint data model to give you details about a process running on a host which is under investigation. To gather the process information, enter the name of the process in question (process_name) and the host name or IP address (dest) of the system it is running on.
| tstats summariesonly=true allow_old_summaries=true count, values("Processes.process") AS process, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes BY "Processes.user", "Processes.parent_process_name", "Processes.process_name", "Processes.dest"
| rename "Processes.*" AS "*"
| search (dest=<field on the host where the process is running> process_name=<process_name>)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime)
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
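The three searches above share one shape: aggregate process-creation events by a set of fields, then either filter on the netsh command line (the detection) or filter on a host plus a parent or process name (the two investigation pivots). The following Python script is an added example, not part of this page or of Splunk's own content, that reproduces that logic offline over a handful of constructed Endpoint.Processes-style records so you can see what each search returns and why the VPN caveat matters. The sample events, the vpnagent.exe allowlist and the command-line patterns used to tag intent are all assumptions made for the illustration.

```python
"""Offline model of the three Endpoint.Processes searches on this page.

Constructed sample events and a hypothetical VPN allowlist are used so it runs
without Splunk; it is an added illustration, not Splunk's own search logic.
"""
import re
from collections import defaultdict
from datetime import datetime

TIME_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed process-creation records shaped like CIM Endpoint.Processes fields.
EVENTS = [
    {"_time": "2024-03-01T09:12:03", "dest": "ws-0412", "user": "CORP\\jdoe",
     "parent_process_name": "cmd.exe", "parent_process": "cmd.exe /c stage2.bat",
     "process_name": "netsh.exe",
     "process": "netsh advfirewall set allprofiles state off"},
    {"_time": "2024-03-01T09:12:05", "dest": "ws-0412", "user": "CORP\\jdoe",
     "parent_process_name": "cmd.exe", "parent_process": "cmd.exe /c stage2.bat",
     "process_name": "netsh.exe",
     "process": "netsh interface portproxy add v4tov4 listenport=4444 "
                "connectaddress=10.10.1.5 connectport=3389"},
    {"_time": "2024-03-01T09:13:40", "dest": "ws-0412", "user": "CORP\\jdoe",
     "parent_process_name": "powershell.exe", "parent_process": "powershell.exe -nop -w hidden",
     "process_name": "netsh.exe",
     "process": "netsh add helper C:\\Users\\Public\\nethlp.dll"},
    {"_time": "2024-03-01T10:00:00", "dest": "ws-0077", "user": "CORP\\asmith",
     "parent_process_name": "vpnagent.exe", "parent_process": "vpnagent.exe",
     "process_name": "netsh.exe",
     "process": "netsh interface ipv4 show interfaces"},
    {"_time": "2024-03-01T10:01:00", "dest": "ws-0077", "user": "CORP\\asmith",
     "parent_process_name": "explorer.exe", "parent_process": "explorer.exe",
     "process_name": "notepad.exe", "process": "notepad.exe notes.txt"},
]

# Parents known to launch netsh.exe legitimately (hypothetical allowlist).
VPN_PARENTS = frozenset({"vpnagent.exe"})

# Command-line patterns for the netsh abuses the page describes.
INTENT_PATTERNS = {
    "firewall_disable": re.compile(
        r"(advfirewall\s+set\s+\S+\s+state\s+off|firewall\s+set\s+opmode\s+(mode=)?disable)", re.I),
    "portproxy": re.compile(r"\bportproxy\b.*\badd\b", re.I),
    "helper_dll": re.compile(r"\badd\s+helper\b", re.I),
}


def netsh_intent(cmdline):
    """Classify a netsh command line; 'other' when no abuse pattern matches."""
    for tag, pattern in INTENT_PATTERNS.items():
        if pattern.search(cmdline):
            return tag
    return "other"


def aggregate(events, by):
    """Mimic `tstats count, values(process), min(_time), max(_time) ... BY <by>`."""
    groups = defaultdict(list)
    for ev in events:
        groups[tuple(ev[f] for f in by)].append(ev)
    rows = []
    for key, evs in groups.items():
        times = sorted(datetime.strptime(e["_time"], TIME_FMT) for e in evs)
        row = dict(zip(by, key))
        row.update(count=len(evs),
                   process=sorted({e["process"] for e in evs}),
                   firstTime=times[0].strftime(TIME_FMT),
                   lastTime=times[-1].strftime(TIME_FMT))
        rows.append(row)
    return sorted(rows, key=lambda r: (r["firstTime"], r["dest"]))


def search_netsh(events, vpn_parents=VPN_PARENTS):
    """'Processes created by netsh.exe': WHERE process=*netsh*, then tag intent
    and mark VPN-launched rows with no abusive command as likely false positives."""
    hits = [e for e in events if "netsh" in e["process"].lower()]
    by = ["parent_process_name", "parent_process", "process_name", "user", "dest"]
    rows = aggregate(hits, by)
    for row in rows:
        intents = {netsh_intent(c) for c in row["process"]} - {"other"}
        row["intents"] = sorted(intents)
        row["likely_false_positive"] = (
            row["parent_process_name"].lower() in vpn_parents and not intents)
    return rows


def pivot_host(events, dest, parent_process_name=None, process_name=None):
    """The two 'running on a host' searches: aggregate, then filter on dest plus
    either the parent process name or the process name."""
    by = ["user", "parent_process_name", "process_name", "dest"]
    rows = aggregate(events, by)
    return [r for r in rows if r["dest"] == dest
            and (parent_process_name is None or r["parent_process_name"] == parent_process_name)
            and (process_name is None or r["process_name"] == process_name)]


if __name__ == "__main__":
    for row in search_netsh(EVENTS):
        print(row["dest"], row["parent_process_name"], row["count"],
              row["intents"], "likely FP" if row["likely_false_positive"] else "")
    for row in pivot_host(EVENTS, "ws-0412", process_name="netsh.exe"):
        print(row["user"], row["parent_process_name"], row["firstTime"], row["lastTime"])
```

Run it as a script and the detection output lists the cmd.exe parent on ws-0412 with two netsh commands tagged firewall_disable and portproxy, the powershell.exe parent with the helper DLL registration, and the vpnagent.exe parent flagged as a likely false positive because it only ran a read-only "show" command. The pivot then narrows to the netsh.exe rows on ws-0412, which is the same drill-down the two investigation searches give you in Splunk once you plug in dest and the process or parent process name. Tagging intent is the piece the SPL leaves to the analyst: the tstats search surfaces every netsh invocation, and reading the process values is how you separate a firewall-disable or port-proxy command from routine configuration queries.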
Next steps
The content in this article comes from Splunk Enterprise Security (ES). As a Splunk premium security solution, ES solves a wide range of security analytics and operations use cases including continuous security monitoring, advanced threat detection, compliance, incident investigation, forensics and incident response. Splunk ES delivers an end-to-end view of an organization's security posture with flexible investigations, unmatched performance, and the most flexible deployment options offered in the cloud, on-premises, or hybrid deployment models. If you have questions about this use case, see the Security Research team's support options on GitHub.
In addition, these Splunk resources might help you understand and implement this use case:
- Detecting host redirection attacks