anavem.
High RiskWindowsLegitimateCommonly Abused
netsh.exeSYSTEM UTILITY

netsh.exe - Network Shell Security Analysis

netsh.exe (Network Shell) configures **Windows network settings**. Attackers abuse netsh for **firewall rule manipulation**, **port forwarding** (proxy pivoting), **Wi-Fi credential extraction**, and as a **LOLBin helper for persistence**. Firewall modifications are common in attack chains.

Risk Summary

HIGH priority for SOC triage. netsh.exe can modify firewall rules, enable port forwarding, and extract Wi-Fi passwords. Monitor for firewall rule additions, wlan profile exports, and portproxy configurations.

Overview

What is netsh.exe?

netsh.exe is the Windows network configuration command-line utility.

Core Functions

Network Configuration:

  • Firewall rules
  • IP configuration
  • Interface settings
  • Port proxy/forwarding

Security Significance

  • Firewall Control: Add/remove rules
  • Port Forwarding: Pivot through systems
  • Credential Extraction: Wi-Fi passwords
  • Persistence Helper: DLL loading capability

Normal Behavior

Normal Behavior

Expected Process State

PropertyExpected Value
PathC:\Windows\System32\netsh.exe
Parentcmd.exe, powershell.exe
UserAdministrator
ContextNetwork administration

Legitimate Usage

netsh interface show interface
netsh wlan show profiles
netsh advfirewall show currentprofile

Common Locations

C:\Windows\System32\netsh.exeC:\Windows\SysWOW64\netsh.exe

Suspicious Indicators

Legitimate vs Suspicious

LEGITIMATE

Command:     netsh interface show...
             netsh advfirewall show...
             netsh wlan show profiles
Context:     Network troubleshooting

SUSPICIOUS

Command:     netsh advfirewall firewall add rule
             netsh interface portproxy add
             netsh wlan show profile key=clear
             netsh advfirewall set allprofiles state off
Context:     Firewall modification
             Port forwarding setup
             Wi-Fi credential theft

High-Risk Commands

CommandRiskPurpose
firewall add ruleHIGHFirewall bypass
portproxy addCRITICALPivoting
wlan ... key=clearHIGHCredential theft
state offCRITICALDisable firewall

Abuse Techniques

Attack Techniques

Technique #1: Firewall Rule Addition (T1562.004)

Allow Malware Traffic:

netsh advfirewall firewall add rule name="Windows Update" dir=in action=allow program="C:\malware\backdoor.exe"

Technique #2: Port Forwarding/Pivoting (T1090.001)

Create Port Proxy:

netsh interface portproxy add v4tov4 listenport=4444 listenaddress=0.0.0.0 connectport=3389 connectaddress=192.168.1.100

Technique #3: Wi-Fi Credential Extraction (T1552.002)

Extract Wi-Fi Passwords:

netsh wlan show profile name="WiFiName" key=clear

Technique #4: Disable Firewall (T1562.004)

netsh advfirewall set allprofiles state off

Detection Guidance

Detection Strategies

Priority #1: Firewall Rule Modification

Process = "netsh.exe" AND
CommandLine CONTAINS "firewall" AND
CommandLine CONTAINS ["add rule", "delete rule", "state off"]
→ ALERT: HIGH

Priority #2: Port Proxy Configuration

Process = "netsh.exe" AND
CommandLine CONTAINS "portproxy"
→ ALERT: CRITICAL - Pivoting attempt

Priority #3: Wi-Fi Credential Theft

Process = "netsh.exe" AND
CommandLine CONTAINS "wlan" AND
CommandLine CONTAINS "key=clear"
→ ALERT: HIGH - Credential extraction

Sigma Rule:

title: Netsh Port Forwarding
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\netsh.exe'
    CommandLine|contains: 'portproxy'
  condition: selection
level: critical

Remediation Steps

Protection and Remediation

Defense: Monitor Firewall Changes

Enable Windows Firewall logging and change auditing.

Defense: List Port Proxies

netsh interface portproxy show all

If Compromise Suspected

  1. Review firewall rules
  2. Check for port proxies
  3. Remove unauthorized rules
  4. Verify firewall is enabled
  5. Change Wi-Fi passwords if extracted

Investigation Checklist

Investigation Checklist

  • Review full command line
  • Check for firewall rule changes
  • List all port proxies
  • Check for Wi-Fi credential access
  • Verify firewall is enabled
  • Review recently added rules
  • Check for disabled profiles

MITRE ATT&CK Techniques

T1562.004T1090.001T1552.002T1546.007

Related Windows Files

EXCEL.EXEhigh

EXCEL.EXE is **Microsoft Excel**, the spreadsheet application and a **primary malware delivery vecto...

Commonly Abused
everything.exelow

Everything is a fast file search utility by Voidtools. Attackers may use it for rapid file discovery...

expressvpn.exemedium

ExpressVPN is a commercial VPN service client. While legitimate for privacy, it can be abused for C2...

hitmanpro.exelow

HitmanPro is a portable anti-malware scanner from Sophos. It uses cloud-based behavioral analysis to...

Last verified: January 18, 2026