Firewall Configuration Discovery Via Netsh.EXE
Adversaries may look for details about the network configuration and settings of systems they access, or gather them through information discovery of remote systems. This rule flags `netsh.exe` being used to enumerate the local Windows Firewall configuration (profile state, configuration, or the full rule set).
Sigma rule
title: Firewall Configuration Discovery Via Netsh.EXE
id: 0e4164da-94bc-450d-a7be-a4b176179f1f
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules
    - https://ss64.com/nt/netsh.html
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-12-07
modified: 2025-10-18
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'netsh'
            - 'show '
            - 'firewall '
        CommandLine|contains:
            - 'config '
            - 'state '
            - 'rule '
            - 'name=all'
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: low
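To make the detection logic concrete, here is an added Python example (not SigmaHQ code and not part of this page) that reimplements the rule's two selections and its condition and runs them over a handful of constructed process_creation events. It assumes the event field names used by the rule itself (Image, OriginalFileName, CommandLine) and follows Sigma's default of case-insensitive string matching; the sample events are made up for the demonstration.

```python
"""Evaluate the 'Firewall Configuration Discovery Via Netsh.EXE' Sigma logic
against constructed process_creation events.

Added example, not SigmaHQ code. Field names come from the rule; the events
below are constructed, not real telemetry.
"""

# Sigma string comparisons are case-insensitive by default, so both sides of
# every comparison are lowercased.
IMAGE_SUFFIX = "\\netsh.exe"            # Image|endswith
ORIGINAL_FILE_NAME = "netsh.exe"        # OriginalFileName (exact match)
CLI_ALL = ("netsh", "show ", "firewall ")              # CommandLine|contains|all
CLI_ANY = ("config ", "state ", "rule ", "name=all")   # CommandLine|contains


def selection_img(event: dict) -> bool:
    """selection_img is a list of maps, which Sigma ORs together:
    either the image path ends in \\netsh.exe or the PE's original name is netsh.exe
    (the latter still fires when the binary has been copied under another name)."""
    image = str(event.get("Image", "")).lower()
    ofn = str(event.get("OriginalFileName", "")).lower()
    return image.endswith(IMAGE_SUFFIX) or ofn == ORIGINAL_FILE_NAME


def selection_cli(event: dict) -> bool:
    """selection_cli is a single map, so both keys must hold (AND):
    contains|all needs every token, plain contains needs at least one."""
    cmd = str(event.get("CommandLine", "")).lower()
    return all(tok in cmd for tok in CLI_ALL) and any(tok in cmd for tok in CLI_ANY)


def matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1. Textbook hit: full rule listing.
    {"Image": "C:\\Windows\\System32\\netsh.exe",
     "OriginalFileName": "netsh.exe",
     "CommandLine": "netsh advfirewall firewall show rule name=all"},
    # 2. Copied/renamed binary and upper-case arguments: caught via OriginalFileName
    #    and case-insensitive matching.
    {"Image": "C:\\Temp\\updater.exe",
     "OriginalFileName": "netsh.exe",
     "CommandLine": "NETSH ADVFIREWALL FIREWALL SHOW RULE NAME=ALL"},
    # 3. netsh used for something else: no 'firewall ' token.
    {"Image": "C:\\Windows\\System32\\netsh.exe",
     "OriginalFileName": "netsh.exe",
     "CommandLine": "netsh interface show interface"},
    # 4. Coverage gap: the second list's tokens carry a trailing space, so a
    #    command line that ends in 'state' (nothing after it) is not matched.
    {"Image": "C:\\Windows\\System32\\netsh.exe",
     "OriginalFileName": "netsh.exe",
     "CommandLine": "netsh firewall show state"},
    # 5. Parent shell event: Image/OriginalFileName are cmd.exe, so selection_img
    #    fails here; the netsh.exe child it spawns produces its own event (like #1).
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c netsh advfirewall firewall show rule name=all"},
]


def matching_command_lines(events=SAMPLE_EVENTS) -> list:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for line in matching_command_lines():
        print("ALERT:", line)
```

Events 1 and 2 are the only ones that alert. Event 4 is worth noting when tuning: because `'config '`, `'state '` and `'rule '` all end in a space, the rule only fires when something follows that keyword on the command line, so a bare `netsh firewall show state` slips through while `netsh firewall show state ` (trailing space) or any longer form would match.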
Related rules
- OpenCanary - SNMP OID Request
- Suspicious Network Connection to IP Lookup Service APIs
- Potential Pikabot Discovery Activity
- System Network Discovery - macOS
- Cisco Discovery