sigma | low | Hunting
Firewall Configuration Discovery Via Netsh.EXE
Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
Detection Query
selection_img:
    - Image|endswith: \netsh.exe
    - OriginalFileName: netsh.exe
selection_cli:
    CommandLine|contains|all:
        - netsh
        - "show "
        - "firewall "
    CommandLine|contains:
        - "config "
        - "state "
        - "rule "
        - name=all
condition: all of selection_*
Author
frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
Created
2021-12-07
Data Sources
windows, Process Creation Events
Platforms
windows
References
Tags
attack.discovery, attack.t1016
Raw Content
title: Firewall Configuration Discovery Via Netsh.EXE
id: 0e4164da-94bc-450d-a7be-a4b176179f1f
status: test
description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-2---list-windows-firewall-rules
    - https://ss64.com/nt/netsh.html
author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
date: 2021-12-07
modified: 2025-10-18
tags:
    - attack.discovery
    - attack.t1016
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\netsh.exe'
        - OriginalFileName: 'netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'netsh'
            - 'show '
            - 'firewall '
        CommandLine|contains:
            - 'config '
            - 'state '
            - 'rule '
            - 'name=all'
    condition: all of selection_*
falsepositives:
    - Administrative activity
level: low
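
The detection logic above, translated by hand to Python and run over constructed process-creation events. This is an added example, not part of the rule or of the Sigma project's tooling. The function names, the `ev` helper and every sample event are assumptions made for illustration; the code reflects Sigma's case-insensitive string matching, a list of maps meaning OR, and the keys of a single map being ANDed.

```python
# Added example: the rule's detection section translated by hand (lowercased = case-insensitive).
ALL_OF = ("netsh", "show ", "firewall ")             # CommandLine|contains|all
ANY_OF = ("config ", "state ", "rule ", "name=all")  # CommandLine|contains


def selection_img(event):
    """List of maps means OR: image path suffix or PE OriginalFileName."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\netsh.exe") or original == "netsh.exe"


def selection_cli(event):
    """Keys of one map are ANDed: all ALL_OF tokens plus any ANY_OF token."""
    cli = event.get("CommandLine", "").lower()
    return all(t in cli for t in ALL_OF) and any(t in cli for t in ANY_OF)


def rule_matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


def ev(image, original, cli):
    return {"Image": image, "OriginalFileName": original, "CommandLine": cli}


# Constructed process-creation events (hypothetical paths and command lines).
SAMPLE_EVENTS = [
    ev(r"C:\Windows\System32\netsh.exe", "netsh.exe",
       "netsh advfirewall firewall show rule name=all"),
    ev(r"C:\WINDOWS\system32\NETSH.EXE", "netsh.exe",
       "NETSH.EXE AdvFirewall Firewall Show Rule Name=All"),
    # Copied binary: path suffix differs, OriginalFileName still identifies it.
    ev(r"C:\Tools\netsh-portable.exe", "netsh.exe",
       "netsh-portable.exe advfirewall firewall show rule name=all"),
    # Changes state rather than showing it: no "show " token.
    ev(r"C:\Windows\System32\netsh.exe", "netsh.exe",
       "netsh advfirewall set allprofiles state on"),
    # Not a firewall context: no "firewall " token.
    ev(r"C:\Windows\System32\netsh.exe", "netsh.exe", "netsh wlan show profiles"),
    # Parent shell only; the netsh child produces its own event.
    ev(r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
       'cmd /c "netsh advfirewall firewall show rule name=all"'),
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print("MATCH" if rule_matches(e) else "-----", e["CommandLine"])
```

The first three events match and the last three do not, which gives a quick regression set when tuning the rule against the "Administrative activity" false positives it lists.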