Under Review
over 1 year ago

Live Discovery Query - Netsh - is something or someone allowing access?

  REVIEWED by Sophos 

I can imagine the scenario where malware has executed and maybe looks to set up a communication channel.  In order to allow itself through the Windows firewall, it may well add an incoming rule using the command line tool netsh.  It therefore could be worthwhile considering who or what is opening-up the endpoint to receive traffic in this way.  It may even be an over-enthusiastic user you may equally want to know about.

Note: One thing to be mindful of, the netsh commands can be shortened, for example:

netsh advfirewall show allprofiles


netsh a sh a

...at least at the time of writing will do the same thing; therefore when constructing a query we would need to consider this. 

For example, one approach to allow RDP, i.e. incoming TCP connections to port 3389 would be:

netsh advfirewall firewall add rule name="RDP" protocol=TCP dir=in localport=3389 action=allow

This could equally be written as:

netsh a f a r name="RDP" protocol=TCP dir=in localport=3389 action=allow

To detect this `cmdline` we might have to write:

select parentsophospid, sophospid, datetime(processStartTime,'unixepoch') as ProcessStartTime, cmdline from sophos_process_journal where cmdline like '%netsh%action=allow%';

We know that netsh has to be in full but we can't assume any particular format for the command part just the parameters.  As any action to allow incoming ports would be interesting to follow up on this maybe a sufficient starting point.

To see the parent process information:

select sophospid, datetime(processStartTime,'unixepoch') as ProcessStartTime, sha256, cmdline from sophos_process_journal where sophospid=(select parentsophospid from sophos_process_journal where cmdline like '%netsh%action=allow%');

Hopefully this is something to consider when looking for possible suspicious behavior.