Using Netsh for Easier Network Setup in a Malware Lab

Windows' netsh tool can save and restore network configurations, useful for malware analysis labs that frequently switch between isolated segments and Internet-connected networks. Save configurations with "netsh interface dump" and restore with "netsh -f", creating shortcuts for quick profile switching.

When performing behavioral analysis of malware, it’s not uncommon to switch between networks. You might need to be connected to the Internet for some tasks, such as investigating a suspicious website. For others, such as interacting with a malicious program, you may need to be on a fully isolated segment. The “netsh” tool, built into Windows, can help you quickly switch the laboratory system’s network configuration profiles.

Saving and Restoring Network Configuration with Netsh

Use the “netsh interface dump” command on Windows to view your current network configuration details in a Netsh-compatible script format. You’ll want to save the output of the tool to a text configuration file, such as:

netsh interface dump > netsh-config1.txt

The saved configuration might look something like this (click the image for the full sample file):

To apply the saved configuration script, use the “netsh -f” command like this:

netsh -f netsh-config1.txt

Netsh for the Malware Lab

Now that you know how to save and restore the Windows system’s network configuration, you can use Netsh to easily switch between network configuration profiles. For instance, one of your profiles might hard-code IP address, default gateway and DNS server details. Save that profile as netsh-config-static1.txt. In another profile you might want to use DHCP; configure your system in the desired way and save that configuration as “netsh-config-dhcp1.txt”. Then create shortcuts to easily switch between profiles. One shortcut would run “netsh -f netsh-config-static1.txt”; the other “netsh -f netsh-config-dhcp1.txt”. Hand-picked related items:

Just so you know, I teach the malware analysis course at SANS Institute.

About the Author

Lenny Zeltser is a cybersecurity executive with deep technical roots, product management experience, and a business mindset. As CISO at Axonius, he leads the security and IT program, focusing on trust and growth. He is also a Faculty Fellow at SANS Institute and the creator of REMnux, a popular Linux toolkit for malware analysis. Lenny shares his perspectives on security leadership and technology at zeltser.com.

Learn more →