Using Netsh for Easier Network Setup in a Malware Lab

When performing behavioral analysis of malware, it’s not uncommon to switch between networks. You might need to be connected to the Internet for some tasks, such as investigating a suspicious website. For others, such as interacting with a malicious program, you may need to be on a fully isolated segment. The “netsh” tool, built into Windows, can help you quickly switch the laboratory system’s network configuration profiles.

Saving and Restoring Network Configuration with Netsh

Use the “netsh interface dump” command on Windows to view your current network configuration details in a Netsh-compatible script format. You’ll want to save the output of the tool to a text configuration file, such as:

netsh interface dump > netsh-config1.txt

The saved configuration might look something like this (click the image for the full sample file):

To apply the saved configuration script, use the “netsh -f” command like this:

netsh -f netsh-config1.txt

Netsh for the Malware Lab

Now that you know how to save and restore the Windows system’s network configuration, you can use Netsh to easily switch between network configuration profiles.

For instance, one of your profiles might hard-code IP address, default gateway and DNS server details. Save that profile as netsh-config-static1.txt. In another profile you might want to use DHCP; configure your system in the desired way and save that configuration as “netsh-config-dhcp1.txt”. Then create shortcuts to easily switch between profiles. One shortcut would run “netsh -f netsh-config-static1.txt”; the other “netsh -f netsh-config-dhcp1.txt”.

Hand-picked related items:

Just so you know, I teach the malware analysis course at SANS Institute.


About the Author

Lenny Zeltser is a seasoned business and tech leader with extensive cybersecurity experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. Beforehand, he was responsible for security product management at NCR Corp. Lenny also trains incident response and digital forensics professionals at SANS Institute. An engaging presenter, he speaks at industry events, writes articles and has co-authored books. Lenny has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Learn more