Using Netsh for Easier Network Setup in a Malware Lab

When performing behavioral analysis of malware, it’s not uncommon to switch between networks. You might need to be connected to the Internet for some tasks, such as investigating a suspicious website. For others, such as interacting with a malicious program, you may need to be on a fully isolated segment. The “netsh” tool, built into Windows, can help you quickly switch the laboratory system’s network configuration profiles.

Saving and Restoring Network Configuration with Netsh

Use the “netsh interface dump” command on Windows to view your current network configuration details in a Netsh-compatible script format. You’ll want to save the output of the tool to a text configuration file, such as:

netsh interface dump > netsh-config1.txt

The saved configuration might look something like this (click the image for the full sample file):

To apply the saved configuration script, use the “netsh -f” command like this:

netsh -f netsh-config1.txt

Netsh for the Malware Lab

Now that you know how to save and restore the Windows system’s network configuration, you can use Netsh to easily switch between network configuration profiles.

For instance, one of your profiles might hard-code IP address, default gateway and DNS server details. Save that profile as netsh-config-static1.txt. In another profile you might want to use DHCP; configure your system in the desired way and save that configuration as “netsh-config-dhcp1.txt”. Then create shortcuts to easily switch between profiles. One shortcut would run “netsh -f netsh-config-static1.txt”; the other “netsh -f netsh-config-dhcp1.txt”.

Hand-picked related items:

Just so you know, I teach the malware analysis course at SANS Institute.

Updated

About the Author

Lenny Zeltser develops teams, products, and programs that use information security to achieve business results. Over the past two decades, Lenny has been leading efforts to establish resilient security practices and solve hard security problems. As a respected author and speaker, he has been advancing cybersecurity tradecraft and contributing to the community. His insights build upon 20 years of real-world experiences, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more