Skip to content

T1546.007 Netsh Helper DLL

Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.2 The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.

Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.31

Item Value
ID T1546.007
Sub-techniques T1546.001, T1546.002, T1546.003, T1546.004, T1546.005, T1546.006, T1546.007, T1546.008, T1546.009, T1546.010, T1546.011, T1546.012, T1546.013, T1546.014, T1546.015, T1546.016
Tactics TA0004, TA0003
Platforms Windows
Permissions required Administrator, SYSTEM
Version 1.0
Created 24 January 2020
Last Modified 20 April 2022

Procedure Examples

ID Name Description
S0108 netsh netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed.1

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0011 Module Module Load
DS0009 Process Process Creation
DS0024 Windows Registry Windows Registry Key Modification

References

  1. Demaske, M. (2016, September 23). USING NETSHELL TO EXECUTE EVIL DLLS AND PERSIST ON A HOST. Retrieved April 8, 2017. 

  2. Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017. 

  3. Smeets, M. (2016, September 26). NetshHelperBeacon. Retrieved February 13, 2017.