T1546.007 Netsh Helper DLL
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (e.g., VPN) is present on the system that executes netsh.exe as part of its normal functionality.
Item | Value |
ID | T1546.007 |
Sub-techniques | T1546.001, T1546.002, T1546.003, T1546.004, T1546.005, T1546.006, T1546.007, T1546.008, T1546.009, T1546.010, T1546.011, T1546.012, T1546.013, T1546.014, T1546.015, T1546.016 |
Tactics | TA0004, TA0003 |
Platforms | Windows |
Permissions required | Administrator, SYSTEM |
Version | 1.0 |
Created | 24 January 2020 |
Last Modified | 20 April 2022 |
Procedure Examples
ID | Name | Description |
S0108 | netsh | netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. |
Detection
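One way to review the helper DLLs registered under the key named above, as an added example that is not part of the original page: it parses saved `reg query HKLM\SOFTWARE\Microsoft\Netsh` output and flags entries that load from outside System32 or are missing from a baseline. The baseline set, the C:\Windows install path, the function names and the sample output are constructed assumptions.

```python
import ntpath
import re

# Assumptions (constructed for this example): a baseline of helper DLL names
# taken from your own known-good image, and Windows installed under C:\Windows.
BASELINE = {"ifmon.dll", "rpcnsh.dll", "authfwcfg.dll", "netiohlp.dll"}
SYSTEM32 = r"c:\windows\system32"

# One value line of `reg query` output: name, type and data, 4-space separated.
VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

# Constructed sample of `reg query HKLM\SOFTWARE\Microsoft\Netsh` output.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Netsh
    2    REG_SZ    ifmon.dll
    4    REG_SZ    rpcnsh.dll
    authfwcfg    REG_SZ    authfwcfg.dll
    netiohlp    REG_SZ    %SystemRoot%\System32\netiohlp.dll
    helper1    REG_SZ    C:\ProgramData\upd\nethelper.dll
    vpnext    REG_SZ    vpnhlp.dll
"""

def parse_reg_query(text):
    """Return [(value_name, value_type, data)] parsed from `reg query` output."""
    rows = []
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            rows.append((m["name"], m["type"], m["data"].strip()))
    return rows

def audit_helpers(text, baseline=BASELINE):
    """Return [(value_name, data, reason)] for helper entries that need review."""
    findings = []
    for name, _type, data in parse_reg_query(text):
        # Normalise case and expand %SystemRoot% so paths compare reliably.
        path = ntpath.normpath(data.lower().replace("%systemroot%", r"c:\windows"))
        folder, dll = ntpath.split(path)
        if folder and folder != SYSTEM32:
            findings.append((name, data, "outside System32"))
        elif dll not in baseline:
            findings.append((name, data, "not in baseline"))
    return findings

if __name__ == "__main__":
    for name, data, reason in audit_helpers(SAMPLE):
        print(f"REVIEW {name}: {data} ({reason})")
```

A flagged entry is a lead for review rather than a verdict, since legitimate software can also register helpers; check the file's signature and the time the registry value was written.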
References