- Tactics
- Privilege Escalation , Persistence
- Platforms
- Windows
- Reference
- attack.mitre.org/techniques/T1546.007
Description
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the Privilege Escalation, Persistence tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1037 — Boot or Logon Initialization Scripts
- T1053 — Scheduled Task/Job
- T1055 — Process Injection
- T1068 — Exploitation for Privilege Escalation
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1112 — Modify Registry
- T1133 — External Remote Services
- T1134 — Access Token Manipulation
- T1136 — Create Account
- T1137 — Office Application Startup
- T1176 — Software Extensions