
T1546.007: Netsh Helper DLL

Sub-technique of T1546

Platforms: Windows

ATT&CK version: 14.1

What it is

Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It can be extended with helper DLLs, registered with <code>netsh add helper &lt;dll&gt;</code>, which add new contexts and commands to the utility [3]. The registered helpers are recorded as values under the Windows Registry key <code>HKLM\SOFTWARE\Microsoft\Netsh</code> (value name = helper name, value data = DLL name or path), and netsh.exe loads every DLL listed there at startup. Because the key lives under HKLM, registering a helper requires administrative rights; once registered, the DLL runs inside every netsh.exe process, including elevated ones. Adversaries can therefore use a netsh.exe helper DLL to trigger execution of arbitrary code in a persistent manner. This execution takes place any time netsh.exe is run, which may happen automatically, via another persistence technique, or because other software (for example a VPN client) executes netsh.exe as part of its normal functionality [4][2]. The practical detection points are modifications to that registry key and netsh.exe loading a DLL from outside <code>%SystemRoot%\System32</code>.
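The following hunt script is an added example, not part of the ATT&CK entry or of any of the cited projects. It enumerates the values under <code>HKLM\SOFTWARE\Microsoft\Netsh</code>, resolves each helper to a file path (the default entries are bare file names such as <code>ifmon.dll</code>, which netsh resolves through the normal DLL search order, so they are treated as living in System32) and flags any helper that is missing, outside System32, or not carrying a valid Authenticode signature. The verdict strings are this example's own labels, not anything defined by Windows.

```powershell
# Added example: hunt for suspicious netsh helper DLLs registered on this host.
# Run in an elevated PowerShell session; reading HKLM works unprivileged, but
# Get-AuthenticodeSignature needs read access to every resolved DLL.

$helperKey = 'HKLM:\SOFTWARE\Microsoft\Netsh'
$system32  = Join-Path $env:SystemRoot 'System32'

function Get-NetshHelperReport {
    $key = Get-Item -LiteralPath $helperKey -ErrorAction Stop

    foreach ($name in $key.GetValueNames()) {
        $raw = [string]$key.GetValue($name)
        # Expand %SystemRoot%-style references before deciding if the path is rooted.
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)

        # Bare file names (the built-in entries) are loaded via the DLL search order,
        # which for netsh.exe means System32 first. Anything rooted elsewhere is
        # unusual for a helper and is the classic indicator for this technique.
        $resolved = if ([System.IO.Path]::IsPathRooted($expanded)) { $expanded }
                    else { Join-Path $system32 $expanded }

        $exists     = Test-Path -LiteralPath $resolved -PathType Leaf
        $inSystem32 = $resolved.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
        $sig        = if ($exists) { Get-AuthenticodeSignature -LiteralPath $resolved } else { $null }

        # Verdict labels are this example's own convention.
        $verdict =
            if (-not $exists)       { 'MISSING: registered DLL not found' }
            elseif (-not $inSystem32) { 'SUSPICIOUS: helper outside System32' }
            elseif ($sig.Status -ne 'Valid') { 'REVIEW: signature not Valid (check catalog signing)' }
            else { 'OK' }

        [pscustomobject]@{
            Helper        = $name
            RegistryValue = $raw
            ResolvedPath  = $resolved
            Signature     = if ($sig) { $sig.Status } else { 'n/a' }
            Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
            Verdict       = $verdict
        }
    }
}

# Usage: show everything that is not a clean, Microsoft-signed System32 helper.
Get-NetshHelperReport | Where-Object { $_.Verdict -ne 'OK' } | Format-Table -AutoSize
```

Two caveats when reading the output. Many System32 binaries are catalog-signed rather than embedded-signed, so a <code>REVIEW</code> verdict on a stock helper is worth a second look but is not on its own evidence of tampering; compare the file hash against a known-good host. Conversely, an <code>OK</code> verdict only says the file on disk is signed and in System32: if an adversary can write to System32 they can also drop a bare-name helper there, so pair this check with monitoring of writes to the registry key itself.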

ATT&CK tactics (2)

Privilege Escalation, Persistence

References

  1. https://attack.mitre.org/techniques/T1546/007
  2. https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html
  3. https://technet.microsoft.com/library/bb490939.aspx
  4. https://github.com/outflankbv/NetshHelperBeacon
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.