Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)
You can register a “helper dll” with Netsh as a persistance mechanism. The code in the dll is executed every time netsh.exe is called. The NetshHelper.dll provided with the atomic will simply launch notepad when netsh.exe is run.
Supported Platforms: Windows
auto_generated_guid: 3244697d-5a3a-4dfc-941c-550f69f91a4d
| Name | Description | Type | Default Value | |——|————-|——|—————| | helper_file | Path to DLL | path | PathToAtomicsFolder\T1546.007\bin\NetshHelper.dll|
1
command_prompt
! Elevation Required (e.g. root or admin)netsh.exe add helper "#{helper_file}"
taskkill /im notepad.exe /t /f > NUL 2>&1
netsh.exe delete helper "#{helper_file}"
1
powershell
!1
if (Test-Path "#{helper_file}") { exit 0} else { exit 1}
1
2
New-Item -Type Directory (split-path "#{helper_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}"