T1546.007: Netsh Helper DLL
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Its functionality can be extended by registering helper DLLs. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place any time netsh.exe is executed, which could happen automatically, through another persistence technique, or if other software (e.g. VPN software) present on the system executes netsh.exe as part of its normal functionality.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_persistence: PT-CR-607: Persistence_Netsh_DLL: DLL registration using "netsh.exe" is detected
Detection
| ID | Data source and component | Description |
|---|---|---|
| DS0017 | Command: Command Execution | Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by Netsh Helper DLLs. |
| DS0024 | Windows Registry: Windows Registry Key Modification | Monitor the |
| DS0011 | Module: Module Load | Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
| DS0009 | Process: Process Creation | It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. |
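The detection sources above (registry value set under HKLM\SOFTWARE\Microsoft\Netsh, `netsh add helper` on the command line, and child processes of netsh.exe) can be expressed as three small rules. The block below is an added illustration, not part of the original page or of the MaxPatrol SIEM rule PT-CR-607; the events are constructed, loosely shaped like Sysmon Event 1 and Event 13 records, and the System32 path assumes a default SystemRoot.

```python
import re

NETSH_KEY = r"HKLM\SOFTWARE\Microsoft\Netsh"
SYSTEM32 = r"C:\Windows\System32"   # assumption: default SystemRoot; adjust per host

# Constructed sample events (not real telemetry), loosely shaped like Sysmon
# Event 1 (process create) and Event 13 (registry value set).
SAMPLE_EVENTS = [
    {"id": 13, "image": rf"{SYSTEM32}\netsh.exe",
     "target": rf"{NETSH_KEY}\ifmon", "details": "IFMON.DLL"},
    {"id": 13, "image": rf"{SYSTEM32}\netsh.exe",
     "target": rf"{NETSH_KEY}\helper", "details": r"C:\Users\Public\helper.dll"},
    {"id": 1, "image": rf"{SYSTEM32}\netsh.exe", "parent": rf"{SYSTEM32}\cmd.exe",
     "cmdline": r"netsh.exe add helper C:\Users\Public\helper.dll"},
    {"id": 1, "image": rf"{SYSTEM32}\cmd.exe", "parent": rf"{SYSTEM32}\netsh.exe",
     "cmdline": "cmd.exe /c dir"},
    {"id": 13, "image": r"C:\Program Files\App\setup.exe",
     "target": r"HKLM\SOFTWARE\App\Version", "details": "1.0"},
]

ADD_HELPER_RE = re.compile(r"\bnetsh(?:\.exe)?\b.*\badd\s+helper\b", re.IGNORECASE)


def _under(path, root):
    """Case-insensitive 'path lies below root' check for registry and file paths."""
    return path.lower().startswith(root.lower() + "\\")


def evaluate(event):
    """Return (rule, severity) for one event, or None if no rule matched."""
    if event["id"] == 13 and _under(event["target"], NETSH_KEY):
        dll = event["details"]
        # A bare name (IFMON.DLL) resolves through the DLL search path and still
        # deserves review against known software; an absolute path outside
        # System32 is the classic rogue-helper shape and gets the higher severity.
        rooted = re.match(r"^[A-Za-z]:\\", dll) or dll.startswith("\\\\")
        sev = "high" if rooted and not _under(dll, SYSTEM32) else "medium"
        return ("netsh_helper_registered", sev)
    if event["id"] == 1:
        if ADD_HELPER_RE.search(event.get("cmdline", "")):
            return ("netsh_add_helper_command", "high")
        if event.get("parent", "").lower().endswith("\\netsh.exe"):
            return ("netsh_child_process", "medium")
    return None


def run_rules(events):
    """Evaluate every event; returns a list of (event index, rule, severity)."""
    hits = []
    for i, ev in enumerate(events):
        match = evaluate(ev)
        if match:
            hits.append((i, match[0], match[1]))
    return hits
```

In production the "medium" hits for bare DLL names should be baselined against the helpers that Windows and installed software register legitimately, so only new or unexpected value names surface.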