T1546.007: Netsh Helper DLL
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh
.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_persistence: PT-CR-607: Persistence_Netsh_DLL: DLL registration using "netsh.exe" is detected
Detection
ID | DS0011 | Data source and component | Module: Module Load | Description | Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
---|
ID | DS0009 | Data source and component | Process: Process Creation | Description | It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. |
---|
ID | DS0024 | Data source and component | Windows Registry: Windows Registry Key Modification | Description | Monitor the |
---|
ID | DS0017 | Data source and component | Command: Command Execution | Description | Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by Netsh Helper DLLs. |
---|