Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry atHKLM\SOFTWARE\Microsoft\Netsh.Adversaries can use netsh.exe with helper DLLs to proxy execution of arbitrary code in a persistent manner when netsh.exe is executed automatically with another Persistence technique or if other persistent software is present on the system that executes netsh.exe as part of its normal functionality. Examples include some VPN software that invoke netsh.exe. (Citation: Demaske Netsh Persistence)
Proof of concept code exists to load Cobalt Strike's payload using netsh.exe helper DLLs. (Citation: Github Netsh Helper CS Beacon)
Detection: It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. Monitor the
HKLM\SOFTWARE\Microsoft\Netshregistry key for any new or suspicious entries that do not correlate with known system files or benign software. (Citation: Demaske Netsh Persistence)Platforms: Windows
Data Sources: Process monitoring, DLL monitoring, Windows Registry
Permissions Required: Administrator, SYSTEM
System Requirements: netsh
Contributors: Matthew Demaske, Adaptforward
Netsh interacts with other operating system components using dynamic-link library (DLL) files
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| helper_file | Path to DLL | Path | C:\Path\file.dll |
netsh.exe add helper #{helper_file}