Skip to content
Example DLL to load from Windows NetShell
Branch: master
Clone or download
Latest commit d4b9994 Sep 26, 2016
Type Name Latest commit message Commit time
Failed to load latest commit information.
NetshHelperBeacon x64 fix Sep 26, 2016
Release x64 fix Sep 26, 2016
x64/Release x64 fix Sep 26, 2016


DLL to load from Windows NetShell. Will pop calc and execute shellcode.


It turns out Windows NetShell (netsh) allows loading of external DLLs. But you cant just load any regular DLL. For successful loading netsh requires the InitHelperDll entry point to exist. Once loaded, the DLL will be execute every time netsh is executed.

I got the idea after reading a blogpost(1) and wanted to verify and test its usefulness by making a PoC that executes Cobalt Strike beacon code.

How to use

  • Yolo mode: load (x64)Release\NetshHelperBeacon.dll on your production machine
  • Fire up Visual studio and import the project
  • Read code, modify shellcode, build for your architecture
  • Copy (x64)Release\NetshHelpderBeacon.dll to your desired location (c:\windows\system32 is the regular path for netsh DLLs)
  • run netsh add helper $PathToYourDll - should return OK and pop calc, but shellcode not yet executed
  • run netsh - should pop calc and run your shellcode


  • Currently spawns a new thread (so netsh remains useful) but will not spawn new process. This means your shellcode will be killed once the netsh process is stopped.
  • Only loosely compliant to Microsoft netsh DLL rules. For example the DLL is not registered with a GUID.
  • To make it useful for persistence you need to find a way for netsh to run after reboot.


You can’t perform that action at this time.