logo
SlackReddit

T1546.007

Event Triggered Execution: Netsh Helper DLL

Description from ATT&CK

Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.

Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)

Source

Atomic Tests

Atomic Test #1: Netsh Helper DLL Registration

You can register a "helper dll" with Netsh as a persistance mechanism. The code in the dll is executed every time netsh.exe is called. The NetshHelper.dll provided with the atomic will simply launch notepad when netsh.exe is run.

Blog Sample DLL code

Supported Platforms: Windows

auto_generated_guid: 3244697d-5a3a-4dfc-941c-550f69f91a4d

Inputs

NameDescriptionTypeDefault Value
helper_filePath to DLLpathPathToAtomicsFolder\T1546.007\bin\NetshHelper.dll

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

netsh.exe add helper "#{helper_file}"
taskkill /im notepad.exe /t /f > NUL 2>&1

Cleanup Commands

netsh.exe delete helper "#{helper_file}"

Dependencies: Run with powershell!

Description: Helper DLL must exist on disk at specified location (#{helper_file})
Check Prereq Commands
if (Test-Path "#{helper_file}") { exit 0} else { exit 1}
Get Prereq Commands
New-Item -Type Directory (split-path "#{helper_file}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.007/bin/NetshHelper.dll" -OutFile "#{helper_file}"

Atomic test(s) for this technique last updated: 2023-09-22 16:47:25 UTC

T1546.005

Event Triggered Execution: Trap

T1546.008

Event Triggered Execution: Accessibility Features

On this page

Description from ATT&CK
Atomic Tests
Atomic Test #1: Netsh Helper DLL Registration