Netsh Helper DLL

Technique
ID: T1128
Tactic: Persistence
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10
System Requirements: netsh
Permissions Required: Administrator, SYSTEM
Data Sources: Process monitoring, DLL monitoring, Windows Registry
Contributors: Matthew Demaske, Adaptforward

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It can load helper DLLs that extend the utility's functionality. [1] The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.

Adversaries can use netsh.exe with helper DLLs to proxy execution of arbitrary code in a persistent manner when netsh.exe is executed automatically with another Persistence technique, or if other persistent software is present on the system that executes netsh.exe as part of its normal functionality. Examples include some VPN software that invoke netsh.exe. [2]

Proof of concept code exists to load Cobalt Strike's payload using netsh.exe helper DLLs. [3]

Examples

  • netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. [2]

Mitigation

Identify and block potentially malicious software that may persist in this manner by using whitelisting [4] tools capable of monitoring DLL loads by Windows utilities, like AppLocker. [5][6]

Detection

It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\SOFTWARE\Microsoft\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software. [2]
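A registry audit that applies the detection guidance above, added here as an example and not taken from this page or from ATT&CK. It assumes an elevated PowerShell 5.1+ session on Windows, and that each helper value is either a bare DLL file name (resolved from System32, as the built-in helpers are) or a full path; any entry whose file is missing, lives outside System32, is unsigned, or is not Microsoft-signed is reported for follow-up.

```powershell
# Added example: audit netsh helper DLL registrations in
# HKLM\SOFTWARE\Microsoft\Netsh and flag entries that do not look like
# signed Microsoft DLLs living under System32. Run elevated.
$keyPath  = 'HKLM:\SOFTWARE\Microsoft\Netsh'
$system32 = Join-Path $env:SystemRoot 'System32'

$regKey = Get-Item -Path $keyPath
foreach ($name in $regKey.GetValueNames()) {
    $value = [string]$regKey.GetValue($name)
    # Expand %SystemRoot%-style values; a bare file name is resolved
    # against System32 (assumption: that is where netsh finds the
    # built-in helpers), an explicit path is checked exactly as given.
    $path = [Environment]::ExpandEnvironmentVariables($value)
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $system32 $path
    }

    $findings = @()
    if (-not (Test-Path -LiteralPath $path)) {
        $findings += 'file missing'
    } else {
        if (-not $path.ToLower().StartsWith($system32.ToLower())) {
            $findings += 'outside System32'
        }
        # Get-AuthenticodeSignature also honours catalog signatures, which
        # is how most in-box System32 DLLs are signed on Windows 8 and later.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "signature $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $findings += "signer $($sig.SignerCertificate.Subject)"
        }
    }

    [pscustomobject]@{
        Name     = $name
        Value    = $value
        Resolved = $path
        Suspect  = ($findings.Count -gt 0)
        Reason   = ($findings -join '; ')
    }
} | Format-Table -AutoSize
```

Rows with Suspect = True are the entries to correlate against known system files or sanctioned software; a baseline export of this key from a clean build of the same Windows version makes the comparison much faster than judging each row by hand.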