Event Triggered Execution: Netsh Helper DLL (T1546.007)
Tactics: Privilege Escalation, Persistence · Platforms: Windows
The interactive view maps 1 detection strategy, 1 software entry to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of Event Triggered Execution (T1546).
Overview
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.