Event Triggered Execution: Netsh Helper DLL

Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.[1] The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.

攻撃者は、Netsh Helper DLL をトリガーとして悪意のあるコンテンツを実行することで、永続性を確立することができます。Netsh.exe (Netshell とも呼ばれる) は、システムのネットワーク構成と対話するために使用されるコマンドラインスクリプティングユーティリティです。netsh.exeに登録されているヘルパーDLLのパスは、WindowsレジストリのHKLM\SOFTWARE\Microsoft\Netshに登録されます[1]。

Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.[2][3]

攻撃者は netsh.exe のヘルパー DLL を使って、任意のコードの実行を永続的に引き起こすことができます。この実行は、netsh.exe が実行されるたびに行われます。これは、自動的、または別の永続化テクニックで実行され、あるいは、通常の機能の一部として netsh.exe を実行する他のソフトウェア(例えば VPN)がシステム上に存在する場合に起こる可能性があります 。[2] [3]


ID: T1546.007
Sub-technique of:  T1546
Platforms: Windows
Permissions Required: Administrator, SYSTEM
Contributors: Matthew Demaske, Adaptforward
Version: 1.0
Created: 24 January 2020
Last Modified: 20 April 2022

Procedure Examples

ID Name Description
S0108 netsh

netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed.[3]


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by Netsh Helper DLLs.

DS0011 Module Module Load

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

DS0009 Process Process Creation

It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior.

DS0024 Windows Registry Windows Registry Key Modification

Monitor the HKLM\SOFTWARE\Microsoft\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software. [3]