Netsh Helper DLL Persistence via Registry Modification
Attackers may establish persistence by adding a malicious DLL as a Netsh Helper, which executes whenever the Netsh utility is run, often abusing this mechanism to execute malicious payloads.
The Windows Netsh utility (netsh.exe) is a command-line tool used for configuring and managing network settings. It supports extensibility through Netsh Helper DLLs, which can be added to extend its functionality. Attackers can abuse this mechanism by adding malicious DLLs to execute arbitrary code whenever netsh.exe is executed. This can be done by legitimate administrators or via scheduled tasks. The registry keys associated with Netsh Helper DLLs are a known persistence location. This activity matters to defenders because it allows attackers to establish a persistent foothold on a compromised system, potentially leading to further malicious activities.
Attack Chain
- An attacker gains initial access to a Windows system (e.g., via phishing or exploiting a vulnerability).
- The attacker obtains necessary privileges to modify the registry.
- The attacker crafts a malicious DLL file to be used as a Netsh Helper.
- The attacker modifies the Windows Registry to add an entry under
HKLM\Software\Microsoft\netsh\pointing to the malicious DLL. - The attacker, or a legitimate administrator, executes
netsh.exe. - Upon execution,
netsh.exeloads the malicious DLL specified in the registry. - The malicious DLL executes its payload, achieving the attacker's objective.
- This execution persists across reboots and user logons, as
netsh.exeis commonly used by administrators and scheduled tasks.
Impact
A successful attack leveraging Netsh Helper DLL persistence allows attackers to execute arbitrary code on a compromised system. This can lead to a variety of malicious activities, including data theft, installation of malware, or further propagation within the network. While the risk score is low, the persistence mechanism makes it valuable to attackers.
Recommendation
- Enable Sysmon process-creation logging to capture
netsh.exeexecutions and correlate with registry modifications (see rule below). - Deploy the Sigma rule "Netsh Helper DLL Registry Modification" to your SIEM and tune for your environment.
- Implement enhanced monitoring and logging for registry changes related to Netsh Helper DLLs.
Detection coverage 2
Netsh Helper DLL Registry Modification
lowDetects modification of the Netsh Helper DLL registry keys.
Netsh Execution with Suspicious Arguments
mediumDetects netsh.exe execution with arguments indicative of malicious activity.
Detection queries are available on the platform. Get full rules →