Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
DLL Proxying for Persistence
Schtask
Service Execution
Sticky Keys
Create Account
AddMonitor()
NetSh Helper DLL
Abusing Windows Managent Instrumentation
Windows Logon Helper
Hijacking Default File Extension
Persisting in svchost.exe with a Service DLL
Modifying .lnk Shortcuts
Screensaver Hijack
Application Shimming
BITS Jobs
COM Hijacking
SIP & Trust Provider Hijacking
Hijacking Time Providers
Installing Root Certificate
Powershell Profile Persistence
RID Hijacking
Word Library Add-Ins
Office Templates
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
NetSh Helper DLL
Persistence, code execution using netsh helper arbitrary libraries.

Execution

​NetshHelperBeacon helper DLL will be used to test out this technique. A compiled x64 DLL can be downloaded below:
NetshHelperBeacon.dll
43KB
Binary
NetshHelperBeacon
The helper library, once loaded, will start calc.exe:
[email protected]
1
.\netsh.exe add helper C:\tools\NetshHelperBeacon.dll
Copied!

Observations

Adding a new helper via commandline modifies registry, so as a defender you may want to monitor for registry changes in Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh:
When netsh is started, Procmon captures how InitHelperDLL expored function of our malicious DLL is called:
As usual, monitoring command line arguments is a good idea that may help uncover suspicious activity:

Interesting

Loading the malicious helper DLL crashed netsh. Inspecting the calc.exe process after the crash with Process Explorer reveals that the parent process is svchost, although the sysmon logs showed cmd.exe as its parent:

References

Event Triggered Execution: Netsh Helper DLL, Sub-technique T1546.007 - Enterprise | MITRE ATT&CK®
Previous
AddMonitor()
Next
Abusing Windows Managent Instrumentation
Last modified 3yr ago
Copy link
Contents
Execution
Observations
Interesting
References