
Netsh Helper DLL

Veramine edited this page Jul 7, 2017 · 3 revisions

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to view and change the network configuration of a system. It is extensible: helper DLLs add new contexts and commands, and netsh.exe loads every registered helper when it starts. The paths to registered helper DLLs are stored as values under the Windows Registry key HKLM\SOFTWARE\Microsoft\Netsh.

Adversaries can register their own helper DLL so that netsh.exe loads and runs arbitrary code every time it executes. This becomes a persistence mechanism when netsh.exe is launched automatically by another persistence technique, or when other software already installed on the system runs netsh.exe as part of its normal operation (some VPN clients do this). You can learn more about this attacker technique at https://attack.mitre.org/wiki/Technique/T1128.

Veramine's detection engine flags every newly added Netsh helper DLL. Here is an example detection:
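The following is an added example, not Veramine's code, of the logic behind a "new helper DLL" detection: it diffs two snapshots of the value-name to value-data pairs under HKLM\SOFTWARE\Microsoft\Netsh and assesses each new or repointed value. The snapshots, the baseline list of stock helper names and the suspicious paths are constructed for the example (assumptions, not data from the page); on a live host you would fill the dictionaries with winreg, which is left out so the example runs anywhere.

```python
"""Detect new or repointed netsh helper DLL registrations (added example).

Works on constructed snapshots of the values under HKLM\\SOFTWARE\\Microsoft\\Netsh.
"""
import ntpath

SYSTEM32 = r"C:\Windows\System32"

# Assumption: helper values found on a stock Windows 10 install. Build your own
# baseline from a known-good image rather than trusting this list.
BASELINE = {
    "authfwcfg": "authfwcfg.dll",
    "dhcpcmonitor": "dhcpcmonitor.dll",
    "fwcfg": "fwcfg.dll",
    "hnetmon": "hnetmon.dll",
    "ifmon": "ifmon.dll",
    "nshhttp": "nshhttp.dll",
    "nshipsec": "nshipsec.dll",
    "nshwfp": "nshwfp.dll",
    "p2pnetsh": "p2pnetsh.dll",
    "rasmontr": "rasmontr.dll",
    "rpcnsh": "rpcnsh.dll",
    "whhelper": "whhelper.dll",
    "wlancfg": "wlancfg.dll",
    "wshelper": "wshelper.dll",
    "wwancfg": "wwancfg.dll",
}


def assess_helper(name, data):
    """Return the reasons a single helper value deserves a look (empty = stock)."""
    reasons = []
    baseline_data = BASELINE.get(name)
    if baseline_data is None:
        reasons.append("new helper name")            # not on the golden image
    elif baseline_data.lower() != data.lower():
        reasons.append("existing helper repointed")  # stock name, different DLL

    head, tail = ntpath.split(data)
    if head:
        # Absolute path: anything outside System32 is worth a look.
        if ntpath.normcase(head) != ntpath.normcase(SYSTEM32):
            reasons.append(f"DLL outside System32: {head}")
    elif baseline_data is None:
        # Bare file name: resolved through the loader search order, so a copy
        # planted earlier in that order is what gets loaded.
        reasons.append("bare file name resolved by LoadLibrary search order")
    if not tail.lower().endswith(".dll"):
        reasons.append("value does not name a .dll")
    return reasons


def new_helpers(previous, current):
    """Values present now but absent before: what a 'new helper' detection fires on."""
    return {n: d for n, d in current.items() if n not in previous}


def scan(previous, current):
    """Assess every newly added value plus any existing value whose data changed."""
    findings = {}
    for name, data in current.items():
        changed = name in previous and previous[name].lower() != data.lower()
        if name not in previous or changed:
            reasons = assess_helper(name, data)
            if reasons:
                findings[name] = reasons
    return findings


# Constructed snapshots: BEFORE is the stock baseline; AFTER adds a helper that
# lives in a user-writable directory and repoints ifmon at a copy outside System32.
BEFORE = dict(BASELINE)
AFTER = dict(BASELINE)
AFTER["NetshHelperBeacon"] = r"C:\Users\Public\NetshHelperBeacon.dll"
AFTER["ifmon"] = r"C:\ProgramData\ifmon.dll"

if __name__ == "__main__":
    for name, reasons in scan(BEFORE, AFTER).items():
        print(f"{name:<20} {AFTER[name]} -> {'; '.join(reasons)}")
```

The repointed-value check matters as much as the new-value check: an attacker who overwrites the data of a stock helper name adds no new value, so a detection that only watches for additions would miss it.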

The Veramine rules-based detection algorithm also alerts on every netsh.exe child process, an additional detection suggested on the MITRE page. That detection looks like this when it fires:

We have seen safe-looking conhost.exe false positives at one of our customers. Here is one example:

As you can see, this netsh.exe was launched as part of the Dropbox installation to modify the Windows Firewall so that file sharing is allowed on the local subnet. A conhost.exe was launched alongside it and exited immediately. This is expected behaviour for a console program such as netsh.exe started by a process that has no console of its own (a GUI installer, for instance): Windows creates a conhost.exe to host the console window and it exits when netsh.exe does. Here is another instance of netsh.exe launching a safe-looking conhost.exe process:

Each detection of this type (netsh.exe child process) is bucketized by child process name, so you need to make one trustworthiness determination per unique child process name. If conhost.exe appears to be a safe child process of netsh.exe in your environment, consider Hiding that single detection bucket so that new instances of it no longer appear in your detections feed by default.
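The following is an added example, not Veramine's code, of the bucketization just described: it groups process-creation events whose parent is netsh.exe by the child's file name and suppresses buckets an analyst has already marked as trusted. The events and their field names are constructed for the example and are not a real log schema; the Dropbox and VPN cases mirror the benign conhost.exe instances above, while the powershell.exe child is invented to show a bucket you would not hide.

```python
"""Bucketize netsh.exe child processes by child image name (added example)."""
import ntpath
from collections import defaultdict

# Constructed process-creation events (assumed field names, not a real schema).
EVENTS = [
    {"parent": r"C:\Windows\System32\netsh.exe",
     "parent_cmdline": 'netsh advfirewall firewall add rule name="Dropbox" dir=in action=allow program="C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe" remoteip=localsubnet',
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"parent": r"C:\Windows\system32\NETSH.EXE",          # different case on purpose
     "parent_cmdline": "netsh interface ip set dns name=\"VPN\" static 10.0.0.53",
     "image": r"C:\Windows\system32\CONHOST.EXE",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"parent": r"C:\Windows\System32\netsh.exe",
     "parent_cmdline": "netsh",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QQBCAEMA"},
    {"parent": r"C:\Windows\explorer.exe",                 # netsh is the child here, not the parent
     "parent_cmdline": "explorer.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show profiles"},
]


def is_netsh_child(event):
    """True when the parent image is netsh.exe, regardless of path or case."""
    return ntpath.basename(event["parent"]).lower() == "netsh.exe"


def bucketize(events):
    """Group netsh.exe children by the child's case-folded file name."""
    buckets = defaultdict(list)
    for event in events:
        if is_netsh_child(event):
            buckets[ntpath.basename(event["image"]).lower()].append(event)
    return dict(buckets)


def triage(events, hidden=()):
    """One decision per bucket: hidden buckets are dropped from the feed; the rest
    are shown with their count and the distinct parent command lines, which is
    what you need to judge whether a child name is trustworthy."""
    hidden = {name.lower() for name in hidden}
    shown = {}
    for child, items in bucketize(events).items():
        if child in hidden:
            continue
        shown[child] = {
            "count": len(items),
            "parents": sorted({item["parent_cmdline"] for item in items}),
        }
    return shown


if __name__ == "__main__":
    for child, info in triage(EVENTS, hidden=["conhost.exe"]).items():
        print(f"{child}: {info['count']} event(s)")
        for parent in info["parents"]:
            print(f"    parent: {parent}")
```

Keying the bucket on the case-folded file name is what makes the "one determination per unique child process" rule hold: the two conhost.exe events above differ only in path casing and must land in the same bucket, otherwise hiding one would leave the other in the feed.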

You may find this Netsh helper DLL useful for triggering the Veramine detections related to Netsh helper DLLs: https://github.com/outflanknl/NetshHelperBeacon.