Persistence via NetSh Key

NetShell (netsh.exe) supports helper DLLs, which are registered under the NetSh registry key and loaded into netsh.exe every time it executes. Attackers register their own helper DLL there to establish persistence.

id: 5f9a71f4-f5ef-4d35-aff8-f67d63d3c896
categories: detect
confidence: medium
os: windows
created: 11/30/2018
updated: 11/30/2018

MITRE ATT&CK™ Mapping

tactics: Persistence
techniques: T1128 Netsh Helper DLL

Query

registry where key_path == "*\\Software\\Microsoft\\NetSh\\*"
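
The following is an added example, not part of the original analytic: a Python emulation of the query's wildcard match run over constructed registry events, with a hypothetical baseline of expected helper DLLs used to triage the hits. Field names other than key_path, the sample events, the baseline entry and the case-insensitive matching are assumptions.

```python
import re

# Wildcard pattern from the query above, after EQL string unescaping.
NETSH_PATTERN = "*\\Software\\Microsoft\\NetSh\\*"

def wildcard_to_regex(pattern):
    """Compile an EQL-style wildcard ('*' = any run of characters) to a regex."""
    literal_parts = (re.escape(part) for part in pattern.split("*"))
    # Anchored like an == comparison; case-insensitive matching is assumed here.
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE | re.DOTALL)

NETSH_RE = wildcard_to_regex(NETSH_PATTERN)

def netsh_helper_hits(events, baseline=()):
    """Return registry events the query would match, minus baselined DLLs."""
    known = {dll.lower() for dll in baseline}
    hits = []
    for event in events:
        if event.get("event_type") != "registry":
            continue  # the query only considers registry events
        if not NETSH_RE.match(event.get("key_path", "")):
            continue
        if event.get("value_data", "").lower() in known:
            continue  # helper already expected on this host (assumed baseline)
        hits.append(event)
    return hits

# Constructed sample events. Only key_path comes from the query; the other
# field names and all values are assumptions made for this example.
SAMPLE_EVENTS = [
    {"event_type": "registry", "process_name": "msiexec.exe",
     "key_path": "HKLM\\SOFTWARE\\Microsoft\\NetSh\\ifmon", "value_data": "ifmon.dll"},
    {"event_type": "registry", "process_name": "reg.exe",
     "key_path": "HKLM\\Software\\Microsoft\\NetSh\\helper1",
     "value_data": "C:\\Users\\Public\\helper1.dll"},
    # "NetShell" lacks the "\NetSh\" segment, so the pattern does not match.
    {"event_type": "registry", "process_name": "explorer.exe",
     "key_path": "HKLM\\SOFTWARE\\Microsoft\\NetShell", "value_data": ""},
    # Not a registry event, so it is skipped even though the text contains NetSh.
    {"event_type": "process", "process_name": "netsh.exe",
     "key_path": "HKLM\\SOFTWARE\\Microsoft\\NetSh\\x", "value_data": ""},
]

if __name__ == "__main__":
    for hit in netsh_helper_hits(SAMPLE_EVENTS, baseline=["ifmon.dll"]):
        print(hit["process_name"], hit["key_path"], hit["value_data"])
```

Because the pattern ends in `\\*`, a key_path that stops at the NetSh key itself, with no trailing component, does not match.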

Contributors