Esc
Netsh Helper DLL - T1546.007
(ATT&CK® Technique)
Definition
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1546007["Netsh Helper DLL"] --> |produces| Process["Process"]; class T1546007 OffensiveTechniqueNode;
class Process ArtifactNode; click Process href "/dao/artifact/d3f:Process";
click T1546007 href "/offensive-technique/attack/T1546.007/"; click Process href "/dao/artifact/d3f:Process"; T1546007["Netsh Helper DLL"] --> |modifies| SystemConfigurationDatabaseRecord["System Configuration Database Record"]; class T1546007 OffensiveTechniqueNode;
class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";
click T1546007 href "/offensive-technique/attack/T1546.007/"; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord"; ProcessSuspension["Process Suspension"] -->
| suspends | Process["Process"];
ProcessSuspension["Process Suspension"] -.->
| may-evict | T1546007["Netsh Helper DLL"] ;
class ProcessSuspension DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSuspension href "/technique/d3f:ProcessSuspension"; HostShutdown["Host Shutdown"] -->
| terminates | Process["Process"];
HostShutdown["Host Shutdown"] -.->
| may-evict | T1546007["Netsh Helper DLL"] ;
class HostShutdown DefensiveTechniqueNode;
class Process ArtifactNode;
click HostShutdown href "/technique/d3f:HostShutdown"; ProcessTermination["Process Termination"] -->
| terminates | Process["Process"];
ProcessTermination["Process Termination"] -.->
| may-evict | T1546007["Netsh Helper DLL"] ;
class ProcessTermination DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessTermination href "/technique/d3f:ProcessTermination"; ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -->
| analyzes | Process["Process"];
ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.->
| may-detect | T1546007["Netsh Helper DLL"] ;
class ProcessSelf-ModificationDetection DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection"; ProcessSpawnAnalysis["Process Spawn Analysis"] -->
| analyzes | Process["Process"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.->
| may-detect | T1546007["Netsh Helper DLL"] ;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis"; Application-basedProcessIsolation["Application-based Process Isolation"] -->
| isolates | Process["Process"];
Application-basedProcessIsolation["Application-based Process Isolation"] -.->
| may-isolate | T1546007["Netsh Helper DLL"] ;
class Application-basedProcessIsolation DefensiveTechniqueNode;
class Process ArtifactNode;
click Application-basedProcessIsolation href "/technique/d3f:Application-basedProcessIsolation"; Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -->
| isolates | Process["Process"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.->
| may-isolate | T1546007["Netsh Helper DLL"] ;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
class Process ArtifactNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation"; RestoreConfiguration["Restore Configuration"] -->
| restores | SystemConfigurationDatabaseRecord["System Configuration Database Record"];
RestoreConfiguration["Restore Configuration"] -.->
| may-restore | T1546007["Netsh Helper DLL"] ;
class RestoreConfiguration DefensiveTechniqueNode;
class SystemConfigurationDatabaseRecord ArtifactNode;
click RestoreConfiguration href "/technique/d3f:RestoreConfiguration"; ProcessLineageAnalysis["Process Lineage Analysis"] -->
| analyzes | Process["Process"];
ProcessLineageAnalysis["Process Lineage Analysis"] -.->
| may-detect | T1546007["Netsh Helper DLL"] ;
class ProcessLineageAnalysis DefensiveTechniqueNode;
class Process ArtifactNode;
click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis"; HostReboot["Host Reboot"] -->
| terminates | Process["Process"];
HostReboot["Host Reboot"] -.->
| may-evict | T1546007["Netsh Helper DLL"] ;
class HostReboot DefensiveTechniqueNode;
class Process ArtifactNode;
click HostReboot href "/technique/d3f:HostReboot"; MandatoryAccessControl["Mandatory Access Control"] -->
| isolates | Process["Process"];
MandatoryAccessControl["Mandatory Access Control"] -.->
| may-isolate | T1546007["Netsh Helper DLL"] ;
class MandatoryAccessControl DefensiveTechniqueNode;
class Process ArtifactNode;
click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl";