How can defenders detect and remove a Netsh helper DLL persistence?
Detection is done by monitoring the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh` for added or modified values. Every registered helper is a value under this key (the value name identifies the helper and the data is the DLL name or path), so a new or changed value is the direct indicator, and `netsh add helper` writes exactly such a value. Do not rely on `netsh show helper` alone: it enumerates helper contexts that the DLLs register at load time, so a malicious DLL that simply runs its payload from its initialization routine without registering a proper helper may not be listed; registry auditing (for example Sysmon Event ID 13 on this key) is essential. Removal can be performed with `netsh delete helper <dllname>` or by deleting the corresponding registry value, followed by removing the DLL from disk. Because the default set of helpers varies by Windows version and installed features, compare against a baseline captured from a known-clean system of the same build rather than a fixed list.
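The following PowerShell script is an added example and not part of the original answer. It implements the baseline comparison described above: it reads every value under `HKLM:\SOFTWARE\Microsoft\NetSh`, flags DLLs that are missing from a baseline, that resolve outside `System32`, that do not exist on disk, or that are not validly signed, and prints the matching `netsh delete helper` / `Remove-ItemProperty` command for each finding. The `$Baseline` list is an assumption: it shows the shape of a baseline exported from a clean reference host, and must be replaced with one captured from your own build, since defaults vary.

```powershell
# Added example (not from the original page): audit the NetSh helper registry key against a baseline.
# Assumption: $Baseline holds helper DLL file names exported earlier from a known-clean host of the
# same Windows build. The default set differs between versions, so replace this list with your own.

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\NetSh'

# Hypothetical baseline. Capture a real one on a clean reference host with, for example:
#   $k = Get-Item 'HKLM:\SOFTWARE\Microsoft\NetSh'; $k.GetValueNames() | ForEach-Object { $k.GetValue($_) }
$Baseline = @(
    'authfwcfg.dll', 'dhcpcmonitor.dll', 'dot3cfg.dll', 'fwcfg.dll', 'hnetmon.dll',
    'ifmon.dll', 'netiohlp.dll', 'nettrace.dll', 'nshhttp.dll', 'nshipsec.dll',
    'nshwfp.dll', 'p2pnetsh.dll', 'peerdistsh.dll', 'rasmontr.dll', 'rpcnsh.dll',
    'whhelper.dll', 'wlancfg.dll', 'wshelper.dll', 'wwancfg.dll'
) | ForEach-Object { $_.ToLowerInvariant() }

$Key      = Get-Item -Path $KeyPath
$Findings = @()

foreach ($ValueName in $Key.GetValueNames()) {
    $Dll     = [string]$Key.GetValue($ValueName)
    $Reasons = @()

    # 1. Helper not present in the baseline: an added or renamed entry.
    $FileName = [System.IO.Path]::GetFileName($Dll).ToLowerInvariant()
    if ($Baseline -notcontains $FileName) { $Reasons += 'not in baseline' }

    # 2. Resolve the DLL the way a bare name would normally load for netsh.exe (System32 first);
    #    an explicit path in the registry data loads from wherever the attacker placed the file.
    $Resolved = if ([System.IO.Path]::IsPathRooted($Dll)) { $Dll }
                else { Join-Path $env:SystemRoot "System32\$Dll" }

    if (-not (Test-Path -LiteralPath $Resolved)) {
        $Reasons += 'file missing on disk'
    } else {
        if ($Resolved -notlike "$env:SystemRoot\System32\*") { $Reasons += 'outside System32' }
        # 3. Default helpers are Microsoft-signed; an unsigned or tampered DLL stands out.
        $Sig = Get-AuthenticodeSignature -FilePath $Resolved
        if ($Sig.Status -ne 'Valid') { $Reasons += "signature status: $($Sig.Status)" }
    }

    if ($Reasons.Count -gt 0) {
        $Findings += [pscustomobject]@{
            ValueName = $ValueName
            Dll       = $Dll
            Resolved  = $Resolved
            Reasons   = ($Reasons -join '; ')
            Removal   = "netsh delete helper `"$Dll`"   (or) Remove-ItemProperty -Path '$KeyPath' -Name '$ValueName'"
        }
    }
}

if ($Findings.Count -eq 0) { 'No deviations from baseline under HKLM\SOFTWARE\Microsoft\NetSh.' }
else { $Findings | Format-List }
```

Run it from an elevated PowerShell session so the signature check can read every DLL. The script only reports; apply the printed removal command manually after confirming the finding, and delete the DLL file itself afterwards, since removing the registry value alone leaves the payload on disk.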
Tags: detection, registry monitoring, netsh show helper, removal, forensic analysis
Source: Netsh persistence