operator
ChainsTTPsBlogLogin
menu
Prelude chain browser

Netsh Helper DLL

Unhook EDR hooks in ntdll.dll on the target system then ingress an agent configuration file and agent DLL. Store a custom key in the registry then install a Netsh helper DLL. The helper DLL uses SysWhispers to perform direct system calls to NtCreateThreadEx against the stored registry key entry.

2021-08-10

/static/assets/windows-logo.svg
Professional
This is a professional attack chain. A professional subscription automatically gives you access to this chain + 50 more, with direct integration inside of Operator.info
Authors:khyberspache, nicholas spagnola (@makosec), mantvydas baranauskas (@spotheplanet), oddvar moe @oddvarmoe, freddie barr-smith, riccardo spolaor, mariano graziano, xabier ugarte-pedrero

Execute this chain

Download Operator (1.7.1)
Learn about Operator

TTPs

Unhook ntdll.dll EDR hooks via remapping
Create specific registry key in HKLM
Stage agent configuration file
Ingress Pneuma DLL with exported LaunchPneuma function
Netsh helper dll persistence

Tags

kaseya vsa attack

Tactics

About PreludePrelude hardens an organization's defenses by continuously “asking” it questions through the form of safe cyberattacks. These attacks respond immediately to the latest vulnerabilities and cyber events, turning complex technical descriptions into deployable “questions”.Our mission is to increase the reach, frequency and usage of advanced security for all organizations.
twitterFollow @preludeorg on Twitter for new chains and more.
discordJoin the Prelude Discord to discuss chains and more.
githubKeep up to date with code changes and community activity on Github
operator
preludesecurity.comCareersTactics & TechniquesAttack themes
Privacy Policysupport@preludesecurity.com© 2023 Prelude Research, Inc.All rights reserved. Prelude, its logo and other trademarks are trademarks of Prelude Research, Inc. and may not be used without permission.