Netsh helper DLL persistence

Download a custom DLL that can be attached to netsh as a helper and that executes a value stored in the registry whenever netsh is run. The DLL makes a system() call with whatever value is stored under the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Prelude\Operator key with the name `bin_path` (for example, bin_path set to the string `C:\\Windows\\System32\\cmd.exe`). The DLL itself uses the SysWhispers project to create a custom wrapper around NtCreateThreadEx to bypass API hooks placed by EDR products. Persistence triggers any time netsh is run.
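
For defenders, the following added example (not part of the original page or of Operator) audits the helper DLLs registered with netsh and checks for the `bin_path` value described above. It assumes helpers are registered under `HKLM\SOFTWARE\Microsoft\NetSh`, the standard netsh helper list, which this page does not name; `Get-NetshHelperAudit` is a hypothetical function name and the "Suspicious" rule is a heuristic.

```powershell
# Added example: audit netsh helper DLL registrations (defensive check).
# Assumption: helpers are listed under the standard key below (not named on the page).
$helperKey   = 'HKLM:\SOFTWARE\Microsoft\NetSh'
$operatorKey = 'HKLM:\SOFTWARE\Prelude\Operator'   # key described on the page
$system32    = Join-Path $env:SystemRoot 'System32'

function Get-NetshHelperAudit {
    $key = Get-Item -Path $helperKey -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        $raw      = [string]$key.GetValue($name)
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        # Assumption: bare file names normally resolve from System32; rooted paths are used as-is.
        $path = if ([IO.Path]::IsPathRooted($expanded)) { $expanded }
                else { Join-Path $system32 $expanded }

        $exists  = Test-Path -LiteralPath $path
        $sig     = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
        $signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $inSys32 = $path.StartsWith($system32 + '\', [StringComparison]::OrdinalIgnoreCase)

        [pscustomobject]@{
            ValueName       = $name
            Dll             = $path
            Exists          = $exists
            InSystem32      = $inSys32
            SignatureStatus = if ($sig) { [string]$sig.Status } else { 'NotFound' }
            Signer          = $signer
            # Heuristic: stock helpers are Microsoft-signed DLLs located in System32.
            Suspicious      = (-not $exists) -or (-not $inSys32) -or
                              ($sig.Status -ne 'Valid') -or
                              ($signer -notmatch 'O=Microsoft Corporation')
        }
    }
}

# List every registered helper, suspicious entries first.
Get-NetshHelperAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Check for the registry value this TTP reads its command from.
$prop = Get-ItemProperty -Path $operatorKey -Name 'bin_path' -ErrorAction SilentlyContinue
if ($prop) {
    Write-Warning "bin_path is set under $operatorKey : $($prop.bin_path)"
} else {
    Write-Output "No bin_path value found under $operatorKey"
}
```

Run it from a 64-bit PowerShell session so the registry view matches the one the 64-bit netsh.exe reads.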

Test this TTP using one of our Operator chains
Netsh Helper DLL

2021-08-10

Create a Netsh helper DLL persistence.