Netsh helper DLL persistence

Download a custom DLL that can be attached to netsh as a helper and that executes a value stored in the registry whenever netsh is run. The DLL makes a system() call for whatever value is stored under the Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Prelude\Operator key with the name `bin_path` (for example, bin_path set to the string `C:\\Windows\\System32\\cmd.exe`). The DLL itself uses the SysWhispers project to create a custom wrapper around NtCreateThreadEx to bypass API hooks placed by EDR products. Persistence triggers any time netsh is run.
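
A defender-side check for this technique, as an added example that is not part of the original page or of Prelude's code: it parses `reg query` output and flags netsh helper DLLs that load from outside System32 or are missing from a baseline, plus the `bin_path` value described above. `HKLM\SOFTWARE\Microsoft\NetSh` is where netsh keeps its helper list; the sample output, the baseline set and the function names are constructed assumptions.

```python
import re
from ntpath import basename, dirname, normpath

NETSH_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh"     # netsh helper list
PRELUDE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Prelude\Operator"  # key named on this page
SYSTEM32 = r"c:\windows\system32"
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Turn `reg query` output into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_LINE.match(line)):
            current[m.group(1)] = m.group(3).strip()
    return keys

def audit(text, baseline):
    """Return findings for unexpected helper DLLs and for the payload value."""
    keys = {k.upper(): v for k, v in parse_reg_query(text).items()}
    findings = []
    for name, dll in keys.get(NETSH_KEY.upper(), {}).items():
        # Bare file names are resolved from System32; full paths are checked as given.
        folder = normpath(dirname(dll)).lower() if dirname(dll) else SYSTEM32
        if folder != SYSTEM32:
            findings.append(("helper-outside-system32", name, dll))
        elif basename(dll).lower() not in baseline:
            findings.append(("helper-not-in-baseline", name, dll))
    bin_path = keys.get(PRELUDE_KEY.upper(), {}).get("bin_path")
    if bin_path is not None:
        findings.append(("prelude-bin_path-present", "bin_path", bin_path))
    return findings

# Constructed sample output, not captured from a real host.
SAMPLE = "\n".join([
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh",
    r"    2    REG_SZ    ifmon.dll",
    r"    4    REG_SZ    rasmontr.dll",
    r"    helper    REG_SZ    C:\Users\Public\helper.dll",
    "",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Prelude\Operator",
    r"    bin_path    REG_SZ    C:\Windows\System32\cmd.exe",
])
BASELINE = {"ifmon.dll", "rasmontr.dll"}  # assumption: taken from a known-good build

if __name__ == "__main__":
    for finding in audit(SAMPLE, BASELINE):
        print(finding)
```

Build the baseline from a clean image of the same Windows version, since the default helper set differs between releases.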

Test this TTP using one of our Operator chains
Netsh Helper DLL


Create a Netsh helper DLL persistence.