MITRE ATT&CK Technique
Description
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\SOFTWARE\Microsoft\Netsh</code>. Adversaries can use netsh.exe with helper DLLs to proxy execution of arbitrary code in a persistent manner when netsh.exe is executed automatically with another Persistence technique or if other persistent software is present on the system that executes netsh.exe as part of its normal functionality. Examples include some VPN software that invoke netsh.exe. (Citation: Demaske Netsh Persistence) Proof of concept code exists to load Cobalt Strike's payload using netsh.exe helper DLLs. (Citation: Github Netsh Helper CS Beacon)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:31:40.168Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Netsh.exe (also referred to as Netshell) is a command-line '
'scripting utility used to interact with the network '
'configuration of a system. It contains functionality to add '
'helper DLLs for extending functionality of the utility. '
'(Citation: TechNet Netsh) The paths to registered netsh.exe '
'helper DLLs are entered into the Windows Registry at '
'<code>HKLM\\SOFTWARE\\Microsoft\\Netsh</code>.\n'
'\n'
'Adversaries can use netsh.exe with helper DLLs to proxy '
'execution of arbitrary code in a persistent manner when '
'netsh.exe is executed automatically with another Persistence '
'technique or if other persistent software is present on the '
'system that executes netsh.exe as part of its normal '
'functionality. Examples include some VPN software that invoke '
'netsh.exe. (Citation: Demaske Netsh Persistence)\n'
'\n'
"Proof of concept code exists to load Cobalt Strike's payload "
'using netsh.exe helper DLLs. (Citation: Github Netsh Helper '
'CS Beacon)',
'external_references': [{'external_id': 'T1128',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1128'},
{'description': 'Microsoft. (n.d.). Using Netsh. '
'Retrieved February 13, 2017.',
'source_name': 'TechNet Netsh',
'url': 'https://technet.microsoft.com/library/bb490939.aspx'},
{'description': 'Demaske, M. (2016, September 23). '
'USING NETSHELL TO EXECUTE EVIL DLLS '
'AND PERSIST ON A HOST. Retrieved '
'April 8, 2017.',
'source_name': 'Demaske Netsh Persistence',
'url': 'https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html'},
{'description': 'Smeets, M. (2016, September 26). '
'NetshHelperBeacon. Retrieved '
'February 13, 2017.',
'source_name': 'Github Netsh Helper CS Beacon',
'url': 'https://github.com/outflankbv/NetshHelperBeacon'}],
'id': 'attack-pattern--bb0e0cb5-f3e4-4118-a4cb-6bf13bfbc9f2',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:49:17.716Z',
'name': 'Netsh Helper DLL',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Matthew Demaske, Adaptforward'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.1'}