T1546.007: Netsh Helper DLL
Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.[1] The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.
Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.[2][3]
Analyst context for executives and security teams
Netsh Helper DLL persistence matters because it turns a legitimate Windows networking utility into an event-triggered execution point. If a malicious helper DLL is registered, code can run whenever netsh.exe is invoked, including by administrators, scripts, or software such as VPN tooling that uses netsh as part of normal operations. For leaders, the risk is not just malware on one host; it is a persistence mechanism that can hide inside normal Windows network administration behavior.
Executive priority
Prioritize this as a Windows persistence and privilege-escalation validation item. Security leaders should ask whether the organization can prove what is registered under HKLM\SOFTWARE\Microsoft\Netsh, whether changes to that registry location are monitored, and whether netsh.exe executions are visible during incident response. This is useful audit and resilience evidence because it tests whether endpoint logging, registry monitoring, and SOC triage can distinguish expected network administration from suspicious persistence.
Technical view
ATT&CK lists this as a Windows sub-technique of Event Triggered Execution for persistence and privilege escalation. The key local artifact is the Windows Registry path HKLM\SOFTWARE\Microsoft\Netsh, which stores registered netsh.exe helper DLL paths. Because official ATT&CK detection text is not provided, defenders should use the related detection strategy context: monitor registry changes to the Netsh helper location and correlate with netsh.exe execution and child-process behavior. IR teams should validate registered helper DLL paths, file provenance, recent registry modification times, and whether netsh.exe execution aligns with known administrative, VPN, or system activity.
Likely telemetry
- Windows Registry auditing or EDR registry telemetry for HKLM\SOFTWARE\Microsoft\Netsh
- Process execution telemetry for netsh.exe
- Parent/child process telemetry involving netsh.exe
- DLL/file metadata and path information for registered helper DLLs
- Endpoint timeline data showing registry modification and subsequent netsh.exe execution
Detection direction
- Baseline legitimate Netsh helper DLL registrations on Windows endpoints and alert on new, unexpected, or recently modified entries under HKLM\SOFTWARE\Microsoft\Netsh.
- Correlate registry modification events with later netsh.exe execution rather than relying only on process name alerts.
- Tune for legitimate network administration and software that may invoke netsh.exe, including VPN-related activity mentioned in the ATT&CK description.
- During triage, compare helper DLL paths against expected system or approved software locations and investigate unusual user context, timing, or unsigned/unfamiliar DLLs where such evidence is available.
- Account for the ATT&CK limitation that no official detection text is provided; local logging quality and EDR visibility determine practical coverage.
Mitigation priorities
- Restrict administrative ability to modify HKLM registry locations to authorized users and managed processes.
- Maintain an approved baseline of Netsh helper DLL registrations for Windows systems where netsh usage is expected.
- Ensure endpoint controls collect registry, process, and file metadata needed to investigate this persistence mechanism.
- Review operational software that invokes netsh.exe so the SOC can separate expected behavior from suspicious helper DLL loading context.
- Include this registry location and netsh.exe execution pattern in incident response persistence checks for Windows hosts.
Analyst notes and limits
The most decision-useful relationship is DET0575, which explicitly points to registry and child-process monitoring for Netsh Helper DLL persistence. The revoked ATT&CK technique T1128 was replaced by this sub-technique, so teams should map older detections, reports, and playbooks to T1546.007. The related software object S0108 confirms netsh is a legitimate Windows scripting utility, which is why context and baselining are important.
The supplied ATT&CK object does not provide official detection guidance, mitigations, procedures, active exploitation claims, or actor attribution. This take is therefore limited to the Windows platform, persistence and privilege-escalation tactics, the documented registry location, netsh.exe execution behavior, external references, and the provided detection-strategy relationship. Local validation is required to determine actual exposure and detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1128 | Netsh Helper DLL | T1128 was revoked and replaced by this object. |
| Enterprise | T1546 | Event Triggered Execution | This object is a sub-technique of Event Triggered Execution. |
Groups, software, and campaigns
S0108: netsh
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9b460318ecf0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] TechNet Netsh: Microsoft. (n.d.). Using Netsh. Retrieved February 13, 2017.
[2] Github Netsh Helper CS Beacon: Smeets, M. (2016, September 26). NetshHelperBeacon. Retrieved February 13, 2017.
[3] Demaske Netsh Persistence: Demaske, M. (2016, September 23). Using Netshell to Execute Evil DLLs and Persist on a Host. Retrieved April 8, 2017.
[4] mitre-attack: T1546.007.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.