netsh.exe extensions

Location:

HKLM\SOFTWARE\Microsoft\NetSh

Classification:

Criteria	Value
Permissions	Admin
Security context	User
Persistence type	Registry
Code type	DLL
Launch type	User initiated¹
Impact	Non-destructive²
OS Version	All OS versions
Dependencies	OS only
Toolset	Scriptable

Description:

Netsh.exe can launch different modules. If you add your own module DLL it will be loaded when netsh.exe starts. DllMain() and InitHelperDll() are called automatically. Effectively it leads to DLL sideloading.

References:

https://twitter.com/0gtweet/status/1672274872163074051

Credits:

Well known key

Remarks:

User must launch netsh.exe ↩
Lack of InitHelperDll() leads to an error message within netsh.exe but the tool and DLL still work. ↩

persistence-info.github.io