title: Netsh Helper DLL (T1546.007)
id: df00tech-t1546-007
status: experimental
description: "Adversaries may establish persistence by executing malicious content triggered by Netsh commands. Netsh.exe (also referred to as network shell) is a Windows command-line scripting utility that interacts with the network configuration of a system. Netsh contains functionality to add helper DLLs for extending functionality of the built-in tool. The paths to registered netsh helper DLLs are entered into the Windows Registry at HKLM\\SOFTWARE\\Microsoft\\NetSh. Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a trusted process (netsh.exe) whenever netsh.exe is executed, which may also provide privilege escalation if netsh.exe runs elevated."
references:
  - https://attack.mitre.org/techniques/T1546/007/
  - https://df00tech.com/detections/T1546.007
author: df00tech
date: 2026/04/20
tags:
  - attack.t1546.007
# NOTE: logsource follows the registry path named in the description (Sysmon Event ID 13 / registry_set); adjust to your environment's registry telemetry source
logsource:
  category: registry_set
  product: windows
detection:
  # Detection logic derived from the description above: a helper DLL value written under
  # HKLM\SOFTWARE\Microsoft\NetSh. Built-in helpers ship in System32, so a helper path elsewhere
  # is the signal. The full KQL/SPL query is on df00tech (see references).
  # Values with no directory component resolve through the normal DLL search path and are not
  # excluded by the filter below; baseline the helper names present on your images to tune noise.
  selection:
    TargetObject|contains: '\SOFTWARE\Microsoft\NetSh\'
  filter_system32:
    Details|contains: '\Windows\System32\'
  condition: selection and not filter_system32
falsepositives:
  - Third-party network management software that legitimately extends netsh functionality with custom helper DLLs (rare but possible for enterprise network tools)
  - Windows network configuration components that register helper DLLs during system updates or feature installations (these should be in System32)
  - Security monitoring products that hook netsh as a monitoring mechanism
  - VPN or network filter driver software that adds netsh helpers for network configuration commands
level: high
