ATTACK-T1546.007 (Active)

Netsh Helper DLL

Statement

Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.

Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution takes place any time netsh.exe is executed, which could happen automatically, through another persistence technique, or when other software on the system (for example, a VPN) executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon) (Citation: Demaske Netsh Persistence)

Location

Tactic
Privilege Escalation

Technique Details

Identifier
ATTACK-T1546.007
Parent Technique
ATTACK-T1546

Tactics

Privilege Escalation, Persistence

Platforms

Windows

Detection

Detection Strategy for Netsh Helper DLL Persistence via Registry and Child Process Monitoring (Windows)
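
The registry side of this detection can be checked on a host with the PowerShell audit below. It is an added example, not code from this page or from MITRE; the function name Get-NetshHelperAudit is hypothetical, and the script assumes that a helper registered by bare file name is loaded from System32.

```powershell
# Added example: audit netsh helper DLL registrations on a Windows host.
# Reads the key named on this page and reports where each helper DLL lives
# and whether its Authenticode signature validates.
$key   = 'HKLM:\SOFTWARE\Microsoft\Netsh'
$sys32 = Join-Path $env:SystemRoot 'System32'

function Get-NetshHelperAudit {
    $regKey = Get-Item -LiteralPath $key -ErrorAction Stop
    foreach ($name in $regKey.GetValueNames()) {
        $raw = [string]$regKey.GetValue($name)
        if ([string]::IsNullOrWhiteSpace($raw)) { continue }   # skip empty/default value

        # Assumption: a bare file name (no directory) resolves to System32.
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        $path = if ([IO.Path]::IsPathRooted($expanded)) { $expanded } else { Join-Path $sys32 $expanded }
        $path = [IO.Path]::GetFullPath($path)

        $inSys32 = $path.StartsWith("$sys32\", [StringComparison]::OrdinalIgnoreCase)
        $exists  = Test-Path -LiteralPath $path -PathType Leaf
        $sig     = if ($exists) { Get-AuthenticodeSignature -LiteralPath $path } else { $null }
        $status  = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
        $signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        [pscustomobject]@{
            ValueName  = $name
            Data       = $raw
            Path       = $path
            InSystem32 = $inSys32
            Signature  = $status
            Signer     = $signer
            # Triage flag only: outside System32, missing on disk, or not validly signed.
            Review     = (-not $inSys32) -or ($status -ne 'Valid')
        }
    }
}

# Entries that need a closer look are listed first.
Get-NetshHelperAudit | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```

Rows with Review set to True are candidates for investigation rather than confirmed persistence; compare them against a known-good baseline for the same OS build.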

No cross-framework mappings available
