{
	"id": "c66c5b50-7934-4af1-8689-506064b99c30",
	"created_at": "2026-04-06T15:52:22.352318Z",
	"updated_at": "2026-04-10T13:13:07.751392Z",
	"deleted_at": null,
	"sha1_hash": "9aa62ed1ddf20c4271becb2be7266c81cc1e327d",
	"title": "GitHub - outflanknl/NetshHelperBeacon: Example DLL to load from Windows NetShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40857,
	"plain_text": "GitHub - outflanknl/NetshHelperBeacon: Example DLL to load\r\nfrom Windows NetShell\r\nBy Marc Smeets\r\nArchived: 2026-04-06 15:36:42 UTC\r\nDLL to load from Windows NetShell. Will pop calc and execute shellcode.\r\nBackground\r\nIt turns out Windows NetShell (netsh) allows loading of external DLLs. But you can't just load any regular DLL.\r\nFor successful loading, netsh requires the InitHelperDll entry point to exist. Once loaded, the DLL will be executed\r\nevery time netsh is executed.\r\nI got the idea after reading a blogpost(1) and wanted to verify and test its usefulness by making a PoC that\r\nexecutes Cobalt Strike beacon code.\r\nHow to use\r\nYolo mode: load (x64)Release\\NetshHelperBeacon.dll on your production machine\r\nFire up Visual Studio and import the project\r\nRead code, modify shellcode, build for your architecture\r\nCopy (x64)Release\\NetshHelperBeacon.dll to your desired location (c:\\windows\\system32 is the regular\r\npath for netsh DLLs)\r\nrun netsh add helper $PathToYourDll - should return OK and pop calc, but shellcode not yet executed\r\nrun netsh - should pop calc and run your shellcode\r\nDrawbacks\r\nCurrently spawns a new thread (so netsh remains useful) but will not spawn a new process. This means your\r\nshellcode will be killed once the netsh process is stopped.\r\nOnly loosely compliant with Microsoft netsh DLL rules. For example, the DLL is not registered with a GUID.\r\nTo make it useful for persistence you need to find a way for netsh to run after reboot.\r\n1: http://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/\r\nSource: https://github.com/outflankbv/NetshHelperBeacon",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/outflankbv/NetshHelperBeacon"
	],
	"report_names": [
		"NetshHelperBeacon"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775490742,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9aa62ed1ddf20c4271becb2be7266c81cc1e327d.pdf",
		"text": "https://archive.orkl.eu/9aa62ed1ddf20c4271becb2be7266c81cc1e327d.txt",
		"img": "https://archive.orkl.eu/9aa62ed1ddf20c4271becb2be7266c81cc1e327d.jpg"
	}
}