{"id":9741,"date":"2024-12-25T23:15:42","date_gmt":"2024-12-25T23:15:42","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=9741"},"modified":"2024-12-26T01:01:17","modified_gmt":"2024-12-26T01:01:17","slug":"3-little-secrets-of-netsh-exe","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2024\/12\/25\/3-little-secrets-of-netsh-exe\/","title":{"rendered":"3 little secrets of netsh.exe"},"content":{"rendered":"\n<p>It is typical for many of us to discover &#8216;the cool thing&#8217;, and then quickly move on to research something else. Over the last few years my &#8216;<a href=\"https:\/\/www.hexacorn.com\/blog\/category\/little-known-secrets\/\" data-type=\"URL\" data-id=\"https:\/\/www.hexacorn.com\/blog\/category\/little-known-secrets\/\">little known secrets&#8217;<\/a> series exploited this phenomenon by showcasing scenarios that, admittedly, were available to many researchers before me, all of them &#8216;who were there first&#8217;, but&#8230; who then just stopped looking at other interesting things after they discovered, and then published about, &#8216;that one cool thing&#8217;.<\/p>\n\n\n\n<p>If it sounds cryptic&#8230; <\/p>\n\n\n\n<p>Take <em>netsh.exe<\/em> as an example. <\/p>\n\n\n\n<p>Its <a href=\"https:\/\/lolbas-project.github.io\/lolbas\/Binaries\/Netsh\/\">Lolbas<\/a> page describes only one lolbin usage, which relies on the &#8216;<em>netsh.exe add<\/em>&#8216; command to load an arbitrary DLL into the <em>netsh.exe<\/em> process.<\/p>\n\n\n\n<p>O-kay.<\/p>\n\n\n\n<p>A casual study of the <em>netsh.exe <\/em><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/networking\/technologies\/netsh\/netsh-contexts\">command line syntax<\/a> offers two additional opportunities:<\/p>\n\n\n\n<ul>\n<li>-f &lt;scriptfile&gt;<\/li>\n\n\n\n<li>exec &lt;scriptfile&gt;<\/li>\n<\/ul>\n\n\n\n<p>These commands take a script name as input and then process the commands stored inside the &lt;scriptfile&gt; file. 
It&#8217;s super basic, but it works.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh1.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh1.png\" alt=\"\" class=\"wp-image-9742\" width=\"520\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh1.png 926w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh1-300x107.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh1-768x273.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh1-500x178.png 500w\" sizes=\"(max-width: 926px) 100vw, 926px\" \/><\/a><\/figure>\n\n\n\n<p>And it&#8217;s not the end.<\/p>\n\n\n\n<p>Turns out the Alias file processing works too:<\/p>\n\n\n\n<ul>\n<li>-a &lt;AliasFile&gt;<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh2.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh2.png\" alt=\"\" class=\"wp-image-9744\" width=\"520\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh2.png 923w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh2-300x104.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh2-768x266.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh2-500x173.png 500w\" sizes=\"(max-width: 923px) 100vw, 923px\" \/><\/a><\/figure>\n\n\n\n<p>And it&#8217;s not the end either.<\/p>\n\n\n\n<p>Just trying to add a single alias leads to a DLL loading too! 
(and I don&#8217;t even know if this is proper syntax!)<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh3.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh3.png\" alt=\"\" class=\"wp-image-9745\" width=\"520\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh3.png 994w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh3-300x48.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh3-768x124.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh3-500x80.png 500w\" sizes=\"(max-width: 994px) 100vw, 994px\" \/><\/a><\/figure>\n\n\n\n<p>And then it hits you&#8230;<\/p>\n\n\n\n<p>You are doing all these tests on the very same system, one by one, in the context of changes you have already introduced to the system. And these changes should not be ignored!<\/p>\n\n\n\n<p>The first test added a <em>netsh.exe<\/em> &#8216;plug-in&#8217; to the Registry:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\NetSh\\test=test.dll<\/pre>\n\n\n\n<p>As a result, every subsequent invocation of <em>netsh.exe<\/em> attempted to load that <em>test.dll<\/em>, regardless of the command line used!<\/p>\n\n\n\n<p>Ouch. <\/p>\n\n\n\n<p>It&#8217;s a classic example of contamination of the evidence\/sample, and once it happens (and we miss it!), everything that follows, research-wise, is all wrong!<\/p>\n\n\n\n<p>And this is the moment when we come back to the basics, and test our hypotheses one by one, using a _clean_ environment for every test we have ever thought of. 
<\/p>\n\n\n\n<p>And then, after careful testing, we can still prove that these are very decent LOLBIN scenarios:<\/p>\n\n\n\n<ul>\n<li>-f &lt;scriptfile&gt;<\/li>\n\n\n\n<li>exec &lt;scriptfile&gt;<\/li>\n\n\n\n<li>-a &lt;AliasFile&gt;<\/li>\n<\/ul>\n\n\n\n<p>And if you enter the interactive mode of <em>netsh.exe<\/em>, you can add a DLL-loading alias like this, too:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh4-1.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh4-1.png\" alt=\"\" class=\"wp-image-9748\" width=\"520\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh4-1.png 927w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh4-1-300x146.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh4-1-768x374.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh4-1-500x243.png 500w\" sizes=\"(max-width: 927px) 100vw, 927px\" \/><\/a><\/figure>\n\n\n\n<p>or<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh5.png\"><img decoding=\"async\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh5.png\" alt=\"\" class=\"wp-image-9749\" width=\"520\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh5.png 939w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh5-300x61.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh5-768x155.png 768w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2024\/12\/netsh5-500x101.png 500w\" sizes=\"(max-width: 939px) 100vw, 939px\" \/><\/a><\/figure>\n\n\n\n<p>The lesson here is that we always need to dig a bit more, but we also need to be careful, because some of our conclusions may 
be convenient, but also&#8230; incorrect&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It is typical for many of us to discover &#8216;the cool thing&#8217;, and then quickly move on to research something else. Over the last few years my &#8216;little known secrets&#8217; series exploited this phenomenon by showcasing scenarios that, admittedly, were &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2024\/12\/25\/3-little-secrets-of-netsh-exe\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[126,56,64],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9741"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=9741"}],"version-history":[{"count":7,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9741\/revisions"}],"predecessor-version":[{"id":9755,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/9741\/revisions\/9755"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=9741"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=9741"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=9741"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}