Netsh Helper DLL

Identifies the addition of a Netsh Helper DLL. netsh.exe supports the registration of such DLLs to extend its functionality, and attackers may abuse this mechanism to execute malicious payloads every time the utility runs, whether launched by an administrator or by a scheduled task.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2023/08/29"
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its
functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed,
which can be done by administrators or a scheduled task.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.registry-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Netsh Helper DLL"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Netsh Helper DLL

Netsh, a command-line utility in Windows, allows for network configuration and diagnostics. It supports extensibility through Helper DLLs, which can be added to enhance its capabilities. However, attackers can exploit this by adding malicious DLLs, ensuring their code runs whenever netsh is executed. The detection rule monitors registry changes related to netsh DLLs, flagging unauthorized modifications that may indicate persistence tactics.

### Possible investigation steps

- Review the registry path specified in the alert to confirm the presence of any unauthorized or suspicious DLLs under "HKLM\\Software\\Microsoft\\netsh\\".
- Check the timestamp of the registry change event to determine when the modification occurred and correlate it with any other suspicious activities or events on the system.
- Investigate the origin of the DLL file by examining its properties, such as the file path, creation date, and digital signature, to assess its legitimacy.
- Analyze recent user activity and scheduled tasks to identify any potential execution of netsh.exe that could have triggered the malicious DLL.
- Cross-reference the alert with other security logs and alerts from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and identify any related threats or indicators of compromise.

### False positive analysis

- Legitimate software installations or updates may add or modify Netsh Helper DLLs, triggering the detection rule. Users should verify if recent installations or updates coincide with the registry changes.
- Network management tools or scripts used by IT departments might legitimately extend netsh functionality. Identify and document these tools to create exceptions in the detection rule.
- Scheduled tasks or administrative scripts that configure network settings could cause expected changes. Review scheduled tasks and scripts to ensure they are authorized and adjust the rule to exclude these known activities.
- Security software or network monitoring solutions may interact with netsh for legitimate purposes. Confirm with the software vendor if their product modifies netsh settings and consider excluding these changes from the rule.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further execution of the malicious DLL and potential lateral movement.
- Terminate any suspicious processes associated with netsh.exe to halt the execution of the malicious payload.
- Remove the unauthorized Netsh Helper DLL entry from the registry path identified in the alert to eliminate the persistence mechanism.
- Conduct a thorough scan of the affected system using an updated antivirus or endpoint detection and response (EDR) tool to identify and remove any additional malicious files or artifacts.
- Review and restore any altered system configurations to their original state to ensure system integrity.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for registry changes related to Netsh Helper DLLs to detect similar threats in the future."""
risk_score = 21
rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.path : (
    "HKLM\\Software\\Microsoft\\netsh\\*",
    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*",
    "MACHINE\\Software\\Microsoft\\netsh\\*"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.007"
name = "Netsh Helper DLL"
reference = "https://attack.mitre.org/techniques/T1546/007/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
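The following is an added example, not part of the Elastic rule or its repository. It replays the rule's where-clause (the three case-insensitive, wildcarded registry.path patterns from the EQL query) over constructed ECS-style registry events, and adds the first triage step from the guide: classifying where the registered DLL would load from. The sample events, helper names and the "bare name resolves from System32" heuristic are assumptions for illustration.

```python
import fnmatch

# The three registry.path patterns from the rule's EQL query. EQL's ":" operator
# compares case-insensitively and treats "*" as a wildcard; fnmatchcase on
# lower-cased strings reproduces that ("*" also crosses backslashes in fnmatch).
NETSH_HELPER_PATTERNS = [
    "HKLM\\Software\\Microsoft\\netsh\\*",
    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*",
    "MACHINE\\Software\\Microsoft\\netsh\\*",
]

def matches_rule(event):
    """Apply the rule's where-clause to one ECS-style registry event (dict)."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return False
    path = event.get("registry.path", "").lower()
    return any(fnmatch.fnmatchcase(path, p.lower()) for p in NETSH_HELPER_PATTERNS)

def dll_location(value):
    """Triage hint for the registry value: where would the helper DLL load from?
    Assumption: built-in helpers are registered by bare file name and resolve
    from System32, so a full path outside the Windows directory is worth a look."""
    v = value.strip().strip('"').lower()
    if "\\" not in v:
        return "bare-name"
    if v.startswith("c:\\windows\\"):
        return "windows-dir"
    return "outside-windows"

def detect(events):
    """Return (registry.path, registry value, location hint) for each flagged event."""
    return [(e["registry.path"], e.get("registry.data.strings", ""),
             dll_location(e.get("registry.data.strings", "")))
            for e in events if matches_rule(e)]

# Constructed sample events (not captured from a real host); names are illustrative.
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.type": "change",
     "registry.path": "HKLM\\Software\\Microsoft\\netsh\\ifmon",
     "registry.data.strings": "ifmon.dll"},                      # built-in style entry
    {"host.os.type": "windows", "event.type": "change",
     "registry.path": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\NetSh\\helper1",
     "registry.data.strings": "C:\\Users\\Public\\helper1.dll"}, # user-writable path
    {"host.os.type": "windows", "event.type": "change",
     "registry.path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x",
     "registry.data.strings": "C:\\Users\\Public\\x.exe"},       # other key: no match
    {"host.os.type": "windows", "event.type": "deletion",
     "registry.path": "HKLM\\Software\\Microsoft\\netsh\\helper2",
     "registry.data.strings": "helper2.dll"},                    # removal: no match
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The second hit is the one the investigation steps are written for: the path matches the rule and the value points at a user-writable directory, so the file's signature and creation time should be checked next.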
