Netsh Helper DLL
Identifies the addition of a Netsh Helper DLL; netsh.exe supports the addition of these DLLs to extend its functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done by administrators or a scheduled task.
Elastic rule (View on GitHub)
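# Elastic prebuilt detection rule (Kibana rule TOML). Fires on registry changes
# under the key netsh.exe reads to load helper (extension) DLLs — ATT&CK T1546.007.
# The listing on the page had gutter line numbers fused into each line; they are
# stripped here so the document parses as TOML.

[metadata]
creation_date = "2023/08/29"
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
maturity = "production"
updated_date = "2024/10/15"
# Windows integration field changes at 8.14.0 make this rule incompatible with earlier stacks.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its
functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed,
which can be done by administrators or a scheduled task.
"""
# Lookback window per rule execution. Together with `timestamp_override` below it is
# presumably measured against ingestion time rather than event time, so events that
# reach the cluster late are not silently missed — confirm against the rule schedule.
from = "now-9m"
# One index pattern per data source named in `tags`; each source renders registry
# paths differently, which is why `query` lists several spellings of the same key.
index = [
    "logs-endpoint.events.registry-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Netsh Helper DLL"
# Low score/severity: the key is also touched legitimately (see note on `query`).
risk_score = 21
rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Data Source: Sysmon",
]
timestamp_override = "event.ingested"
type = "eql"

# Matches any `change` event for any value under the netsh helper key, i.e. value
# creation AND modification — broader than the "addition" the description names.
# The three path forms presumably cover how the different sources spell the HKLM
# hive (HKLM, \REGISTRY\MACHINE, MACHINE) — confirm per integration.
# NOTE(review): Windows servicing that rewrites the built-in helper entries would
# likely match as well; when triaging, compare the written DLL path against the
# expected system helpers and the writing process, and tune exclusions from a baseline.
query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.path : (
    "HKLM\\Software\\Microsoft\\netsh\\*",
    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*",
    "MACHINE\\Software\\Microsoft\\netsh\\*"
  )
'''

# Primary mapping: persistence via the netsh helper DLL sub-technique.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.007"
name = "Netsh Helper DLL"
reference = "https://attack.mitre.org/techniques/T1546/007/"

# `[rule.threat.tactic]` attaches to the most recent `[[rule.threat]]` element.
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

# Secondary mapping: the registry write itself.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"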
Related rules
- Adobe Hijack Persistence
- Browser Extension Install
- Creation of a Hidden Local User Account
- Creation or Modification of a new GPO Scheduled Task or Service
- Image File Execution Options Injection