Netsh Helper DLL

 1[metadata]
 2creation_date = "2023/08/29"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its
11functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed,
12which can be done by administrators or a scheduled task.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.registry-*", "endgame-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Netsh Helper DLL"
19risk_score = 21
20rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
21severity = "low"
22tags = [
23    "Domain: Endpoint",
24    "OS: Windows",
25    "Use Case: Threat Detection",
26    "Tactic: Persistence",
27    "Data Source: Elastic Endgame",
28    "Data Source: Elastic Defend",
29]
30timestamp_override = "event.ingested"
31type = "eql"
32
33query = '''
34registry where host.os.type == "windows" and event.type == "change" and
35  registry.path : (
36    "HKLM\\Software\\Microsoft\\netsh\\*",
37    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*"
38  )
39'''
40
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44[[rule.threat.technique]]
45id = "T1546"
46name = "Event Triggered Execution"
47reference = "https://attack.mitre.org/techniques/T1546/"
48[[rule.threat.technique.subtechnique]]
49id = "T1546.007"
50name = "Netsh Helper DLL"
51reference = "https://attack.mitre.org/techniques/T1546/007/"
52
53
54
55[rule.threat.tactic]
56id = "TA0003"
57name = "Persistence"
58reference = "https://attack.mitre.org/tactics/TA0003/"
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1112"
63name = "Modify Registry"
64reference = "https://attack.mitre.org/techniques/T1112/"
65
66
67[rule.threat.tactic]
68id = "TA0005"
69name = "Defense Evasion"
70reference = "https://attack.mitre.org/tactics/TA0005/"