Netsh Helper DLL
Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done by administrators or a scheduled task.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/08/29"
3integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its
13functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed,
14which can be done by administrators or a scheduled task.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Netsh Helper DLL"
21risk_score = 21
22rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
23severity = "low"
24tags = [
25 "Domain: Endpoint",
26 "OS: Windows",
27 "Use Case: Threat Detection",
28 "Tactic: Persistence",
29 "Data Source: Elastic Endgame",
30 "Data Source: Elastic Defend",
31 "Data Source: Microsoft Defender for Endpoint",
32 "Data Source: SentinelOne",
33 "Data Source: Sysmon",
34]
35timestamp_override = "event.ingested"
36type = "eql"
37
38query = '''
39registry where host.os.type == "windows" and event.type == "change" and
40 registry.path : (
41 "HKLM\\Software\\Microsoft\\netsh\\*",
42 "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*",
43 "MACHINE\\Software\\Microsoft\\netsh\\*"
44 )
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1546"
52name = "Event Triggered Execution"
53reference = "https://attack.mitre.org/techniques/T1546/"
54[[rule.threat.technique.subtechnique]]
55id = "T1546.007"
56name = "Netsh Helper DLL"
57reference = "https://attack.mitre.org/techniques/T1546/007/"
58
59
60
61[rule.threat.tactic]
62id = "TA0003"
63name = "Persistence"
64reference = "https://attack.mitre.org/tactics/TA0003/"
65[[rule.threat]]
66framework = "MITRE ATT&CK"
67[[rule.threat.technique]]
68id = "T1112"
69name = "Modify Registry"
70reference = "https://attack.mitre.org/techniques/T1112/"
71
72
73[rule.threat.tactic]
74id = "TA0005"
75name = "Defense Evasion"
76reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Adding Hidden File Attribute via Attrib
- Adobe Hijack Persistence
- Browser Extension Install
- Creation of a Hidden Local User Account
- Creation or Modification of a new GPO Scheduled Task or Service