Netsh Helper DLL

calendar Apr 16, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Persistence Data Source: Elastic Endgame Data Source: Elastic Defend  ·
Share on: linkedin copy

Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done by administrators or a scheduled task.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2023/08/29"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/04/05"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality.
13Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done
14by administrators or a scheduled task.
15"""
16from = "now-9m"
17index = ["logs-endpoint.events.registry-*", "endgame-*"]
18language = "eql"
19license = "Elastic License v2"
20name = "Netsh Helper DLL"
21risk_score = 21
22rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
23severity = "low"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = '''
29registry where host.os.type == "windows" and event.type == "change" and
30  registry.path : (
31    "HKLM\\Software\\Microsoft\\netsh\\*",
32    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*"
33  )
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1546"
41name = "Event Triggered Execution"
42reference = "https://attack.mitre.org/techniques/T1546/"
43[[rule.threat.technique.subtechnique]]
44id = "T1546.007"
45name = "Netsh Helper DLL"
46reference = "https://attack.mitre.org/techniques/T1546/007/"
47
48
49[rule.threat.tactic]
50id = "TA0003"
51name = "Persistence"
52reference = "https://attack.mitre.org/tactics/TA0003/"
53
54
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1112"
59name = "Modify Registry"
60reference = "https://attack.mitre.org/techniques/T1112/"
61
62
63[rule.threat.tactic]
64id = "TA0005"
65name = "Defense Evasion"
66reference = "https://attack.mitre.org/tactics/TA0005/"

Related rules

to-top