Netsh Helper DLL
Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, which can be done by administrators or a scheduled task.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2023/08/29"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its
11functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed,
12which can be done by administrators or a scheduled task.
13"""
14from = "now-9m"
15index = ["logs-endpoint.events.registry-*", "endgame-*"]
16language = "eql"
17license = "Elastic License v2"
18name = "Netsh Helper DLL"
19risk_score = 21
20rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
21severity = "low"
22tags = [
23 "Domain: Endpoint",
24 "OS: Windows",
25 "Use Case: Threat Detection",
26 "Tactic: Persistence",
27 "Data Source: Elastic Endgame",
28 "Data Source: Elastic Defend",
29]
30timestamp_override = "event.ingested"
31type = "eql"
32
33query = '''
34registry where host.os.type == "windows" and event.type == "change" and
35 registry.path : (
36 "HKLM\\Software\\Microsoft\\netsh\\*",
37 "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*"
38 )
39'''
40
41
42[[rule.threat]]
43framework = "MITRE ATT&CK"
44[[rule.threat.technique]]
45id = "T1546"
46name = "Event Triggered Execution"
47reference = "https://attack.mitre.org/techniques/T1546/"
48[[rule.threat.technique.subtechnique]]
49id = "T1546.007"
50name = "Netsh Helper DLL"
51reference = "https://attack.mitre.org/techniques/T1546/007/"
52
53
54
55[rule.threat.tactic]
56id = "TA0003"
57name = "Persistence"
58reference = "https://attack.mitre.org/tactics/TA0003/"
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1112"
63name = "Modify Registry"
64reference = "https://attack.mitre.org/techniques/T1112/"
65
66
67[rule.threat.tactic]
68id = "TA0005"
69name = "Defense Evasion"
70reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Adding Hidden File Attribute via Attrib
- Component Object Model Hijacking
- Creation of a Hidden Local User Account
- Execution of Persistent Suspicious Program
- Execution via MSSQL xp_cmdshell Stored Procedure