Netsh Helper DLL

Identifies the addition of a Netsh Helper DLL. netsh.exe supports the addition of such DLLs to extend its functionality, and attackers may abuse this mechanism to execute malicious payloads every time the utility is executed, whether by an administrator or by a scheduled task.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2023/08/29"
integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its
functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed,
which can be done by administrators or a scheduled task.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "logs-windows.sysmon_operational-*"]
language = "eql"
license = "Elastic License v2"
name = "Netsh Helper DLL"
risk_score = 21
rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.path : (
    "HKLM\\Software\\Microsoft\\netsh\\*",
    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*",
    "MACHINE\\Software\\Microsoft\\netsh\\*"
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Netsh Helper DLL

Netsh, a command-line utility in Windows, allows for network configuration and diagnostics. It supports extensibility through Helper DLLs, which can be added to enhance its capabilities. However, attackers can exploit this by adding malicious DLLs, ensuring their code runs whenever netsh is executed. The detection rule monitors registry changes related to netsh DLLs, flagging unauthorized modifications that may indicate persistence tactics.

### Possible investigation steps

- Review the registry path specified in the alert to confirm the presence of any unauthorized or suspicious DLLs under "HKLM\\Software\\Microsoft\\netsh\\".
- Check the timestamp of the registry change event to determine when the modification occurred and correlate it with any other suspicious activities or events on the system.
- Investigate the origin of the DLL file by examining its properties, such as the file path, creation date, and digital signature, to assess its legitimacy.
- Analyze recent user activity and scheduled tasks to identify any potential execution of netsh.exe that could have triggered the malicious DLL.
- Cross-reference the alert with other security logs and alerts from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and identify any related threats or indicators of compromise.

### False positive analysis

- Legitimate software installations or updates may add or modify Netsh Helper DLLs, triggering the detection rule. Users should verify if recent installations or updates coincide with the registry changes.
- Network management tools or scripts used by IT departments might legitimately extend netsh functionality. Identify and document these tools to create exceptions in the detection rule.
- Scheduled tasks or administrative scripts that configure network settings could cause expected changes. Review scheduled tasks and scripts to ensure they are authorized and adjust the rule to exclude these known activities.
- Security software or network monitoring solutions may interact with netsh for legitimate purposes. Confirm with the software vendor if their product modifies netsh settings and consider excluding these changes from the rule.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further execution of the malicious DLL and potential lateral movement.
- Terminate any suspicious processes associated with netsh.exe to halt the execution of the malicious payload.
- Remove the unauthorized Netsh Helper DLL entry from the registry path identified in the alert to eliminate the persistence mechanism.
- Conduct a thorough scan of the affected system using an updated antivirus or endpoint detection and response (EDR) tool to identify and remove any additional malicious files or artifacts.
- Review and restore any altered system configurations to their original state to ensure system integrity.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Implement enhanced monitoring and logging for registry changes related to Netsh Helper DLLs to detect similar threats in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.007"
name = "Netsh Helper DLL"
reference = "https://attack.mitre.org/techniques/T1546/007/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
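The following is an added example, not Elastic's code, that replays the rule's query above in Python over constructed ECS-style registry events and then applies the kind of baseline check the "False positive analysis" section asks for. It assumes flattened ECS field names (event.category, event.type, host.os.type, registry.path, registry.value, registry.data.strings); the baseline set of helper value names and the "helpers live under the system directory" heuristic are assumptions of the example, to be replaced with values taken from a known-good image in your own environment.

```python
import fnmatch

# Path patterns copied from the rule's query. In a Python literal "\\" is a
# single backslash, exactly as in the TOML triple-quoted string.
NETSH_PATH_PATTERNS = (
    "HKLM\\Software\\Microsoft\\netsh\\*",
    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*",
    "MACHINE\\Software\\Microsoft\\netsh\\*",
)

# Constructed baseline for the false-positive step: helper value names that a
# known-good image of this host is assumed to carry. This set is an assumption
# of the example, not a list published with the rule; build yours from a clean host.
BASELINE_HELPERS = {"ifmon", "rasmontr", "dhcpmon"}

# Assumption: helpers on a clean host live under the Windows system directory,
# so a helper DLL registered from anywhere else is prioritised for triage.
SYSTEM_DIR = "c:\\windows\\system32\\"


def matches_rule(ev):
    """Replay of the EQL query over one flattened ECS event.

    'registry where' restricts to event.category == "registry"; the ':' operator
    is a case-insensitive wildcard comparison, hence the lowercasing.
    """
    if ev.get("event.category") != "registry":
        return False
    if ev.get("host.os.type") != "windows" or ev.get("event.type") != "change":
        return False
    path = ev.get("registry.path", "").lower()
    return any(fnmatch.fnmatchcase(path, p.lower()) for p in NETSH_PATH_PATTERNS)


def triage(ev):
    """First-pass verdict for an event that matched the query.

    An event carrying no DLL path at all is treated as 'in the system directory'
    (all() of an empty list) and falls through to the name check.
    """
    value = ev.get("registry.value", "").lower()
    dll_paths = [s.lower() for s in ev.get("registry.data.strings", [])]
    in_system_dir = all(p.startswith(SYSTEM_DIR) for p in dll_paths)
    if value in BASELINE_HELPERS and in_system_dir:
        return "expected", "baseline helper name registered from the system directory"
    if not in_system_dir:
        return "investigate", "helper DLL registered from outside the system directory"
    return "review", "helper name not in baseline; confirm with the owning tool or vendor"


def run(events):
    """Apply the rule to a batch; returns (registry.path, verdict, reason) per hit."""
    return [(ev["registry.path"],) + triage(ev) for ev in events if matches_rule(ev)]


# Constructed sample events (not real telemetry), one per case of interest.
SAMPLE_EVENTS = [
    # New helper value pointing at a user-writable location.
    {"event.category": "registry", "event.type": "change", "host.os.type": "windows",
     "registry.path": "HKLM\\Software\\Microsoft\\netsh\\helper",
     "registry.value": "helper",
     "registry.data.strings": ["C:\\Users\\Public\\helper.dll"]},
    # Baseline helper re-registered by an update, in the kernel-style path form.
    {"event.category": "registry", "event.type": "change", "host.os.type": "windows",
     "registry.path": "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\ifmon",
     "registry.value": "ifmon",
     "registry.data.strings": ["C:\\Windows\\System32\\ifmon.dll"]},
    # Value removed under the key: the rule fires on "change" only, so no hit.
    {"event.category": "registry", "event.type": "deletion", "host.os.type": "windows",
     "registry.path": "HKLM\\Software\\Microsoft\\netsh\\helper",
     "registry.value": "helper"},
    # A different persistence key is outside the rule's scope.
    {"event.category": "registry", "event.type": "change", "host.os.type": "windows",
     "registry.path": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
     "registry.value": "updater",
     "registry.data.strings": ["C:\\Program Files\\Updater\\updater.exe"]},
    # Unknown helper name registered from the system directory, e.g. an IT tool.
    {"event.category": "registry", "event.type": "change", "host.os.type": "windows",
     "registry.path": "MACHINE\\Software\\Microsoft\\netsh\\corpnethelper",
     "registry.value": "corpnethelper",
     "registry.data.strings": ["C:\\Windows\\System32\\corpnethelper.dll"]},
]

if __name__ == "__main__":
    for path, verdict, reason in run(SAMPLE_EVENTS):
        print(f"{verdict:12} {path}  ({reason})")
```

Running it yields three hits: the user-writable helper is marked "investigate", the baseline ifmon re-registration "expected", and the unknown system-directory helper "review", while the deletion and the unrelated Run key produce nothing. The "expected" verdict is the place to hang a rule exception once the owning tool is documented; the other two map to the investigation steps in the guide.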
