Potential Persistence Via Netsh Helper DLL

calendar Nov 28, 2023 · attack.privilege_escalation attack.persistence attack.t1546.007 attack.s0108  ·
Share on: linkedin copy

Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.

Sigma rule (View on GitHub)

 1title: Potential Persistence Via Netsh Helper DLL
 2id: 56321594-9087-49d9-bf10-524fe8479452
 3related:
 4    - id: c90362e0-2df3-4e61-94fe-b37615814cb1
 5      type: similar
 6    - id: e7b18879-676e-4a0e-ae18-27039185a8e7
 7      type: similar
 8status: test
 9description: |
10        Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
11references:
12    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md
13    - https://github.com/outflanknl/NetshHelperBeacon
14    - https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
15author: Victor Sergeev, oscd.community
16date: 2019/10/25
17modified: 2023/11/28
18tags:
19    - attack.privilege_escalation
20    - attack.persistence
21    - attack.t1546.007
22    - attack.s0108
23logsource:
24    category: process_creation
25    product: windows
26detection:
27    selection_img:
28        - OriginalFileName: 'netsh.exe'
29        - Image|endswith: '\netsh.exe'
30    selection_cli:
31        CommandLine|contains|all:
32            - 'add'
33            - 'helper'
34    condition: all of selection_*
35falsepositives:
36    - Unknown
37level: medium

References

Related rules

to-top