New Netsh Helper DLL Registered From A Suspicious Location

Detects changes to the Netsh registry key (HKLM\SOFTWARE\Microsoft\NetSh) that add a new DLL value pointing to a suspicious location. netsh loads every helper DLL registered under this key when it starts, so a DLL dropped in a temporary or user-writable folder and registered here is a likely persistence attempt via a malicious Netsh helper (ATT&CK T1546.007).

Sigma rule

title: New Netsh Helper DLL Registered From A Suspicious Location
id: e7b18879-676e-4a0e-ae18-27039185a8e7
related:
    - id: 56321594-9087-49d9-bf10-524fe8479452
      type: similar
    - id: c90362e0-2df3-4e61-94fe-b37615814cb1
      type: similar
status: test
description: |
        Detects changes to the Netsh registry key that add a new DLL value located in a suspicious location. This change might be an indication of a persistence attempt by adding a malicious Netsh helper.
references:
    - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
    - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.007
logsource:
    category: registry_set
    product: windows
detection:
    selection_target:
        TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
    selection_folders_1:
        Details|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\Temporary Internet'
    selection_folders_2:
        - Details|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Details|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_target and 1 of selection_folders_*
falsepositives:
    - Unknown
level: high
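To see exactly which events the rule fires on, the following is an added example (not part of the rule or the SigmaHQ project) that re-implements the detection logic in Python and runs it over a handful of constructed Sysmon Event ID 13 (registry value set) records. The substrings are copied from the rule's detection section; the registry value names, DLL paths and user names in the sample events are made up for illustration. It follows Sigma semantics for `contains` (case-insensitive substring) and for `contains|all` inside a list (each list item is an AND group, the items are OR'd together).

```python
"""Evaluate the Netsh helper DLL Sigma rule against constructed registry_set events."""
from typing import Dict, List

# selection_target: substring that must appear in TargetObject (copied from the rule)
TARGET_SUBSTRING = "\\SOFTWARE\\Microsoft\\NetSh"

# selection_folders_1: any one of these substrings in Details (copied from the rule)
SUSPICIOUS_FOLDERS = [
    ":\\Perflogs\\",
    ":\\Users\\Public\\",
    ":\\Windows\\Temp\\",
    "\\AppData\\Local\\Temp\\",
    "\\Temporary Internet",
]

# selection_folders_2: ':\Users\' AND one of these per-user subfolders (copied from the rule)
USER_ROOT = ":\\Users\\"
USER_SUBFOLDERS = ["\\Favorites\\", "\\Favourites\\", "\\Contacts\\", "\\Pictures\\"]


def contains(value: str, needle: str) -> bool:
    """Sigma's `contains` modifier: substring match, case-insensitive by default."""
    return needle.lower() in value.lower()


def matches(event: Dict[str, str]) -> bool:
    """condition: selection_target and 1 of selection_folders_*"""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")  # for a REG_SZ value, Sysmon puts the value data here
    if not contains(target, TARGET_SUBSTRING):
        return False
    folders_1 = any(contains(details, f) for f in SUSPICIOUS_FOLDERS)
    folders_2 = contains(details, USER_ROOT) and any(
        contains(details, sub) for sub in USER_SUBFOLDERS
    )
    return folders_1 or folders_2


def run_rule(events: List[Dict[str, str]]) -> List[int]:
    """Return the ids of all events that trigger the rule, in input order."""
    return [e["id"] for e in events if matches(e)]


# Constructed Sysmon Event ID 13 records (category registry_set), reduced to the
# fields the rule reads. Value names, paths and the user name are invented.
SAMPLE_EVENTS = [
    # 1: helper registered from Users\Public -> selection_folders_1
    {"id": 1, "EventType": "SetValue",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\NetSh\\evil.dll",
     "Details": "C:\\Users\\Public\\evil.dll"},
    # 2: helper hidden in a user's Favourites folder -> selection_folders_2
    {"id": 2, "EventType": "SetValue",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\NetSh\\upd.dll",
     "Details": "C:\\Users\\alice\\Favourites\\upd.dll"},
    # 3: helper under System32 -> not in any listed folder, no alert
    {"id": 3, "EventType": "SetValue",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\NetSh\\ifmon",
     "Details": "C:\\Windows\\System32\\ifmon.dll"},
    # 4: suspicious path but a different registry key -> selection_target fails
    {"id": 4, "EventType": "SetValue",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\x",
     "Details": "C:\\Users\\Public\\x.exe"},
    # 5: helper in ProgramData -> writable location the rule's list does not cover
    {"id": 5, "EventType": "SetValue",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\NetSh\\helper.dll",
     "Details": "C:\\ProgramData\\helper.dll"},
    # 6: lower-case path in Windows\Temp -> still matches, contains is case-insensitive
    {"id": 6, "EventType": "SetValue",
     "TargetObject": "hklm\\software\\microsoft\\netsh\\helper.dll",
     "Details": "c:\\windows\\temp\\helper.dll"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT " if matches(event) else "ignore"
        print(f"{verdict} {event['id']}: {event['TargetObject']} = {event['Details']}")
```

Event 5 is the one to keep in mind when tuning: the rule only alerts on the listed folders, so a helper registered from another user-writable directory (ProgramData in this constructed case) passes silently. Pairing this rule with its related rules, or with a process-creation search for `netsh.exe` with an `add helper` command line, narrows that gap without loosening the path list.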
