New Netsh Helper DLL Registered From A Suspicious Location
Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
Sigma rule (View on GitHub)
1title: New Netsh Helper DLL Registered From A Suspicious Location
2id: e7b18879-676e-4a0e-ae18-27039185a8e7
3related:
4 - id: 56321594-9087-49d9-bf10-524fe8479452
5 type: similar
6 - id: c90362e0-2df3-4e61-94fe-b37615814cb1
7 type: similar
8status: test
9description: |
10 Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
11references:
12 - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
13 - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2023-11-28
16tags:
17 - attack.persistence
18 - attack.t1546.007
19logsource:
20 category: registry_set
21 product: windows
22detection:
23 selection_target:
24 TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
25 selection_folders_1:
26 Details|contains:
27 - ':\Perflogs\'
28 - ':\Users\Public\'
29 - ':\Windows\Temp\'
30 - '\AppData\Local\Temp\'
31 - '\Temporary Internet'
32 selection_folders_2:
33 - Details|contains|all:
34 - ':\Users\'
35 - '\Favorites\'
36 - Details|contains|all:
37 - ':\Users\'
38 - '\Favourites\'
39 - Details|contains|all:
40 - ':\Users\'
41 - '\Contacts\'
42 - Details|contains|all:
43 - ':\Users\'
44 - '\Pictures\'
45 condition: selection_target and 1 of selection_folders_*
46falsepositives:
47 - Unknown
48level: high
References
Related rules
- Potential Persistence Via Netsh Helper DLL - Registry
- Potential Persistence Via Netsh Helper DLL
- Potential Suspicious Activity Using SeCEdit
- Chromium Browser Instance Executed With Custom Extension
- Suspicious Chromium Browser Instance Executed With Custom Extension