New Netsh Helper DLL Registered From A Suspicious Location

 1title: New Netsh Helper DLL Registered From A Suspicious Location
 2id: e7b18879-676e-4a0e-ae18-27039185a8e7
 3related:
 4    - id: 56321594-9087-49d9-bf10-524fe8479452
 5      type: similar
 6    - id: c90362e0-2df3-4e61-94fe-b37615814cb1
 7      type: similar
 8status: test
 9description: |
10        Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
11references:
12    - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
13    - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2023-11-28
16tags:
17    - attack.persistence
18    - attack.t1546.007
19logsource:
20    category: registry_set
21    product: windows
22detection:
23    selection_target:
24        TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
25    selection_folders_1:
26        Details|contains:
27            - ':\Perflogs\'
28            - ':\Users\Public\'
29            - ':\Windows\Temp\'
30            - '\AppData\Local\Temp\'
31            - '\Temporary Internet'
32    selection_folders_2:
33        - Details|contains|all:
34              - ':\Users\'
35              - '\Favorites\'
36        - Details|contains|all:
37              - ':\Users\'
38              - '\Favourites\'
39        - Details|contains|all:
40              - ':\Users\'
41              - '\Contacts\'
42        - Details|contains|all:
43              - ':\Users\'
44              - '\Pictures\'
45    condition: selection_target and 1 of selection_folders_*
46falsepositives:
47    - Unknown
48level: high