Potential Persistence Via Netsh Helper DLL - Registry
Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
Sigma rule (View on GitHub)
1title: Potential Persistence Via Netsh Helper DLL - Registry
2id: c90362e0-2df3-4e61-94fe-b37615814cb1
3related:
4 - id: 56321594-9087-49d9-bf10-524fe8479452
5 type: similar
6 - id: e7b18879-676e-4a0e-ae18-27039185a8e7
7 type: similar
8status: test
9description: |
10 Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
11references:
12 - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
13 - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
14author: Anish Bogati
15date: 2023-11-28
16modified: 2025-10-08
17tags:
18 - attack.privilege-escalation
19 - attack.persistence
20 - attack.t1546.007
21logsource:
22 category: registry_set
23 product: windows
24detection:
25 selection:
26 TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
27 Details|contains: '.dll'
28 filter_main_poqexec:
29 Image: 'C:\Windows\System32\poqexec.exe'
30 Details:
31 - 'ipmontr.dll'
32 - 'iasmontr.dll'
33 - 'ippromon.dll'
34 condition: selection and not 1 of filter_main_*
35falsepositives:
36 - Legitimate helper added by different programs and the OS
37level: medium
References
-
-
Netsh is a Windows utility which can be used by administrators to perform tasks related to the network configuration of a system and perform modifications on the host based Windows firewall. Netsh …
Read More
Related rules
- New Netsh Helper DLL Registered From A Suspicious Location
- Potential Suspicious Activity Using SeCEdit
- Potential Persistence Via Netsh Helper DLL
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group