Potential Persistence Via Netsh Helper DLL - Registry
Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
Sigma rule (View on GitHub)
1title: Potential Persistence Via Netsh Helper DLL - Registry
2id: c90362e0-2df3-4e61-94fe-b37615814cb1
3related:
4 - id: 56321594-9087-49d9-bf10-524fe8479452
5 type: similar
6 - id: e7b18879-676e-4a0e-ae18-27039185a8e7
7 type: similar
8status: test
9description: |
10 Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
11references:
12 - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
13 - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
14author: Anish Bogati
15date: 2023-11-28
16modified: 2025-10-08
17tags:
18 - attack.persistence
19 - attack.t1546.007
20logsource:
21 category: registry_set
22 product: windows
23detection:
24 selection:
25 TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
26 Details|contains: '.dll'
27 filter_main_poqexec:
28 Image: 'C:\Windows\System32\poqexec.exe'
29 Details:
30 - 'ipmontr.dll'
31 - 'iasmontr.dll'
32 - 'ippromon.dll'
33 condition: selection and not 1 of filter_main_*
34falsepositives:
35 - Legitimate helper added by different programs and the OS
36level: medium
References
-
-
Netsh is a Windows utility which can be used by administrators to perform tasks related to the network configuration of a system and perform modifications on the host based Windows firewall. Netsh …
Read More
Related rules
- New Netsh Helper DLL Registered From A Suspicious Location
- Potential Persistence Via Netsh Helper DLL
- Potential Suspicious Activity Using SeCEdit
- CurrentVersion Autorun Keys Modification
- CurrentVersion NT Autorun Keys Modification