Potential Persistence Via Netsh Helper DLL - Registry
Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
Sigma rule (View on GitHub)
1title: Potential Persistence Via Netsh Helper DLL - Registry
2id: c90362e0-2df3-4e61-94fe-b37615814cb1
3related:
4 - id: 56321594-9087-49d9-bf10-524fe8479452
5 type: similar
6 - id: e7b18879-676e-4a0e-ae18-27039185a8e7
7 type: similar
8status: test
9description: |
10 Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
11references:
12 - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
13 - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
14author: Anish Bogati
15date: 2023-11-28
16tags:
17 - attack.persistence
18 - attack.t1546.007
19logsource:
20 category: registry_set
21 product: windows
22detection:
23 selection:
24 TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
25 Details|contains: '.dll'
26 condition: selection
27falsepositives:
28 - Legitimate helper added by different programs and the OS
29level: medium
References
Related rules
- New Netsh Helper DLL Registered From A Suspicious Location
- Potential Persistence Via Netsh Helper DLL
- Potential Suspicious Activity Using SeCEdit
- Chromium Browser Instance Executed With Custom Extension
- Suspicious Chromium Browser Instance Executed With Custom Extension