Potential Persistence Via Netsh Helper DLL
Detects the execution of netsh.exe with the "add helper" arguments, which registers a custom helper DLL. This technique can be abused to register a malicious helper DLL that acts as a persistence proxy: netsh loads every registered helper at startup, so the DLL runs each time netsh.exe is executed.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
    selection_img:
        - OriginalFileName: 'netsh.exe'
        - Image|endswith: '\netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'add'
            - 'helper'
    condition: all of selection_*

The list under selection_img is OR-ed (either the original file name or the image path identifies netsh, so a renamed copy still matches on OriginalFileName), while selection_cli requires both keywords, matched case-insensitively as Sigma does by default. Note that the keyword match is loose: any netsh command line containing both "add" and "helper" fires, for example a firewall rule whose name contains "helper".

False positive likelihood has not been assessed. Additional context may be needed during triage: check the DLL path on the command line and compare it with the helpers currently registered (`netsh show helper`, or the values under HKLM\SOFTWARE\Microsoft\NetSh); an administrator installing a vendor-supplied helper is a plausible benign cause.
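To make the matching semantics concrete, the following is an added example (not code from the rule page or the Sigma project) that re-implements the rule's selections in plain Python and runs them over a few constructed process-creation events. The events are invented for illustration and use the Sysmon-style field names the rule references; the firewall-rule line shows the loose keyword match described above.

```python
"""Added example: the detection logic of 'Potential Persistence Via Netsh
Helper DLL' re-implemented in Python and run over constructed events.
Not the Sigma project's code; the events below are fabricated samples."""

# Constructed sample events shaped like process_creation telemetry after
# Sigma field mapping (Image, OriginalFileName, CommandLine). Not real data.
SAMPLE_EVENTS = [
    {   # 0: true positive, helper DLL registered from a user-writable path
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "CommandLine": r"netsh.exe add helper C:\Users\Public\helper.dll",
    },
    {   # 1: renamed copy of netsh.exe; Image misses, OriginalFileName still hits
        "Image": r"C:\Users\Public\svchost.exe",
        "OriginalFileName": "netsh.exe",
        "CommandLine": r"svchost.exe ADD HELPER C:\Users\Public\helper.dll",
    },
    {   # 2: benign netsh usage, no 'add'/'helper' on the command line
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "CommandLine": "netsh interface show interface",
    },
    {   # 3: both keywords present, but the process is not netsh
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo add helper",
    },
    {   # 4: loose match, a firewall rule named "Helper" satisfies contains|all
        "Image": r"C:\Windows\System32\netsh.exe",
        "OriginalFileName": "netsh.exe",
        "CommandLine": 'netsh advfirewall firewall add rule name="Helper" dir=in action=allow',
    },
]


def _lower(value):
    """Sigma string matching is case-insensitive by default."""
    return (value or "").lower()


def selection_img(event):
    """A YAML list under a selection is OR-ed: either field may match."""
    return (_lower(event.get("OriginalFileName")) == "netsh.exe"
            or _lower(event.get("Image")).endswith("\\netsh.exe"))


def selection_cli(event):
    """CommandLine|contains|all: every keyword must appear somewhere."""
    cli = _lower(event.get("CommandLine"))
    return all(kw in cli for kw in ("add", "helper"))


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


def run_detection(events):
    """Return the indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches(ev)]


if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        print(f"ALERT event[{i}]: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0, 1 and 4 fire; event 4 is the benign firewall command, which is the kind of hit the triage step has to weed out by looking for an actual DLL path after "add helper".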
Potential Persistence Via Netsh Helper DLL - Registry
Detects changes to the Netsh registry key (HKLM\SOFTWARE\Microsoft\NetSh) that add a new DLL value. Such a change might be an indication of a persistence attempt by adding a malicious Netsh helper.
Covers the same persistence mechanism from the registry side: the two rules overlap when the helper is added through netsh.exe, while the registry rule also catches a helper value written directly to the key without running netsh.
New Netsh Helper DLL Registered From A Suspicious Location
Detects changes to the Netsh registry key that add a new DLL value pointing to a suspicious location (for example a user-writable directory). Such a change might be an indication of a persistence attempt by adding a malicious Netsh helper.
A narrower variant of the registry rule: it overlaps with this one when the DLL path on the netsh command line is itself suspicious, and it carries a stronger signal because of the path check.