Detectionmediumtest

Potential Persistence Via Netsh Helper DLL

Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Victor Sergeev, oscd.communityCreated Fri Oct 25Updated Tue Nov 2856321594-9087-49d9-bf10-524fe8479452windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - OriginalFileName: 'netsh.exe'
        - Image|endswith: '\netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'add'
            - 'helper'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.