Detectionmediumtest

Potential Persistence Via Netsh Helper DLL - Registry

Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Anish BogatiCreated Tue Nov 28Updated Wed Oct 08c90362e0-2df3-4e61-94fe-b37615814cb1windows
Log Source
WindowsRegistry Set
ProductWindows← raw: windows
CategoryRegistry Set← raw: registry_set
Detection Logic
Detection Logic2 selectors
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
        Details|contains: '.dll'
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        Details:
            - 'ipmontr.dll'
            - 'iasmontr.dll'
            - 'ippromon.dll'
    condition: selection and not 1 of filter_main_*
False Positives

Legitimate helper added by different programs and the OS