Potential Persistence Via Netsh Helper DLL - Registry
Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
detection:
selection:
TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
Details|contains: '.dll'
filter_main_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
Details:
- 'ipmontr.dll'
- 'iasmontr.dll'
- 'ippromon.dll'
condition: selection and not 1 of filter_main_*Legitimate helper added by different programs and the OS
Sub-techniques
Potential Persistence Via Netsh Helper DLL
Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
Detects similar activity. Both rules may fire on overlapping events.
New Netsh Helper DLL Registered From A Suspicious Location
Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
Detects similar activity. Both rules may fire on overlapping events.