MaxPatrol SIEM

Detects cyber incidents that undermine a company's cyber resilience

T1546.007: Netsh Helper DLL

Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It supports helper DLLs that extend the utility's functionality. The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh.

Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution takes place any time netsh.exe is executed, which could happen automatically, through another persistence technique, or because other software present on the system (e.g., a VPN client) executes netsh.exe as part of its normal functionality.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_persistence: PT-CR-607: Persistence_Netsh_DLL: DLL registration using "netsh.exe" is detected

Detection

ID: DS0011
Data source and component: Module: Module Load
Description:

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

ID: DS0009
Data source and component: Process: Process Creation
Description:

It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior.

ID: DS0024
Data source and component: Windows Registry: Windows Registry Key Modification
Description:

Monitor the HKLM\SOFTWARE\Microsoft\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software.
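To illustrate the registry monitoring described above, here is an added Python example that is not part of the original page or of MaxPatrol SIEM: it runs a baseline check over constructed Sysmon-style Event ID 13 (RegistryEvent, SetValue) records and flags helper registrations under HKLM\SOFTWARE\Microsoft\Netsh whose value name is not in a known baseline or whose DLL path lies outside a trusted directory. The helper-name baseline, the trusted directory and the sample events are all assumptions for the example.

```python
NETSH_KEY = r"HKLM\SOFTWARE\Microsoft\Netsh"
# Constructed baseline of helper value names captured from a clean reference host
# (illustrative placeholders; build your own per OS build).
BASELINE_HELPERS = {"ifmon", "rasmontr", "authfwcfg", "nshhttp"}
# Where legitimate helper DLLs are expected to live (lower-cased prefix match).
TRUSTED_DIRS = ("c:\\windows\\system32\\",)

# Constructed Sysmon-style Event ID 13 (RegistryEvent, SetValue) records, one per
# line, rendered as "Field: value" pairs separated by " | ". Not real telemetry.
SAMPLE_EVENTS = [
    r"EventID: 13 | Image: C:\Windows\System32\svchost.exe | TargetObject: HKLM\SOFTWARE\Microsoft\Netsh\ifmon | Details: ifmon.dll",
    r"EventID: 13 | Image: C:\Users\alice\AppData\Local\Temp\setup.exe | TargetObject: HKLM\SOFTWARE\Microsoft\Netsh\nethelp | Details: C:\Users\Public\nethelp.dll",
    r"EventID: 13 | Image: C:\Windows\System32\netsh.exe | TargetObject: HKLM\SOFTWARE\Microsoft\Netsh\nshhttp | Details: C:\Windows\System32\nshhttp.dll",
    r"EventID: 13 | Image: C:\Windows\regedit.exe | TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x | Details: C:\Tools\x.exe",
]

def parse_event(line):
    """Split a 'Field: value | Field: value' line into a dict."""
    fields = {}
    for part in line.split(" | "):
        name, _, value = part.partition(": ")
        fields[name.strip()] = value.strip()
    return fields

def check_netsh_helper_event(ev):
    """Return an alert dict if the event registers a suspicious netsh helper, else None."""
    target = ev.get("TargetObject", "")
    prefix = NETSH_KEY + "\\"
    # Only value writes directly under the Netsh key register a helper.
    if ev.get("EventID") != "13" or not target.lower().startswith(prefix.lower()):
        return None
    helper = target[len(prefix):]
    if "\\" in helper:  # write to a sub-key, not a helper registration
        return None
    dll = ev.get("Details", "")
    reasons = []
    if helper.lower() not in BASELINE_HELPERS:
        reasons.append("unknown helper name")
    # A bare file name resolves via the DLL search path; a full path must sit in a
    # trusted directory.
    if "\\" in dll and not dll.lower().startswith(TRUSTED_DIRS):
        reasons.append("DLL outside trusted directory")
    if not reasons:
        return None
    return {"helper": helper, "dll": dll, "image": ev.get("Image", ""), "reasons": reasons}

def detect_netsh_helper_changes(lines):
    """Run the check over raw event lines and collect alerts for triage."""
    return [a for a in (check_netsh_helper_event(parse_event(l)) for l in lines) if a]
```

The writing process (Image) is carried in each alert so an analyst can see whether the registration came from an installer, netsh.exe itself, or an unexpected binary in a user-writable location.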

ID: DS0017
Data source and component: Command: Command Execution
Description:

Monitor executed commands and arguments that may establish persistence by executing malicious content triggered by Netsh Helper DLLs.