← Back to Explore
sigmamediumHunting
Potential Persistence Via Netsh Helper DLL
Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
Detection Query
selection_img:
- OriginalFileName: netsh.exe
- Image|endswith: \netsh.exe
selection_cli:
CommandLine|contains|all:
- add
- helper
condition: all of selection_*
Author
Victor Sergeev, oscd.community
Created
2019-10-25
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md
- https://github.com/outflanknl/NetshHelperBeacon
- https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
Tags
attack.privilege-escalationattack.persistenceattack.t1546.007attack.s0108
Raw Content
title: Potential Persistence Via Netsh Helper DLL
id: 56321594-9087-49d9-bf10-524fe8479452
related:
- id: c90362e0-2df3-4e61-94fe-b37615814cb1
type: similar
- id: e7b18879-676e-4a0e-ae18-27039185a8e7
type: similar
status: test
description: |
Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md
- https://github.com/outflanknl/NetshHelperBeacon
- https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
author: Victor Sergeev, oscd.community
date: 2019-10-25
modified: 2023-11-28
tags:
- attack.privilege-escalation
- attack.persistence
- attack.t1546.007
- attack.s0108
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'netsh.exe'
- Image|endswith: '\netsh.exe'
selection_cli:
CommandLine|contains|all:
- 'add'
- 'helper'
condition: all of selection_*
falsepositives:
- Unknown
level: medium