Commit 1043e9c

feat(rules): New Suspicious Netsh Helper DLL execution rule
Identifies the execution of a suspicious Netsh Helper DLL. Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe is a command-line scripting utility used to interact with the network configuration of a system. It supports the addition of custom DLLs to extend its functionality that attackers can weaponize.
1 parent a367399 commit 1043e9c

1 file changed

+35
-0
lines changed

Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
name: Suspicious Netsh Helper DLL execution
2+
id: bd17781d-38ca-4b9a-a12a-f807a1eb45e0
3+
version: 1.0.0
4+
description: |
5+
Identifies the execution of a suspicious Netsh Helper DLL. Adversaries may establish persistence
6+
by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe is a command-line scripting
7+
utility used to interact with the network configuration of a system. It supports the addition of
8+
custom DLLs to extend its functionality that attackers can weaponize.
9+
labels:
10+
tactic.id: TA0003
11+
tactic.name: Persistence
12+
tactic.ref: https://attack.mitre.org/tactics/TA0003/
13+
technique.id: T1546
14+
technique.name: Event Triggered Execution
15+
technique.ref: https://attack.mitre.org/techniques/T1546/
16+
subtechnique.id: T1546.007
17+
subtechnique.name: Netsh Helper DLL
18+
subtechnique.ref: https://attack.mitre.org/techniques/T1546/007/
19+
references:
20+
- https://github.com/outflanknl/NetshHelperBeacon
21+
- https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
22+
23+
condition: >
24+
sequence
25+
maxspan 1m
26+
|spawn_process and (ps.child.name ~= 'netsh.exe' or ps.child.pe.file.name ~= 'netsh.exe')| by ps.child.uuid
27+
|create_thread and foreach(thread._callstack, $frame, $frame.symbol imatches '*!InitHelperDll'
28+
and ($frame.module.signature.is_signed = false or $frame.module.signature.is_trusted = false))
29+
| by ps.uuid
30+
31+
output: >
32+
Suspicious Netsh Helper DLL %2.thread.start_address.module executed
33+
severity: high
34+
35+
min-engine-version: 2.4.0
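Review bot: The output template and the condition do not point at the same module. The condition (lines 27-28) fires on a callstack frame whose symbol matches `*!InitHelperDll` and whose module is unsigned or untrusted, but the output (line 32) reports `%2.thread.start_address.module`, which is the module at the new thread's start address and is not guaranteed to be the helper DLL that owned the matching frame. If the template language can reference the frame bound in `foreach`, emit that frame's module instead; otherwise document in `description` that the reported module may differ from the one that triggered the match, so analysts do not treat a benign start-address module as the finding. Minor style point: the empty `22+`, `30+` and `34+` lines add trailing whitespace between top-level keys and can be dropped.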
