From 6bcbd61fb836ceed5c8bdcc30773fb9ed5dbbd9a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 28 Nov 2023 16:24:00 +0100
Subject: [PATCH] Merge PR #4602 from @nasbench - Update Netsh DLL Helper Abuse Rules
update: Potential Persistence Via Netsh Helper DLL - Reduced severity and enhance metadata information
new: New Netsh Helper DLL Registered From A Suspicious Location
new: Potential Persistence Via Netsh Helper DLL - Registry
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 ...ation_win_netsh_helper_dll_persistence.yml | 28 ++++++-----
 ...tsh_help_dll_persistence_susp_location.yml | 48 +++++++++++++++++++
 ...netsh_helper_dll_potential_persistence.yml | 29 +++++++++++
 3 files changed, 93 insertions(+), 12 deletions(-)
 create mode 100644 rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
 create mode 100644 rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml b/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml
index fea18e759..a44246c34 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml
@@ -1,13 +1,20 @@
 title: Potential Persistence Via Netsh Helper DLL
 id: 56321594-9087-49d9-bf10-524fe8479452
+related:
+ - id: c90362e0-2df3-4e61-94fe-b37615814cb1
+ type: similar
+ - id: e7b18879-676e-4a0e-ae18-27039185a8e7
+ type: similar
 status: test
-description: Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
+description: |
+ Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md
- - https://attack.mitre.org/software/S0108/
+ - https://github.com/outflanknl/NetshHelperBeacon
+ - https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
 author: Victor Sergeev, oscd.community
 date: 2019/10/25
-modified: 2023/02/14
+modified: 2023/11/28
 tags:
 - attack.privilege_escalation
 - attack.persistence
@@ -17,17 +24,14 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- Image|endswith: '\netsh.exe'
+ selection_img:
+ - OriginalFileName: 'netsh.exe'
+ - Image|endswith: '\netsh.exe'
+ selection_cli:
 CommandLine|contains|all:
 - 'add'
 - 'helper'
- condition: selection
-fields:
- - ComputerName
- - User
- - CommandLine
- - ParentCommandLine
+ condition: all of selection_*
 falsepositives:
 - Unknown
-level: high
+level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml b/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
new file mode 100644
index 000000000..f6fa8daf7
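Review bot: `level` is lowered from `high` to `medium` at the end of the second hunk while `falsepositives` is left at `- Unknown`, so the rule no longer records what motivated its own downgrade. The likely source of noise is visible in the same selection: `CommandLine|contains|all` matches `'add'` and `'helper'` as independent substrings, so any netsh invocation carrying both tokens anywhere in its arguments satisfies `selection_cli`, not only the `add helper <dll>` form the description targets. Either document that case, e.g. `- Other netsh commands whose arguments contain both "add" and "helper" as unrelated tokens`, or tighten the match (`CommandLine|contains: 'add helper'`, or a whitespace-tolerant regex if the backend supports `|re`) so the previous level can be kept. The new `selection_img` OR of `OriginalFileName` and `Image` is a sound addition, as it still fires when the binary has been copied under another name.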
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml
@@ -0,0 +1,48 @@
+title: New Netsh Helper DLL Registered From A Suspicious Location
+id: e7b18879-676e-4a0e-ae18-27039185a8e7
+related:
+ - id: 56321594-9087-49d9-bf10-524fe8479452
+ type: similar
+ - id: c90362e0-2df3-4e61-94fe-b37615814cb1
+ type: similar
+status: experimental
+description: |
+ Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
+references:
+ - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
+ - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/11/28
+tags:
+ - attack.persistence
+ - attack.t1546.007
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection_target:
+ TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
+ selection_folders_1:
+ Details|contains:
+ - ':\Perflogs\'
+ - ':\Users\Public\'
+ - ':\Windows\Temp\'
+ - '\AppData\Local\Temp\'
+ - '\Temporary Internet'
+ selection_folders_2:
+ - Details|contains|all:
+ - ':\Users\'
+ - '\Favorites\'
+ - Details|contains|all:
+ - ':\Users\'
+ - '\Favourites\'
+ - Details|contains|all:
+ - ':\Users\'
+ - '\Contacts\'
+ - Details|contains|all:
+ - ':\Users\'
+ - '\Pictures\'
+ condition: selection_target and 1 of selection_folders_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
new file mode 100644
index 000000000..61c0586bc
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml
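Review bot: `TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'` in `selection_target` has no trailing backslash, so by plain substring semantics it also matches any sibling key whose name merely starts with `NetSh`, not only values written directly beneath the `NetSh` key; the same selector is used in registry_set_netsh_helper_dll_potential_persistence.yml. Since the description frames the rule around a DLL value being added to that key, `TargetObject|contains: '\SOFTWARE\Microsoft\NetSh\'` keeps the intended hits and excludes the sibling-key case, if key-specific matching is what is wanted. The description would also read better as `Detects changes to the Netsh registry key to add a new DLL value that is located in a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper.`, and the closing sentence is missing its period in the other new rule as well.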
@@ -0,0 +1,29 @@
+title: Potential Persistence Via Netsh Helper DLL - Registry
+id: c90362e0-2df3-4e61-94fe-b37615814cb1
+related:
+ - id: 56321594-9087-49d9-bf10-524fe8479452
+ type: similar
+ - id: e7b18879-676e-4a0e-ae18-27039185a8e7
+ type: similar
+status: experimental
+description: |
+ Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
+references:
+ - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
+ - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
+author: Anish Bogati
+date: 2023/11/28
+tags:
+ - attack.persistence
+ - attack.t1546.007
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
+ Details|contains: '.dll'
+ condition: selection
+falsepositives:
+ - Legitimate helper added by different programs and the OS
+level: medium
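Review bot: `falsepositives` already states that `Legitimate helper added by different programs and the OS` will trigger this rule, yet `detection` consists of the single `selection` with `condition: selection`, so every benign helper registration under the key is raised at `medium` with nothing in the rule to suppress it. Once the OS-shipped and vendor registrations seen in the environment have been baselined, consider carrying them in a `filter_main_*` selection on `Details` and switching to, for example, `condition: selection and not 1 of filter_main_*`, which keeps the broad coverage while giving deployers a documented place to tune. Until such a filter exists, a sentence in the description noting that a baseline of legitimate registrations is expected would help readers judge the alert volume at `status: experimental`.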