sigma-rules/rules/windows/persistence_netsh_helper_dll.toml

[metadata]
creation_date = "2023/08/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies the addition of a Netsh Helper DLL, netsh.exe supports the addition of these DLLs to extend its
functionality. Attackers may abuse this mechanism to execute malicious payloads every time the utility is executed,
which can be done by administrators or a scheduled task.
"""
from = "now-9m"
index = ["logs-endpoint.events.registry-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Netsh Helper DLL"
risk_score = 21
rule_id = "b0638186-4f12-48ac-83d2-47e686d08e82"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Persistence",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
  registry.path : (
    "HKLM\\Software\\Microsoft\\netsh\\*",
    "\\REGISTRY\\MACHINE\\Software\\Microsoft\\netsh\\*"
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1546"
name = "Event Triggered Execution"
reference = "https://attack.mitre.org/techniques/T1546/"
[[rule.threat.technique.subtechnique]]
id = "T1546.007"
name = "Netsh Helper DLL"
reference = "https://attack.mitre.org/techniques/T1546/007/"



[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1112"
name = "Modify Registry"
reference = "https://attack.mitre.org/techniques/T1112/"


[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"