Netsh Helper DLL

let NetshDllRegistration = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "SOFTWARE\\Microsoft\\NetSh"
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| extend NewDllPath = RegistryValueData
| extend IsSystemDll = RegistryValueData has_any (
    "C:\\Windows\\system32\\",
    "C:\\Windows\\SysWOW64\\"
  )
| where not IsSystemDll
| project RegistryTime=Timestamp, DeviceName, AccountName, RegistryKey,
         RegistryValueName, NewDllPath, IsSystemDll,
         InitiatingProcessFileName, InitiatingProcessCommandLine;
let NetshExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "netsh.exe"
| project NetshTime=Timestamp, DeviceName, AccountName, ProcessCommandLine,
         InitiatingProcessFileName;
NetshDllRegistration
| union (NetshExecution | extend RegistryTime=NetshTime, NewDllPath="", IsSystemDll=false,
         RegistryKey="netsh_execution", RegistryValueName="", RegistryValueData="")
| sort by RegistryTime desc

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval IsNetshReg=case(
    (EventCode=12 OR EventCode=13) AND match(TargetObject, "SOFTWARE\\\\Microsoft\\\\NetSh"), 1,
    1=1, 0
  )
| eval IsNetshExec=case(
    EventCode=1 AND match(Image, "netsh\.exe"), 1,
    EventCode=4688 AND match(NewProcessName, "netsh\.exe"), 1,
    1=1, 0
  )
| eval IsSuspiciousDll=if(
    IsNetshReg=1 AND NOT match(Details, "(?i)(windows\\\\system32|syswow64)"), 1, 0
  )
| where IsNetshReg=1 OR IsNetshExec=1
| eval DetectionType=case(
    IsSuspiciousDll=1, "NETSH_SUSPICIOUS_DLL_REGISTERED",
    IsNetshReg=1, "NETSH_DLL_REGISTERED",
    IsNetshExec=1, "NETSH_EXECUTED",
    1=1, "UNKNOWN"
  )
| table _time, host, User, EventCode, DetectionType, TargetObject, Details, Image, CommandLine
| sort - _time

any where (
  (event.category == "registry" and registry.path : "*\\SOFTWARE\\Microsoft\\NetSh*" and event.type in ("creation", "change") and not registry.data.strings : ("C:\\Windows\\system32\\*", "C:\\Windows\\SysWOW64\\*")) or
  (event.category == "process" and event.type == "start" and process.name : "netsh.exe")
)

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "TargetObject",
  "Details",
  "Image",
  "CommandLine",
  UTF8(payload) AS raw_payload
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (67, 352)
  AND (
    (
      eventid IN (12, 13, 14)
      AND "TargetObject" ILIKE '%SOFTWARE\\Microsoft\\NetSh%'
      AND "Details" NOT ILIKE '%windows\\system32%'
      AND "Details" NOT ILIKE '%syswow64%'
    )
    OR (
      eventid = 1
      AND "Image" ILIKE '%netsh.exe'
    )
    OR (
      eventid = 4688
      AND "NewProcessName" ILIKE '%netsh.exe'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

(_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security")
| where !
isnull(EventID)
| where (EventID in ("12", "13", "14") and TargetObject matches "*SOFTWARE\\Microsoft\\NetSh*")
    or (EventID = "1" and Image matches "*netsh.exe")
    or (EventID = "4688" and NewProcessName matches "*netsh.exe")
| eval IsSuspiciousDll = if(
    EventID in ("12", "13", "14")
    and !(Details matches "(?i).*windows\\\\system32.*" or Details matches "(?i).*syswow64.*"),
    "true",
    "false"
  )
| eval DetectionType = if(IsSuspiciousDll = "true", "NETSH_SUSPICIOUS_DLL_REGISTERED",
    if(EventID in ("12", "13", "14"), "NETSH_DLL_REGISTERED",
    if(EventID in ("1", "4688"), "NETSH_EXECUTED", "UNKNOWN")))
| fields _messagetime, Computer, User, EventID, DetectionType, TargetObject, Details, Image, CommandLine
| sort by _messagetime desc

rule netsh_helper_dll_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Netsh Helper DLL persistence (T1546.007) via registry modifications to HKLM\\SOFTWARE\\Microsoft\\NetSh with non-system DLL paths, or netsh.exe execution"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1546.007"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    (
      // Sysmon registry events for NetSh key modifications with suspicious DLL paths
      ($e.metadata.event_type = "REGISTRY_MODIFICATION"
        and $e.target.registry.registry_key re `(?i).*SOFTWARE\\Microsoft\\NetSh.*`
        and not $e.target.registry.registry_value_data re `(?i).*windows\\system32.*`
        and not $e.target.registry.registry_value_data re `(?i).*syswow64.*`
      )
      or
      // netsh.exe process creation events
      ($e.metadata.event_type = "PROCESS_LAUNCH"
        and $e.target.process.file.full_path re `(?i).*\\netsh\.exe`
      )
    )
    and $e.principal.hostname = $hostname

  condition:
    $e
}

// Detect suspicious NetSh registry key modifications (non-system DLL)
#repo=base_sensor
(
  (#event_simpleName=RegSetValue OR #event_simpleName=RegCreateKey)
  | TargetObject = /SOFTWARE\\Microsoft\\NetSh/i
  | RegStringValue != /(?i)(windows\\system32|syswow64)/
  | DetectionType := "NETSH_SUSPICIOUS_DLL_REGISTERED"
)
OR
(
  #event_simpleName=ProcessRollup2
  | ImageFileName = /\\netsh\.exe$/i
  | DetectionType := "NETSH_EXECUTED"
)
| groupBy(
    [ComputerName, UserName, DetectionType, TargetObject, RegStringValue, ImageFileName, CommandLine],
    function=[
      count(aid, as=EventCount),
      min(@timestamp, as=FirstSeen),
      max(@timestamp, as=LastSeen)
    ]
  )
| sort(LastSeen, order=desc)