Detect Netsh Helper DLL in Elastic Security
Adversaries may establish persistence by executing malicious content triggered by Netsh commands. Netsh.exe (also referred to as network shell) is a Windows command-line scripting utility that interacts with the network configuration of a system. Netsh contains functionality to add helper DLLs for extending functionality of the built-in tool. The paths to registered netsh helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\NetSh. Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a trusted process (netsh.exe) whenever netsh.exe is executed, which may also provide privilege escalation if netsh.exe runs elevated.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.007 Netsh Helper DLL
- Canonical reference
- https://attack.mitre.org/techniques/T1546/007/
Elastic Detection Query
any where (
(event.category == "registry" and registry.path : "*\\SOFTWARE\\Microsoft\\NetSh*" and event.type in ("creation", "change") and not registry.data.strings : ("C:\\Windows\\system32\\*", "C:\\Windows\\SysWOW64\\*")) or
(event.category == "process" and event.type == "start" and process.name : "netsh.exe")
)Detects Netsh Helper DLL persistence (T1546.007) by monitoring registry modifications to HKLM\SOFTWARE\Microsoft\NetSh that reference non-system DLL paths, and netsh.exe execution events. Non-system DLL registrations in the NetSh key indicate potential persistence via malicious helper DLL injection.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate network configuration tools (e.g., VPN clients, enterprise network management software) may register helper DLLs in non-standard paths during installation
- System administrators using netsh.exe for legitimate network configuration tasks will trigger the process execution alert
- Software installers that bundle netsh helper DLLs in application directories (e.g., C:\Program Files\) rather than System32 will generate registry alerts
Other platforms for T1546.007
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Register Malicious Helper DLL in NetSh Registry
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SOFTWARE\Microsoft\NetSh\ArgusTestHelper, Details=C:\Users\Public\argus_helper.dll. Security Event ID 4657 if registry auditing enabled. Process creation for reg.exe with add arguments.
- Test 2Register Helper via netsh Command
Expected signal: Process creation for netsh.exe with 'add helper' arguments. Sysmon Event ID 13 for the resulting registry modification to HKLM\SOFTWARE\Microsoft\NetSh. The netsh.exe itself making the registry change is a valid detection path.
- Test 3Create and Register Functional Helper DLL
Expected signal: Process creation for powershell.exe using Add-Type. File creation event for netsh_test_helper.dll in Public folder. Sysmon Event ID 13 for NetSh registry key modification. The DLL in a user-writable path (Public) registered in NetSh is the highest-confidence indicator.
References (4)
- https://attack.mitre.org/techniques/T1546/007/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts
Unlock Pro Content
Get the full detection package for T1546.007 including response playbook, investigation guide, and atomic red team tests.