Detect Netsh Helper DLL in IBM QRadar
Adversaries may establish persistence by executing malicious content triggered by Netsh commands. Netsh.exe (also referred to as network shell) is a Windows command-line scripting utility that interacts with the network configuration of a system. Netsh contains functionality to add helper DLLs for extending functionality of the built-in tool. The paths to registered netsh helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\NetSh. Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a trusted process (netsh.exe) whenever netsh.exe is executed, which may also provide privilege escalation if netsh.exe runs elevated.
MITRE ATT&CK
- Tactic
- Privilege Escalation Persistence
- Technique
- T1546 Event Triggered Execution
- Sub-technique
- T1546.007 Netsh Helper DLL
- Canonical reference
- https://attack.mitre.org/techniques/T1546/007/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
username,
sourceip,
QIDNAME(qid) AS event_name,
"TargetObject",
"Details",
"Image",
"CommandLine",
UTF8(payload) AS raw_payload
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) IN (67, 352)
AND (
(
eventid IN (12, 13, 14)
AND "TargetObject" ILIKE '%SOFTWARE\\Microsoft\\NetSh%'
AND "Details" NOT ILIKE '%windows\\system32%'
AND "Details" NOT ILIKE '%syswow64%'
)
OR (
eventid = 1
AND "Image" ILIKE '%netsh.exe'
)
OR (
eventid = 4688
AND "NewProcessName" ILIKE '%netsh.exe'
)
)
ORDER BY starttime DESC
LAST 24 HOURSDetects Netsh Helper DLL persistence (T1546.007) by querying QRadar for Sysmon registry events (EventID 12/13/14) targeting the NetSh registry key with non-system DLL paths, and process creation events (Sysmon EID 1, Security EID 4688) for netsh.exe execution.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate network management software (e.g., Cisco AnyConnect, Palo Alto GlobalProtect) may register helper DLLs outside of System32 during installation or updates
- Custom enterprise network tools developed internally may place helper DLLs in application-specific directories, triggering this detection
- Network troubleshooting scripts run by IT staff that invoke netsh.exe with custom parameters will generate process execution alerts
Other platforms for T1546.007
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Register Malicious Helper DLL in NetSh Registry
Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject=HKLM\SOFTWARE\Microsoft\NetSh\ArgusTestHelper, Details=C:\Users\Public\argus_helper.dll. Security Event ID 4657 if registry auditing enabled. Process creation for reg.exe with add arguments.
- Test 2Register Helper via netsh Command
Expected signal: Process creation for netsh.exe with 'add helper' arguments. Sysmon Event ID 13 for the resulting registry modification to HKLM\SOFTWARE\Microsoft\NetSh. The netsh.exe itself making the registry change is a valid detection path.
- Test 3Create and Register Functional Helper DLL
Expected signal: Process creation for powershell.exe using Add-Type. File creation event for netsh_test_helper.dll in Public folder. Sysmon Event ID 13 for NetSh registry key modification. The DLL in a user-writable path (Public) registered in NetSh is the highest-confidence indicator.
References (4)
- https://attack.mitre.org/techniques/T1546/007/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- https://docs.microsoft.com/en-us/windows-server/networking/technologies/netsh/netsh-contexts
Unlock Pro Content
Get the full detection package for T1546.007 including response playbook, investigation guide, and atomic red team tests.