← Back to SOC feed Coverage →

New Netsh Helper DLL Registered From A Suspicious Location

sigma HIGH SigmaHQ
T1546.007
imRegistry
persistence
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-27T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious N

Detection Rule

Sigma (Original)

title: New Netsh Helper DLL Registered From A Suspicious Location
id: e7b18879-676e-4a0e-ae18-27039185a8e7
related:
    - id: 56321594-9087-49d9-bf10-524fe8479452
      type: similar
    - id: c90362e0-2df3-4e61-94fe-b37615814cb1
      type: similar
status: test
description: |
    Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
references:
    - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
    - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.007
logsource:
    category: registry_set
    product: windows
detection:
    selection_target:
        TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
    selection_folders_1:
        Details|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\Temporary Internet'
    selection_folders_2:
        - Details|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Details|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_target and 1 of selection_folders_*
falsepositives:
    - Unknown
level: high

KQL (Azure Sentinel)

imRegistry
| where RegistryKey contains "\\SOFTWARE\\Microsoft\\NetSh" and ((RegistryValueData contains ":\\Perflogs\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Temporary Internet") or ((RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favorites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favourites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Contacts\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Pictures\\")))

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where RegistryKey contains "\\SOFTWARE\\Microsoft\\NetSh" and ((RegistryValueData contains ":\\Perflogs\\" or RegistryValueData contains ":\\Users\\Public\\" or RegistryValueData contains ":\\Windows\\Temp\\" or RegistryValueData contains "\\AppData\\Local\\Temp\\" or RegistryValueData contains "\\Temporary Internet") or ((RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favorites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Favourites\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Contacts\\") or (RegistryValueData contains ":\\Users\\" and RegistryValueData contains "\\Pictures\\")))

Required Data Sources

Sentinel TableNotes
imRegistryEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml