title: New Netsh Helper DLL Registered From A Suspicious Location
id: e7b18879-676e-4a0e-ae18-27039185a8e7
related:
    - id: 56321594-9087-49d9-bf10-524fe8479452
      type: similar
    - id: c90362e0-2df3-4e61-94fe-b37615814cb1
      type: similar
status: test
description: |
    Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
references:
    - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
    - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-11-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.007
logsource:
    category: registry_set
    product: windows
detection:
    selection_target:
        TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
    selection_folders_1:
        Details|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - ':\Windows\Temp\'
            - '\AppData\Local\Temp\'
            - '\Temporary Internet'
    selection_folders_2:
        - Details|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Details|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Details|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_target and 1 of selection_folders_*
falsepositives:
    - Unknown
level: high

title: Potential Persistence Via Netsh Helper DLL
id: 56321594-9087-49d9-bf10-524fe8479452
related:
    - id: c90362e0-2df3-4e61-94fe-b37615814cb1
      type: similar
    - id: e7b18879-676e-4a0e-ae18-27039185a8e7
      type: similar
status: test
description: |
    Detects the execution of netsh with "add helper" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md
    - https://github.com/outflanknl/NetshHelperBeacon
    - https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/
author: Victor Sergeev, oscd.community
date: 2019-10-25
modified: 2023-11-28
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.007
    - attack.s0108
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'netsh.exe'
        - Image|endswith: '\netsh.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'add'
            - 'helper'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium

title: Potential Persistence Via Netsh Helper DLL - Registry
id: c90362e0-2df3-4e61-94fe-b37615814cb1
related:
    - id: 56321594-9087-49d9-bf10-524fe8479452
      type: similar
    - id: e7b18879-676e-4a0e-ae18-27039185a8e7
      type: similar
status: test
description: |
    Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper
references:
    - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
    - https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/
author: Anish Bogati
date: 2023-11-28
modified: 2025-10-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.007
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\SOFTWARE\Microsoft\NetSh'
        Details|contains: '.dll'
    filter_main_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        Details:
            - 'ipmontr.dll'
            - 'iasmontr.dll'
            - 'ippromon.dll'
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Legitimate helper added by different programs and the OS
level: medium

title: Potential Suspicious Activity Using SeCEdit
id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
status: test
description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
references:
    - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
author: Janantha Marasinghe
date: 2022-11-18
modified: 2022-12-30
tags:
    - attack.collection
    - attack.discovery
    - attack.persistence
    - attack.credential-access
    - attack.privilege-escalation
    - attack.execution
    - attack.stealth
    - attack.defense-impairment
    - attack.t1685.001
    - attack.t1547.001
    - attack.t1505.005
    - attack.t1556.002
    - attack.t1685
    - attack.t1574.007
    - attack.t1564.002
    - attack.t1546.008
    - attack.t1546.007
    - attack.t1547.014
    - attack.t1547.010
    - attack.t1547.002
    - attack.t1557
    - attack.t1082
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\secedit.exe'
        - OriginalFileName: 'SeCEdit'
    selection_flags_discovery:
        CommandLine|contains|all:
            - '/export'
            - '/cfg'
    selection_flags_configure:
        CommandLine|contains|all:
            - '/configure'
            - '/db'
    # filter:
    #     SubjectUserName|endswith: '$'  SubjectUserName is from event ID 4719 in the Windows Security log
    condition: selection_img and (1 of selection_flags_*)
falsepositives:
    - Legitimate administrative use
level: medium