From 1043e9c5fe577b54f0be633cea1c94e023f486cc Mon Sep 17 00:00:00 2001 From: rabbitstack Date: Tue, 1 Apr 2025 19:30:54 +0200 Subject: [PATCH] feat(rules): New Suspicious Netsh Helper DLL execution rule Identifies the execution of a suspicious Netsh Helper DLL. Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe is a command-line scripting utility used to interact with the network configuration of a system. It supports the addition of custom DLLs to extend its functionality that attackers can weaponize.
---
..._suspicious_netsh_helper_dll_execution.yml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 rules/persistence_suspicious_netsh_helper_dll_execution.yml
diff --git a/rules/persistence_suspicious_netsh_helper_dll_execution.yml b/rules/persistence_suspicious_netsh_helper_dll_execution.yml
new file mode 100644
index 000000000..c61f1b686
--- /dev/null
+++ b/rules/persistence_suspicious_netsh_helper_dll_execution.yml
@@ -0,0 +1,35 @@
+name: Suspicious Netsh Helper DLL execution
+id: bd17781d-38ca-4b9a-a12a-f807a1eb45e0
+version: 1.0.0
+description: |
+ Identifies the execution of a suspicious Netsh Helper DLL. Adversaries may establish persistence
+ by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe is a command-line scripting
+ utility used to interact with the network configuration of a system. It supports the addition of
+ custom DLLs to extend its functionality that attackers can weaponize.
+labels:
+ tactic.id: TA0003
+ tactic.name: Persistence
+ tactic.ref: https://attack.mitre.org/tactics/TA0003/
+ technique.id: T1546
+ technique.name: Event Triggered Execution
+ technique.ref: https://attack.mitre.org/techniques/T1546/
+ subtechnique.id: T1546.007
+ subtechnique.name: Netsh Helper DLL
+ subtechnique.ref: https://attack.mitre.org/techniques/T1546/007/
+references:
+ - https://github.com/outflanknl/NetshHelperBeacon
+ - https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll
+
+condition: >
+ sequence
+ maxspan 1m
+ |spawn_process and (ps.child.name ~= 'netsh.exe' or ps.child.pe.file.name ~= 'netsh.exe')| by ps.child.uuid
+ |create_thread and foreach(thread._callstack, $frame, $frame.symbol imatches '*!InitHelperDll'
+ and ($frame.module.signature.is_signed = false or $frame.module.signature.is_trusted = false))
+ | by ps.uuid
+
+output: >
+ Suspicious Netsh Helper DLL %2.thread.start_address.module executed
+severity: high
+
+min-engine-version: 2.4.0
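Review bot: The `output` line names `%2.thread.start_address.module`, but the second stage matches on a callstack frame (`$frame.symbol imatches '*!InitHelperDll'` whose `$frame.module` is unsigned or untrusted), and the created thread's start address does not have to lie in that helper module, so the alert can point an analyst at the wrong DLL. Consider reporting the matched call stack instead, e.g. `Suspicious Netsh Helper DLL executed in netsh.exe, call stack modules: %2.thread.callstack.modules` if the engine exposes that field, or at minimum state in `description` that the reported module is the thread start address rather than the helper that was loaded. The description should also say that the rule is anchored on `create_thread`, i.e. it covers helpers that spawn a thread while `InitHelperDll` is on the stack, so readers know the detection's scope and can pair it with a load-based rule where one exists. Hedged: the stage-two join `by ps.uuid` against stage one's `by ps.child.uuid` looks correct for a spawn-then-thread sequence, but it is worth a comment in the rule since the two keys differ on purpose.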