Threat Feed
Advisory severity: low

Netsh Helper DLL Persistence

Attackers may abuse the Netsh Helper DLL mechanism by registering a malicious DLL that netsh loads and executes every time an administrator or a scheduled task runs the utility, giving them persistence.

The netsh.exe utility in Windows supports Helper DLLs that extend its command set. Helpers are registered as values under HKLM\Software\Microsoft\netsh\, and every registered DLL is loaded when netsh.exe starts. An attacker who already holds local administrator rights (needed to write under HKLM) can register a malicious DLL there, either by writing the registry value directly or with the built-in command netsh add helper <path-to-dll>. The next time netsh.exe runs, it loads the DLL and calls its exported InitHelperDll entry point, so the attacker's code executes with the privileges of whatever user or process invoked netsh.exe. Because netsh is routinely run by administrators and by scheduled tasks, this is a stealthy persistence technique that frequently yields elevated execution as well.

Attack Chain

  1. Attacker gains initial access to the target system through unspecified means.
  2. Attacker creates a malicious DLL to be used as a Netsh Helper DLL.
  3. Attacker, holding local administrator rights, registers the DLL as a Netsh Helper under HKLM\Software\Microsoft\netsh\, either by writing the registry value directly or with netsh add helper <path-to-dll>.
  4. A system administrator or a scheduled task executes netsh.exe.
  5. netsh.exe loads every registered helper and calls the malicious DLL's exported InitHelperDll function, granting the attacker code execution in the security context of that user or task.
  6. The malicious DLL performs its intended actions, such as establishing a reverse shell or deploying additional malware.
  7. The attacker maintains persistence on the system through the malicious Netsh Helper DLL.

Impact

Successful exploitation gives the attacker persistent, recurring code execution on the compromised system in the security context of whoever runs netsh; when that is an administrator or a scheduled task, the foothold is a privileged one. This can lead to data theft, further system compromise and follow-on malicious activity. While the risk score is low, the persistence mechanism can let an attacker maintain a foothold for extended periods, increasing the potential for significant damage.

Recommendation

  • Monitor registry modifications under the HKLM\Software\Microsoft\netsh\ path for suspicious DLL additions using the “Netsh Helper DLL Registry Modification” Sigma rule.
  • Enable Sysmon registry event logging to collect the necessary data for the Sigma rule.
  • Investigate any alerts generated by the Sigma rule by reviewing the registered DLL's path, digital signature and timestamps, the process that wrote the registry value, and any subsequent netsh.exe executions that loaded it.

Detection coverage (2 rules)

Netsh Helper DLL Registry Modification (severity: medium)

Detects the modification of the registry to add a Netsh Helper DLL, which can be used for persistence.

Format: Sigma. Tactics: defense_evasion, persistence. Techniques: T1112 (Modify Registry), T1546.007 (Event Triggered Execution: Netsh Helper DLL). Log sources: registry_set, windows.

Netsh Executing Loaded DLL (severity: low)

Detects netsh.exe executing with loaded DLLs that are not default Windows DLLs.

Format: Sigma. Tactics: defense_evasion, persistence. Techniques: T1546.007 (Event Triggered Execution: Netsh Helper DLL). Log sources: image_load, windows.
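The following is an added example, written for this page and not the platform's own Sigma rules or their exact logic, showing how the two detections above and the Sysmon-based recommendation fit together. It assumes Sysmon Event ID 13 (registry SetValue) and Event ID 7 (image load) have been flattened into Python dicts keyed by Sysmon's field names (EventID, EventType, Image, TargetObject, Details, ImageLoaded, Signed); the sample events, file paths and value names are constructed for illustration.

```python
import re

# Registry key under which netsh helper DLLs are registered; Sysmon reports the hive as "HKLM".
NETSH_KEY_RE = re.compile(r"^HKLM\\SOFTWARE\\Microsoft\\NetSh\\[^\\]+$", re.IGNORECASE)
# Built-in helpers live in the system directories; a helper loaded from anywhere else is suspect.
SYSTEM_DLL_RE = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\[^\\]+\.dll$", re.IGNORECASE)


def registry_set_rule(ev):
    """Logic in the spirit of 'Netsh Helper DLL Registry Modification' (registry_set source):
    alert on any value written under the NetSh key (Sysmon Event ID 13, SetValue)."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    if not NETSH_KEY_RE.match(ev.get("TargetObject", "")):
        return None
    data = ev.get("Details", "")
    # Default helpers are registered by bare file name (resolved from System32);
    # a full path outside the system directories is the strongest triage signal.
    outside_system = "\\" in data and not SYSTEM_DLL_RE.match(data)
    return {
        "rule": "Netsh Helper DLL Registry Modification",
        "level": "medium",
        "process": ev.get("Image", ""),
        "artifact": data,
        "dll_outside_system_dir": outside_system,
    }


def image_load_rule(ev):
    """Logic in the spirit of 'Netsh Executing Loaded DLL' (image_load source):
    netsh.exe loading a DLL from outside the system directories (Sysmon Event ID 7)."""
    if ev.get("EventID") != 7:
        return None
    if not ev.get("Image", "").lower().endswith("\\netsh.exe"):
        return None
    loaded = ev.get("ImageLoaded", "")
    if SYSTEM_DLL_RE.match(loaded):
        return None
    return {
        "rule": "Netsh Executing Loaded DLL",
        "level": "low",
        "process": ev["Image"],
        "artifact": loaded,
        "signed": ev.get("Signed", "unknown"),
    }


RULES = (registry_set_rule, image_load_rule)


def detect(events):
    """Run every rule over every event and collect the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed Sysmon-style events (field names follow Sysmon's schema; paths and names are made up).
SAMPLE_EVENTS = [
    # 1. Attacker registers a helper via `netsh add helper`, pointing outside System32: alert.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\netsh.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\NetSh\evil", "Details": r"C:\Users\Public\evil.dll"},
    # 2. Same outcome written directly with reg.exe: alert.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\NetSh\updater", "Details": r"C:\ProgramData\updater.dll"},
    # 3. A helper registered by bare name during servicing: alerts, but flagged as an in-system DLL.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\NetSh\ifmon", "Details": "ifmon.dll"},
    # 4. Unrelated registry write: no alert.
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sync", "Details": r"C:\Tools\sync.exe"},
    # 5. netsh.exe loading a default helper: no alert.
    {"EventID": 7, "Image": r"C:\Windows\System32\netsh.exe",
     "ImageLoaded": r"C:\Windows\System32\ifmon.dll", "Signed": "true"},
    # 6. netsh.exe loading the attacker's helper: alert.
    {"EventID": 7, "Image": r"C:\Windows\System32\netsh.exe",
     "ImageLoaded": r"C:\Users\Public\evil.dll", "Signed": "false"},
    # 7. Another process loading the same DLL: outside this rule's scope.
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Users\Public\evil.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the sample, the registry rule fires on events 1 to 3 and the image-load rule on event 6. Two points to keep in mind when tuning: the registry rule will also fire on legitimate servicing writes (event 3), so the dll_outside_system_dir flag is there to sort alerts rather than to suppress them; and the image-load rule only catches helpers loaded from outside the system directories, so an attacker who drops the DLL into System32 (possible with the administrator rights the technique already requires) is seen only by the registry rule, which is why both sources are needed.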
