Inspired by this tweet , this artifact enumerates all NetSh Helper DLLs to provide opportunities to find outliers and potential persistence mechanisms tied to netsh.exe
I have run this hunt across 6K+ systems and identified the most common entries and provided
the excludeCommon option to exclude these. In very large environments there will likely still be FPs,
but they should be far and few.
References:
name: Windows.Registry.NetshHelperDLLs
description: |
# Enumerate all NetSh Helper DLLs
Inspired by this [tweet](https://twitter.com/SecurePeacock/status/1532011932315680769?s=20&t=IFbej-qpkF6IB7ycewE31w),
this artifact enumerates all NetSh Helper DLLs to provide
opportunities to find outliers and potential persistence mechanisms
tied to [netsh.exe](https://lolbas-project.github.io/lolbas/Binaries/Netsh/)
I have run this hunt across 6K+ systems and identified the most common entries and provided
the `excludeCommon` option to exclude these. In very large environments there will likely still be FPs,
but they should be far and few.
References:
- https://attack.mitre.org/techniques/T1546/007/
- https://lolbas-project.github.io/lolbas/Binaries/Netsh/
parameters:
- name: SearchRegistryGlob
default: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh\**
description: Use a glob to define the files that will be searched.
- name: excludeCommon
description: "Exclude common well-known entries."
type: bool
author: Eric Capuano - @eric_capuano
precondition: SELECT OS From info() where OS = 'windows'
sources:
- query: |
LET filteredResults <=
SELECT Name, FullPath, Data.value AS HelperDLL, ModTime as Modified
FROM glob(globs=SearchRegistryGlob, accessor='registry')
// filter out entries found consistently across 1000s of systems in the wild
WHERE NOT (Name = "2" AND HelperDLL = "ifmon.dll")
AND NOT (Name = "4" AND HelperDLL = "rasmontr.dll")
AND NOT (Name = "WcnNetsh" AND HelperDLL = "WcnNetsh.dll")
AND NOT (Name = "authfwcfg" AND HelperDLL = "authfwcfg.dll")
AND NOT (Name = "dhcpclient" AND HelperDLL = "dhcpcmonitor.dll")
AND NOT (Name = "dot3cfg" AND HelperDLL = "dot3cfg.dll")
AND NOT (Name = "fwcfg" AND HelperDLL = "fwcfg.dll")
AND NOT (Name = "hnetmon" AND HelperDLL = "hnetmon.dll")
AND NOT (Name = "napmontr" AND HelperDLL = "napmontr.dll")
AND NOT (Name = "netiohlp" AND HelperDLL = "netiohlp.dll")
AND NOT (Name = "nettrace" AND HelperDLL = "nettrace.dll")
AND NOT (Name = "nshhttp" AND HelperDLL = "nshhttp.dll")
AND NOT (Name = "nshipsec" AND HelperDLL = "nshipsec.dll")
AND NOT (Name = "nshwfp" AND HelperDLL = "nshwfp.dll")
AND NOT (Name = "p2pnetsh" AND HelperDLL = "p2pnetsh.dll")
AND NOT (Name = "peerdistsh" AND HelperDLL = "peerdistsh.dll")
AND NOT (Name = "rpc" AND HelperDLL = "rpcnsh.dll")
AND NOT (Name = "whhelper" AND HelperDLL = "whhelper.dll")
AND NOT (Name = "wlancfg" AND HelperDLL = "wlancfg.dll")
AND NOT (Name = "wshelper" AND HelperDLL = "wshelper.dll")
AND NOT (Name = "wwancfg" AND HelperDLL = "wwancfg.dll")
LET Results <=
SELECT Name, FullPath, Data.value AS HelperDLL, ModTime as Modified
FROM glob(globs=SearchRegistryGlob, accessor='registry')
SELECT *
FROM if(condition=excludeCommon,
then={ SELECT * FROM filteredResults},
else={ SELECT * FROM Results})