Techniques
Sample rules
Potential Persistence Via Netsh Helper DLL - Registry
- source: sigma
- techniques:
  - t1546
  - t1546.007
Description
Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_poqexec:
  Details:
  - ipmontr.dll
  - iasmontr.dll
  - ippromon.dll
  Image: C:\Windows\System32\poqexec.exe
selection:
  Details|contains: .dll
  TargetObject|contains: \SOFTWARE\Microsoft\NetSh
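The detection logic above, evaluated over a handful of registry-set events. This is an added example, not part of the Sigma rule or of this page; the events, value names and the C:\Tools\example.exe path are constructed, and the helper function names are hypothetical.

```python
# Added example: the rule's condition evaluated over constructed events.
# Sigma string matching is case-insensitive; fields inside one block are
# ANDed, and a list of values for a field is ORed.
SELECTION = {
    "TargetObject|contains": r"\SOFTWARE\Microsoft\NetSh",
    "Details|contains": ".dll",
}
FILTERS = {
    "filter_main_poqexec": {
        "Image": r"C:\Windows\System32\poqexec.exe",
        "Details": ["ipmontr.dll", "iasmontr.dll", "ippromon.dll"],
    },
}

def field_matches(event, key, expected):
    name, _, modifier = key.partition("|")
    actual = str(event.get(name, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    if modifier == "contains":
        return any(v.lower() in actual for v in values)
    return any(v.lower() == actual for v in values)

def block_matches(event, block):
    return all(field_matches(event, k, v) for k, v in block.items())

def rule_fires(event):
    # condition: selection and not 1 of filter_main_*
    if not block_matches(event, SELECTION):
        return False
    return not any(block_matches(event, f) for f in FILTERS.values())

KEY = r"HKLM\SOFTWARE\Microsoft\NetSh"
POQEXEC = r"C:\Windows\System32\poqexec.exe"
OTHER = r"C:\Tools\example.exe"          # made-up process path
HELPER = r"C:\ProgramData\example\helper.dll"  # made-up DLL path
# Constructed registry-set events (value names are made up).
EVENTS = [
    {"Image": OTHER, "TargetObject": KEY + r"\example", "Details": HELPER},
    {"Image": POQEXEC, "TargetObject": KEY + r"\ipmontr", "Details": "ipmontr.dll"},
    {"Image": POQEXEC, "TargetObject": KEY + r"\example", "Details": HELPER},
    {"Image": OTHER, "TargetObject": KEY + r"\ipmontr", "Details": "ipmontr.dll"},
    {"Image": OTHER, "TargetObject": KEY + r"\example", "Details": "DWORD (0x00000001)"},
]

def evaluate(events=EVENTS):
    return [rule_fires(e) for e in events]

if __name__ == "__main__":
    for event, fired in zip(EVENTS, evaluate()):
        print("ALERT" if fired else "ok   ", event["Image"], event["Details"])
```

The filter suppresses an event only when both the Image and the Details value match, so the third and fourth events still alert even though each matches one half of filter_main_poqexec.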