Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

Event Triggered Execution: Netsh Helper DLL

Other sub-techniques of Event Triggered Execution (16)

ID	Name
.001	Change Default File Association
.002	Screensaver
.003	Windows Management Instrumentation Event Subscription
.004	Unix Shell Configuration Modification
.005	Trap
.006	LC_LOAD_DYLIB Addition
.007	Netsh Helper DLL
.008	Accessibility Features
.009	AppCert DLLs
.010	AppInit DLLs
.011	Application Shimming
.012	Image File Execution Options Injection
.013	PowerShell Profile
.014	Emond
.015	Component Object Model Hijacking
.016	Installer Packages

Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility.(Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at HKLM\SOFTWARE\Microsoft\Netsh. Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality.(Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)

ID: T1546.007

Sub-technique of: T1546

Tactic(s): Persistence, Privilege Escalation

Platforms: Windows

Permissions Required: Administrator, SYSTEM

Data Sources: Command: Command Execution, Module: Module Load, Process: Process Creation, Windows Registry: Windows Registry Key Modification

Version: 1.0

Created: 24 Jan 2020

Last Modified: 20 Apr 2022

Name	Description
Procedure Examples
netsh	netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed.(Citation: Demaske Netsh Persistence)

Detection

It is likely unusual for netsh.exe to have any child processes in most environments. Monitor process executions and investigate any child processes spawned by netsh.exe for malicious behavior. Monitor the HKLM\SOFTWARE\Microsoft\Netsh registry key for any new or suspicious entries that do not correlate with known system files or benign software.(Citation: Demaske Netsh Persistence)

References

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.