Detection focuses on modifications under the registry key HKLM\SOFTWARE\Microsoft\Netsh that register a helper DLL: each value under that key holds the path of a DLL that netsh.exe loads on every start, and `netsh add helper <dll>` writes one. A registration is then correlated with netsh.exe loading a module from outside its expected location or spawning an anomalous child process within a short time window. Note that Security event 4657 is only generated when the Audit Registry subcategory is enabled and the key carries a SACL; where that is not configured, Sysmon event 13 (RegistryEvent: Value Set) scoped to this key is the usual substitute. Adding a helper DLL is rare in normal administration, and a registration followed by netsh execution is a strong indicator of an adversary establishing persistence.
| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| TimeWindow | Defines the time window in which correlated registry and execution events are considered suspicious (e.g., within 10 minutes) |
| NetshChildProcessWhitelist | List of expected or approved child processes spawned by netsh.exe in the enterprise environment |
| DLLLoadPath | Directory or filename heuristics to distinguish benign DLLs from malicious helper DLLs |
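The correlation described above, run over a handful of constructed events, as an added example that is not part of the original page. The event dictionaries use normalized field names (`object_name`, `new_value`, `image`, `parent_image`, `image_loaded`) that are assumptions standing in for the SIEM's actual schema; the ten-minute window, the `conhost.exe` whitelist entry and the "trusted DLLs live in System32" heuristic are the three tunable fields from the table, with values chosen for illustration.

```python
"""Correlate a netsh helper-DLL registration (Security 4657) with later
netsh.exe module loads (Sysmon 7) and child processes (Sysmon 1).

Added example; field names and sample events are constructed, not taken
from a real log source.
"""
from datetime import datetime, timedelta
import ntpath

# Tunable fields from the analytic definition (values are assumptions).
TIME_WINDOW = timedelta(minutes=10)               # TimeWindow
NETSH_CHILD_WHITELIST = {"conhost.exe"}           # NetshChildProcessWhitelist
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\",)   # DLLLoadPath heuristic
# Security 4657 reports HKLM keys as \REGISTRY\MACHINE\...; match on the tail.
NETSH_KEY_SUFFIX = "\\software\\microsoft\\netsh"


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _base(path):
    return ntpath.basename(path).lower()


# Constructed sample events (assumed, normalized field names).
EVENTS = [
    # 1. reg.exe writes a new value under the Netsh key; data = helper DLL path
    {"time": _ts("2024-05-01 10:00:00"), "source": "Security", "event_id": 4657,
     "host": "WS01", "object_name": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Netsh",
     "object_value_name": "svchelper", "new_value": r"C:\Users\Public\svchelper.dll",
     "process_name": r"C:\Windows\System32\reg.exe"},
    # 2. netsh loads a built-in helper from System32: benign
    {"time": _ts("2024-05-01 10:02:05"), "source": "Sysmon", "event_id": 7,
     "host": "WS01", "image": r"C:\Windows\System32\netsh.exe",
     "image_loaded": r"C:\Windows\System32\ifmon.dll"},
    # 3. netsh loads the freshly registered DLL from a user-writable path
    {"time": _ts("2024-05-01 10:02:05"), "source": "Sysmon", "event_id": 7,
     "host": "WS01", "image": r"C:\Windows\System32\netsh.exe",
     "image_loaded": r"C:\Users\Public\svchelper.dll"},
    # 4. whitelisted child of netsh
    {"time": _ts("2024-05-01 10:02:06"), "source": "Sysmon", "event_id": 1,
     "host": "WS01", "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\System32\netsh.exe"},
    # 5. netsh spawning cmd.exe is not expected
    {"time": _ts("2024-05-01 10:02:07"), "source": "Sysmon", "event_id": 1,
     "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\netsh.exe"},
    # 6. same behaviour 90 minutes later: outside TimeWindow, not correlated
    {"time": _ts("2024-05-01 11:30:00"), "source": "Sysmon", "event_id": 1,
     "host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\netsh.exe"},
    # 7. suspicious load on a host with no registration event: not correlated
    {"time": _ts("2024-05-01 10:03:00"), "source": "Sysmon", "event_id": 7,
     "host": "WS02", "image": r"C:\Windows\System32\netsh.exe",
     "image_loaded": r"C:\Users\Public\svchelper.dll"},
]


def helper_registrations(events):
    """4657 value writes under HKLM\\SOFTWARE\\Microsoft\\Netsh."""
    return [e for e in events
            if e["source"] == "Security" and e["event_id"] == 4657
            and e["object_name"].lower().endswith(NETSH_KEY_SUFFIX)]


def suspicious_dll(path):
    """DLLLoadPath heuristic: Windows' own helper DLLs live in System32."""
    return not path.lower().startswith(TRUSTED_DLL_DIRS)


def correlate(events, window=TIME_WINDOW):
    """Return (alert_type, host, artifact) tuples for netsh activity that
    follows a helper registration on the same host within the window."""
    alerts = []
    for reg in helper_registrations(events):
        deadline = reg["time"] + window
        for e in events:
            if e["source"] != "Sysmon" or e["host"] != reg["host"]:
                continue
            if not (reg["time"] <= e["time"] <= deadline):
                continue
            if e["event_id"] == 7 and _base(e["image"]) == "netsh.exe":
                loaded = e["image_loaded"]
                # Flag the exact DLL just registered, or any load outside System32.
                if loaded.lower() == reg["new_value"].lower() or suspicious_dll(loaded):
                    alerts.append(("helper_dll_load", e["host"], loaded))
            elif e["event_id"] == 1 and _base(e["parent_image"]) == "netsh.exe":
                if _base(e["image"]) not in NETSH_CHILD_WHITELIST:
                    alerts.append(("netsh_child_process", e["host"], e["image"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Events 6 and 7 show the limits of the time-windowed join: netsh loads every registered helper on every launch, so the DLL keeps executing long after the registration event, and a host whose 4657 was never logged (no SACL, or the adversary wrote the key before auditing was enabled) produces only the Sysmon side. A second, stand-alone rule on Sysmon 7 loads by netsh.exe from outside System32 (the `suspicious_dll` check on its own) covers both cases at the cost of more triage.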