
DET0575 Detection Strategy for Netsh Helper DLL Persistence via Registry and Child Process Monitoring (Windows)

| Item | Value |
|---|---|
| ID | DET0575 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1546.007 (Netsh Helper DLL)

Analytics

Windows

AN1588

Detection focuses on monitoring registry modifications under HKLM\SOFTWARE\Microsoft\Netsh that indicate the addition of helper DLLs, followed by anomalous child process activity or module load behavior initiated by netsh.exe. These behaviors are rarely legitimate and may represent an adversary establishing persistence.

Log Sources
| Data Component | Name | Channel |
|---|---|---|
| Windows Registry Key Modification (DC0063) | WinEventLog:Security | EventCode=4657 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
Mutable Elements
| Field | Description |
|---|---|
| TimeWindow | Defines the time window in which correlated registry and execution events are considered suspicious (e.g., within 10 minutes) |
| NetshChildProcessWhitelist | List of expected or approved child processes spawned by netsh.exe in the enterprise environment |
| DLLLoadPath | Directory or filename heuristics to distinguish benign DLLs from malicious helper DLLs |
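The correlation described in AN1588, as an added worked example that is not part of the MITRE page: it joins a 4657 write under HKLM\SOFTWARE\Microsoft\Netsh with later Sysmon Event 1/7 activity by netsh.exe on the same host inside TimeWindow, and applies the NetshChildProcessWhitelist and DLLLoadPath mutable elements. The event field names, the whitelist and allowed-directory defaults, and the sample events are all constructed for the example.

```python
from datetime import datetime, timedelta

# Mutable elements from the analytic; these defaults are assumptions for the example.
TIME_WINDOW = timedelta(minutes=10)                 # TimeWindow
NETSH_CHILD_WHITELIST = {"conhost.exe"}            # NetshChildProcessWhitelist
ALLOWED_DLL_DIRS = ("c:\\windows\\system32\\",)    # DLLLoadPath heuristic

# Constructed sample events (not real telemetry), flattened to the fields the logic needs.
SAMPLE_EVENTS = [
    {"t": "2025-10-21T10:00:05", "host": "ws01", "EventCode": 4657,
     "ObjectName": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Netsh",
     "ObjectValueName": "helper", "NewValue": "C:\\Users\\Public\\helper.dll"},
    {"t": "2025-10-21T10:02:10", "host": "ws01", "EventCode": 7,
     "Image": "C:\\Windows\\System32\\netsh.exe", "ImageLoaded": "C:\\Users\\Public\\helper.dll"},
    {"t": "2025-10-21T10:02:11", "host": "ws01", "EventCode": 1,
     "ParentImage": "C:\\Windows\\System32\\netsh.exe", "Image": "C:\\Windows\\System32\\cmd.exe"},
    # Benign control: a built-in helper loaded from System32 on a host with no registry write.
    {"t": "2025-10-21T12:30:00", "host": "ws02", "EventCode": 7,
     "Image": "C:\\Windows\\System32\\netsh.exe", "ImageLoaded": "C:\\Windows\\System32\\ifmon.dll"},
]

def _ts(e):
    return datetime.fromisoformat(e["t"])

def _is_netsh_registry_write(e):
    return e["EventCode"] == 4657 and "\\software\\microsoft\\netsh" in e["ObjectName"].lower()

def _suspicious_netsh_activity(e):
    """netsh.exe spawned a non-whitelisted child (Event 1) or loaded a DLL outside allowed dirs (Event 7)."""
    if e["EventCode"] == 1 and e.get("ParentImage", "").lower().endswith("\\netsh.exe"):
        return e["Image"].rsplit("\\", 1)[-1].lower() not in NETSH_CHILD_WHITELIST
    if e["EventCode"] == 7 and e.get("Image", "").lower().endswith("\\netsh.exe"):
        return not e["ImageLoaded"].lower().startswith(ALLOWED_DLL_DIRS)
    return False

def correlate(events, window=TIME_WINDOW):
    """One alert per (registry write, follow-on netsh activity) pair on the same host within the window."""
    alerts = []
    for reg in filter(_is_netsh_registry_write, events):
        for ex in events:
            delta = (_ts(ex) - _ts(reg)).total_seconds()
            if ex["host"] == reg["host"] and 0 <= delta <= window.total_seconds() \
                    and _suspicious_netsh_activity(ex):
                alerts.append({"host": reg["host"], "dll": reg["NewValue"],
                               "event": ex["EventCode"], "detail": ex.get("ImageLoaded") or ex["Image"]})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Event 4657 is only emitted when object-access auditing is enabled and a SACL is set on the Netsh key, so the registry leg of this correlation needs that audit configuration in place before it can fire.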