From 2b11a2768b806b05d26e8ba8617705847f35f574 Mon Sep 17 00:00:00 2001 From: keyboardcrunch <40863898+keyboardcrunch@users.noreply.github.com> Date: Tue, 15 Sep 2020 15:44:50 -0500 Subject: [PATCH] Added T1546.007 netsh helper dll --- queries.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/queries.md b/queries.md index 1174b10..4ed961b 100644 --- a/queries.md +++ b/queries.md @@ -109,3 +109,13 @@ Detects addition of logon scripts through command line or registry methods. ``` SrcProcCmdLine ContainsCIS "UserInitMprLogonScript" OR (RegistryKeyPath ContainsCIS "UserInitMprLogonScript" AND EventType = "Registry Value Create") ``` + +### T1546.007 Netsh Helper DLL +Atomics: [T1546.007]() + +Detection of "helper" dlls with network command shell, through command arguments or registry modification. + +``` +(TgtProcName = "netsh.exe" AND TgtProcCmdLine ContainsCIS "add helper") OR (RegistryPath ContainsCIS "SOFTWARE\Microsoft\NetSh" AND EventType = "Registry Value Create") +``` +
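Review bot: the registry branch of the new query uses a `RegistryPath` field, while the T1037 query in the unchanged context directly above it uses `RegistryKeyPath`; unless both names exist in the schema, one of the two is wrong and the registry half of this rule will silently never match, so the field name should be aligned with the existing queries in this file. The Atomics link `[T1546.007]()` has an empty target and will render as a dead link; either supply the URL or drop the link brackets as plain text. Minor wording: the description reads more naturally as "Detects registration of netsh helper DLLs, via command-line arguments or registry modification", matching the "Detects ..." phrasing used by the preceding entry.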