MITRE ATT&CK® Analytic

AN1588: Analytic 1588

Detection focuses on monitoring registry modifications under HKLM\SOFTWARE\Microsoft\Netsh that indicate the addition of helper DLLs, followed by anomalous child process activity or module load behavior initiated by netsh.exe. These behaviors are rarely legitimate and may represent an adversary establishing persistence.

Enterprise | AN1588 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic watches for suspicious registration of Windows Netsh helper DLLs and for follow-on behavior from netsh.exe. For leaders, the value is that this is a narrow but high-signal place to validate Windows persistence monitoring: new registry values under HKLM\SOFTWARE\Microsoft\Netsh are described as rarely legitimate, so missing this telemetry leaves an endpoint persistence path outside normal SOC visibility.

Executive priority

Prioritize this as a Windows endpoint resilience and incident-readiness validation item. Security leaders should ask whether registry monitoring, process telemetry, and module-load visibility are available and retained for critical Windows systems, and whether the SOC has a clear response path when netsh.exe shows unusual child process or DLL-loading behavior. Because ATT&CK provides no relationships, tactic mapping, or official detection logic beyond the description, this should be treated as a coverage validation opportunity rather than proof of complete detection capability.

Technical view

For SOC, detection engineering, and IR teams, validate collection and alerting around modifications to HKLM\SOFTWARE\Microsoft\Netsh, especially new values that register a helper DLL. The supported registration path is `netsh add helper <dll>`, which writes a value under that key whose data is the DLL name or path; a stock install already carries a set of such values for the built-in helpers, so alert on new or changed values rather than on the key itself. Because netsh.exe loads every registered helper each time it starts, the module load may occur long after the registration, so correlate over a window of hours or days, not minutes. Correlate those changes with netsh.exe execution, anomalous child process activity, and unusual module loads initiated by netsh.exe. Baseline legitimate administrative or software activity that touches this registry path, then tune for DLL paths outside the system directories, unexpected parent/child relationships, and activity on systems where Netsh helper DLL changes are not part of standard operations.

Likely telemetry

  • Windows registry modification events for HKLM\SOFTWARE\Microsoft\Netsh (for example Sysmon Event ID 13, or Security Event ID 4657 with a SACL on the key)
  • Process creation telemetry for netsh.exe and its child processes (Sysmon Event ID 1, or Security Event ID 4688 with command-line logging)
  • Module or image-load telemetry for netsh.exe (Sysmon Event ID 7)
  • Endpoint timestamps and host/user context for correlating registry changes to process activity
  • Change-management or administrative activity records to distinguish expected Netsh configuration changes

Detection direction

  • Confirm registry auditing or EDR telemetry captures changes under HKLM\SOFTWARE\Microsoft\Netsh, not just process execution.
  • Correlate helper DLL registration events with subsequent netsh.exe execution, child process creation, or module-load behavior.
  • Tune against known administrative baselines. The ATT&CK description says these behaviors are rarely legitimate, but local tooling or network administration practices may still register helper DLLs and need documented exceptions.
  • Prioritize alerts where netsh.exe loads unusual modules or spawns unexpected child processes after a Netsh registry modification.
  • Document blind spots such as endpoints without registry telemetry, missing module-load visibility, short retention, or lack of correlation between registry and process events.

Mitigation priorities

  • Ensure Windows endpoint monitoring includes registry modification visibility for the specified Netsh path.
  • Restrict and monitor administrative rights that can modify HKLM registry locations.
  • Establish baselines for legitimate Netsh helper DLL usage and approved administrative activity.
  • Create an IR triage procedure for suspected Netsh helper DLL persistence, including host isolation decision points, registry review, process tree review, and module-load review.
  • Use the analytic as compliance and audit evidence only after confirming the required telemetry sources, retention, and alert handling are actually implemented.

Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Windows only. It has no supplied relationships, no aliases, no tactic value, and no official detection logic beyond the descriptive detection focus. The strongest supported interpretation is that defenders should monitor Netsh-related registry modifications and correlate them with suspicious netsh.exe child process or module-load behavior that may indicate persistence.

This take is limited to the official STIX fields, the MITRE external reference, and the absence of relationship context. It does not establish active exploitation, actor attribution, prevalence, business impact, or guaranteed detection. Local environment baselines are required to determine what Netsh helper DLL activity is legitimate.

Official MITRE ATT&CK definition

Analytic 1588

Detection focuses on monitoring registry modifications under HKLM\SOFTWARE\Microsoft\Netsh that indicate the addition of helper DLLs, followed by anomalous child process activity or module load behavior initiated by netsh.exe. These behaviors are rarely legitimate and may represent an adversary establishing persistence.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e2672461f5c61048...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  e2672461f5c6…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN1588 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.