
Summary
This detection rule identifies unauthorized additions of Netsh Helper DLLs on Windows systems. The Netsh utility configures and diagnoses network settings and can be extended with Helper DLLs, which are registered in the Windows registry and loaded each time netsh runs. Attackers may abuse this extension mechanism to execute malicious code whenever the utility is invoked, typically by legitimate administrative actions or automated tasks such as scheduled jobs. The rule monitors the Windows registry paths associated with Netsh to detect changes that could indicate an attempt to establish persistence via a malicious Helper DLL. The investigation guide outlines potential investigative steps, examines false positives, and details incident response strategies. By correlating registry changes with process activity, analysts can distinguish legitimate helper registrations from malicious attempts to abuse Netsh.
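The registry-monitoring logic the summary describes, as an added illustration that is not the rule's own query or code: it runs over a few constructed Sysmon-style registry events (Event ID 13, SetValue) and flags any value written under the netsh helper key (HKLM\SOFTWARE\Microsoft\NetSh, including the WOW6432Node view). The sample records, the helper names and the severity scheme (higher when the registered DLL lives outside System32) are assumptions chosen for the example, not values from the page.

```python
import json
import re
from dataclasses import dataclass
from typing import Optional

# Registry key where netsh looks up its helper DLLs: the value name is the
# helper's name and the value data is the DLL path. The 32-bit view under
# WOW6432Node is covered as well.
NETSH_HELPER_VALUE_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\NetSh\\[^\\]+$", re.IGNORECASE
)
# Built-in helpers ship in System32; a helper registered from anywhere else
# is treated as higher severity (severity scheme is an assumption of this example).
SYSTEM32_DLL_RE = re.compile(
    r"^(%SystemRoot%|C:\\Windows)\\System32\\[^\\]+\.dll$", re.IGNORECASE
)


@dataclass
class Finding:
    record_id: int
    helper_name: str
    dll_path: str
    image: str       # process that performed the registry write
    severity: str    # "medium" (DLL in System32) or "high" (DLL elsewhere)


def analyze_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event registers a netsh helper, otherwise None."""
    # Only value writes register a helper; creating or deleting the key does not.
    if event.get("EventType") != "SetValue":
        return None
    target = event.get("TargetObject", "")
    if not NETSH_HELPER_VALUE_RE.match(target):
        return None
    helper_name = target.rsplit("\\", 1)[-1]
    dll_path = event.get("Details", "")
    severity = "medium" if SYSTEM32_DLL_RE.match(dll_path) else "high"
    return Finding(
        record_id=int(event.get("RecordId", -1)),
        helper_name=helper_name,
        dll_path=dll_path,
        image=event.get("Image", ""),
        severity=severity,
    )


def analyze_log(lines) -> list:
    """Parse JSON-lines registry events and collect netsh helper registrations."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = analyze_event(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events in a Sysmon-like JSON-lines shape (not real telemetry).
SAMPLE_LOG = r"""
{"RecordId": 1, "EventId": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Dhcp\\Start", "Details": "DWORD (0x00000002)"}
{"RecordId": 2, "EventId": 13, "EventType": "SetValue", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\NetSh\\updater", "Details": "C:\\Users\\alice\\AppData\\Roaming\\updater.dll"}
{"RecordId": 3, "EventId": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\NetSh\\examplehelper", "Details": "%SystemRoot%\\System32\\examplehelper.dll"}
{"RecordId": 4, "EventId": 12, "EventType": "CreateKey", "Image": "C:\\Windows\\regedit.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\NetSh", "Details": ""}
"""

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] record {f.record_id}: helper '{f.helper_name}' -> "
              f"{f.dll_path} (written by {f.image})")
```

Record 2 is the case the rule is built for: an unsigned-looking installer in a user's temp directory registering a helper DLL from a user-writable path. Record 3 shows why the investigation guide covers false positives: a packaged installer registering a helper inside System32 still matches, so the analyst must correlate the writing process and the DLL's origin before concluding anything.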
Categories
- Endpoint
- Windows
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1546
- T1546.007
- T1112
Created: 2023-08-29