nethost.dll Detection Rules & Hunting Queries
Arsenal-237 C2 Communication Module Report Date: 2026-01-26
YARA Rules
Rule 1: Arsenal-237 nethost.dll File Hash Detection
import "hash"

rule Arsenal237_nethost_dll_hash_detection {
    meta:
        author = "Threat Intelligence Team"
        description = "Detects Arsenal-237 nethost.dll by known file hashes"
        date = "2026-01-26"
        threat_level = "CRITICAL"
        malware_type = "C2 Communication Module"
    strings:
        $filename = "nethost.dll" nocase
    condition:
        // hashes are computed over the whole file with the hash module; they are not
        // text that can be searched for inside the sample
        uint16(0) == 0x5a4d and (
            $filename or
            hash.sha256(0, filesize) == "158f61b6d10ea2ce78769703a2ffbba9c08f0172e37013de960d9efe5e9fde14" or
            hash.md5(0, filesize) == "f91ff1bb5699524524fff0e2587af040" or
            hash.sha1(0, filesize) == "622ddbacaf769aef383435162a203489c08c8468"
        )
}
Rule 2: Arsenal-237 nethost.dll Hardcoded C2 Detection
rule Arsenal237_nethost_dll_c2_strings {
    meta:
        author = "Threat Intelligence Team"
        description = "Detects nethost.dll by hardcoded C2 target strings"
        date = "2026-01-26"
        threat_level = "CRITICAL"
    strings:
        // Rust string literals carry no NUL terminator, so adjacent literals can appear
        // fused in the binary; the fused forms below are matched as-is
        $c2_targets = "8.8.8.8:53127.0.0.1ntdll.dll"
        $env_discovery = "COMPUTERNAMEUSERNAME"
        $rust_panic = "runtime error"
        $winsock_init = "WSAStartup"
    condition:
        // YARA rejects rules with unreferenced strings, so the Rust/Winsock strings
        // are used here as corroboration for the core indicators
        uint16(0) == 0x5a4d and ($c2_targets or $env_discovery) and 1 of ($rust_panic, $winsock_init)
}
Rule 3: Arsenal-237 nethost.dll PowerShell Template Detection
rule Arsenal237_nethost_dll_powershell_templates {
    meta:
        author = "Threat Intelligence Team"
        description = "Detects nethost.dll by embedded PowerShell command templates"
        date = "2026-01-26"
        threat_level = "HIGH"
    strings:
        $ps_service = "Get-Service|?{$_.Status -eq ''}"
        $ps_download = "Invoke-WebRequest -Uri '' -OutFile ''"
        $upload_prefix = "pathB64:"
        $response_keywords = "resultmachine_idsuccess"
    condition:
        3 of them and uint16(0) == 0x5a4d
}
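To show how the string-based rules above (Rule 2 and Rule 3) evaluate against a file, here is an added Python example that is not part of the original report: it re-implements the MZ-header check, the `or` / `N of them` string logic, and a small strings(1)-style extractor, and runs them over a constructed byte blob (not a real sample). The helper names, the sample bytes and the choice to require one corroborating string in the Rule 2 re-implementation are my own.

```python
import re

# Constructed stand-in for a PE file: an MZ header, padding, then string literals
# packed back to back with no NUL terminators (Rust &str literals are length-
# prefixed rather than NUL-terminated, which is why strings(1) shows them fused).
SAMPLE_PE = (
    b"MZ" + b"\x90" * 62
    + b"8.8.8.8:53" + b"127.0.0.1" + b"ntdll.dll"
    + b"COMPUTERNAME" + b"USERNAME"
    + b"Get-Service|?{$_.Status -eq ''}"
    + b"Invoke-WebRequest -Uri '' -OutFile ''"
    + b"pathB64:"
    + b"WSAStartup\x00"
)

# Constructed benign-looking file: MZ header plus common, NUL-terminated strings.
SAMPLE_BENIGN = b"MZ" + b"\x90" * 62 + b"Get-Service\x00WSAStartup\x00"

# String definitions copied from Rule 2 and Rule 3 (identifier -> bytes to find).
RULE2_STRINGS = {
    "c2_targets": b"8.8.8.8:53127.0.0.1ntdll.dll",
    "env_discovery": b"COMPUTERNAMEUSERNAME",
    "rust_panic": b"runtime error",
    "winsock_init": b"WSAStartup",
}
RULE3_STRINGS = {
    "ps_service": b"Get-Service|?{$_.Status -eq ''}",
    "ps_download": b"Invoke-WebRequest -Uri '' -OutFile ''",
    "upload_prefix": b"pathB64:",
    "response_keywords": b"resultmachine_idsuccess",
}


def is_mz(data: bytes) -> bool:
    """YARA's uint16(0) == 0x5a4d: little-endian read of the first two bytes."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D


def matched_strings(data: bytes, strings: dict) -> set:
    """Return the identifiers whose byte pattern occurs anywhere in data."""
    return {name for name, pattern in strings.items() if pattern in data}


def rule2_c2_strings(data: bytes) -> bool:
    """Rule 2 logic: MZ header, at least one core indicator, plus one corroborating string."""
    hits = matched_strings(data, RULE2_STRINGS)
    core = {"c2_targets", "env_discovery"} & hits
    corroborating = {"rust_panic", "winsock_init"} & hits
    return is_mz(data) and bool(core) and bool(corroborating)


def rule3_powershell_templates(data: bytes) -> bool:
    """Rule 3 logic: MZ header and '3 of them'."""
    return is_mz(data) and len(matched_strings(data, RULE3_STRINGS)) >= 3


def printable_runs(data: bytes, min_len: int = 8) -> list:
    """strings(1)-style extraction: runs of printable ASCII of at least min_len bytes.
    On the Rust-style sample the adjacent literals come out as a single fused run."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PE), ("benign", SAMPLE_BENIGN)):
        print(label, "rule2:", rule2_c2_strings(blob), "rule3:", rule3_powershell_templates(blob))
    print(printable_runs(SAMPLE_PE)[0][:60])
```

The fused run that `printable_runs` returns for the sample is the reason the indicator strings in Rule 2 look like several values glued together; when building string rules from a Rust binary, take the fused form from the actual sample rather than the individual literals.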
Rule 4: Arsenal-237 nethost.dll Winsock Initialization Pattern
rule Arsenal237_nethost_dll_winsock_init {
    meta:
        author = "Threat Intelligence Team"
        description = "Detects nethost.dll by Winsock initialization pattern"
        date = "2026-01-26"
        threat_level = "HIGH"
    strings:
        $ws_startup = {C7 ?? ?? 02 02 00} // WSAStartup with version 0x202
        $wsa_socket = "WSASocket"
        $connect_api = "connect"
        $env_vars = "COMPUTERNAME"
    condition:
        all of them and uint16(0) == 0x5a4d
}
Rule 5: Arsenal-237 nethost.dll Rust Compilation Signature
rule Arsenal237_nethost_dll_rust_indicators {
    meta:
        author = "Threat Intelligence Team"
        description = "Detects nethost.dll by Rust compilation indicators"
        date = "2026-01-26"
        threat_level = "MEDIUM"
    strings:
        $rust_panic = "rust_panic"
        $rustc_artifact = ".rustc_artifact"
        $rust_std = "std::panic"
        $debug_assertion = "assertion `left == right` failed" // standard assert_eq! message
    condition:
        // the reported size (440,832 bytes) is checked with filesize, not as a byte pattern
        uint16(0) == 0x5a4d and (2 of them or (1 of them and filesize == 440832))
}
Sigma Detection Rules
Sigma Rule 1: Network Connection to C2 Targets
title: Arsenal-237 nethost.dll C2 Connection Attempt
description: Detects network connections to known Arsenal-237 C2 infrastructure
logsource:
  category: network_connection
  product: windows
detection:
  c2_connection:
    DestinationIp:
      - 8.8.8.8
      - 127.0.0.1
    DestinationPort: 53
    Protocol: tcp
  process_filter:
    Image|endswith:
      - nethost.dll
      - explorer.exe
      - svchost.exe
      - rundll32.exe
      - powershell.exe
  filter_legitimate:
    DestinationIp: 8.8.8.8
    Protocol: udp
  condition: c2_connection and process_filter and not filter_legitimate
falsepositives:
  - Legitimate DNS queries to Google Public DNS
  - System DNS resolution to 8.8.8.8 via UDP (legitimate; TCP is suspicious)
level: critical
tags:
  - attack.command_and_control
  - attack.t1071
  - arsenal-237
  - c2_communication
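As an added illustration that is not part of the original report, the following Python applies the Sigma Rule 1 logic to a few constructed Sysmon-style network-connection records, so the effect of the TCP/UDP distinction is visible: a UDP lookup to 8.8.8.8 from svchost.exe passes, while TCP connections to 8.8.8.8:53 or 127.0.0.1:53 from the listed process names alert. The key=value log format and the sample hosts are my own simplification of Sysmon Event ID 3 fields.

```python
# Constructed log lines in a simplified key=value form of Sysmon Event ID 3
# (network connection) fields; not real telemetry.
SAMPLE_LOG = r"""
Host=WS01 Image=C:\Windows\System32\svchost.exe DestinationIp=8.8.8.8 DestinationPort=53 Protocol=udp
Host=WS02 Image=C:\Windows\System32\rundll32.exe DestinationIp=8.8.8.8 DestinationPort=53 Protocol=tcp
Host=WS03 Image=C:\Windows\explorer.exe DestinationIp=127.0.0.1 DestinationPort=53 Protocol=tcp
Host=WS04 Image=C:\Windows\System32\svchost.exe DestinationIp=8.8.8.8 DestinationPort=443 Protocol=tcp
Host=WS05 Image=C:\Tools\dig.exe DestinationIp=8.8.8.8 DestinationPort=53 Protocol=tcp
""".strip().splitlines()

C2_TARGETS = {("8.8.8.8", 53), ("127.0.0.1", 53)}
# Image|endswith list from the Sigma rule's process_filter selection
WATCHED_IMAGES = ("nethost.dll", "explorer.exe", "svchost.exe", "rundll32.exe", "powershell.exe")


def parse_line(line: str) -> dict:
    """Split 'Key=Value Key=Value ...' into a dict (values here contain no spaces)."""
    event = dict(token.split("=", 1) for token in line.split())
    event["DestinationPort"] = int(event["DestinationPort"])
    return event


def c2_connection(ev: dict) -> bool:
    """Sigma selection c2_connection: a target ip/port pair over TCP."""
    return ((ev["DestinationIp"], ev["DestinationPort"]) in C2_TARGETS
            and ev["Protocol"].lower() == "tcp")


def process_filter(ev: dict) -> bool:
    """Sigma selection process_filter: Image|endswith any of the watched names."""
    return ev["Image"].lower().endswith(WATCHED_IMAGES)


def filter_legitimate(ev: dict) -> bool:
    """Sigma selection filter_legitimate: ordinary UDP DNS to Google Public DNS."""
    return ev["DestinationIp"] == "8.8.8.8" and ev["Protocol"].lower() == "udp"


def matches_rule(ev: dict) -> bool:
    """condition: c2_connection and process_filter and not filter_legitimate"""
    return c2_connection(ev) and process_filter(ev) and not filter_legitimate(ev)


def detect_c2_connections(lines) -> list:
    """Return the hosts whose events satisfy the rule, in log order."""
    return [ev["Host"] for ev in map(parse_line, lines) if matches_rule(ev)]


if __name__ == "__main__":
    print(detect_c2_connections(SAMPLE_LOG))  # ['WS02', 'WS03']
```

Two things the walk-through makes visible: because `c2_connection` already requires TCP, the `filter_legitimate` exclusion never changes the outcome and only documents the intent; and the 127.0.0.1:53 case (WS03) is loopback traffic, which only endpoint telemetry such as Sysmon or an EDR sensor can observe, never a perimeter firewall or proxy.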
Sigma Rule 2: Suspicious DLL Injection with nethost.dll
title: Arsenal-237 nethost.dll DLL Injection Attempt
description: Detects DLL injection of nethost.dll or similar network modules
logsource:
  category: process_creation
  product: windows
detection:
  dll_injection:
    CommandLine|contains:
      - 'LoadLibrary*nethost.dll'
      - 'GetProcAddress*WSASocket'
      - 'inject*nethost'
  suspicious_loader:
    ParentImage|endswith:
      - explorer.exe
      - svchost.exe
      - rundll32.exe
      - regsvcs.exe
      - regasm.exe
  suspicious_dll_path:
    Image|contains:
      - '\Temp\'
      - '\AppData\'
      - '\Users\Public'
  condition: (dll_injection or suspicious_loader) and suspicious_dll_path
falsepositives:
  - Legitimate software installation procedures
level: high
tags:
  - attack.defense_evasion
  - attack.t1055
  - arsenal-237
Sigma Rule 3: PowerShell Execution with Malware Command Templates
title: Arsenal-237 nethost.dll PowerShell Template Execution
description: Detects PowerShell execution with known malware command templates
logsource:
  category: process_creation
  product: windows
detection:
  powershell_execution:
    Image|endswith: powershell.exe
  malware_templates:
    CommandLine|contains:
      - 'Get-Service|?{$_.Status -eq'
      - 'Invoke-WebRequest -Uri'
      - 'Select Name,Status|FT'
  suspicious_parent:
    ParentImage|endswith:
      - rundll32.exe
      - regsvcs.exe
      - explorer.exe
      - svchost.exe
  condition: powershell_execution and malware_templates and suspicious_parent
falsepositives:
  - Legitimate system administration scripts
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - arsenal-237
Sigma Rule 4: Environment Variable Discovery (COMPUTERNAME/USERNAME)
title: Arsenal-237 System Reconnaissance - Environment Variable Discovery
description: Detects suspicious queries for COMPUTERNAME and USERNAME environment variables
logsource:
  category: process_creation
  product: windows
detection:
  env_discovery:
    CommandLine|contains:
      - 'GetEnvironmentVariable*COMPUTERNAME'
      - 'GetEnvironmentVariable*USERNAME'
      - '%COMPUTERNAME%'
      - '%USERNAME%'
  suspicious_process:
    Image|endswith:
      - rundll32.exe
      - regsvcs.exe
      - powershell.exe
      - cmd.exe
  filter_legitimate:
    CommandLine|contains:
      - 'echo %COMPUTERNAME%'
      - 'hostname'
      - 'whoami'
  condition: env_discovery and suspicious_process and not filter_legitimate
falsepositives:
  - System administration scripts
  - Legitimate batch files querying environment variables
level: medium
tags:
  - attack.discovery
  - attack.t1082
  - arsenal-237
Sigma Rule 5: Suspicious Network Reconnaissance Commands
title: Arsenal-237 System Reconnaissance Commands
description: Detects execution of reconnaissance commands (sysinfo, services, processes)
logsource:
  category: process_creation
  product: windows
detection:
  recon_commands:
    Image|endswith:
      - cmd.exe
      - powershell.exe
    CommandLine|contains:
      - 'Get-Service'
      - 'Get-Process'
      - 'systeminfo'
      - 'tasklist'
      - 'net user'
      - 'wmic os get'
      - 'ipconfig'
  suspicious_parent:
    ParentImage|endswith:
      - rundll32.exe
      - regsvcs.exe
      - explorer.exe
      - svchost.exe
  # selections hold field maps only; the combination belongs in the condition
  condition: recon_commands and suspicious_parent
falsepositives:
  - Legitimate system administration
  - Help desk scripts
level: medium
tags:
  - attack.discovery
  - attack.t1057
  - attack.t1082
  - arsenal-237
Splunk SPL Queries
Query 1: Detect Connections to C2 Infrastructure
(sourcetype=firewall OR sourcetype=wineventlog)
((dest_ip=8.8.8.8 AND dest_port=53 AND protocol=tcp)
 OR (dest_ip=127.0.0.1 AND dest_port=53 AND protocol=tcp))
| stats count by src_ip, dest_ip, dest_port, src_process, user
| sort - count
Use Case: Identify network connections to known Arsenal-237 C2 targets at the firewall level.
Query 2: Detect nethost.dll File Creation
sourcetype=wineventlog EventCode=11
TargetFilename="*nethost*"
| stats count by host, Image, TargetFilename
| sort - count
Use Case: Monitor for nethost.dll creation in logs (Sysmon Event ID 11 - FileCreate; the created path is in TargetFilename and the creating process in Image).
Query 3: Detect PowerShell Execution with Malware Templates
sourcetype=powershell
((CommandLine="*Get-Service*" AND CommandLine="*Status -eq*")
 OR (CommandLine="*Invoke-WebRequest*" AND CommandLine="*-OutFile*"))
| stats count by host, CommandLine, user, process_id
| sort - count
Use Case: Hunt for PowerShell commands matching Arsenal-237 templates in PowerShell transcript logs.
Query 4: Detect Suspicious DLL Loading
sourcetype=wineventlog (EventID=7 OR EventCode=7)
(ImageLoaded="*nethost.dll" OR ImageLoaded="*\\Temp\\*.dll")
| stats count by host, Image, ImageLoaded, Signed
| sort - count
Use Case: Monitor for suspicious DLL loading events (Windows EventID 7 - Image Loaded).
Query 5: Detect Process Injection from Suspicious Parents
sourcetype=wineventlog EventCode=1
(ParentImage=*rundll32.exe OR ParentImage=*regsvcs.exe OR ParentImage=*explorer.exe)
(Image=*powershell.exe OR Image=*cmd.exe)
| stats count by host, ParentImage, Image, CommandLine
| where count >= 2
| sort - count
Use Case: Identify process injection patterns suggesting malware deployment.
Query 6: Detect Reconnaissance Command Sequence
sourcetype=wineventlog EventCode=1
(Image=*cmd.exe OR Image=*powershell.exe)
(CommandLine=*systeminfo* OR CommandLine=*Get-Service* OR CommandLine=*Get-Process* OR CommandLine="*net user*")
| stats dc(CommandLine) AS distinct_cmds, values(CommandLine) AS commands BY host, user
| where distinct_cmds >= 3
| sort - distinct_cmds
Use Case: Identify sequences of reconnaissance commands on the same host.
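Query 6 is about the number of distinct commands per host and user rather than the raw event count. This added Python example, which is not part of the original report, performs that aggregation over constructed Sysmon Event ID 1-style records so the difference is concrete: one host runs four different reconnaissance commands and is flagged, another repeats `systeminfo` three times and is not. The record format, host names and helper names are my own; the marker substrings are the ones used in the SPL above.

```python
from collections import defaultdict

# Substrings from Query 6 / Sigma Rule 5, compared case-insensitively.
RECON_MARKERS = ("systeminfo", "get-service", "get-process", "net user",
                 "tasklist", "wmic os get", "ipconfig")
SHELLS = ("cmd.exe", "powershell.exe")

# Constructed process-creation records (host, user, Image, CommandLine); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS02", "user": "alice", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c systeminfo"},
    {"host": "WS02", "user": "alice", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Service|?{$_.Status -eq 'Running'}"},
    {"host": "WS02", "user": "alice", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Get-Process"},
    {"host": "WS02", "user": "alice", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c net user"},
    {"host": "WS07", "user": "bob", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c systeminfo"},
    {"host": "WS07", "user": "bob", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c systeminfo"},
    {"host": "WS07", "user": "bob", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c systeminfo"},
    {"host": "WS09", "user": "svc_backup", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


def recon_markers_in(event: dict) -> set:
    """Markers present in the command line of a cmd.exe/powershell.exe event (else empty)."""
    if not event["Image"].lower().endswith(SHELLS):
        return set()
    cmd = event["CommandLine"].lower()
    return {marker for marker in RECON_MARKERS if marker in cmd}


def recon_sequences(events, threshold: int = 3) -> dict:
    """Equivalent of `stats dc(CommandLine) by host, user | where dc >= threshold`,
    keyed on the recon marker so different spellings of one command count once."""
    distinct = defaultdict(set)
    for ev in events:
        distinct[(ev["host"], ev["user"])] |= recon_markers_in(ev)
    return {key: sorted(markers) for key, markers in distinct.items() if len(markers) >= threshold}


if __name__ == "__main__":
    print(recon_sequences(SAMPLE_EVENTS))
```

Counting distinct markers rather than distinct command lines also keeps an operator from being flagged three times for `Get-Service` with different arguments; if that is too lenient for an environment, key the set on the normalised command line instead.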
KQL Queries (Microsoft Sentinel / Microsoft Defender)
Query 1: Network Detection - Connections to C2 IPs
// Defender for Endpoint network telemetry lives in DeviceNetworkEvents;
// in the Defender portal use Timestamp in place of TimeGenerated.
DeviceNetworkEvents
| where RemoteIP in ("8.8.8.8", "127.0.0.1") and RemotePort == 53 and Protocol == "Tcp"
| extend ThreatIndicator = "Arsenal-237-nethost-C2"
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, Protocol, InitiatingProcessFileName, ThreatIndicator
| order by TimeGenerated desc
Use Case: Identify network connections to known Arsenal-237 C2 infrastructure via network telemetry.
Query 2: Process Execution - Suspicious Parent/Child Relationship
DeviceProcessEvents
| where (InitiatingProcessFileName has_any ("rundll32.exe", "regsvcs.exe", "explorer.exe"))
and (FileName has_any ("powershell.exe", "cmd.exe"))
| extend CommandLineIndicator = "T1055-ProcessInjection"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, FileName, CommandLine, CommandLineIndicator
| order by TimeGenerated desc
Use Case: Detect suspicious parent-child process relationships suggesting DLL injection.
Query 3: File Creation - nethost.dll Detection
DeviceFileEvents
| where FileName =~ "nethost.dll"
| extend ThreatIndicator = "Arsenal-237-nethost-DLL"
| project TimeGenerated, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessFileName, ThreatIndicator
| order by TimeGenerated desc
Use Case: Identify nethost.dll file creation or modification events.
Query 4: PowerShell Execution - Malware Command Templates
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where (CommandLine contains "Get-Service" and CommandLine contains "Status -eq")
    or (CommandLine contains "Invoke-WebRequest" and CommandLine contains "-OutFile")
| extend ThreatIndicator = "Arsenal-237-PowerShell-Template"
| project TimeGenerated, DeviceName, CommandLine, ProcessId, InitiatingProcessFileName, ThreatIndicator
| order by TimeGenerated desc
Use Case: Hunt for PowerShell commands matching Arsenal-237 templates in process telemetry.
Query 5: Registry Persistence Check
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryKey has_any (
    @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    @"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
)
| where RegistryValueData contains "nethost" or RegistryValueData contains "cmd"
| extend ThreatIndicator = "Arsenal-237-Persistence"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, ThreatIndicator
| order by TimeGenerated desc
Use Case: Identify suspicious registry persistence mechanisms associated with Arsenal-237.
Suricata Network Signatures
Signature 1: Detect Connections to C2 Addresses (Port 53/TCP)
# Plain connection-attempt signatures: no content match, so they fire on the
# established TCP session itself (an http_method match would never trigger on
# raw traffic to port 53 because no HTTP app-layer is detected there).
alert tcp any any -> 8.8.8.8 53 (
    msg:"Arsenal-237 nethost.dll C2 Connection Attempt to 8.8.8.8:53";
    flow:established,to_server;
    sid:1001001; rev:1;
    classtype:trojan-activity;
    metadata: policy balanced-ips drop, policy security-ips alert;
)
# Loopback traffic is only visible to a host-based sensor; a network tap or
# perimeter IDS will never see this one fire.
alert tcp any any -> 127.0.0.1 53 (
    msg:"Arsenal-237 nethost.dll C2 Connection Attempt to localhost:53";
    flow:established,to_server;
    sid:1001002; rev:1;
    classtype:trojan-activity;
    metadata: policy balanced-ips drop, policy security-ips alert;
)
Signature 2: Detect Suspicious DNS-over-TCP (Port 53/TCP)
# Client payload on TCP/53 that Suricata's DNS parser does not recognise and
# that consists only of printable text (the character class excludes NUL, other
# control bytes and high bytes). A real DNS-over-TCP message starts with a
# two-byte length prefix, so a leading NUL is normal there, not suspicious.
alert tcp any any -> any 53 (
    msg:"Suspicious non-DNS plaintext payload on TCP/53";
    flow:established,to_server;
    app-layer-protocol:!dns;
    pcre:"/^[^\x00-\x09\x0b\x0c\x0e-\x1f\x7f-\xff]+$/";
    sid:1001003; rev:1;
    classtype:trojan-activity;
)
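The second signature relies on the difference between real DNS-over-TCP (a two-byte length prefix followed by the 12-byte DNS header, RFC 1035 section 4.2.2) and a plaintext client payload sent to port 53. This added Python example, which is not part of the original report and does not use Suricata, makes that distinction explicit by parsing the length prefix and header and applying the same printable-bytes character class as the pcre. The query builder, the classifier names and the sample check-in payload are constructed for illustration.

```python
import struct


def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed DNS-over-TCP query for name (type A, class IN): length prefix + message."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD, QR=0
    message = header + qname + struct.pack("!HH", 1, 1)
    return struct.pack("!H", len(message)) + message


def looks_like_dns_over_tcp(payload: bytes) -> bool:
    """Sanity-check a client->server TCP/53 payload as a single DNS message."""
    if len(payload) < 14:            # 2-byte length prefix + 12-byte header
        return False
    (length,) = struct.unpack("!H", payload[:2])
    if length != len(payload) - 2:   # prefix must describe the rest of the segment
        return False
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[2:14])
    is_response = bool(flags & 0x8000)
    opcode = (flags >> 11) & 0xF     # 0 = standard query, 2 = server status
    return not is_response and opcode in (0, 2) and qdcount >= 1


def printable_only(payload: bytes) -> bool:
    """Character class of the signature's pcre: CR, LF and 0x20-0x7e only."""
    return bool(payload) and all(b in (0x0A, 0x0D) or 0x20 <= b <= 0x7E for b in payload)


def classify_tcp53_payload(payload: bytes) -> str:
    """'dns' for a well-formed query, 'suspicious-plaintext' for what the signature
    targets, 'other' for anything else (TLS, binary protocols, fragments)."""
    if looks_like_dns_over_tcp(payload):
        return "dns"
    if printable_only(payload):
        return "suspicious-plaintext"
    return "other"


# Constructed payloads: a genuine query, a plaintext check-in, a TLS ClientHello prefix.
SAMPLES = {
    "query": build_dns_query("example.com"),
    "beacon": b"machine_id=WS02;user=alice\r\n",
    "tls": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, classify_tcp53_payload(payload))
```

The check deliberately stops at "does this parse as one DNS message"; a production sensor should defer to its DNS app-layer parser, which is what `app-layer-protocol:!dns` does in the signature, and use the printable-only test as the second condition rather than the first.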
Threat Hunting Playbook
Hunting Scenario 1: Find All Instances of nethost.dll
Objective: Locate all instances of nethost.dll across your infrastructure.
Tools: YARA, EDR, File Share Scanning
Procedure:
- Deploy YARA rule “Arsenal237_nethost_dll_hash_detection” across all endpoints
- Query file shares and backups for nethost.dll
- Review EDR logs for any DLL load events matching nethost.dll
- Correlate findings with process execution logs
Expected Result: Comprehensive inventory of nethost.dll instances; if any found, escalate to incident response.
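The hash rule and Hunting Scenario 1 both come down to the same check: compute each file's digests, compare them with the published hashes, and treat a filename match on its own as a lead rather than a confirmation. This added Python example, not part of the original report, walks a directory tree and does exactly that against the three hashes from Rule 1. `demo()` builds a constructed temporary tree so the sweep can be run offline; the file names and contents in it are made up, and `sweep`, `file_hashes` and `demo` are my own names.

```python
import hashlib
import tempfile
from pathlib import Path

# Hashes published in Rule 1 above.
KNOWN_HASHES = {
    "sha256": {"158f61b6d10ea2ce78769703a2ffbba9c08f0172e37013de960d9efe5e9fde14"},
    "md5": {"f91ff1bb5699524524fff0e2587af040"},
    "sha1": {"622ddbacaf769aef383435162a203489c08c8468"},
}
SUSPECT_NAME = "nethost.dll"


def file_hashes(path: Path) -> dict:
    """Compute md5/sha1/sha256 of a file in one pass, reading in 1 MiB chunks."""
    digests = {alg: hashlib.new(alg) for alg in ("md5", "sha1", "sha256")}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {alg: d.hexdigest() for alg, d in digests.items()}


def sweep(root, known: dict = KNOWN_HASHES) -> list:
    """Walk root; report files whose digest is in known or whose name is nethost.dll."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        digests = file_hashes(path)
        hash_match = sorted(alg for alg, values in known.items() if digests[alg] in values)
        name_match = path.name.lower() == SUSPECT_NAME
        if hash_match or name_match:
            findings.append({
                "path": str(path),
                "hash_match": hash_match,   # confirmed IOC hit
                "name_match": name_match,   # lead only: verify the hash before escalating
                "sha256": digests["sha256"],
            })
    return findings


def demo() -> dict:
    """Constructed tree: one file whose sha256 is registered as an IOC for the demo,
    one file that merely carries the suspect name, and one unrelated file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        sample = b"constructed stand-in for the flagged module\n"
        (root / "sub" / "evil.bin").write_bytes(sample)
        (root / SUSPECT_NAME).write_bytes(b"same name, different content\n")
        (root / "readme.txt").write_bytes(b"nothing to see\n")
        known = {"sha256": {hashlib.sha256(sample).hexdigest()}, "md5": set(), "sha1": set()}
        return {Path(f["path"]).name: (f["hash_match"], f["name_match"])
                for f in sweep(root, known)}


if __name__ == "__main__":
    print(demo())  # {'nethost.dll': ([], True), 'evil.bin': (['sha256'], False)}
```

On a real sweep, wrap `file_hashes` in a try/except for permission errors and unreadable special files, and record the sha256 of every name-only hit so it can be compared against the published hashes before the host is escalated to incident response.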
Hunting Scenario 2: Find All Connections to C2 Infrastructure
Objective: Identify any network connections to 8.8.8.8:53 or 127.0.0.1:53.
Tools: Firewall, Proxy, Network Monitoring, EDR
Procedure:
- Query firewall logs for any connections to 8.8.8.8:53 (TCP) or 127.0.0.1:53 (TCP)
- Query proxy logs for similar connections
- Query EDR for network connection telemetry matching these addresses
- For each connection found, identify source process and system
Expected Result: List of systems attempting C2 connections; investigate each for malware presence.
Hunting Scenario 3: Find PowerShell Execution with Malware Templates
Objective: Identify PowerShell execution patterns matching Arsenal-237 templates.
Tools: PowerShell Transcript Logging, EDR, SIEM
Procedure:
- Search PowerShell transcripts for commands containing "Get-Service|?{$_.Status -eq"
- Search for commands containing "Invoke-WebRequest -Uri '' -OutFile ''"
- For each match, identify parent process and user context
- Cross-reference with process creation logs
Expected Result: List of systems executing malware templates; investigate for compromise.
Hunting Scenario 4: Find Suspicious DLL Injection Events
Objective: Identify DLL injection patterns potentially associated with nethost.dll deployment.
Tools: EDR, Event Logging (Sysmon), SIEM
Procedure:
- Search Event ID 7 (Image Loaded) for DLL loads from suspicious paths (%Temp%, %AppData%)
- Identify parent processes: rundll32.exe, regsvcs.exe, explorer.exe, svchost.exe
- Look for DLL names: nethost, network, host, c2
- For each match, check for subsequent network connections
Expected Result: List of suspicious DLL injection events; escalate those with network communication.
Hunting Scenario 5: Find Environment Variable Discovery Patterns
Objective: Identify systems querying COMPUTERNAME/USERNAME in suspicious context.
Tools: EDR, PowerShell Transcript Logging, Event Logs
Procedure:
- Search for processes querying GetEnvironmentVariable(COMPUTERNAME) or GetEnvironmentVariable(USERNAME)
- Identify parent processes and context
- Look for immediate network connection attempts following variable queries
- Cross-reference with C2 connection list from Hunting Scenario 2
Expected Result: Systems performing reconnaissance; correlate with C2 connections for high-confidence detections.
Detection Coverage Matrix
| Detection Method | Coverage | Reliability | Ease of Evasion |
|---|---|---|---|
| File Hash (YARA) | Exact variant detection | HIGH | HIGH (recompilation evades) |
| String Signatures (YARA) | Hardcoded C2, templates | HIGH | MEDIUM (recompilation evades) |
| Network Signature (Suricata) | C2 connections | VERY HIGH | MEDIUM (new C2 evades) |
| Behavioral Detection (EDR) | Suspicious process behavior | HIGH | LOW (behavior patterns consistent) |
| PowerShell Transcript Analysis | Command execution tracking | HIGH | MEDIUM (obfuscation bypasses) |
| DNS Sinkhole | C2 domain resolution | HIGH | MEDIUM (new domains evade) |
| Registry Monitoring | Persistence mechanisms | MEDIUM | LOW (no registry persistence) |
| Process Injection Detection | DLL injection patterns | MEDIUM | MEDIUM (alternative methods bypass) |
Recommended Detection Deployment Priority
PHASE 1 (Days 1-3) - Emergency Detection:
- Deploy network signatures to block 8.8.8.8:53 and 127.0.0.1:53 outbound connections
- Deploy YARA file hash detection across all endpoints
- Deploy Sigma network connection rule to SIEM
PHASE 2 (Days 4-7) - Behavioral Detection:
- Deploy PowerShell transcript logging and analysis
- Deploy EDR behavioral detection rules for process injection
- Deploy Sigma detection rules for reconnaissance commands
PHASE 3 (Weeks 2-4) - Long-Term Hardening:
- Implement DNS sinkhole for known C2 domains
- Deploy next-generation firewall with C2 detection
- Establish continuous threat hunting schedule
False Positive Management
Expected False Positives:
- Legitimate Google DNS usage (8.8.8.8 port 53 UDP) - Filter out UDP traffic
- System administration scripts querying environment variables
- Standard PowerShell administration (Get-Service usage)
Tuning Recommendations:
- Filter out UDP to 8.8.8.8:53 (legitimate DNS) - focus on TCP
- Exclude known administrative PowerShell scripts from alerting
- Establish baseline for each organization’s legitimate environment variable queries
- Implement confidence levels rather than binary alerting
Integration with Security Tools
SIEM Integration
- Import Sigma rules into Splunk, Elastic, or Microsoft Sentinel
- Configure SPL/KQL queries for continuous monitoring
- Set up alerting thresholds and escalation procedures
EDR Integration
- Deploy YARA/Sigma detection rules to endpoint agents
- Configure incident response automation for high-confidence detections
- Enable process tree visualization for parent-child relationship analysis
Firewall Integration
- Create firewall rules to block 8.8.8.8:53 and 127.0.0.1:53
- Enable logging for all connection attempts (even if blocked)
- Alert on repeated connection attempts indicating persistence
DNS Sinkhole
- Add known C2 domains to sinkhole blocklist
- Monitor for queries to C2 domains by suspicious processes
- Alert on sinkhole hits for rapid incident response
Metrics & Effectiveness Tracking
Track the following metrics to assess detection effectiveness:
- Detection Rate: Percentage of known infected systems detected
- Time to Detection: Average time from compromise to detection alert
- False Positive Rate: Percentage of benign alerts vs. true positives
- MTTR (Mean Time to Response): Average time from alert to incident response
- Coverage: Percentage of infrastructure covered by each detection method
Goal: Achieve 95%+ detection rate with <5% false positive rate within 30 days of deployment.
License
(c) 2026 Threat Intelligence Team. All rights reserved. Detection rules free to use for security defensive purposes. Commercial distribution requires written permission.