Unusual Service Host Child Process - Childless Service

Identifies unusual child processes of Service Host (svchost.exe) instances running services that traditionally do not spawn any child processes. This may indicate code injection or an equivalent form of exploitation.

Elastic rule

  1[metadata]
  2creation_date = "2020/10/13"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2024/10/15"
  6min_stack_version = "8.14.0"
  7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
  8
  9[rule]
 10author = ["Elastic"]
 11description = """
 12Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes.
 13This may indicate a code injection or an equivalent form of exploitation.
 14"""
 15false_positives = ["Changes to Windows services or a rarely executed child process."]
 16from = "now-9m"
 17index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Unusual Service Host Child Process - Childless Service"
 21risk_score = 47
 22rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7"
 23severity = "medium"
 24tags = [
 25    "Domain: Endpoint",
 26    "OS: Windows",
 27    "Use Case: Threat Detection",
 28    "Tactic: Defense Evasion",
 29    "Tactic: Privilege Escalation",
 30    "Data Source: Elastic Endgame",
 31    "Data Source: Elastic Defend",
 32    "Data Source: Sysmon",
 33    "Data Source: Microsoft Defender for Endpoint",
 34    "Data Source: SentinelOne",
 35]
 36timestamp_override = "event.ingested"
 37type = "eql"
 38
 39query = '''
 40process where host.os.type == "windows" and event.type == "start" and
 41  process.parent.name : "svchost.exe" and
 42
 43  /* based on svchost service arguments -s svcname where the service is known to be childless */
 44  process.parent.args : (
 45    "WdiSystemHost", "LicenseManager", "StorSvc", "CDPSvc", "cdbhsvc", "BthAvctpSvc", "SstpSvc", "WdiServiceHost",
 46    "imgsvc", "TrkWks", "WpnService", "IKEEXT", "PolicyAgent", "CryptSvc", "netprofm", "ProfSvc", "StateRepository",
 47    "camsvc", "LanmanWorkstation", "NlaSvc", "EventLog", "hidserv", "DisplayEnhancementService", "ShellHWDetection",
 48    "AppHostSvc", "fhsvc", "CscService", "PushToInstall"
 49  ) and
 50
 51  /* unknown FPs can be added here */
 52  not process.name : ("WerFault.exe", "WerFaultSecure.exe", "wermgr.exe") and
 53  not (process.executable : "?:\\Windows\\System32\\RelPost.exe" and process.parent.args : "WdiSystemHost") and
 54  not (
 55    process.name : "rundll32.exe" and
 56    process.args : "?:\\WINDOWS\\System32\\winethc.dll,ForceProxyDetectionOnNextRun" and
 57    process.parent.args : "WdiServiceHost"
 58  ) and
 59  not (
 60    process.executable : (
 61      "?:\\Program Files\\*",
 62      "?:\\Program Files (x86)\\*",
 63      "?:\\Windows\\System32\\Kodak\\kds_?????\\lib\\lexexe.exe"
 64    ) and process.parent.args : "imgsvc"
 65  )
 66'''
 67
 68
 69[[rule.threat]]
 70framework = "MITRE ATT&CK"
 71[[rule.threat.technique]]
 72id = "T1055"
 73name = "Process Injection"
 74reference = "https://attack.mitre.org/techniques/T1055/"
 75[[rule.threat.technique.subtechnique]]
 76id = "T1055.012"
 77name = "Process Hollowing"
 78reference = "https://attack.mitre.org/techniques/T1055/012/"
 79
 80
 81
 82[rule.threat.tactic]
 83id = "TA0004"
 84name = "Privilege Escalation"
 85reference = "https://attack.mitre.org/tactics/TA0004/"
 86[[rule.threat]]
 87framework = "MITRE ATT&CK"
 88[[rule.threat.technique]]
 89id = "T1055"
 90name = "Process Injection"
 91reference = "https://attack.mitre.org/techniques/T1055/"
 92[[rule.threat.technique.subtechnique]]
 93id = "T1055.012"
 94name = "Process Hollowing"
 95reference = "https://attack.mitre.org/techniques/T1055/012/"
 96
 97
 98
 99[rule.threat.tactic]
100id = "TA0005"
101name = "Defense Evasion"
102reference = "https://attack.mitre.org/tactics/TA0005/"
