Unusual Service Host Child Process - Childless Service
Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.
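[metadata]
creation_date = "2020/10/13"
integration = ["endpoint", "windows"]
maturity = "production"
# Records why min_stack_version was raised: the rule uses fields
# (required_fields, related_integrations, setup) that older stacks do not support.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/28"
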
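[rule]
author = ["Elastic"]
description = """
Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes.
This may indicate a code injection or an equivalent form of exploitation.
"""
false_positives = ["Changes to Windows services or a rarely executed child process."]
# Look-back window per rule run; it is evaluated against event.ingested
# (see timestamp_override below), which is why the setup text requires that field.
from = "now-9m"
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Service Host Child Process - Childless Service"
risk_score = 47
rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
# Use ingest time rather than @timestamp so late-arriving events still fall inside `from`.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic: a Windows process start whose parent is svchost.exe hosting one of the
# listed services (matched on the parent's service-name argument), where that service is
# not expected to spawn children. The trailing `not` clauses carve out known benign children.
# NOTE(review): the WerFault/WerFaultSecure/wermgr exclusion is keyed on process.name only,
# with no path constraint, which is a weaker filter than the path-scoped RelPost and lexexe
# exclusions below; consider adding a process.executable condition when tuning.
# NOTE(review): the imgsvc exclusion accepts any executable under Program Files / Program
# Files (x86); it is broad by design, so review it when lowering the false-positive list.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "svchost.exe" and

 /* based on svchost service arguments -s svcname where the service is known to be childless */
 process.parent.args : (
 "WdiSystemHost", "LicenseManager", "StorSvc", "CDPSvc", "cdbhsvc", "BthAvctpSvc", "SstpSvc", "WdiServiceHost",
 "imgsvc", "TrkWks", "WpnService", "IKEEXT", "PolicyAgent", "CryptSvc", "netprofm", "ProfSvc", "StateRepository",
 "camsvc", "LanmanWorkstation", "NlaSvc", "EventLog", "hidserv", "DisplayEnhancementService", "ShellHWDetection",
 "AppHostSvc", "fhsvc", "CscService", "PushToInstall"
 ) and

 /* unknown FPs can be added here */
 not process.name : ("WerFault.exe", "WerFaultSecure.exe", "wermgr.exe") and
 not (process.executable : "?:\\Windows\\System32\\RelPost.exe" and process.parent.args : "WdiSystemHost") and
 not (
 process.name : "rundll32.exe" and
 process.args : "?:\\WINDOWS\\System32\\winethc.dll,ForceProxyDetectionOnNextRun" and
 process.parent.args : "WdiServiceHost"
 ) and
 not (
 process.executable : (
 "?:\\Program Files\\*",
 "?:\\Program Files (x86)\\*",
 "?:\\Windows\\System32\\Kodak\\kds_?????\\lib\\lexexe.exe"
 ) and process.parent.args : "imgsvc"
 )
'''
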
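# ATT&CK mapping. Each [[rule.threat]] entry carries a single [rule.threat.tactic]
# table, so the same technique (T1055 / T1055.012) is listed once per tactic it
# supports: Privilege Escalation (TA0004) and Defense Evasion (TA0005).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
[[rule.threat.technique.subtechnique]]
id = "T1055.012"
name = "Process Hollowing"
reference = "https://attack.mitre.org/techniques/T1055/012/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
[[rule.threat.technique.subtechnique]]
id = "T1055.012"
name = "Process Hollowing"
reference = "https://attack.mitre.org/techniques/T1055/012/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"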
Related rules
- Conhost Spawned By Suspicious Parent Process
- Suspicious DLL Loaded for Persistence or Privilege Escalation
- UAC Bypass Attempt via Elevated COM Internet Explorer Add-On Installer
- UAC Bypass Attempt via Privileged IFileOperation COM Interface
- UAC Bypass Attempt with IEditionUpgradeManager Elevated COM Interface