Unusual Service Host Child Process - Childless Service

Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.


[metadata]
creation_date = "2020/10/13"
# Fleet integrations whose data streams this rule reads; they line up with the
# logs-endpoint.* and logs-windows.* index patterns under [rule] below.
integration = ["endpoint", "windows"]
maturity = "production"
# Presumably the reason for the 8.3.0 floor: these rule-schema fields did not exist earlier.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/03/28"
[rule]
author = ["Elastic"]
description = """
Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes.
This may indicate a code injection or an equivalent form of exploitation.
"""
false_positives = ["Changes to Windows services or a rarely executed child process."]
# Look-back window for each rule execution. Because timestamp_override is set below,
# this window is applied to event.ingested rather than @timestamp.
from = "now-9m"
# Process-event sources: Elastic Defend, Winlogbeat, Sysmon (windows integration) and
# Endgame, matching the "Data Source:" tags further down.
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Service Host Child Process - Childless Service"
# Kept in step with severity = "medium" below.
risk_score = 47
rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Tactic: Privilege Escalation", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
# The rule is evaluated on event.ingested; the setup text above describes the ingest
# pipeline needed on pre-8.2 beats indices that do not populate this field.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic (the EQL comments inside the query give the rationale for the service list):
#   1. a process start event on Windows whose parent is svchost.exe;
#   2. the parent's arguments name one of the svchost service groups listed as childless;
#   3. minus the known-benign children enumerated in the `not (...)` clauses.
# Review notes on the exclusions:
#   - The WerFault.exe / WerFaultSecure.exe / wermgr.exe exclusion keys on process.name
#     only, whereas every other exclusion is additionally scoped by process.parent.args and
#     two of them by process.executable. Anchoring this one on the expected executable path
#     as well would stop an unrelated binary that merely carries one of these names from
#     being suppressed.
#   - The imgsvc exclusion suppresses any child launched from "?:\Program Files\*" or
#     "?:\Program Files (x86)\*"; this is deliberately broad and is worth re-checking
#     when tuning the rule for a given environment.
# The `/* unknown FPs can be added here */` marker shows where further exclusions belong.
query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : "svchost.exe" and

  /* based on svchost service arguments -s svcname where the service is known to be childless */
  process.parent.args : (
    "WdiSystemHost", "LicenseManager", "StorSvc", "CDPSvc", "cdbhsvc", "BthAvctpSvc", "SstpSvc", "WdiServiceHost",
    "imgsvc", "TrkWks", "WpnService", "IKEEXT", "PolicyAgent", "CryptSvc", "netprofm", "ProfSvc", "StateRepository",
    "camsvc", "LanmanWorkstation", "NlaSvc", "EventLog", "hidserv", "DisplayEnhancementService", "ShellHWDetection",
    "AppHostSvc", "fhsvc", "CscService", "PushToInstall"
  ) and

  /* unknown FPs can be added here */
  not process.name : ("WerFault.exe", "WerFaultSecure.exe", "wermgr.exe") and
  not (process.executable : "?:\\Windows\\System32\\RelPost.exe" and process.parent.args : "WdiSystemHost") and
  not (
    process.name : "rundll32.exe" and
    process.args : "?:\\WINDOWS\\System32\\winethc.dll,ForceProxyDetectionOnNextRun" and
    process.parent.args : "WdiServiceHost"
  ) and
  not (
    process.executable : (
      "?:\\Program Files\\*",
      "?:\\Program Files (x86)\\*",
      "?:\\Windows\\System32\\Kodak\\kds_?????\\lib\\lexexe.exe"
    ) and process.parent.args : "imgsvc"
  )
'''
# ATT&CK mapping. The same technique/sub-technique pair (T1055 / T1055.012) appears twice
# because it falls under both tactics the rule's tags name: Privilege Escalation (TA0004)
# and Defense Evasion (TA0005). Each [[rule.threat]] entry carries exactly one tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
[[rule.threat.technique.subtechnique]]
id = "T1055.012"
name = "Process Hollowing"
reference = "https://attack.mitre.org/techniques/T1055/012/"



# Tactic for the first entry.
[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
# Second entry: identical technique, mapped to Defense Evasion.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"
[[rule.threat.technique.subtechnique]]
id = "T1055.012"
name = "Process Hollowing"
reference = "https://attack.mitre.org/techniques/T1055/012/"


# Tactic for the second entry.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
