Unusual Service Host Child Process - Childless Service
Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes. This may indicate a code injection or an equivalent form of exploitation.
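[metadata]
creation_date = "2020/10/13"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes.
This may indicate a code injection or an equivalent form of exploitation.
"""
false_positives = ["Changes to Windows services or a rarely executed child process."]
# Lookback window per rule execution; combined with `timestamp_override` below so
# events that arrive late are still evaluated against this window.
from = "now-9m"
# Process events from Elastic Defend, Winlogbeat, Sysmon and Endgame.
index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Unusual Service Host Child Process - Childless Service"
risk_score = 47
rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Tactic: Privilege Escalation",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
# Evaluate on ingest time rather than @timestamp; see the setup text above for
# indices (pre-8.2 beats) that do not populate `event.ingested`.
timestamp_override = "event.ingested"
type = "eql"

# Matches process-start events whose parent is svchost.exe hosting one of the
# listed services (taken from the `-s <svcname>` argument). Those services are
# expected to be childless, so any child process is surfaced. The trailing `not`
# clauses are known-benign exclusions; note that the imgsvc exclusion is
# path-based and covers every executable under Program Files, so it trades
# detection coverage for fewer false positives.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.parent.name : "svchost.exe" and

 /* based on svchost service arguments -s svcname where the service is known to be childless */
 process.parent.args : (
 "WdiSystemHost", "LicenseManager", "StorSvc", "CDPSvc", "cdbhsvc", "BthAvctpSvc", "SstpSvc", "WdiServiceHost",
 "imgsvc", "TrkWks", "WpnService", "IKEEXT", "PolicyAgent", "CryptSvc", "netprofm", "ProfSvc", "StateRepository",
 "camsvc", "LanmanWorkstation", "NlaSvc", "EventLog", "hidserv", "DisplayEnhancementService", "ShellHWDetection",
 "AppHostSvc", "fhsvc", "CscService", "PushToInstall"
 ) and

 /* unknown FPs can be added here */
 not process.name : ("WerFault.exe", "WerFaultSecure.exe", "wermgr.exe") and
 not (process.executable : "?:\\Windows\\System32\\RelPost.exe" and process.parent.args : "WdiSystemHost") and
 not (
 process.name : "rundll32.exe" and
 process.args : "?:\\WINDOWS\\System32\\winethc.dll,ForceProxyDetectionOnNextRun" and
 process.parent.args : "WdiServiceHost"
 ) and
 not (
 process.executable : (
 "?:\\Program Files\\*",
 "?:\\Program Files (x86)\\*",
 "?:\\Windows\\System32\\Kodak\\kds_?????\\lib\\lexexe.exe"
 ) and process.parent.args : "imgsvc"
 )
'''

# One `[[rule.threat]]` entry per ATT&CK tactic; both entries map the same
# technique (T1055 / T1055.012) to a different tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"

[[rule.threat.technique.subtechnique]]
id = "T1055.012"
name = "Process Hollowing"
reference = "https://attack.mitre.org/techniques/T1055/012/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"

[[rule.threat.technique.subtechnique]]
id = "T1055.012"
name = "Process Hollowing"
reference = "https://attack.mitre.org/techniques/T1055/012/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"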