Unusual Service Host Child Process - Childless Service

Identifies child processes spawned by Service Host (svchost.exe) instances that are hosting services which traditionally do not spawn any child processes. Because a legitimate instance of one of these services never creates children, a child process is a strong signal that code was injected into the svchost.exe process, or that it was exploited in an equivalent way.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2020/10/13"
  3integration = ["endpoint", "windows"]
  4maturity = "production"
  5updated_date = "2024/05/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn any child processes.
 11This may indicate a code injection or an equivalent form of exploitation.
 12"""
 13false_positives = ["Changes to Windows services or a rarely executed child process."]
 14from = "now-9m"
 15index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
 16language = "eql"
 17license = "Elastic License v2"
 18name = "Unusual Service Host Child Process - Childless Service"
 19risk_score = 47
 20rule_id = "6a8ab9cc-4023-4d17-b5df-1a3e16882ce7"
 21setup = """## Setup
 22
 23If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 24events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 25Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 26`event.ingested` to @timestamp.
 27For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 28"""
 29severity = "medium"
 30tags = [
 31    "Domain: Endpoint",
 32    "OS: Windows",
 33    "Use Case: Threat Detection",
 34    "Tactic: Defense Evasion",
 35    "Tactic: Privilege Escalation",
 36    "Data Source: Elastic Endgame",
 37    "Data Source: Elastic Defend",
 38    "Data Source: Sysmon",
 39]
 40timestamp_override = "event.ingested"
 41type = "eql"
 42
 43query = '''
 44process where host.os.type == "windows" and event.type == "start" and
 45  process.parent.name : "svchost.exe" and
 46
 47  /* based on svchost service arguments -s svcname where the service is known to be childless */
 48  process.parent.args : (
 49    "WdiSystemHost", "LicenseManager", "StorSvc", "CDPSvc", "cdbhsvc", "BthAvctpSvc", "SstpSvc", "WdiServiceHost",
 50    "imgsvc", "TrkWks", "WpnService", "IKEEXT", "PolicyAgent", "CryptSvc", "netprofm", "ProfSvc", "StateRepository",
 51    "camsvc", "LanmanWorkstation", "NlaSvc", "EventLog", "hidserv", "DisplayEnhancementService", "ShellHWDetection",
 52    "AppHostSvc", "fhsvc", "CscService", "PushToInstall"
 53  ) and
 54
 55  /* unknown FPs can be added here */
 56  not process.name : ("WerFault.exe", "WerFaultSecure.exe", "wermgr.exe") and
 57  not (process.executable : "?:\\Windows\\System32\\RelPost.exe" and process.parent.args : "WdiSystemHost") and
 58  not (
 59    process.name : "rundll32.exe" and
 60    process.args : "?:\\WINDOWS\\System32\\winethc.dll,ForceProxyDetectionOnNextRun" and
 61    process.parent.args : "WdiServiceHost"
 62  ) and
 63  not (
 64    process.executable : (
 65      "?:\\Program Files\\*",
 66      "?:\\Program Files (x86)\\*",
 67      "?:\\Windows\\System32\\Kodak\\kds_?????\\lib\\lexexe.exe"
 68    ) and process.parent.args : "imgsvc"
 69  )
 70'''
 71
 72
 73[[rule.threat]]
 74framework = "MITRE ATT&CK"
 75[[rule.threat.technique]]
 76id = "T1055"
 77name = "Process Injection"
 78reference = "https://attack.mitre.org/techniques/T1055/"
 79[[rule.threat.technique.subtechnique]]
 80id = "T1055.012"
 81name = "Process Hollowing"
 82reference = "https://attack.mitre.org/techniques/T1055/012/"
 83
 84
 85
 86[rule.threat.tactic]
 87id = "TA0004"
 88name = "Privilege Escalation"
 89reference = "https://attack.mitre.org/tactics/TA0004/"
 90[[rule.threat]]
 91framework = "MITRE ATT&CK"
 92[[rule.threat.technique]]
 93id = "T1055"
 94name = "Process Injection"
 95reference = "https://attack.mitre.org/techniques/T1055/"
 96[[rule.threat.technique.subtechnique]]
 97id = "T1055.012"
 98name = "Process Hollowing"
 99reference = "https://attack.mitre.org/techniques/T1055/012/"
100
101
102
103[rule.threat.tactic]
104id = "TA0005"
105name = "Defense Evasion"
106reference = "https://attack.mitre.org/tactics/TA0005/"
