Shrpubw Execution from Unexpected File Path
Detects execution of shrpubw.exe from a location other than the Windows System32 directory or the WinSxS component store, which may indicate a copied binary being used for DLL search order hijacking (T1574.001). Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule

```yaml
title: Shrpubw Execution from Unexpected File Path
id: 3b9fc5ea-6288-4c03-882a-af00df4f5b32
status: experimental
description: Detects execution of shrpubw.exe from a location other than the Windows System32 directory or the WinSxS component store, which may indicate a copied binary being used for DLL search order hijacking. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/dll-search-order-hijacking/
author: Micah Babinski
date: 2022/11/04
tags:
    - attack.persistence
    - attack.t1574
    - attack.t1574.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\shrpubw.exe'
    filter:
        Image|contains:
            - 'windows\system32\shrpubw.exe'
            - 'windows\winsxs'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
```
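To see what the rule actually matches, the following added example re-implements its three pieces in Python: the `Image|endswith` selection, the `Image|contains` filter and the `selection and not filter` condition, with the case-insensitive string matching that Sigma applies by default. It is illustrative code written for this page, not SigmaHQ tooling or the rule author's code, and the process_creation events it runs over are constructed samples in Sysmon Event ID 1 field names, not real telemetry.

```python
"""Added example: evaluate the Sigma logic above over constructed Sysmon-style events.

Mirrors the rule's `selection` (Image|endswith), `filter` (Image|contains) and
`condition: selection and not filter`. Sigma string modifiers match
case-insensitively by default, so every comparison is done on lower-cased values.
This is illustrative code, not part of SigmaHQ or the rule author's work.
"""
from typing import Dict, Iterable, List

# Values lifted verbatim from the rule's `selection` and `filter` blocks.
SELECTION_SUFFIX = "\\shrpubw.exe"
FILTER_SUBSTRINGS = ("windows\\system32\\shrpubw.exe", "windows\\winsxs")


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when the event would fire 'Shrpubw Execution from Unexpected File Path'."""
    image = event.get("Image", "").lower()  # case-insensitive, as in Sigma
    selection = image.endswith(SELECTION_SUFFIX)
    in_filter = any(s in image for s in FILTER_SUBSTRINGS)
    return selection and not in_filter


def find_alerts(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rule over a batch of process_creation events and keep the hits."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (Sysmon Event ID 1 field names); not real telemetry.
SAMPLE_EVENTS = [
    # Normal launch from System32: selected, then removed by the filter.
    {"Image": "C:\\Windows\\System32\\shrpubw.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # Same binary, mixed-case path: still filtered because matching ignores case.
    {"Image": "C:\\WINDOWS\\system32\\SHRPUBW.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    # Copy in the component store (placeholder folder name): filtered by 'windows\winsxs'.
    {"Image": "C:\\Windows\\WinSxS\\example-component\\shrpubw.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe"},
    # Binary copied to a user-writable directory next to a planted DLL: alerts.
    {"Image": "C:\\Users\\Public\\shrpubw.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    # Different file name that merely ends in the same letters: not selected,
    # because the suffix includes the leading backslash.
    {"Image": "C:\\Temp\\notshrpubw.exe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    # Another unexpected path, odd casing: alerts.
    {"Image": "C:\\ProgramData\\Update\\ShrPubW.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT  Image={hit['Image']}  ParentImage={hit['ParentImage']}")
```

Two caveats fall out of running it. The rule keys on the file name only, so a copy of the binary that an attacker renames is not selected at all; pairing `Image|endswith` with the PE's `OriginalFileName` field (Sysmon and many EDRs record it) makes the selection harder to evade. The filter is a plain substring match, so before deploying at level high, check your own baseline for the binary launching from any other Windows path and extend the filter list rather than lowering the level.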
References
- https://redcanary.com/threat-detection-report/techniques/dll-search-order-hijacking/
Related rules
- Files Dropped to Program Files by Non-Priviledged Process
- Suspicious Calc DLL Load
- Suspicious 'Admin' Local User Creation with Net Command
- AdSearch Reg Runkey Persistence Execution (RedCanary Threat Detection Report)
- AdSearch Startup Folder Persistence File Creation (RedCanary Threat Detection Report)