Svchost Not Matching Normal Execution Parameters
Looks for the execution of svchost without the normal -k parameter. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule

```yaml
title: Svchost Not Matching Normal Execution Parameters
id: 036c727d-0263-4733-ad60-d5f48dc72144
status: experimental
description: Looks for the execution of svchost without the normal -k parameter. Inspired
  by the 2022 Red Canary Threat Detection report.
references:
  - https://redcanary.com/threat-detection-report/techniques/match-legitimate-name-or-location/
author: Micah Babinski
date: 2022/11/04
tags:
  - attack.defense_evasion
  - attack.t1036
  - attack.t1036.005
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\svchost.exe'
  filter:
    CommandLine|contains: '-k'
  condition: selection and not filter
falsepositives:
  - Unknown
level: high
```
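To make the rule's matching semantics concrete, the following is an added Python re-implementation of its `selection and not filter` logic run over a few constructed process_creation events; it is not part of the Sigma project or this rule, and every path and command line in it is an invented sample.

```python
# Added example (not the Sigma project's code): re-implements this rule's
# "selection and not filter" logic so its matching semantics can be checked
# against a few constructed process_creation events.
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Subset of a Windows process_creation event (e.g. Sysmon Event ID 1)."""
    image: str          # full path of the new process ("Image")
    command_line: str   # its command line ("CommandLine")


def matches_rule(ev: ProcessEvent) -> bool:
    # Sigma string modifiers compare case-insensitively by default, so both
    # sides are lowercased before the endswith / contains checks.
    selection = ev.image.lower().endswith(r"\svchost.exe")
    # The filter matches "-k" anywhere in the command line, not only as a
    # leading switch; any command line containing that substring is suppressed.
    filtered = "-k" in ev.command_line.lower()
    return selection and not filtered


def alerts(events):
    """Return the events the rule would flag, in input order."""
    return [ev for ev in events if matches_rule(ev)]


# Constructed sample events (invented paths and command lines, not real logs).
SAMPLE_EVENTS = [
    # Normal service host launch: has -k, so filtered out.
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"),
    # Upper-case switch: still matches the case-insensitive filter.
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -K LocalService"),
    # Real binary run without any -k parameter: flagged.
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe"),
    # Lookalike name in a user-writable directory, no -k: flagged.
    ProcessEvent(r"C:\Users\alice\AppData\Roaming\svchost.exe",
                 r"svchost.exe --update"),
    # Different image: selection does not match at all.
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe -k"),
]

if __name__ == "__main__":
    for ev in alerts(SAMPLE_EVENTS):
        print(f"ALERT  image={ev.image}  cmd={ev.command_line}")
```

Because the filter is a bare substring test, a tuned version of the rule would typically anchor on the switch itself (for example a regex on `\s-k\s`) and add the parent process to the selection; the block above keeps the rule's semantics as written.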
Related rules
- Unexpected Internal Process Name
- Abusing PowerShell to Disable Defender Components
- Abusing PowerShell to Modify Defender Components
- Application Bypass with RunDLL32 and DllRegisterServer Function
- Base64 Encoding in CMD or Powershell