Suspicious Svchost Process Access
Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
Sigma rule (View on GitHub)
1title: Suspicious Svchost Process Access
2id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde
3status: test
4description: Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.
5references:
6 - https://github.com/hlldz/Invoke-Phant0m
7 - https://twitter.com/timbmsft/status/900724491076214784
8author: Tim Burrell
9date: 2020/01/02
10modified: 2023/01/30
11tags:
12 - attack.defense_evasion
13 - attack.t1562.002
14logsource:
15 category: process_access
16 product: windows
17detection:
18 selection:
19 TargetImage|endswith: ':\Windows\System32\svchost.exe'
20 GrantedAccess: '0x1F3FFF'
21 CallTrace|contains: 'UNKNOWN'
22 filter_main_msbuild:
23 SourceImage|contains: ':\Program Files\Microsoft Visual Studio\'
24 SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
25 # Just to make sure it's "really" .NET :)
26 CallTrace|contains:
27 - 'Microsoft.Build.ni.dll'
28 - 'System.ni.dll'
29 condition: selection and not 1 of filter_main_*
30falsepositives:
31 - Unknown
32level: high
References
-
Windows Event Log Killer. Contribute to hlldz/Phant0m development by creating an account on GitHub.
Read More -
Related rules
- HackTool - SysmonEnte Execution
- Potential NT API Stub Patching
- Disable Windows IIS HTTP Logging
- Potential Suspicious Activity Using SeCEdit
- Potential EventLog File Location Tampering