Dllhost.EXE Execution Anomaly
Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
Sigma rule (View on GitHub)
1title: Dllhost.EXE Execution Anomaly
2id: e7888eb1-13b0-4616-bd99-4bc0c2b054b9
3status: test
4description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
5references:
6 - https://redcanary.com/blog/child-processes/
7 - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
8 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022-06-27
11modified: 2023-05-15
12tags:
13 - attack.privilege-escalation
14 - attack.defense-evasion
15 - attack.t1055
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 Image|endswith: '\dllhost.exe'
22 CommandLine:
23 - 'dllhost.exe'
24 - 'dllhost'
25 filter_main_null:
26 CommandLine: null
27 condition: selection and not 1 of filter_main_*
28falsepositives:
29 - Unlikely
30level: high
References
-
Baseline knowledge of common executables—such as whether they normally spawn child processes—is key to detecting malicious behavior.
Read More -
-
%PDF-1.7 %µµµµ 1 0 obj /Metadata 2177 0 R/ViewerPreferences 2178 0 R>> endobj 2 0 obj endobj 3 0 obj /ExtGState /XObject /ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 594.96 842.04] /Co...
Read More
Related rules
- Created Files by Microsoft Sync Center
- DotNet CLR DLL Loaded By Scripting Applications
- HackTool - DInjector PowerShell Cradle Execution
- Injected Browser Process Spawning Rundll32 - GuLoader Activity
- Lummac Stealer Activity - Execution Of More.com And Vbc.exe