Dllhost.EXE Execution Anomaly
Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
Sigma rule (View on GitHub)
1title: Dllhost.EXE Execution Anomaly
2id: e7888eb1-13b0-4616-bd99-4bc0c2b054b9
3status: test
4description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
5references:
6 - https://redcanary.com/blog/child-processes/
7 - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
8 - https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022/06/27
11modified: 2023/05/15
12tags:
13 - attack.defense_evasion
14 - attack.t1055
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\dllhost.exe'
21 CommandLine:
22 - 'dllhost.exe'
23 - 'dllhost'
24 filter_main_null:
25 CommandLine: null
26 condition: selection and not 1 of filter_main_*
27falsepositives:
28 - Unlikely
29level: high
References
-
Baseline knowledge of common executables—such as whether they normally spawn child processes—is key to detecting malicious behavior.
Read More -
-
%PDF-1.7 %µµµµ 1 0 obj /Metadata 2177 0 R/ViewerPreferences 2178 0 R>> endobj 2 0 obj endobj 3 0 obj /ExtGState /XObject /ProcSet[/PDF/Text/ImageB/ImageC/ImageI] >>/MediaBox[ 0 0 594.96 842.04] /Co...
Read More
Related rules
- Rundll32 Injection into LSASS
- Microsoft Sync Center Suspicious Network Connections
- FlawedGrace spawning threat injection target
- Network Connection Initiated Via Notepad.EXE
- Potential Shellcode Injection