Suspect Svchost Activity

calendar Nov 24, 2025 · attack.defense-evasion attack.privilege-escalation attack.t1055  ·
Share on: linkedin copy

It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.

Sigma rule (View on GitHub)

 1title: Suspect Svchost Activity
 2id: 16c37b52-b141-42a5-a3ea-bbe098444397
 3status: test
 4description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
 5references:
 6    - https://web.archive.org/web/20180718061628/https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
 7author: David Burkett, @signalblur
 8date: 2019-12-28
 9modified: 2022-06-27
10tags:
11    - attack.defense-evasion
12    - attack.privilege-escalation
13    - attack.t1055
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        CommandLine|endswith: 'svchost.exe'
20        Image|endswith: '\svchost.exe'
21    filter:
22        - ParentImage|endswith:
23              - '\rpcnet.exe'
24              - '\rpcnetp.exe'
25        - CommandLine: null  # no CommandLine value available
26    condition: selection and not filter
27falsepositives:
28    - Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf
29level: high

References

  • Please Don't Scroll Past This We keep the record straight by preserving government websites, news articles, historical data, and more. If you find our archive useful, please pitch in. Please Don't ...


    Read More

Related rules

to-top