Suspect Svchost Activity
It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
Sigma rule (View on GitHub)
1title: Suspect Svchost Activity
2id: 16c37b52-b141-42a5-a3ea-bbe098444397
3status: test
4description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space.
5references:
6 - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
7author: David Burkett, @signalblur
8date: 2019/12/28
9modified: 2022/06/27
10tags:
11 - attack.defense_evasion
12 - attack.privilege_escalation
13 - attack.t1055
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection:
19 CommandLine|endswith: 'svchost.exe'
20 Image|endswith: '\svchost.exe'
21 filter:
22 - ParentImage|endswith:
23 - '\rpcnet.exe'
24 - '\rpcnetp.exe'
25 - CommandLine: null # no CommandLine value available
26 condition: selection and not filter
27fields:
28 - CommandLine
29 - ParentCommandLine
30falsepositives:
31 - Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf
32level: high
References
-
This website is for sale! securitybytes.io is your first and best source for all of the information you’re looking for. From general topics to more of what you would expect to find here, securitybytes.io has it all. We hope you find what you are searching for!
Read More
Related rules
- HackTool - CoercedPotato Named Pipe Creation
- Suspicious Child Process Of Wermgr.EXE
- CobaltStrike Named Pipe
- CobaltStrike Named Pipe Pattern Regex
- APT PRIVATELOG Image Load Pattern