Uncommon Svchost Command Line Parameter

 1title: Uncommon Svchost Command Line Parameter
 2id: f17211f1-1f24-4d0c-829f-31e28dc93cdd
 3status: experimental
 4description: |
 5    Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.
 6    This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.    
 7references:
 8    - https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/
 9    - https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware
10    - https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/
11    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
12author: Liran Ravich
13date: 2025-11-14
14tags:
15    - attack.defense-evasion
16    - attack.privilege-escalation
17    - attack.t1036.005
18    - attack.t1055
19    - attack.t1055.012
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection:
25        # Example of command to simulate: "C:\Windows\System32\svchost.exe" calc.exe
26        Image|endswith: '\svchost.exe'
27    filter_main_flags:
28        CommandLine|re: '-k\s\w{1,64}(\s?(-p|-s))?'
29    filter_main_empty:
30        CommandLine: ''
31    filter_main_null:
32        CommandLine: null
33    filter_optional_defender:
34        ParentImage|endswith: '\MsMpEng.exe'
35        CommandLine|contains: 'svchost.exe'
36    filter_optional_mrt:
37        ParentImage|endswith: '\MRT.exe'
38        CommandLine: 'svchost.exe'
39    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
40falsepositives:
41    - Unlikely
42level: high

References

• The Art of Anomaly Hunting: Learning from Legitimate Patterns for Detection - CardinalOps

  

  Hunting for anomalies is a key part of detection engineering. This blog covers how to incorporate broader pattern recognition into detections.

  
  Read More

• Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool

  

  Exbyte is the latest tool developed by ransomware attackers to expedite data theft from victims.

  
  Read More

• APT41 Initiates Intrusion Campaign Using Multiple Exploits | Google Cloud Blog

  

  Mandiant has observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC

  
  Read More

• %PDF-1.6 %âãÏÓ 3620 0 obj endobj 3633 0 obj /Filter/FlateDecode/ID[ ]/Index[3620 32]/Info 3619 0 R/Length 84/Prev 3720490/Root 3621 0 R/Size 3652/Type/XRef/W[1 3 1]>>stream hÞbbd```b``y"/‚H=Ét...

  
  Read More

Related rules

• Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
• Created Files by Microsoft Sync Center
• Dllhost.EXE Execution Anomaly
• DotNet CLR DLL Loaded By Scripting Applications
• HackTool - CACTUSTORCH Remote Thread Creation