Uncommon Svchost Command Line Parameter
Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns. This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
Sigma rule
title: Uncommon Svchost Command Line Parameter
id: f17211f1-1f24-4d0c-829f-31e28dc93cdd
status: experimental
description: |
    Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns.
    This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
references:
    - https://cardinalops.com/blog/the-art-of-anomaly-hunting-patterns-detection/
    - https://www.security.com/threat-intelligence/blackbyte-exbyte-ransomware
    - https://cloud.google.com/blog/topics/threat-intelligence/apt41-initiates-global-intrusion-campaign-using-multiple-exploits/
    - https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
author: Liran Ravich
date: 2025-11-14
modified: 2026-03-23
tags:
    - attack.privilege-escalation
    - attack.stealth
    - attack.t1036.005
    - attack.t1055
    - attack.t1055.012
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Example of command to simulate: "C:\Windows\System32\svchost.exe" calc.exe
        Image|endswith: '\svchost.exe'
    filter_main_flags:
        CommandLine|re: '-k\s\w{1,64}(?:\s?(?:-p|-s))?'
    filter_main_empty:
        CommandLine: ''
    filter_main_null:
        CommandLine: null
    filter_optional_defender:
        ParentImage|endswith: '\MsMpEng.exe'
        CommandLine|contains: 'svchost.exe'
    filter_optional_mrt:
        ParentImage|endswith: '\MRT.exe'
        CommandLine: 'svchost.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unlikely
level: high
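The evaluator below is an added example, not part of the rule or of the SigmaHQ project. It re-implements the rule's detection block in plain Python (selection, the three filter_main_* filters and the two filter_optional_* filters, combined as the condition states) and runs it over a handful of constructed process_creation events, so you can see which svchost.exe command lines fire and which the filters suppress. Field names follow the Sigma process_creation taxonomy (Image, CommandLine, ParentImage); the file paths in the sample events are illustrative, and the regex is the one from filter_main_flags, applied as an unanchored, case-sensitive search the way Sigma's re modifier is.

```python
"""Added example: a minimal Python evaluator for the rule's detection logic,
run over constructed process_creation events (not real telemetry)."""
import re

# Regex copied from filter_main_flags. Sigma's `re` modifier is an unanchored,
# case-sensitive search, so re.search() is the right primitive.
FLAGS_RE = re.compile(r'-k\s\w{1,64}(?:\s?(?:-p|-s))?')


def matches_rule(event):
    """Return True when `event` would trigger the rule, i.e.
    selection and not 1 of filter_main_* and not 1 of filter_optional_*.

    A missing key is treated like Sigma's `null` (field absent from the event).
    """
    image = event.get("Image") or ""
    cmdline = event.get("CommandLine")
    parent = event.get("ParentImage") or ""

    # selection: Image|endswith '\svchost.exe' (plain Sigma string matching is case-insensitive)
    if not image.lower().endswith("\\svchost.exe"):
        return False
    # filter_main_null and filter_main_empty
    if cmdline is None or cmdline == "":
        return False
    # filter_main_flags: the ordinary service-host form "-k <group> [-p|-s]"
    if FLAGS_RE.search(cmdline):
        return False
    # filter_optional_defender: Defender's engine spawning svchost with the name in the command line
    if parent.lower().endswith("\\msmpeng.exe") and "svchost.exe" in cmdline.lower():
        return False
    # filter_optional_mrt: Malicious Software Removal Tool launching a bare 'svchost.exe'
    if parent.lower().endswith("\\mrt.exe") and cmdline.lower() == "svchost.exe":
        return False
    return True


# Constructed sample events; paths and group names are illustrative only.
SAMPLE_EVENTS = {
    # Normal service host started by services.exe: suppressed by filter_main_flags
    "legit_netsvcs": {
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule",
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    # Older form without -p/-s: still suppressed
    "legit_no_p_flag": {
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted",
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    # The simulation command from the rule's own comment: fires
    "rule_simulation_example": {
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r'"C:\Windows\System32\svchost.exe" calc.exe',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    # A file named svchost.exe outside System32 with no -k group: fires
    "masquerade_in_public": {
        "Image": r"C:\Users\Public\svchost.exe",
        "CommandLine": r"C:\Users\Public\svchost.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    # Defender engine child: suppressed by filter_optional_defender
    "defender_child": {
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "svchost.exe",
        "ParentImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
    },
    # MRT child: suppressed by filter_optional_mrt
    "mrt_child": {
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "svchost.exe",
        "ParentImage": r"C:\Windows\System32\MRT.exe",
    },
    # Empty command line (some sensors log this): suppressed by filter_main_empty
    "empty_cmdline": {
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "",
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
    # Not svchost at all: selection does not match
    "not_svchost": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c whoami",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
}


def evaluate(events=SAMPLE_EVENTS):
    """Map each sample name to whether the rule fires on that event."""
    return {name: matches_rule(ev) for name, ev in events.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{'ALERT ' if fired else 'filter'}  {name}")
```

Two things the samples make visible: a command line consisting only of the image path with no `-k` group fires, which is deliberate, because a genuine service host is always started with a service group; and the flags regex is case-sensitive, so telemetry that normalises command lines to upper case would need the `re|i` modifier or a lower-cased field before this filter behaves as intended.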
Related rules
- RedSun - TieringEngineService.exe Detected as EICAR Test File
- APT PRIVATELOG Image Load Pattern
- Antivirus PrinterNightmare CVE-2021-34527 Exploit Detection
- CobaltStrike Named Pipe
- CobaltStrike Named Pipe Pattern Regex