Uncommon Svchost Parent Process
Detects an uncommon svchost parent process
Sigma rule
title: Uncommon Svchost Parent Process
id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
status: test
description: Detects an uncommon svchost parent process
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-08-15
modified: 2022-06-28
tags:
    - attack.defense-evasion
    - attack.t1036.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\svchost.exe'
    filter_main_generic:
        ParentImage|endswith:
            - '\Mrt.exe'
            - '\MsMpEng.exe'
            - '\ngen.exe'
            - '\rpcnet.exe'
            - '\services.exe'
            - '\TiWorker.exe'
    filter_main_parent_null:
        ParentImage: null
    filter_main_parent_empty:
        ParentImage:
            - '-'
            - ''
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
level: medium
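To make the condition `selection and not 1 of filter_main_*` concrete, the following is an added Python model of the rule's logic run over a handful of constructed process_creation events; it is not part of the rule page or of the Sigma project. It assumes events are dictionaries keyed by the Sigma field names `Image` and `ParentImage`, that a missing or `None` parent corresponds to the rule's `ParentImage: null` filter, and, as in Sigma's default string semantics, that matching is case-insensitive. The sample paths (including the `dropper.exe` parent) are invented for illustration.

```python
# Added example: evaluates the "Uncommon Svchost Parent Process" logic in plain Python.
# Not the page's or Sigma's own code; field names follow the rule, events are constructed.

# Parent images the rule treats as expected for svchost.exe (filter_main_generic).
# Lower-cased because Sigma compares strings case-insensitively by default (assumption
# stated in the lead-in).
EXPECTED_PARENTS = (
    "\\mrt.exe",
    "\\msmpeng.exe",
    "\\ngen.exe",
    "\\rpcnet.exe",
    "\\services.exe",
    "\\tiworker.exe",
)


def matches_rule(event: dict) -> bool:
    """Return True when a process_creation event satisfies the rule's condition.

    condition: selection and not 1 of filter_main_*
    """
    image = (event.get("Image") or "").lower()
    # selection: Image|endswith '\svchost.exe'
    if not image.endswith("\\svchost.exe"):
        return False

    parent = event.get("ParentImage")
    # filter_main_parent_null: ParentImage is absent (null) -> suppressed
    if parent is None:
        return False
    # filter_main_parent_empty: ParentImage is '-' or '' -> suppressed
    if parent in ("-", ""):
        return False
    # filter_main_generic: parent ends with one of the expected binaries -> suppressed
    parent_l = parent.lower()
    if any(parent_l.endswith(p) for p in EXPECTED_PARENTS):
        return False

    # selection matched and no filter applied: the rule fires
    return True


def find_alerts(events):
    """Return only the events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events; these are not real telemetry.
SAMPLE_EVENTS = [
    # Normal service host launched by the Service Control Manager
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    # Same expected parent, different casing: still filtered (case-insensitive match)
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\WINDOWS\SYSTEM32\SERVICES.EXE"},
    # svchost.exe started from an unexpected user-writable location: fires
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\Public\dropper.exe"},
    # Parent unknown to the sensor: filter_main_parent_null suppresses it
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": None},
    # Placeholder parent value: filter_main_parent_empty suppresses it
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": "-"},
    # Not svchost.exe at all: selection fails regardless of parent
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\Public\dropper.exe"},
]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "<-", hit["ParentImage"])
```

Running the script prints exactly one alert, the `dropper.exe` parent. Two behaviours worth noticing when tuning this rule: the null and empty filters mean an event whose parent the sensor failed to resolve is silently dropped rather than escalated, and `endswith` on `ParentImage` matches the file name only, so a binary named `services.exe` in any directory would also be filtered; a tighter deployment can replace the `endswith` patterns with full expected paths at the cost of more maintenance.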
Related rules
- Exploit for CVE-2015-1641
- Files With System DLL Name In Unsuspected Locations
- Files With System Process Name In Unsuspected Locations
- Flash Player Update from Suspicious Location
- Greenbug Espionage Group Indicators