Suspicious Parent Spawning Dllhost

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon to be enabled for proper functioning.

Rule type:

Correlation

Rule description:

This rule monitors a suspicious process creating a new instance of "dllhost.exe". Dllhost (the COM Surrogate host) is a legitimate Windows program used to load DLL (Dynamic Link Library) files. However, attackers can abuse it to execute arbitrary code by having it load malicious DLLs, which is why the parent that spawns it matters.

Data source:

Windows: Network traffic, process

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0003 - Persistence, TA0004 - Privilege Escalation, TA0005 - Defense Evasion

Techniques: T1055 - Process Injection, T1574 - Hijack Execution Flow

Sub-techniques: T1055.012 - Process Hollowing, T1574.001 - DLL Search Order Hijacking

Criteria:

Target process: Any process whose image path ends with "dllhost.exe" (the full path is matched, so both System32 and SysWOW64 copies qualify).

Condition: Parent process name does NOT end with any of the following:

  • Windows\System32\services.exe
  • Windows\SysWow64\services.exe
  • WINNT\system32\services.exe
  • Windows\System32\svchost.exe
  • Windows\SysWow64\svchost.exe
  • WINNT\system32\svchost.exe

Any other parent process, that is, one which is neither the Service Control Manager (services.exe) nor a service host (svchost.exe), is unexpected for dllhost.exe and raises suspicion.
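The following is an added example, not the product's own rule implementation, that re-creates the criteria above as a small Python check over constructed Sysmon Event ID 1 (process creation) records. The field names Image and ParentImage are the real Sysmon fields; the pipe-delimited "Key=Value" line format, the process IDs and the file paths are invented for the demonstration, and the rule's matching is assumed to be case-insensitive on the full parent path.

```python
# Added example (not part of the original rule documentation): re-implementation
# of "Suspicious Parent Spawning Dllhost" over constructed Sysmon Event ID 1 data.
from typing import Dict, List

# Parent images the rule treats as expected for dllhost.exe, exactly as listed
# in the criteria. Matched as case-insensitive suffixes of the ParentImage path.
ALLOWED_PARENT_SUFFIXES = (
    r"windows\system32\services.exe",
    r"windows\syswow64\services.exe",
    r"winnt\system32\services.exe",
    r"windows\system32\svchost.exe",
    r"windows\syswow64\svchost.exe",
    r"winnt\system32\svchost.exe",
)


def is_suspicious_dllhost_spawn(event: Dict[str, str]) -> bool:
    """Return True when a Sysmon process-creation event matches the rule.

    Fires when the created image ends with dllhost.exe and the parent image
    does not end with one of the expected services.exe / svchost.exe paths.
    Only Event ID 1 (process creation) is considered; other IDs never match.
    """
    if event.get("EventID") != "1":
        return False
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if not image.endswith("dllhost.exe"):
        return False
    return not any(parent.endswith(suffix) for suffix in ALLOWED_PARENT_SUFFIXES)


def parse_sysmon_line(line: str) -> Dict[str, str]:
    """Parse one constructed 'Key=Value|Key=Value' line into a field map.

    This flat format is an assumption of the example; real Sysmon events are XML
    in the Windows event log, but the field names used here are the real ones.
    """
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


# Constructed sample telemetry (not real events): two benign dllhost spawns from
# the expected parents, two from unexpected parents, one network event (ID 3)
# and one unrelated process creation.
SAMPLE_LOG = """\
EventID=1|ProcessId=4312|Image=C:\\Windows\\System32\\dllhost.exe|ParentImage=C:\\Windows\\System32\\svchost.exe|CommandLine=C:\\Windows\\system32\\DllHost.exe /Processid:{PLACEHOLDER-CLSID}
EventID=1|ProcessId=5120|Image=C:\\Windows\\System32\\dllhost.exe|ParentImage=C:\\Users\\user\\Downloads\\invoice.exe|CommandLine=dllhost.exe
EventID=1|ProcessId=5204|Image=C:\\Windows\\SysWOW64\\dllhost.exe|ParentImage=C:\\Windows\\SysWOW64\\services.exe|CommandLine=dllhost.exe
EventID=1|ProcessId=5300|Image=C:\\Windows\\System32\\dllhost.exe|ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=dllhost.exe
EventID=3|ProcessId=5300|Image=C:\\Windows\\System32\\dllhost.exe|DestinationIp=203.0.113.10
EventID=1|ProcessId=5400|Image=C:\\Windows\\System32\\notepad.exe|ParentImage=C:\\Users\\user\\Downloads\\invoice.exe|CommandLine=notepad.exe
"""


def find_alerts(log_text: str) -> List[str]:
    """Return the ProcessId of every event that triggers the rule, in log order."""
    alerts: List[str] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_sysmon_line(line)
        if is_suspicious_dllhost_spawn(event):
            alerts.append(event["ProcessId"])
    return alerts


if __name__ == "__main__":
    for pid in find_alerts(SAMPLE_LOG):
        print(f"ALERT: suspicious parent spawning dllhost.exe, ProcessId={pid}")
```

Running the block reports only the two spawns whose parent is not services.exe or svchost.exe (the download and the PowerShell host); the SysWOW64 services.exe parent is accepted because the allow-list is matched as a suffix of the full path rather than by file name alone, which is also what stops a renamed "svchost.exe" in a user-writable directory from passing. The Event ID 3 line for the same dllhost process is ignored by this rule but is exactly the kind of follow-on network telemetry an analyst would pull during the impact investigation described under "Next steps".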

When to enable this rule:

Enable this rule to detect potential malware activity or system exploitation by identifying suspicious parent processes spawning dllhost.exe.

Compliance mapping (NIST, CIS):

  • NIST CSF: DE.AE (Detection Processes) for detecting unusual spawning patterns that may indicate COM hijacking or other exploits.
  • CIS Control: 8 (Malware Defense) to guard against malicious exploitation of the COM Surrogate process for executing malware.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.