Suspicious Parent Spawning Svchost
Rule added on 20th February, 2024
Prerequisite:
The rule requires Sysmon to be enabled for proper functioning.
Rule type:
Correlation
Rule description:
This correlation rule detects potential malware by monitoring the processes that spawn svchost.exe (the generic service host process). Legitimate Windows services often run under svchost.exe, so a suspicious process spawning svchost.exe is a concern: it could be an attempt to disguise a malicious program as a legitimate service.
Data source:
Windows: Network traffic, process, kernel
Relevant MITRE ATT&CK techniques and tactics:
Tactics: TA0004 - Privilege Escalation, TA0005 - Defense Evasion
Techniques: T1134 - Access Token Manipulation, T1036 - Masquerading, T1055 - Process Injection, T1548 - Abuse Elevation Control Mechanism
Sub-techniques: T1134.004 - Parent PID Spoofing, T1055.012 - Process Hollowing, T1548.002 - Bypass User Account Control
Criteria:
- This rule checks for processes ending with "svchost.exe" (including paths).
- It considers the spawn suspicious if the parent is not one of the legitimate services.exe locations or MsMpEng.exe process. MsMpEng.exe is a known legitimate process associated with Microsoft Defender Antivirus.
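As an added example (not part of the rule library's own logic), the two criteria above applied in Python to a few constructed Sysmon process-creation records; the services.exe path set, matching MsMpEng.exe by file name and the flattened key=value record format are assumptions of this example:

```python
import re

# Parents the rule treats as legitimate for spawning svchost.exe: services.exe
# from its standard location, or the Microsoft Defender engine MsMpEng.exe.
# The exact path set and matching MsMpEng.exe by file name are assumptions.
LEGIT_SERVICES_PATHS = {r"c:\windows\system32\services.exe"}
LEGIT_PARENT_NAMES = {"msmpeng.exe"}

# Constructed Sysmon Event ID 1 (process creation) records flattened to
# key=value pairs for this example; they are not real telemetry.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\svchost.exe" ParentImage="C:\\Windows\\System32\\services.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\svchost.exe" ParentImage="C:\\Users\\Public\\updater.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\svchost.exe" ParentImage="C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0\\MsMpEng.exe"',
    'EventID=1 Image="C:\\Temp\\svchost.exe" ParentImage="C:\\Temp\\dropper.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> dict[str, str]:
    """Turn one flattened record into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def is_suspicious_svchost_spawn(event: dict[str, str]) -> bool:
    """Apply the rule criteria to a single process-creation event."""
    if event.get("EventID") != "1":
        return False
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if not image.endswith("svchost.exe"):
        return False  # rule only concerns svchost.exe, whatever its path
    if parent in LEGIT_SERVICES_PATHS:
        return False  # services.exe in its expected location is the normal parent
    if parent.rsplit("\\", 1)[-1] in LEGIT_PARENT_NAMES:
        return False  # Microsoft Defender engine is allow-listed by the rule
    return True

def find_suspicious_spawns(lines: list[str]) -> list[str]:
    """Return the ParentImage of every record that matches the rule."""
    return [ev["ParentImage"] for ev in map(parse_event, lines)
            if is_suspicious_svchost_spawn(ev)]

if __name__ == "__main__":
    for parent in find_suspicious_spawns(SAMPLE_EVENTS):
        print("suspicious svchost.exe parent:", parent)
```

Because the rule trusts ParentImage, the T1134.004 parent PID spoofing sub-technique listed above can make a spawn appear to come from services.exe; treat the allow-list as a noise filter, not as proof of legitimacy.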
When to enable this rule:
Enable this rule when you want to detect potential malware activity or lateral movement in which a suspicious parent process spawns svchost.exe.
Compliance mapping (NIST, CIS):
- NIST CSF: DE.AE (Detection Processes) to monitor for unusual patterns in service host process activity.
- CIS Control: 8 (Malware Defense) to ensure svchost.exe, which hosts multiple Windows services, is not exploited.
Next steps:
Upon triggering this alert, the following actions can be taken:
- Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
- Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
- Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.