Detection rules › Splunk
Unusual svchost Child Process (Windows Event Log)
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. Expected Service Host (svchost.exe) activity does not normally include certain child processes. Svchost spawning these child processes may be an indication of process injection
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1055 Process Injection |
| Stealth | T1055 Process Injection |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
id: '16041.24006'
title: Unusual svchost Child Process
description: 'Adversaries may inject code into processes in order to evade process-based
defenses as well as possibly elevate privileges. Process injection is a method of
executing arbitrary code in the address space of a separate live process. Running
code in the context of another process may allow access to the process''s memory,
system/network resources, and possibly elevated privileges. Execution via process
injection may also evade detection from security products since the execution is
masked under a legitimate process. Expected Service Host (svchost.exe) activity
does not normally include certain child processes. Svchost spawning these child
processes may be an indication of process injection. -- Threat Actor Association:
Lazarus'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR
"<EventID>4688<" OR Type=Process) "svchost" ("WdiSystemHost" OR "LicenseManager"
OR "StorSvc" OR "CDPSvc" OR "cdbhsvc" OR "BthAvctpSvc" OR "SstpSvc" OR "WdiServiceHost"
OR "imgsvc" OR "TrkWks" OR "WpnService" OR "IKEEXT" OR "PolicyAgent" OR "CryptSvc"
OR "netprofm" OR "ProfSvc" OR "StateRepository" OR "camsvc" OR "LanmanWorkstation"
OR "NlaSvc" OR "EventLog" OR "hidserv" OR "DisplayEnhancementService" OR "ShellHWDetection"
OR "AppHostSvc" OR "fhsvc" OR "CscService" OR "PushToInstall") | regex process="(?i)WdiSystemHost|LicenseManager|StorSvc|CDPSvc|cdbhsvc|BthAvctpSvc|SstpSvc|WdiServiceHost|imgsvc|TrkWks|WpnService|IKEEXT|PolicyAgent|CryptSvc|netprofm|ProfSvc|StateRepository|camsvc|LanmanWorkstation|NlaSvc|EventLog|hidserv|DisplayEnhancementService|ShellHWDetection|AppHostSvc|fhsvc|CscService|PushToInstall"|
where match(parent_process_name, "(?i)svchost")| where not match(process_name, "(?i)werfault(secure)?|wermgr\.exe")
| table _time, host, user process, process_*, parent_process_*, signature_id | bin
span=1s | stats values(*) as * by _time, host '
techniques:
- defense-evasion:process injection
technique_id:
- T1055
data_category:
- Windows event logs
references:
- https://redcanary.com/threat-detection-report/techniques/process-injection/
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` (TERM(EventCode=4688) OR "<EventID>4688<" OR Type=Process) "svchost" ("WdiSystemHost" OR "LicenseManager" OR "StorSvc" OR "CDPSvc" OR "cdbhsvc" OR "BthAvctpSvc" OR "SstpSvc" OR "WdiServiceHost" OR "imgsvc" OR "TrkWks" OR "WpnService" OR "IKEEXT" OR "PolicyAgent" OR "CryptSvc" OR "netprofm" OR "ProfSvc" OR "StateRepository" OR "camsvc" OR "LanmanWorkstation" OR "NlaSvc" OR "EventLog" OR "hidserv" OR "DisplayEnhancementService" OR "ShellHWDetection" OR "AppHostSvc" OR "fhsvc" OR "CscService" OR "PushToInstall")
Stage 2: regex
| regex process="(?i)WdiSystemHost|LicenseManager|StorSvc|CDPSvc|cdbhsvc|BthAvctpSvc|SstpSvc|WdiServiceHost|imgsvc|TrkWks|WpnService|IKEEXT|PolicyAgent|CryptSvc|netprofm|ProfSvc|StateRepository|camsvc|LanmanWorkstation|NlaSvc|EventLog|hidserv|DisplayEnhancementService|ShellHWDetection|AppHostSvc|fhsvc|CscService|PushToInstall"
Stage 3: where
| where match(parent_process_name, "(?i)svchost")
Stage 4: where
| where not match(process_name, "(?i)werfault(secure)?|wermgr\.exe")
Stage 5: table
| table _time, host, user process, process_*, parent_process_*, signature_id
Stage 6: bucket
| bin span=1s
Stage 7: stats
| stats values(*) as * by _time, host
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
process_name | match | "(?i)werfault(secure)?|wermgr\.exe" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
parent_process_name | match |
|
process | regex_match |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4688<" |
| 1 | "svchost" |
| 1 | "WdiSystemHost" |
| 1 | "LicenseManager" |
| 1 | "StorSvc" |
| 1 | "CDPSvc" |
| 1 | "cdbhsvc" |
| 1 | "BthAvctpSvc" |
| 1 | "SstpSvc" |
| 1 | "WdiServiceHost" |
| 1 | "imgsvc" |
| 1 | "TrkWks" |
| 1 | "WpnService" |
| 1 | "IKEEXT" |
| 1 | "PolicyAgent" |
| 1 | "CryptSvc" |
| 1 | "netprofm" |
| 1 | "ProfSvc" |
| 1 | "StateRepository" |
| 1 | "camsvc" |
| 1 | "LanmanWorkstation" |
| 1 | "NlaSvc" |
| 1 | "EventLog" |
| 1 | "hidserv" |
| 1 | "DisplayEnhancementService" |
| 1 | "ShellHWDetection" |
| 1 | "AppHostSvc" |
| 1 | "fhsvc" |
| 1 | "CscService" |
| 1 | "PushToInstall" |