---
action: global
title: Suspicious Svchost Processes
description: Detects suspicious svchost processes with parent process that is not services.exe, command line missing -k parameter or running outside Windows folder
author: Florian Roth, @c_APT_ure
date: 2018/10/26
status: experimental
references:
    - https://twitter.com/Moti_B/status/1002280132143394816
    - https://twitter.com/Moti_B/status/1002280287840153601
falsepositives: 
    - Renamed %SystemRoot%s 
level: high
---
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        Image: '*\svchost.exe'
    filter1:
        ParentImage: 
            - '*\services.exe'
            - '*\MsMpEng.exe'
    filter2:
        CommandLine: '* -k *'
    filter3:
        Image: 'C:\Windows\S*'  # \* is a reserved expression
    condition: selection and not ( filter1 or filter2 or filter3 )
---
logsource:
    product: windows
    service: security
    definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
    selection:
        EventID: 4688
        NewProcessName: '*\svchost.exe'
    # Deactivated as long as some backends do not fully support the 'null' expression
    # filter2:
    #    ProcessCommandLine:
    #        - null  # Missing KB3004375 and Group Policy setting
    #        - '* -k *'
    filter3:
        NewProcessName: 'C:\Windows\S*'  # \* is a reserved expression
    condition: selection and not filter3