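---
# Sigma rule in multi-document form. This first document (action: global) carries
# the metadata shared by the per-logsource documents that follow it.
action: global
title: Suspicious Svchost Processes
description: >-
  Detects suspicious svchost processes with parent process that is not
  services.exe, command line missing -k parameter or running outside Windows
  folder
author: Florian Roth, @c_APT_ure
date: 2018/10/26
status: experimental
references:
  - https://twitter.com/Moti_B/status/1002280132143394816
  - https://twitter.com/Moti_B/status/1002280287840153601
falsepositives:
  - Renamed %SystemRoot%s
level: high
---
# Sysmon process creation (EventID 1). All three checks named in the description
# (parent process, -k argument, binary location) are active in this document.
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 1
    Image: '*\svchost.exe'
  # Expected parents of svchost.exe.
  filter1:
    ParentImage:
      - '*\services.exe'
      - '*\MsMpEng.exe'
  # Expected invocations carry a service-group argument (-k).
  filter2:
    CommandLine: '* -k *'
  # Expected binary locations, written as full paths instead of 'C:\Windows\S*':
  # '\*' is a reserved expression in Sigma, so a per-directory glob cannot be
  # expressed, and the 'S*' prefix would also exclude svchost.exe copies placed in
  # any other directory under C:\Windows\ whose name starts with S.
  filter3:
    Image:
      - 'C:\Windows\System32\svchost.exe'
      - 'C:\Windows\SysWOW64\svchost.exe'
  condition: selection and not ( filter1 or filter2 or filter3 )
---
# Windows Security log process creation (EventID 4688). Only the binary-location
# check is active here: the command-line check is commented out below and there is
# no parent-process filter.
# NOTE(review): availability of a parent-process field in 4688 depends on the
# Windows version producing the event — confirm before adding a filter1 here.
logsource:
  product: windows
  service: security
  definition: >-
    Requirements: Audit Policy : Detailed Tracking > Audit Process creation,
    Group Policy : Administrative Templates\System\Audit Process Creation
detection:
  selection:
    EventID: 4688
    NewProcessName: '*\svchost.exe'
  # Deactivated as long as some backends do not fully support the 'null' expression
  # filter2:
  #   ProcessCommandLine:
  #     - null  # Missing KB3004375 and Group Policy setting
  #     - '* -k *'
  # Expected binary locations; full paths for the same reason as in the Sysmon
  # document ('\*' is a reserved expression, and 'C:\Windows\S*' over-excludes).
  filter3:
    NewProcessName:
      - 'C:\Windows\System32\svchost.exe'
      - 'C:\Windows\SysWOW64\svchost.exe'
  condition: selection and not filter3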