
Summary
This rule identifies unusual child processes spawned by the Windows Service Host (svchost.exe), which traditionally does not create child processes. Such behavior may indicate code injection or exploitation attempts by adversaries. The detection applies a set of checks to process launches whose parent is svchost.exe, specifically monitoring service hosts that are known to be typically ‘childless’ based on their associated service arguments. It flags child processes of those hosts while excluding known legitimate ones to minimize false positives. The rule's risk score is medium (47), and it aids in recognizing possible privilege escalation or defense evasion tactics as detailed in the MITRE ATT&CK framework.
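The logic described above, as an added example that is not the rule's own query: a small re-implementation of the childless-service-host check, run over constructed Windows process-creation events. The event fields, the set of service names treated as childless (`CHILDLESS_SERVICES`) and the allowlist of legitimate children (`ALLOWED_CHILDREN`) are hypothetical values chosen for illustration; a production rule would carry its own vetted lists.

```python
"""
Added example (not the detection rule's own query): re-implements the
"unusual child of a childless svchost.exe service host" check over
constructed process-creation events.

Assumptions not taken from the page: the event field names, the
childless service list and the child-process allowlist are hypothetical.
"""
from dataclasses import dataclass

# Hypothetical: services that, when hosted by svchost.exe, are expected
# never to spawn children. Compared case-insensitively (stored lower-case).
CHILDLESS_SERVICES = {"hypotheticalsvc", "othersvc"}

# Hypothetical allowlist of legitimate children that appear under such
# hosts in normal operation and would otherwise be false positives.
ALLOWED_CHILDREN = {"werfault.exe", "conhost.exe"}


@dataclass
class ProcessEvent:
    name: str         # child process image name
    parent_name: str  # parent process image name
    parent_args: str  # parent command line as recorded by the sensor


def hosted_services(cmdline: str) -> set[str]:
    """Return the lower-cased values following -k / -s in an svchost
    command line (`svchost.exe -k <group> [-p] [-s <service>]`).

    Both the service group (-k) and the individual service (-s) are
    returned so either can be matched against the childless list.
    Returns an empty set when no such arguments are present.
    """
    tokens = cmdline.split()  # service names never contain whitespace
    names = set()
    for flag, value in zip(tokens, tokens[1:]):
        if flag.lower() in ("-k", "-s"):
            names.add(value.strip('"').lower())
    return names


def is_suspicious(event: ProcessEvent) -> bool:
    """True when a non-allowlisted child is spawned by an svchost.exe
    instance hosting a service that should never create children."""
    if event.parent_name.lower() != "svchost.exe":
        return False
    if event.name.lower() in ALLOWED_CHILDREN:
        return False
    return bool(hosted_services(event.parent_args) & CHILDLESS_SERVICES)


def find_alerts(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Run the check over a batch of events and return the matches."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # child of a childless host -> alert
    ProcessEvent("cmd.exe", "svchost.exe",
                 "svchost.exe -k netsvcs -p -s hypotheticalsvc"),
    # allowlisted child of the same host -> no alert
    ProcessEvent("werfault.exe", "svchost.exe",
                 "svchost.exe -k netsvcs -p -s hypotheticalsvc"),
    # host service not in the childless list -> no alert
    ProcessEvent("cmd.exe", "svchost.exe",
                 "svchost.exe -k netsvcs -p -s schedule"),
    # parent is not svchost.exe -> out of scope
    ProcessEvent("cmd.exe", "explorer.exe", "explorer.exe"),
    # mixed case, full path and upper-case -S: still matched
    ProcessEvent("powershell.exe", "SVCHOST.EXE",
                 "C:\\Windows\\System32\\svchost.exe -k LocalService -S HypotheticalSvc"),
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {alert.parent_name} [{alert.parent_args}] -> {alert.name}")
```

Matching on the parent's command-line arguments rather than on the image name alone is what distinguishes a host that should be childless from the many other svchost.exe instances on a system; the case-insensitive comparison and the allowlist handle the two most common sources of misses and false positives respectively.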
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
- Logon Session
- Application Log
- Network Share
ATT&CK Techniques
- T1055
- T1055.012
Created: 2020-10-13