← Back to Explore
sigmamediumHunting
Uncommon Svchost Parent Process
Detects an uncommon svchost parent process
Detection Query
selection:
Image|endswith: \svchost.exe
filter_main_generic:
ParentImage|endswith:
- \Mrt.exe
- \MsMpEng.exe
- \ngen.exe
- \rpcnet.exe
- \services.exe
- \TiWorker.exe
filter_main_parent_null:
ParentImage: null
filter_main_parent_empty:
ParentImage:
- "-"
- ""
condition: selection and not 1 of filter_main_*
Author
Florian Roth (Nextron Systems)
Created
2017-08-15
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1036.005
Raw Content
title: Uncommon Svchost Parent Process
id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
status: test
description: Detects an uncommon svchost parent process
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-08-15
modified: 2022-06-28
tags:
- attack.defense-evasion
- attack.t1036.005
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\svchost.exe'
filter_main_generic:
ParentImage|endswith:
- '\Mrt.exe'
- '\MsMpEng.exe'
- '\ngen.exe'
- '\rpcnet.exe'
- '\services.exe'
- '\TiWorker.exe'
filter_main_parent_null:
ParentImage: null
filter_main_parent_empty:
ParentImage:
- '-'
- ''
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium