svchost.exe

  • File Path: C:\Windows\system32\svchost.exe
  • Description: Host Process for Windows Services

Hashes

Type Hash
MD5 36F670D89040709013F6A460176767EC
SHA1 0DAC68816AE7C09EFC24D11C27C3274DFD147DEE
SHA256 438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7
SHA384 EB57F6C564B0F6DBEA33645D9C38BDDC38F95AFAFB0C9888BB5E236FCC4CACCE16F94C400E212944E14685CB85F11675
SHA512 BB93D19C35D751468B09B275DE48452FF8724569167B43F42D6AF74639F95121B84F59FA88BCEFD70BA6A23C2722D5D40F775E636141BFDC52E887E866E670E1
SSDEEP 768:MOob6+aRtPsddC9utr12ks4uJcaRWi/DeT1PhPi:gbhkydC9M2OuJca7/SPhPi

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: svchost.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of svchost.exe being misused. While svchost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_firewall_as_add_rule.yml - 'C:\Windows\System32\svchost.exe' DRL 1.0
sigma win_firewall_as_delete_rule.yml - ModifyingApplication: 'C:\Windows\System32\svchost.exe' DRL 1.0
sigma win_rdp_reverse_tunnel.yml description: Detects svchost hosting RDP termsvcs communicating with the loopback address DRL 1.0
sigma win_susp_lsass_dump_generic.yml - '\svchost.exe' DRL 1.0
sigma win_susp_time_modification.yml ProcessName: 'C:\Windows\System32\svchost.exe' DRL 1.0
sigma win_user_driver_loaded.yml - '\Windows\System32\svchost.exe' DRL 1.0
sigma win_alert_lsass_access.yml - 'C:\Windows\System32\svchost.exe' DRL 1.0
sigma file_delete_win_delete_appli_log.yml Image: C:\Windows\system32\svchost.exe DRL 1.0
sigma file_delete_win_delete_prefetch.yml Image: 'C:\windows\system32\svchost.exe' DRL 1.0
sigma file_event_win_creation_system_file.yml - '\svchost.exe' DRL 1.0
sigma file_event_win_susp_adsi_cache_usage.yml - 'C:\windows\system32\svchost.exe' DRL 1.0
sigma file_event_win_susp_clr_logs.yml - 'svchost' DRL 1.0
sigma file_event_win_susp_desktopimgdownldr_file.yml Image\|endswith: svchost.exe DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml # - '\svchost.exe' triggered by installing common software DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv' DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - 'C:\Windows\System32\svchost.exe -k WerSvcGroup' DRL 1.0
sigma image_load_suspicious_vss_ps_load.yml - '\svchost.exe' DRL 1.0
sigma image_load_svchost_dll_search_order_hijack.yml title: Svchost DLL Search Order Hijack DRL 1.0
sigma image_load_svchost_dll_search_order_hijack.yml description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine. DRL 1.0
sigma image_load_svchost_dll_search_order_hijack.yml - '\svchost.exe' DRL 1.0
sigma image_load_usp_svchost_clfsw32.yml Image\|endswith: '\svchost.exe' DRL 1.0
sigma image_load_wmi_module_load.yml - '\svchost.exe' DRL 1.0
sigma image_load_wsman_provider_image_load.yml Image\|endswith: '\svchost.exe' DRL 1.0
sigma image_load_wsman_provider_image_load.yml - 'svchost.exe -k netsvcs -p -s BITS' DRL 1.0
sigma image_load_wsman_provider_image_load.yml - 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc' DRL 1.0
sigma image_load_wsman_provider_image_load.yml - 'svchost.exe -k NetworkService -p -s Wecsvc' DRL 1.0
sigma image_load_wsman_provider_image_load.yml - 'svchost.exe -k netsvcs' DRL 1.0
sigma net_connection_win_rdp_reverse_tunnel.yml description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 DRL 1.0
sigma net_connection_win_rdp_reverse_tunnel.yml Image\|endswith: '\svchost.exe' DRL 1.0
sigma net_connection_win_rundll32_net_connections.yml ParentImage: 'C:\Windows\System32\svchost.exe' DRL 1.0
sigma proc_access_win_cred_dump_lsass_access.yml SourceImage: 'C:\WINDOWS\system32\svchost.exe' DRL 1.0
sigma proc_access_win_invoke_phantom.yml title: Suspect Svchost Memory Asccess DRL 1.0
sigma proc_access_win_invoke_phantom.yml description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service. DRL 1.0
sigma proc_access_win_invoke_phantom.yml TargetImage\|endswith: '\WINDOWS\System32\svchost.exe' DRL 1.0
sigma proc_access_win_svchost_cred_dump.yml title: SVCHOST Credential Dump DRL 1.0
sigma proc_access_win_svchost_cred_dump.yml description: Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials DRL 1.0
sigma proc_access_win_svchost_cred_dump.yml TargetImage\|endswith: '\svchost.exe' DRL 1.0
sigma proc_creation_win_apt_emissarypanda_sep19.yml Image\|endswith: '\svchost.exe' DRL 1.0
sigma proc_creation_win_apt_hafnium.yml - '\svchost.exe' DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml - 'svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs") DRL 1.0
sigma proc_creation_win_lethalhta.yml title: MSHTA Spwaned by SVCHOST DRL 1.0
sigma proc_creation_win_lethalhta.yml description: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report DRL 1.0
sigma proc_creation_win_lethalhta.yml ParentImage\|endswith: '\svchost.exe' DRL 1.0
sigma proc_creation_win_malware_dridex.yml Image\|endswith: '\svchost.exe' DRL 1.0
sigma proc_creation_win_malware_dridex.yml ParentImage\|endswith: '\svchost.exe' DRL 1.0
sigma proc_creation_win_mmc20_lateral_movement.yml description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe DRL 1.0
sigma proc_creation_win_mmc20_lateral_movement.yml ParentImage\|endswith: '\svchost.exe' DRL 1.0
sigma proc_creation_win_office_shell.yml - '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html DRL 1.0
sigma proc_creation_win_outlook_shell.yml - '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html DRL 1.0
sigma proc_creation_win_proc_wrong_parent.yml - '\svchost.exe' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\svchost.exe' DRL 1.0
sigma proc_creation_win_susp_rundll32_no_params.yml ParentImage\|endswith: '\svchost.exe' DRL 1.0
sigma proc_creation_win_susp_service_dir.yml - '\svchost.exe' DRL 1.0
sigma proc_creation_win_susp_svchost.yml title: Suspicious Svchost Process DRL 1.0
sigma proc_creation_win_susp_svchost.yml description: Detects a suspicious svchost process start DRL 1.0
sigma proc_creation_win_susp_svchost.yml Image\|endswith: '\svchost.exe' DRL 1.0
sigma proc_creation_win_susp_svchost.yml - '\svchost.exe' DRL 1.0
sigma proc_creation_win_susp_svchost_no_cli.yml title: Suspect Svchost Activity DRL 1.0
sigma proc_creation_win_susp_svchost_no_cli.yml description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space. DRL 1.0
sigma proc_creation_win_susp_svchost_no_cli.yml CommandLine\|endswith: 'svchost.exe' DRL 1.0
sigma proc_creation_win_susp_svchost_no_cli.yml Image\|endswith: '\svchost.exe' DRL 1.0
sigma proc_creation_win_susp_webdav_client_execution.yml description: A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server). DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\svchost.exe' DRL 1.0
sigma proc_creation_win_termserv_proc_spawn.yml - '\svchost.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_cleanmgr.yml ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule' DRL 1.0
sigma proc_creation_win_wmi_persistence_script_event_consumer.yml ParentImage: C:\Windows\System32\svchost.exe DRL 1.0
sigma registry_event_asep_reg_keys_modification.yml - Image: 'C:\WINDOWS\System32\svchost.exe' DRL 1.0
sigma registry_event_persistence_search_order.yml - C:\WINDOWS\system32\svchost.exe DRL 1.0
sigma registry_event_removal_com_hijacking_registry_key.yml Image: 'C:\Windows\system32\svchost.exe' DRL 1.0
sigma registry_event_taskcache_entry.yml Image: 'C:\WINDOWS\system32\svchost.exe' DRL 1.0
sigma win_suspicious_werfault_connection_outbound.yml ParentImage: 'svchost.exe' DRL 1.0
malware-ioc misp-badiis.json "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\n\nAdversaries may also use the same icon of the file they are trying to mimic.", © ESET 2014-2018
malware-ioc misp_invisimole.json "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\nAdversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the <code>C:\\Windows\\System32</code> directory. Examples of trusted binary names that can be given to malicious binares include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", © ESET 2014-2018
malware-ioc invisimole "ImagePath"= "%SystemRoot%\System32\svchost.exe -k DComLaunch" (translated from hex) © ESET 2014-2018
malware-ioc win_apt_invisimole_wdigest_chain.yml ParentImage\|endswith: 'svchost.exe' © ESET 2014-2018
malware-ioc win_apt_invisimole_wrapper_dll.yml - '\Windows\svchost.exe' © ESET 2014-2018
malware-ioc nukesped_lazarus .svchost.exe``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc nukesped_lazarus .SVCHOST.exe``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc nukesped_lazarus .Svchost.exe``{:.highlight .language-cmhg} © ESET 2014-2018
malware-ioc oceanlotus-rtf_ocx_campaigns.misp.event.json "description": "Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the the remote system. (Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.\n\nDetection: Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Monitor process execution from the <code>svchost.exe<\/code> in Windows 10 and the Windows Task Scheduler <code>taskeng.exe<\/code> for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in <code>%systemroot%\\System32\\Tasks<\/code> for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler\/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)\n\n*Event ID 106 - Scheduled task registered\n*Event ID 140 - Scheduled task updated\n*Event ID 141 - Scheduled task removed\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) Look for changes to tasks that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be taken to create tasks. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.\n\nPlatforms: Windows\n\nData Sources: File monitoring, Process command-line parameters, Process monitoring, Windows event logs\n\nEffective Permissions: Administrator, SYSTEM, User\n\nPermissions Required: Administrator, SYSTEM, User\n\nRemote Support: Yes\n\nContributors: Travis Smith, Tripwire, Leo Loobeek, @leoloobeek, Alain Homewood, Insomnia Security", © ESET 2014-2018
malware-ioc 2020_Q2 C:\PerfLogs\svchost.exe © ESET 2014-2018
atomic-red-team index.md - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #12: svchost writing a file to a UNC path [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #12: svchost writing a file to a UNC path [windows] MIT License. © 2018 Red Canary
atomic-red-team T1003.md - Atomic Test #3 - Dump svchost.exe to gather RDP credentials MIT License. © 2018 Red Canary
atomic-red-team T1003.md ## Atomic Test #3 - Dump svchost.exe to gather RDP credentials MIT License. © 2018 Red Canary
atomic-red-team T1003.md The svchost.exe contains the RDP plain-text credentials. MIT License. © 2018 Red Canary
atomic-red-team T1003.md Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ MIT License. © 2018 Red Canary
atomic-red-team T1003.md Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp. MIT License. © 2018 Red Canary
atomic-red-team T1003.md if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id } MIT License. © 2018 Red Canary
atomic-red-team T1003.md C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full MIT License. © 2018 Red Canary
atomic-red-team T1003.md Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md - Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md ## Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md cmd.exe /c %APPDATA%\svchost.exe /B MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md del /Q /F %APPDATA%\svchost.exe >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md Upon successful execution, powershell will execute T1036.003.exe as svchost.exe from on a non-standard path. MIT License. © 2018 Red Canary
atomic-red-team T1036.003.md | outputfile | path of file to execute | Path | ($env:TEMP + “\svchost.exe”)| MIT License. © 2018 Red Canary
atomic-red-team T1036.005.md <blockquote>Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous. MIT License. © 2018 Red Canary
atomic-red-team T1036.005.md | executable_filepath | File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility. | String | $Env:windir\Temp\svchost.exe| MIT License. © 2018 Red Canary
atomic-red-team T1105.md - Atomic Test #12 - svchost writing a file to a UNC path MIT License. © 2018 Red Canary
atomic-red-team T1105.md ## Atomic Test #12 - svchost writing a file to a UNC path MIT License. © 2018 Red Canary
atomic-red-team T1105.md svchost.exe writing a non-Microsoft Office file to a file with a UNC path. MIT License. © 2018 Red Canary
atomic-red-team T1105.md Upon successful execution, this will rename cmd.exe as svchost.exe and move it to c:\, then execute svchost.exe with output to a txt file. MIT License. © 2018 Red Canary
atomic-red-team T1105.md copy C:\Windows\System32\cmd.exe C:\svchost.exe MIT License. © 2018 Red Canary
atomic-red-team T1105.md C:\svchost.exe /c echo T1105 > \localhost\c$\T1105.txt MIT License. © 2018 Red Canary
atomic-red-team T1105.md del C:\svchost.exe >nul 2>&1 MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md <blockquote>Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018) MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md - Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md ## Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md Spawnd a process as a child of the first accessible svchost.exe process. MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter “Name = ‘svchost.exe’ AND CommandLine LIKE ‘%’” | Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ‘#{command_line}’ MIT License. © 2018 Red Canary
atomic-red-team T1197.md This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of “svchost.exe” and an Initiating Process Command Line of “svchost.exe -k netsvcs -p -s BITS” MIT License. © 2018 Red Canary
atomic-red-team T1197.md the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) MIT License. © 2018 Red Canary
atomic-red-team T1218.md | renamed_binary | renamed Microsoft.Workflow.Compiler | Path | PathToAtomicsFolder\T1218\src\svchost.exe| MIT License. © 2018 Red Canary
atomic-red-team T1543.003.md sc create W64Time binPath= “c:\Windows\System32\svchost.exe -k TimeService” type= share start=auto MIT License. © 2018 Red Canary
atomic-red-team T1543.003.md reg add “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost” /v TimeService /t REG_MULTI_SZ /d “W64Time” /f MIT License. © 2018 Red Canary
atomic-red-team T1543.003.md reg delete “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost” /v TimeService /f MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Target: \system32\svchost.exe via \system32\schtasks.exe MIT License. © 2018 Red Canary
signature-base apt_apt15.yar $= “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost” wide ascii CC BY-NC 4.0
signature-base apt_apt15.yar $= “%SystemRoot%\System32\svchost.exe -k netsvcs” wide ascii fullword CC BY-NC 4.0
signature-base apt_apt41.yar $s5 = “\svchost.exe” fullword ascii CC BY-NC 4.0
signature-base apt_apt41.yar $s3 = “\svchost.exe” fullword ascii CC BY-NC 4.0
signature-base apt_casper.yar $s1 = “"svchost.exe"” fullword wide CC BY-NC 4.0
signature-base apt_cn_pp_zerot.yar $s1 = “/svchost.exe” fullword ascii CC BY-NC 4.0
signature-base apt_cn_pp_zerot.yar $s2 = “/svchost.exe” fullword ascii CC BY-NC 4.0
signature-base apt_codoso.yar $s1 = “svchost.dll” fullword wide CC BY-NC 4.0
signature-base apt_codoso.yar $s0 = “SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost” fullword ascii CC BY-NC 4.0
signature-base apt_codoso.yar $s9 = “%SystemRoot%\System32\svchost.exe -k netsvcs” fullword ascii /* Goodware String - occured 4 times */ CC BY-NC 4.0
signature-base apt_deeppanda.yar $s0 = “%SystemRoot%\System32\svchost.exe -k sqlserver” fullword ascii CC BY-NC 4.0
signature-base apt_eternalblue_non_wannacry.yar $s1 = “RegQueryValueEx(Svchost\netsvcs)” fullword ascii CC BY-NC 4.0
signature-base apt_fakem_backdoor.yar $e2 = “\svchost.exe” fullword ascii CC BY-NC 4.0
signature-base apt_grizzlybear_uscert.yar $OPT4 = “svchost.exe” wide ascii CC BY-NC 4.0
signature-base apt_hidden_cobra.yar $s1 = “%SystemRoot%\System32\svchost.exe -k mdnetuse” fullword ascii CC BY-NC 4.0
signature-base apt_keyboys.yar $x3 = “Internet using \svchost.exe -k -n 3” fullword ascii CC BY-NC 4.0
signature-base apt_nazar.yar description = “Detect Nazar’s svchost based on supported commands” CC BY-NC 4.0
signature-base apt_op_cloudhopper.yar $s1 = “%%SystemRoot%%\System32\svchost.exe -k "%s"” fullword wide CC BY-NC 4.0
signature-base apt_rokrat.yar $x1 = “c:\users\appdata\local\svchost.exe” fullword ascii CC BY-NC 4.0
signature-base apt_rokrat.yar $x1 = “\appdata\local\svchost.exe” ascii CC BY-NC 4.0
signature-base apt_scanbox_deeppanda.yar $s5 = “%SystemRoot%\System32\svchost.exe -k msupdate” fullword ascii CC BY-NC 4.0
signature-base apt_sofacy_jun16.yar $s3 = “svchost.dll” fullword wide CC BY-NC 4.0
signature-base apt_ta18_149A.yar $s1 = “%SystemRoot%\system32\svchost.exe -k Wmmvsvc” fullword ascii CC BY-NC 4.0
signature-base apt_ta18_149A.yar $s2 = “%SystemRoot%\system32\svchost.exe -k SCardPrv” fullword ascii CC BY-NC 4.0
signature-base apt_threatgroup_3390.yar $s2 = “svchost.exe a -k -r -s -m5 -v1024000 -padmin-windows2014” CC BY-NC 4.0
signature-base apt_thrip.yar $s1 = “svchost.dll” fullword ascii CC BY-NC 4.0
signature-base apt_thrip.yar $s1 = “%SystemRoot%\System32\svchost.exe -k “ fullword ascii CC BY-NC 4.0
signature-base apt_thrip.yar $s4 = “RegSetValueEx(Svchost\netsvcs)” fullword ascii CC BY-NC 4.0
signature-base apt_wilted_tulip.yar $s3 = “%s\svchost.exe” fullword wide CC BY-NC 4.0
signature-base apt_wilted_tulip.yar $x1 = “C:\Windows\svchost.exe</Command>” fullword wide CC BY-NC 4.0
signature-base apt_winnti.yar $a2 = “svchost.exe” ascii fullword CC BY-NC 4.0
signature-base apt_zxshell.yar $s2 = “RegQueryValueEx(Svchost\netsvcs)” fullword ascii CC BY-NC 4.0
signature-base crime_eternalrocks.yar $s2 = “svchost.taskhost.exe” fullword ascii CC BY-NC 4.0
signature-base crime_fireball.yar $s2 = “%s\svchost.exe -k %s” fullword wide CC BY-NC 4.0
signature-base crime_rombertik_carbongrabber.yar $s0 = “C:\WINDOWS\system32\svchost.exe” fullword ascii CC BY-NC 4.0
signature-base generic_anomalies.yar description = “Detects uncommon file size of svchost.exe” CC BY-NC 4.0
signature-base generic_anomalies.yar and filename == “svchost.exe” CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s0 = “\svchost.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s1 = “\svchost.exe” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s1 = “SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost” fullword ascii CC BY-NC 4.0
signature-base gen_cn_hacktools.yar $s3 = “\svchost.exe -k “ fullword ascii CC BY-NC 4.0
signature-base gen_event_mute_hook.yar description = “Memory hunt for default wevtsv EtwEventCallback hook pattern to apply to eventlog svchost memory dump” CC BY-NC 4.0
signature-base gen_metasploit_payloads.yar $s1 = “& "\" & "svchost.exe"” fullword ascii CC BY-NC 4.0
signature-base gen_metasploit_payloads.yar $x3 = “, "svchost.exe");” ascii CC BY-NC 4.0
signature-base thor-hacktools.yar $s3 = “Full path: C:\Windows\system32\svchost.exe -k DevicesFlow” fullword wide CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Abnormal svchost.exe - typical strings not found in file” CC BY-NC 4.0
signature-base thor_inverse_matches.yar $win2003_win7_u1 = “svchost.exe” wide nocase CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “svchost.exe” CC BY-NC 4.0
stockpile 05cda6f6-2b1b-462e-bff1-845af94343f7.yml $valid = foreach($p in $ps) { if($p.Owner -eq $env:USERNAME -And $p.ProcessName -eq "svchost") {$p} }; Apache-2.0
stockpile 41bb2b7a-75af-49fd-bd15-6c827df25921.yml Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\Users\Public\svchost.exe -server #{server} } }; Apache-2.0
stockpile 41bb2b7a-75af-49fd-bd15-6c827df25921.yml Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{Get-Process cmd \| Where-Object Path -eq C:\Users\Public\svchost.exe \| Stop-Process} }; Apache-2.0
stockpile 4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml Copy-Item $location -Destination "C:\Users\Public\svchost.exe" -ToSession $session; Apache-2.0
stockpile 4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml Invoke-Command -Session $session -Command {Remove-Item "C:\Users\Public\svchost.exe" -force}; Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.