svchost.exe
- File Path: C:\windows\SysWOW64\svchost.exe
- Description: Host Process for Windows Services
Hashes
Type | Hash |
---|---|
MD5 | D0ABC231C0B3E88C6B612B28ABBF734D |
SHA1 | 8FE931B1EB696CF3DB0CA62F42DF713E933E51B1 |
SHA256 | 388557172F87D67A033D7B8EA0124246AF2E7C041E93FB6CFB35BB9CF733578B |
SHA384 | D5E518A823FE33FD0BBFDB72E0E6B5F58168D750E6E193A978BD8A7FC468F88DE376FB8575F3B3C4F27F4BDF6ED2E488 |
SHA512 | C580D199BEBE61B0EAC73FAD805C04D318400DD0AED58DEB4793E89B1C968C4640C9A7647E1E99471F8D7D99948797CA896EBBEF8F70437942FCEDD86C08E99C |
SSDEEP | 384:jgn6FcWjK3SoXqvz//lnPXT4u6B4PuUv/0e9K8gWW9wbWsjt1ZVUuDBRJxxd1laU:BjK3S3z1n8uZPuU05G/jt1/Uu1P7dyyv |
Signature
- Status: Signature verified.
- Serial: 33000000287E6E0262D24588ED000000000028
- Thumbprint: 826B2E27B4A7DFC3ED7D34AD6A5BA22699D205D6
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: svchost.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of svchost.exe being misused. While svchost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | win_firewall_as_add_rule.yml | - 'C:\Windows\System32\svchost.exe' | DRL 1.0 |
sigma | win_firewall_as_delete_rule.yml | - ModifyingApplication: 'C:\Windows\System32\svchost.exe' | DRL 1.0 |
sigma | win_rdp_reverse_tunnel.yml | description: Detects svchost hosting RDP termsvcs communicating with the loopback address | DRL 1.0 |
sigma | win_susp_lsass_dump_generic.yml | - '\svchost.exe' | DRL 1.0 |
sigma | win_susp_time_modification.yml | ProcessName: 'C:\Windows\System32\svchost.exe' | DRL 1.0 |
sigma | win_user_driver_loaded.yml | - '\Windows\System32\svchost.exe' | DRL 1.0 |
sigma | win_alert_lsass_access.yml | - 'C:\Windows\System32\svchost.exe' | DRL 1.0 |
sigma | file_delete_win_delete_appli_log.yml | Image: C:\Windows\system32\svchost.exe | DRL 1.0 |
sigma | file_delete_win_delete_prefetch.yml | Image: 'C:\windows\system32\svchost.exe' | DRL 1.0 |
sigma | file_event_win_creation_system_file.yml | - '\svchost.exe' | DRL 1.0 |
sigma | file_event_win_susp_adsi_cache_usage.yml | - 'C:\windows\system32\svchost.exe' | DRL 1.0 |
sigma | file_event_win_susp_clr_logs.yml | - 'svchost' | DRL 1.0 |
sigma | file_event_win_susp_desktopimgdownldr_file.yml | Image\|endswith: svchost.exe | DRL 1.0 |
sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | # - '\svchost.exe' triggered by installing common software | DRL 1.0 |
sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | - 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv' | DRL 1.0 |
sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | - 'C:\Windows\System32\svchost.exe -k WerSvcGroup' | DRL 1.0 |
sigma | image_load_suspicious_vss_ps_load.yml | - '\svchost.exe' | DRL 1.0 |
sigma | image_load_svchost_dll_search_order_hijack.yml | title: Svchost DLL Search Order Hijack | DRL 1.0 |
sigma | image_load_svchost_dll_search_order_hijack.yml | description: IKEEXT and SessionEnv service, as they call LoadLibrary on files that do not exist within C:\Windows\System32\ by default. An attacker can place their malicious logic within the PROCESS_ATTACH block of their library and restart the aforementioned services "svchost.exe -k netsvcs" to gain code execution on a remote machine. | DRL 1.0 |
sigma | image_load_svchost_dll_search_order_hijack.yml | - '\svchost.exe' | DRL 1.0 |
sigma | image_load_usp_svchost_clfsw32.yml | Image\|endswith: '\svchost.exe' | DRL 1.0 |
sigma | image_load_wmi_module_load.yml | - '\svchost.exe' | DRL 1.0 |
sigma | image_load_wsman_provider_image_load.yml | Image\|endswith: '\svchost.exe' | DRL 1.0 |
sigma | image_load_wsman_provider_image_load.yml | - 'svchost.exe -k netsvcs -p -s BITS' | DRL 1.0 |
sigma | image_load_wsman_provider_image_load.yml | - 'svchost.exe -k GraphicsPerfSvcGroup -s GraphicsPerfSvc' | DRL 1.0 |
sigma | image_load_wsman_provider_image_load.yml | - 'svchost.exe -k NetworkService -p -s Wecsvc' | DRL 1.0 |
sigma | image_load_wsman_provider_image_load.yml | - 'svchost.exe -k netsvcs' | DRL 1.0 |
sigma | net_connection_win_rdp_reverse_tunnel.yml | description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 | DRL 1.0 |
sigma | net_connection_win_rdp_reverse_tunnel.yml | Image\|endswith: '\svchost.exe' | DRL 1.0 |
sigma | net_connection_win_rundll32_net_connections.yml | ParentImage: 'C:\Windows\System32\svchost.exe' | DRL 1.0 |
sigma | proc_access_win_cred_dump_lsass_access.yml | SourceImage: 'C:\WINDOWS\system32\svchost.exe' | DRL 1.0 |
sigma | proc_access_win_invoke_phantom.yml | title: Suspect Svchost Memory Access | DRL 1.0 |
sigma | proc_access_win_invoke_phantom.yml | description: Detects suspect access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service. | DRL 1.0 |
sigma | proc_access_win_invoke_phantom.yml | TargetImage\|endswith: '\WINDOWS\System32\svchost.exe' | DRL 1.0 |
sigma | proc_access_win_svchost_cred_dump.yml | title: SVCHOST Credential Dump | DRL 1.0 |
sigma | proc_access_win_svchost_cred_dump.yml | description: Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials | DRL 1.0 |
sigma | proc_access_win_svchost_cred_dump.yml | TargetImage\|endswith: '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_apt_emissarypanda_sep19.yml | Image\|endswith: '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_apt_hafnium.yml | - '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_impacket_lateralization.yml | - 'svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs") | DRL 1.0 |
sigma | proc_creation_win_lethalhta.yml | title: MSHTA Spawned by SVCHOST | DRL 1.0 |
sigma | proc_creation_win_lethalhta.yml | description: Detects MSHTA.EXE spawned by SVCHOST as seen in LethalHTA and described in report | DRL 1.0 |
sigma | proc_creation_win_lethalhta.yml | ParentImage\|endswith: '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_malware_dridex.yml | Image\|endswith: '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_malware_dridex.yml | ParentImage\|endswith: '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_mmc20_lateral_movement.yml | description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe | DRL 1.0 |
sigma | proc_creation_win_mmc20_lateral_movement.yml | ParentImage\|endswith: '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_office_shell.yml | - '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html | DRL 1.0 |
sigma | proc_creation_win_outlook_shell.yml | - '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html | DRL 1.0 |
sigma | proc_creation_win_proc_wrong_parent.yml | - '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_script_event_consumer_spawn.yml | - '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_rundll32_no_params.yml | ParentImage\|endswith: '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_service_dir.yml | - '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_svchost.yml | title: Suspicious Svchost Process | DRL 1.0 |
sigma | proc_creation_win_susp_svchost.yml | description: Detects a suspicious svchost process start | DRL 1.0 |
sigma | proc_creation_win_susp_svchost.yml | Image\|endswith: '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_svchost.yml | - '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_svchost_no_cli.yml | title: Suspect Svchost Activity | DRL 1.0 |
sigma | proc_creation_win_susp_svchost_no_cli.yml | description: It is extremely abnormal for svchost.exe to spawn without any CLI arguments and is normally observed when a malicious process spawns the process and injects code into the process memory space. | DRL 1.0 |
sigma | proc_creation_win_susp_svchost_no_cli.yml | CommandLine\|endswith: 'svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_svchost_no_cli.yml | Image\|endswith: '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_susp_webdav_client_execution.yml | description: A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server). | DRL 1.0 |
sigma | proc_creation_win_system_exe_anomaly.yml | - '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_termserv_proc_spawn.yml | - '\svchost.exe' | DRL 1.0 |
sigma | proc_creation_win_uac_bypass_cleanmgr.yml | ParentCommandLine: 'C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule' | DRL 1.0 |
sigma | proc_creation_win_wmi_persistence_script_event_consumer.yml | ParentImage: C:\Windows\System32\svchost.exe | DRL 1.0 |
sigma | registry_event_asep_reg_keys_modification.yml | - Image: 'C:\WINDOWS\System32\svchost.exe' | DRL 1.0 |
sigma | registry_event_persistence_search_order.yml | - C:\WINDOWS\system32\svchost.exe | DRL 1.0 |
sigma | registry_event_removal_com_hijacking_registry_key.yml | Image: 'C:\Windows\system32\svchost.exe' | DRL 1.0 |
sigma | registry_event_taskcache_entry.yml | Image: 'C:\WINDOWS\system32\svchost.exe' | DRL 1.0 |
sigma | win_suspicious_werfault_connection_outbound.yml | ParentImage: 'svchost.exe' | DRL 1.0 |
malware-ioc | misp-badiis.json | "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.\n\nAdversaries may also use the same icon of the file they are trying to mimic.", | © ESET 2014-2018 |
malware-ioc | misp_invisimole.json | "description": "Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed.\n\nOne variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous. An example of this is when a common system utility or program is moved and renamed to avoid detection based on its usage.(Citation: FireEye APT10 Sept 2018) This is done to bypass tools that trust executables by relying on file name or path, as well as to deceive defenders and system administrators into thinking a file is benign by associating the name with something that is thought to be legitimate.\n\nA third variant uses the right-to-left override (RTLO or RLO) character (U+202E) as a means of tricking a user into executing what they think is a benign file type but is actually executable code. RTLO is a non-printing character that causes the text that follows it to be displayed in reverse.(Citation: Infosecinstitute RTLO Technique) For example, a Windows screensaver file named <code>March 25 \\u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>. A common use of this technique is with spearphishing attachments since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default. \n\nAdversaries may modify a binary's metadata, including such fields as icons, version, name of the product, description, and copyright, to better blend in with the environment and increase chances of deceiving a security analyst or product.(Citation: Threatexpress MetaTwin 2017)\n\n### Windows\nIn another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)\n\nAn example of abuse of trusted locations in Windows would be the <code>C:\\Windows\\System32</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"explorer.exe\" and \"svchost.exe\".\n\n### Linux\nAnother variation of this technique includes malicious binaries changing the name of their running process to that of a trusted or benign process, after they have been launched as opposed to before. (Citation: Remaiten)\n\nAn example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include \"rsyncd\" and \"dbus-inotifier\". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)", | © ESET 2014-2018 |
malware-ioc | invisimole | "ImagePath"= "%SystemRoot%\System32\svchost.exe -k DComLaunch" (translated from hex) | © ESET 2014-2018 |
malware-ioc | win_apt_invisimole_wdigest_chain.yml | ParentImage\|endswith: 'svchost.exe' | © ESET 2014-2018 |
malware-ioc | win_apt_invisimole_wrapper_dll.yml | - '\Windows\svchost.exe' | © ESET 2014-2018 |
malware-ioc | nukesped_lazarus | . svchost.exe``{:.highlight .language-cmhg} | © ESET 2014-2018 |
malware-ioc | nukesped_lazarus | . SVCHOST.exe``{:.highlight .language-cmhg} | © ESET 2014-2018 |
malware-ioc | nukesped_lazarus | . Svchost.exe``{:.highlight .language-cmhg} | © ESET 2014-2018 |
malware-ioc | oceanlotus-rtf_ocx_campaigns.misp.event.json | "description": "Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on. Scheduling a task on a remote system typically required being a member of the Administrators group on the remote system. (Citation: TechNet Task Scheduler Security)\n\nAn adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.\n\nDetection: Monitor scheduled task creation from common utilities using command-line invocation. Legitimate scheduled tasks may be created during installation of new software or through system administration functions. Monitor process execution from the <code>svchost.exe<\/code> in Windows 10 and the Windows Task Scheduler <code>taskeng.exe<\/code> for older versions of Windows. (Citation: Twitter Leoloobeek Scheduled Task) If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Monitor Windows Task Scheduler stores in <code>%systemroot%\\System32\\Tasks<\/code> for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.\n\nConfigure event logging for scheduled task creation and changes by enabling the \"Microsoft-Windows-TaskScheduler\/Operational\" setting within the event logging service. (Citation: TechNet Forum Scheduled Task Operational Setting) Several events will then be logged on scheduled task activity, including: (Citation: TechNet Scheduled Task Events)\n\n*Event ID 106 - Scheduled task registered\n*Event ID 140 - Scheduled task updated\n*Event ID 141 - Scheduled task removed\n\nTools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks. (Citation: TechNet Autoruns) Look for changes to tasks that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks may show up as outlier processes that have not been seen before when compared against historical data.\n\nMonitor processes and command-line arguments for actions that could be taken to create tasks. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data.\n\nPlatforms: Windows\n\nData Sources: File monitoring, Process command-line parameters, Process monitoring, Windows event logs\n\nEffective Permissions: Administrator, SYSTEM, User\n\nPermissions Required: Administrator, SYSTEM, User\n\nRemote Support: Yes\n\nContributors: Travis Smith, Tripwire, Leo Loobeek, @leoloobeek, Alain Homewood, Insomnia Security", | © ESET 2014-2018 |
malware-ioc | 2020_Q2 | C:\PerfLogs\svchost.exe | © ESET 2014-2018 |
atomic-red-team | index.md | - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #12: svchost writing a file to a UNC path [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #12: svchost writing a file to a UNC path [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1003.md | - Atomic Test #3 - Dump svchost.exe to gather RDP credentials | MIT License. © 2018 Red Canary |
atomic-red-team | T1003.md | ## Atomic Test #3 - Dump svchost.exe to gather RDP credentials | MIT License. © 2018 Red Canary |
atomic-red-team | T1003.md | The svchost.exe contains the RDP plain-text credentials. | MIT License. © 2018 Red Canary |
atomic-red-team | T1003.md | Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ | MIT License. © 2018 Red Canary |
atomic-red-team | T1003.md | Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp. | MIT License. © 2018 Red Canary |
atomic-red-team | T1003.md | if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id } | MIT License. © 2018 Red Canary |
atomic-red-team | T1003.md | C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full | MIT License. © 2018 Red Canary |
atomic-red-team | T1003.md | Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | - Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | ## Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe. | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | cmd.exe /c %APPDATA%\svchost.exe /B | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | del /Q /F %APPDATA%\svchost.exe >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | Upon successful execution, powershell will execute T1036.003.exe as svchost.exe from on a non-standard path. | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.003.md | | outputfile | path of file to execute | Path | ($env:TEMP + "\svchost.exe")| | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.005.md | <blockquote>Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous. | MIT License. © 2018 Red Canary |
atomic-red-team | T1036.005.md | | executable_filepath | File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility. | String | $Env:windir\Temp\svchost.exe| | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | - Atomic Test #12 - svchost writing a file to a UNC path | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | ## Atomic Test #12 - svchost writing a file to a UNC path | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | svchost.exe writing a non-Microsoft Office file to a file with a UNC path. | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | Upon successful execution, this will rename cmd.exe as svchost.exe and move it to c:\ , then execute svchost.exe with output to a txt file. | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | copy C:\Windows\System32\cmd.exe C:\svchost.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | C:\svchost.exe /c echo T1105 > \localhost\c$\T1105.txt | MIT License. © 2018 Red Canary |
atomic-red-team | T1105.md | del C:\svchost.exe >nul 2>&1 | MIT License. © 2018 Red Canary |
atomic-red-team | T1134.004.md | <blockquote>Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe ) rather than the current user context.(Citation: Microsoft UAC Nov 2018) | MIT License. © 2018 Red Canary |
atomic-red-team | T1134.004.md | - Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1134.004.md | ## Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1134.004.md | Spawns a process as a child of the first accessible svchost.exe process. | MIT License. © 2018 Red Canary |
atomic-red-team | T1134.004.md | Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = 'svchost.exe' AND CommandLine LIKE '%'" | Select-Object -First 1 | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{command_line}' | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of “svchost.exe” and an Initiating Process Command Line of “svchost.exe -k netsvcs -p -s BITS” | MIT License. © 2018 Red Canary |
atomic-red-team | T1197.md | the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | | renamed_binary | renamed Microsoft.Workflow.Compiler | Path | PathToAtomicsFolder\T1218\src\svchost.exe| | MIT License. © 2018 Red Canary |
atomic-red-team | T1543.003.md | sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto | MIT License. © 2018 Red Canary |
atomic-red-team | T1543.003.md | reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f | MIT License. © 2018 Red Canary |
atomic-red-team | T1543.003.md | reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f | MIT License. © 2018 Red Canary |
atomic-red-team | T1548.002.md | Target: \system32\svchost.exe via \system32\schtasks.exe | MIT License. © 2018 Red Canary |
signature-base | apt_apt15.yar | $= "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" wide ascii | CC BY-NC 4.0 |
signature-base | apt_apt15.yar | $= "%SystemRoot%\System32\svchost.exe -k netsvcs" wide ascii fullword | CC BY-NC 4.0 |
signature-base | apt_apt41.yar | $s5 = "\svchost.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_apt41.yar | $s3 = "\svchost.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_casper.yar | $s1 = “"svchost.exe"” fullword wide | CC BY-NC 4.0 |
signature-base | apt_cn_pp_zerot.yar | $s1 = "/svchost.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_cn_pp_zerot.yar | $s2 = "/svchost.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_codoso.yar | $s1 = "svchost.dll" fullword wide | CC BY-NC 4.0 |
signature-base | apt_codoso.yar | $s0 = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_codoso.yar | $s9 = "%SystemRoot%\System32\svchost.exe -k netsvcs" fullword ascii /* Goodware String - occured 4 times */ | CC BY-NC 4.0 |
signature-base | apt_deeppanda.yar | $s0 = "%SystemRoot%\System32\svchost.exe -k sqlserver" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eternalblue_non_wannacry.yar | $s1 = "RegQueryValueEx(Svchost\netsvcs)" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_fakem_backdoor.yar | $e2 = "\svchost.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_grizzlybear_uscert.yar | $OPT4 = "svchost.exe" wide ascii | CC BY-NC 4.0 |
signature-base | apt_hidden_cobra.yar | $s1 = "%SystemRoot%\System32\svchost.exe -k mdnetuse" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_keyboys.yar | $x3 = "Internet using \svchost.exe -k -n 3" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_nazar.yar | description = "Detect Nazar's svchost based on supported commands" | CC BY-NC 4.0 |
signature-base | apt_op_cloudhopper.yar | $s1 = “%%SystemRoot%%\System32\svchost.exe -k "%s"” fullword wide | CC BY-NC 4.0 |
signature-base | apt_rokrat.yar | $x1 = "c:\users\appdata\local\svchost.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_rokrat.yar | $x1 = "\appdata\local\svchost.exe" ascii | CC BY-NC 4.0 |
signature-base | apt_scanbox_deeppanda.yar | $s5 = "%SystemRoot%\System32\svchost.exe -k msupdate" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_sofacy_jun16.yar | $s3 = "svchost.dll" fullword wide | CC BY-NC 4.0 |
signature-base | apt_ta18_149A.yar | $s1 = "%SystemRoot%\system32\svchost.exe -k Wmmvsvc" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_ta18_149A.yar | $s2 = "%SystemRoot%\system32\svchost.exe -k SCardPrv" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_threatgroup_3390.yar | $s2 = "svchost.exe a -k -r -s -m5 -v1024000 -padmin-windows2014" | CC BY-NC 4.0 |
signature-base | apt_thrip.yar | $s1 = "svchost.dll" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_thrip.yar | $s1 = "%SystemRoot%\System32\svchost.exe -k " fullword ascii | CC BY-NC 4.0 |
signature-base | apt_thrip.yar | $s4 = "RegSetValueEx(Svchost\netsvcs)" fullword ascii | CC BY-NC 4.0 |
signature-base | apt_wilted_tulip.yar | $s3 = "%s\svchost.exe" fullword wide | CC BY-NC 4.0 |
signature-base | apt_wilted_tulip.yar | $x1 = “ | CC BY-NC 4.0 |
signature-base | apt_winnti.yar | $a2 = "svchost.exe" ascii fullword | CC BY-NC 4.0 |
signature-base | apt_zxshell.yar | $s2 = "RegQueryValueEx(Svchost\netsvcs)" fullword ascii | CC BY-NC 4.0 |
signature-base | crime_eternalrocks.yar | $s2 = "svchost.taskhost.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | crime_fireball.yar | $s2 = "%s\svchost.exe -k %s" fullword wide | CC BY-NC 4.0 |
signature-base | crime_rombertik_carbongrabber.yar | $s0 = "C:\WINDOWS\system32\svchost.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | generic_anomalies.yar | description = "Detects uncommon file size of svchost.exe" | CC BY-NC 4.0 |
signature-base | generic_anomalies.yar | and filename == "svchost.exe" | CC BY-NC 4.0 |
signature-base | gen_cn_hacktools.yar | $s0 = "\svchost.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_cn_hacktools.yar | $s1 = "\svchost.exe" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_cn_hacktools.yar | $s1 = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" fullword ascii | CC BY-NC 4.0 |
signature-base | gen_cn_hacktools.yar | $s3 = "\svchost.exe -k " fullword ascii | CC BY-NC 4.0 |
signature-base | gen_event_mute_hook.yar | description = "Memory hunt for default wevtsv EtwEventCallback hook pattern to apply to eventlog svchost memory dump" | CC BY-NC 4.0 |
signature-base | gen_metasploit_payloads.yar | $s1 = “& "\" & "svchost.exe"” fullword ascii | CC BY-NC 4.0 |
signature-base | gen_metasploit_payloads.yar | $x3 = “, "svchost.exe");” ascii | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s3 = "Full path: C:\Windows\system32\svchost.exe -k DevicesFlow" fullword wide | CC BY-NC 4.0 |
signature-base | thor_inverse_matches.yar | description = "Abnormal svchost.exe - typical strings not found in file" | CC BY-NC 4.0 |
signature-base | thor_inverse_matches.yar | $win2003_win7_u1 = "svchost.exe" wide nocase | CC BY-NC 4.0 |
signature-base | thor_inverse_matches.yar | filename == "svchost.exe" | CC BY-NC 4.0 |
stockpile | 05cda6f6-2b1b-462e-bff1-845af94343f7.yml | $valid = foreach($p in $ps) { if($p.Owner -eq $env:USERNAME -And $p.ProcessName -eq "svchost") {$p} }; | Apache-2.0 |
stockpile | 41bb2b7a-75af-49fd-bd15-6c827df25921.yml | Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\Users\Public\svchost.exe -server #{server} } }; | Apache-2.0 |
stockpile | 41bb2b7a-75af-49fd-bd15-6c827df25921.yml | Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{Get-Process cmd \| Where-Object Path -eq C:\Users\Public\svchost.exe \| Stop-Process} }; | Apache-2.0 |
stockpile | 4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml | Copy-Item $location -Destination "C:\Users\Public\svchost.exe" -ToSession $session; | Apache-2.0 |
stockpile | 4908fdc4-74fc-4d7c-8935-26d11ad26a8d.yml | Invoke-Command -Session $session -Command {Remove-Item "C:\Users\Public\svchost.exe" -force}; | Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.