Merge PR #4946 from @swachchhanda000 - Add Suspicious Process Masquerading As SvcHost.EXE

new: Suspicious Process Masquerading As SvcHost.EXE --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com>
2024-08-07 14:33:12 +05:45
parent 22f02953b5
commit 4989d43ae9
2 changed files with 38 additions and 0 deletions
@@ -1,5 +1,8 @@
 title: System File Execution Location Anomaly
 id: e4a6b256-3e47-40fc-89d2-7a477edd6915
+related:
+    - id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd # Dedicated SvcHost rule
+      type: derived
 status: experimental
 description: |
    Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
@@ -0,0 +1,35 @@
+title: Suspicious Process Masquerading As SvcHost.EXE
+id: be58d2e2-06c8-4f58-b666-b99f6dc3b6cd
+related:
+    - id: 01d2e2a1-5f09-44f7-9fc1-24faa7479b6d
+      type: similar
+    - id: e4a6b256-3e47-40fc-89d2-7a477edd6915
+      type: similar
+status: experimental
+description: |
+    Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location.
+    Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
+references:
+    - https://tria.ge/240731-jh4crsycnb/behavioral2
+    - https://redcanary.com/blog/threat-detection/process-masquerading/
+author: Swachchhanda Shrawan Poudel
+date: 2024/08/07
+tags:
+    - attack.defense_evasion
+    - attack.t1036.005
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\svchost.exe'
+    filter_main_img_location:
+        Image:
+            - 'C:\Windows\System32\svchost.exe'
+            - 'C:\Windows\SysWOW64\svchost.exe'
+    filter_main_ofn:
+        OriginalFileName: 'svchost.exe'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Unlikely
+level: high