Andrew Hollister
Director of LogRhythm Labs (EMEA);

Detecting Rogue Svchost Processes

The Challenge

Malware authors may attempt to hide their processes “in plain sight” by calling them the same name as some common Windows processes.

Very commonly, “svchost.exe” has been used for this purpose. It is difficult to catch this by simply looking at a system, because multiple instances of svchost.exe are expected to be running on a typical Windows System. For example, I have 12 instances on my test system.

The Solution

There are two aspects of the svhost process that are of particular interest:

  1. Where is the svhost.exe being launched from? We expect this to be C:\Windows\System32.
  2. Is the parent or creator process of the svchost.exe processes itself? We expect this to be services.exe

Leverage Sysmon to Provide Process Name and Parent Process Name

We need a log source that provides us with both the process name that is being launched, where it is being launched from, and the parent process name. Versions of Windows prior to Windows 10 do not provide this information in the audit log, so we turned to the Microsoft SysInternals tool “Sysmon” to provide us this deeper level of visibility.   The out of the box processing rule for Sysmon does not in fact currently assign the parent process to a metadata field, so I created a custom rule for to generate the extra metadata field. (This update will shortly be added to the processing policy in the Knowledge Base.)

Figure 1. Metadata field custom rule

We then get both the actual process and its parent into the metadata:

Figure 2. Metadata field custom rule log information

Create an AI Engine Rule Starting with an Unusual Parent Process Name

We know that svchost should be started by services.exe, so we look for any process called svchost starting up where services.exe is not its parent process:

Figure 3. Unusual parent process name

Figure 4. AIE: Process started by unusual parent

Figure 5. Inspector: Process started by unusual parent

Look for Any Process Called Svchost Starting up From Any Other Location

Finally, create an AI Engine rule that looks for occurrences of svchost.exe starting from an unusual location on disk. We know that svchost is found in C:\Windows\System32, so we look for any process called svchost starting up from any other location:

Figure 6. Svchost Starting up from any other location rule

Benefits

The primary benefit of this use case is the ability to quickly spot the difference between normal and abnormal behavior. This is the key to defeating attackers.

This AI Engine rule will immediately reveal the presence of malware masquerading as svchost; even if it using advanced stealth techniques, such as, the recently discovered LatentBot malware.

LatentBot attempted to hide some of its activity in plain sight through just this method. Just the fact that a process with this particular name is launched with an unusual path, or a parent process that is different to expected, is an indicator of malevolent.

By leveraging LogRhythm’s built in parsing support for the Windows Sysinternals tool “sysmon,” we can detect rogue svchost processes.

More from Andrew Hollister

Tracking Group Policy Changes, Part 3

)