Malware authors may attempt to hide their processes "in plain sight" by giving them the same name as a common Windows process.
Very commonly, "svchost.exe" has been used for this purpose. It is difficult to catch this by simply looking at a system, because multiple instances of svchost.exe are expected to be running on a typical Windows system. For example, I have 12 instances on my test system.
There are two aspects of the svchost process that are of particular interest: the process that launches it (its parent) and the location on disk it is launched from.
We need a log source that provides us with the name of the process being launched, where it is being launched from, and the name of its parent process. Versions of Windows prior to Windows 10 do not provide the parent process in the audit log, so we turned to the Microsoft Sysinternals tool "Sysmon" to provide this deeper level of visibility.
The out-of-the-box processing rule for Sysmon does not in fact currently assign the parent process to a metadata field, so I created a custom rule to generate the extra metadata field. (This update will shortly be added to the processing policy in the Knowledge Base.)
We then get both the actual process and its parent into the metadata:
We know that svchost should be started by services.exe, so we look for any process called svchost starting up where services.exe is not its parent process:
Finally, create an AI Engine rule that looks for occurrences of svchost.exe starting from an unusual location on disk. We know that svchost is found in C:\Windows\System32, so we look for any process called svchost starting up from any other location:
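The two rules above, expressed as runnable detection logic over Sysmon Event ID 1 (process create) records. This is an added example, not LogRhythm's or the post's own code: the AI Engine rules themselves are not shown here, so the checks are written in plain Python so they can be exercised offline. The Sysmon events below are constructed samples in the shape Sysmon writes to the Microsoft-Windows-Sysmon/Operational channel (fields trimmed to those the rules need). One assumption goes beyond the post: on 64-bit Windows a 32-bit copy of svchost.exe also lives in C:\Windows\SysWOW64, so that path is allow-listed too.

```python
"""Detect processes masquerading as svchost.exe using Sysmon Event ID 1 data.

Added example, not LogRhythm's code: it implements the two rules from the post
(svchost not started by services.exe; svchost not running from System32) as
plain Python over Sysmon process-create events.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Baseline from the post: svchost is started by services.exe and lives in System32.
EXPECTED_PARENT = r"c:\windows\system32\services.exe"
# Assumption beyond the post: 64-bit Windows also carries a 32-bit copy in SysWOW64.
EXPECTED_IMAGES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}


def parse_sysmon_event(xml_text: str) -> Optional[Dict[str, str]]:
    """Return the EventData fields of a Sysmon Event ID 1 record, or None for other IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "1":
        return None
    fields = {d.get("Name"): (d.text or "").strip()
              for d in root.iterfind("e:EventData/e:Data", NS)}
    fields["Computer"] = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    return fields


def check_svchost(fields: Dict[str, str]) -> List[str]:
    """Return why an svchost process-create event is suspicious; an empty list means normal.

    All comparisons are case-insensitive: NTFS paths are, and an attacker may
    launch SVCHOST.EXE in mixed case to slip past an exact-match rule.
    """
    image = fields.get("Image", "")
    if image.rsplit("\\", 1)[-1].lower() != "svchost.exe":
        return []  # some other process; neither rule applies
    findings = []
    parent = fields.get("ParentImage", "")
    if parent.lower() != EXPECTED_PARENT:          # rule 1: unexpected parent
        findings.append(f"unexpected parent: {parent or '<none>'}")
    if image.lower() not in EXPECTED_IMAGES:        # rule 2: unexpected path on disk
        findings.append(f"unexpected path: {image}")
    return findings


def scan(events: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Run both rules over raw Sysmon XML records; return (computer, pid, findings) per hit."""
    alerts = []
    for xml_text in events:
        fields = parse_sysmon_event(xml_text)
        if fields is None:
            continue
        findings = check_svchost(fields)
        if findings:
            alerts.append((fields["Computer"], fields.get("ProcessId", "?"), findings))
    return alerts


def _sysmon_event(event_id: int, image: str, parent: str, pid: str) -> str:
    """Build a constructed Sysmon record (hypothetical host WS01, fields trimmed)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>
    <Channel>Microsoft-Windows-Sysmon/Operational</Channel><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="UtcTime">2016-01-05 10:00:00.000</Data>
    <Data Name="ProcessId">{pid}</Data>
    <Data Name="Image">{image}</Data>
    <Data Name="CommandLine">{image} -k netsvcs</Data>
    <Data Name="ParentImage">{parent}</Data>
  </EventData>
</Event>"""


# Constructed sample events: normal, bad parent, bad parent and path, a non-process
# event (ID 3, network connect) that must be skipped, a mixed-case normal launch,
# and an unrelated process that neither rule should touch.
SAMPLE_EVENTS = [
    _sysmon_event(1, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe", "812"),
    _sysmon_event(1, r"C:\Windows\System32\svchost.exe", r"C:\Windows\explorer.exe", "4120"),
    _sysmon_event(1, r"C:\Users\Public\svchost.exe", r"C:\Users\Public\dropper.exe", "5568"),
    _sysmon_event(3, r"C:\Users\Public\svchost.exe", r"C:\Users\Public\dropper.exe", "5568"),
    _sysmon_event(1, r"C:\WINDOWS\system32\SVCHOST.EXE", r"C:\WINDOWS\system32\Services.exe", "900"),
    _sysmon_event(1, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "6004"),
]

if __name__ == "__main__":
    for computer, pid, findings in scan(SAMPLE_EVENTS):
        print(f"{computer} pid {pid}: " + "; ".join(findings))
```

Two caveats worth keeping in mind when turning this into a SIEM rule: both checks match on the exact basename, so a look-alike such as "scvhost.exe" is not caught by them and needs a separate rule, and any legitimate exception you observe in your own environment should be allow-listed explicitly rather than by loosening the parent or path comparison.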
The primary benefit of this use case is the ability to quickly spot the difference between normal and abnormal behavior. This is the key to defeating attackers.
This AI Engine rule will reveal the presence of malware masquerading as svchost, even malware that otherwise uses advanced stealth techniques, such as the recently discovered LatentBot malware.
LatentBot attempted to hide some of its activity in plain sight through just this method. The mere fact that a process with this particular name is launched from an unusual path, or with a parent process different from the expected one, is an indicator of malicious activity.
By leveraging LogRhythm's built-in parsing support for the Windows Sysinternals tool "Sysmon," we can detect rogue svchost processes.