Detecting Rogue Svchost Processes

Malware authors may try to hide their processes in plain sight by giving them the same name as common Windows processes, and "svchost.exe" is a very common choice. It is difficult to catch this by simply looking at a system, because many instances of svchost.exe are expected to be running on a typical Windows system. The legitimate ones share a few properties a fake usually does not: the image lives in %SystemRoot%\System32 (or SysWOW64), the parent process is services.exe, and the command line carries a "-k <servicegroup>" argument. By leveraging LogRhythm's built-in parsing of process and path fields, we can alert on svchost processes that break these rules.
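The same heuristics can be run directly on a host to validate a LogRhythm alarm or to baseline a system. The script below is an added example, not code from the original post or from LogRhythm; it relies only on standard Windows behaviour (image path, parent process, and the `-k` service-group argument) and on the built-in `Get-CimInstance` cmdlet.

```powershell
# Added example: flag svchost.exe processes that do not look like the real Windows service host.
# Checks (standard Windows behaviour, not LogRhythm parsing rules):
#   1. Image path is %SystemRoot%\System32\svchost.exe (or SysWOW64\svchost.exe on 64-bit hosts).
#   2. Parent process is services.exe (the Service Control Manager).
#   3. Command line carries a "-k <group>" service-group argument.
# Run elevated: ExecutablePath is empty for processes you cannot open, which would be a false positive.

$expectedPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
) | ForEach-Object { $_.ToLowerInvariant() }

# Snapshot all processes once so parent lookups do not race against process churn.
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$findings = foreach ($p in ($procs | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    $reasons = @()

    $path = if ($p.ExecutablePath) { $p.ExecutablePath.ToLowerInvariant() } else { '' }
    if ($path -notin $expectedPaths) {
        $reasons += "unexpected image path '$($p.ExecutablePath)'"
    }

    $parent = $byPid[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -ine 'services.exe') {
        $reasons += "parent is $parentName (PID $($p.ParentProcessId)), not services.exe"
    }

    if ($p.CommandLine -notmatch '(?i)\s-k\s+\S+') {
        $reasons += 'no -k service group on the command line'
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            PID     = $p.ProcessId
            Path    = $p.ExecutablePath
            Parent  = $parentName
            Reasons = ($reasons -join '; ')
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No suspicious svchost.exe processes found.' }
```

Two caveats worth keeping in mind when turning this into an alarm rule: a parent that has already exited shows up as `<exited>` and is reported, which is correct for a one-shot dropper that spawned the fake svchost and died, but noisy on a busy host; and the name filter is exact, so a look-alike such as "svch0st.exe" is not caught here and needs its own rule on the process name.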


Agent SmartResponse Host Checking

How can you find out whether a SmartResponse plug-in written in PowerShell will run on a specific System Monitor Agent host, and under which user context it will execute? Windows PowerShell execution policies determine the conditions under which PowerShell loads configuration files and runs scripts, so a plug-in that works on one host can fail silently on another whose policy is Restricted or AllSigned. We want to find out what that setting is on a given host that has a System Monitor Agent installed, and which account the agent will launch the script as. Microsoft's about_Execution_Policies help topic covers the policies and their scopes in detail.
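The following is an added example (not part of the original post or a LogRhythm plug-in) that answers both questions from the host itself: it reports the effective execution policy and every scope that contributes to it, the identity the current session runs under, and the account configured for the agent service. The service name `scsm` is an assumption for the LogRhythm System Monitor service; adjust it if your install differs.

```powershell
# Added example: report what a PowerShell-based SmartResponse plug-in would see on this host.
# To get the plug-in's real answer, run this script through the agent (as a test action),
# since the user context and the 32/64-bit policy hive depend on who launches powershell.exe.

$agentServiceName = 'scsm'   # assumption: LogRhythm System Monitor service name; change if needed

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# The service account is what the plug-in will run as when the agent launches it.
$svc = Get-CimInstance Win32_Service -Filter "Name='$agentServiceName'" -ErrorAction SilentlyContinue
$svcAccount = if ($svc) { $svc.StartName } else { "<service '$agentServiceName' not found>" }

[pscustomobject]@{
    Host            = $env:COMPUTERNAME
    SessionRunsAs   = $identity.Name
    Elevated        = $isAdmin
    AgentServiceAs  = $svcAccount
    PSVersion       = $PSVersionTable.PSVersion.ToString()
    Is64BitProcess  = [Environment]::Is64BitProcess
    EffectivePolicy = (Get-ExecutionPolicy).ToString()
} | Format-List

# Per-scope view: the first scope from the top that is not Undefined wins,
# so a Group Policy setting overrides anything set with Set-ExecutionPolicy.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Translate the effective policy into what it means for an unsigned plug-in script.
switch ((Get-ExecutionPolicy).ToString()) {
    'Restricted'   { 'Scripts will not run at all; the plug-in fails unless launched with -ExecutionPolicy Bypass.' }
    'AllSigned'    { 'Only scripts signed by a trusted publisher run; an unsigned plug-in script fails.' }
    'RemoteSigned' { 'Local scripts run; scripts carrying a downloaded-from-Internet mark need a signature or Unblock-File.' }
    'Undefined'    { 'No policy set in any scope; Windows defaults to Restricted on client editions and RemoteSigned on servers.' }
    default        { "Policy '$_' permits local scripts." }
}
```

One detail the per-scope table makes visible is that the LocalMachine policy is stored separately for 32-bit and 64-bit PowerShell. If the agent is a 32-bit process it will start the 32-bit powershell.exe, so the policy you see in a 64-bit console can differ from the one the plug-in actually gets; running this script through the agent removes that guesswork.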
