M365_defender — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/m365_defender/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 04 Jan 2024 12:00:00 +0000Unusual Service Host Child Process - Childless Servicehttps://feed.craftedsignal.io/briefs/2024-01-unusual-svchost-child-process/Thu, 04 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-unusual-svchost-child-process/This detection identifies unusual child processes of Service Host (svchost.exe) that traditionally do not spawn child processes, potentially indicating code injection or exploitation.The Windows Service Host process (svchost.exe) is a critical system component that hosts multiple Windows services to optimize resource utilization. Certain services running under svchost.exe are not expected to spawn child processes. Attackers may inject malicious code into these “childless” svchost processes to execute unauthorized commands and evade traditional detection methods. This detection rule identifies anomalies by monitoring child processes of svchost.exe instances associated with services known to be childless, such as WdiSystemHost, LicenseManager, and StorSvc, flagging potential process injection or exploitation attempts. The rule aims to identify deviations from the expected behavior of these services, providing an early warning of potential malicious activity.

Attack Chain

  1. Attacker gains initial access to the system through an exploit or by leveraging existing credentials.
  2. The attacker injects malicious code into a running svchost.exe process associated with a childless service like WdiSystemHost or StorSvc.
  3. The injected code spawns a child process from the targeted svchost.exe instance. This could involve executing a system utility or a custom payload.
  4. The child process executes commands or performs actions dictated by the injected code, such as establishing a reverse shell or downloading additional payloads.
  5. The attacker uses the spawned process to perform reconnaissance activities, gathering information about the system and network.
  6. The attacker escalates privileges, potentially leveraging vulnerabilities or misconfigurations accessible from the compromised svchost process.
  7. The attacker moves laterally to other systems on the network, using the compromised system as a pivot point.
  8. The attacker achieves their final objective, which may include data exfiltration, ransomware deployment, or establishing persistent access.

Impact

Successful exploitation can lead to privilege escalation, allowing attackers to gain control of the compromised system and potentially the entire network. Attackers can use the compromised system as a staging ground for further attacks, exfiltrate sensitive data, deploy ransomware, or disrupt critical services. The medium severity score reflects the potential for significant impact if the activity is not detected and contained promptly.

Recommendation

  • Deploy the Sigma rule Unusual Svchost Child Process - Childless Service to your SIEM to detect potential process injection attacks targeting svchost.exe.
  • Tune the rule by adding known false positives to the exclusion list, such as WerFault.exe, WerFaultSecure.exe, and wermgr.exe to reduce alert fatigue.
  • Enable process creation logging via Sysmon (Event ID 1) with command line details for better visibility into spawned processes, as described in the setup guide.
  • Investigate any alerts generated by the rule, focusing on the process details and parent-child relationships to determine the legitimacy of the spawned process.
  • Consider using endpoint detection and response (EDR) solutions like Elastic Defend for enhanced visibility and automated response capabilities, as the rule is designed for data generated by Elastic Defend.
]]>mediumadvisoryprocess_injectionprivilege_escalationdefense_evasionwindows