The Search AI Company

Build tailored experiences with Elastic.

Elastic Search AI Platform overview

Scale your business with Elastic Partners

Partner overview

ELK Stack

Search and analytics, data ingestion, and visualization – all at your fingertips.

ELK Stack overview

By developers, for developers

Elastic Cloud

Unlock the power of real-time insights with Elastic on your preferred cloud provider.

Elastic Cloud overview

Generative AI

Prototype and integrate with LLMs faster using search AI.

Generative AI overview

Search

Discover a world of AI possibilities — built with the power of search.

Search Labs

Search overview

Security

Protect, investigate, and respond to cyber threats with AI-driven security analytics.

Security Labs

Security overview

Observability

Unify app and infrastructure visibility to proactively resolve issues.

Observability Labs

Observability overview

By solution

See how customers search, solve, and succeed — all on one Search AI Platform.

All customer stories

Industries

Exceed customer expectations and go to market faster.

Industries overview

Customer spotlight

Cisco saves 5,000 support engineer hours per month

Sitecore automates 96 percent of security workflows with Elastic

Comcast transforms customer experiences with Elastic Observability

Research

Stay at the forefront of innovation with technical tips from the experts.

Build

Code with other developers to create a better Elastic, together.

Learn

Unleash the possibilities of your data and grow your skill set.

Connect

Keep informed about the latest tech and news from Elastic.

Have questions?

New

The executive guide to generative AI

About us Partners Support|Login

Docs
/

Svchost spawning Cmd

Identifies a suspicious parent child process relationship with cmd.exe descending from svchost.exe

Rule type: new_terms
Rule indices:

logs-endpoint.events.process-*
winlogbeat-*
logs-windows.forwarded*
logs-windows.sysmon_operational-*
endgame-*
logs-system.security*
logs-m365_defender.event-*
logs-sentinel_one_cloud_funnel.*

Rule Severity: low
Risk Score: 21
Runs every:
Searches indices from: now-9m
Maximum alerts per execution: ?
References:

https://nasbench.medium.com/demystifying-the-svchost-exe-process-and-its-command-line-options-508e9114e747

Tags:

Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Execution
Resources: Investigation Guide
Data Source: Elastic Endgame
Data Source: Elastic Defend
Data Source: Windows Security Event Logs
Data Source: Microsoft Defender for Endpoint
Data Source: Sysmon
Data Source: SentinelOne

Version: ?
Rule authors:

Elastic

Rule license: Elastic License v2

The Service Host process (SvcHost) is a system process that can host one, or multiple, Windows services in the Windows NT family of operating systems. Note that Svchost.exe is reserved for use by the operating system and should not be used by non-Windows services.

This rule looks for the creation of the cmd.exe process with svchost.exe as its parent process. This is an unusual behavior that can indicate the masquerading of a malicious process as svchost.exe or exploitation for privilege escalation.

Note: This investigation guide uses the Osquery Markdown Plugin introduced in Elastic Stack version 8.5.0. Older Elastic Stack versions will display unrendered Markdown in this guide.

Possible investigation steps

Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
Investigate other alerts associated with the user/host during the past 48 hours.
Investigate any abnormal behavior by the subject process such as network connections, registry or file modifications, and any spawned child processes.
Examine the host for derived artifacts that indicate suspicious activities:
- Analyze the process executable using a private sandboxed analysis system.
- Observe and collect information about the following activities in both the sandbox and the alert subject host:
  - Attempts to contact external domains and addresses.
    - Use the Elastic Defend network events to determine domains and addresses contacted by the subject process by filtering by the process' process.entity_id.
    - Examine the DNS cache for suspicious or anomalous entries.
      - $osquery_0
  - Use the Elastic Defend registry events to examine registry keys accessed, modified, or created by the related processes in the process tree.
  - Examine the host services for suspicious or anomalous entries.
    - $osquery_1
    - $osquery_2
    - $osquery_3
- Retrieve the files' SHA-256 hash values using the PowerShell Get-FileHash cmdlet and search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
Investigate potentially compromised accounts. Analysts can do this by searching for login events (for example, 4624) to the target host after the registry modification.

False positive analysis

This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.

Response and remediation

Initiate the incident response process based on the outcome of the triage.
Isolate the involved host to prevent further post-compromise behavior.
If the triage identified malware, search the environment for additional compromised hosts.
- Implement temporary network rules, procedures, and segmentation to contain the malware.
- Stop suspicious processes.
- Immediately block the identified indicators of compromise (IoCs).
- Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that attackers could use to reinfect the system.
Remove and block malicious artifacts identified during triage.
Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).

Rule Query

		host.os.type:windows and event.category:process and event.type:start and process.parent.name:"svchost.exe" and
process.name:("cmd.exe" or "Cmd.exe" or "CMD.EXE") and
not process.command_line : "\"cmd.exe\" /C sc control hptpsmarthealthservice 211"

	

Framework: MITRE ATT&CK

Tactic:
- Name: Execution
- Id: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
Technique:
- Name: Command and Scripting Interpreter
- Id: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/