Suspicious Svchost Process Access

Severity: high
Author: Tim Burrell
Source: upstream

Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1562.002` Impair Defenses: Disable Windows Event Logging

Event coverage

Provider	Event ID	Title
Sysmon	10	ProcessAccess

Stages and Predicates

Stage 1: `selection`

CallTrace|contains: UNKNOWN
GrantedAccess: 0x1F3FFF
TargetImage|endswith: ':\Windows\System32\svchost.exe'

Stage 2: `not 1 of filter_main_msbuild`

or:
CallTrace|contains: Microsoft.Build.ni.dll
CallTrace|contains: System.ni.dll
SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe'
SourceImage|contains: ':\Program Files\Microsoft Visual Studio\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CallTrace`	match	`Microsoft.Build.ni.dll` `System.ni.dll` `UNKNOWN` corpus 2 (sigma 2)
`GrantedAccess`	eq	`0x1F3FFF`
`SourceImage`	ends_with	`\MSBuild\Current\Bin\MSBuild.exe`
`SourceImage`	match	`:\Program Files\Microsoft Visual Studio\`
`TargetImage`	ends_with	`:\Windows\System32\svchost.exe`