Uncommon Svchost Command Line Parameter
Detects instances of svchost.exe running with an unusual or uncommon command line parameter by excluding known legitimate or common patterns. This could point at a file masquerading as svchost, a process injection, or hollowing of a legitimate svchost instance.
Log Source
Product: windows
Category: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
detection:
    selection:
        # Example of command to simulate: "C:\Windows\System32\svchost.exe" calc.exe
        Image|endswith: '\svchost.exe'
    filter_main_flags:
        CommandLine|re: '-k\s\w{1,64}(\s?(-p|-s))?'
    filter_main_empty:
        CommandLine: ''
    filter_main_null:
        CommandLine: null
    filter_optional_defender:
        ParentImage|endswith: '\MsMpEng.exe'
        CommandLine|contains: 'svchost.exe'
    filter_optional_mrt:
        ParentImage|endswith: '\MRT.exe'
        CommandLine: 'svchost.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
False Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
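To see how the condition resolves against individual process-creation events, here is an added Python model of the rule (example code, not part of the Sigma rule or its repository). The event tuples are constructed, and the model assumes Sigma's default matching semantics: plain string modifiers are case-insensitive, while `re` is a case-sensitive, unanchored search.

```python
import re
from typing import Optional

# Regex copied from the rule's filter_main_flags selector. Sigma's |re modifier is an
# unanchored, case-sensitive search, so it is applied with re.search().
FLAGS_RE = re.compile(r'-k\s\w{1,64}(\s?(-p|-s))?')

def rule_fires(image: str, command_line: Optional[str], parent_image: str = '') -> bool:
    """Evaluate: selection and not 1 of filter_main_* and not 1 of filter_optional_*.

    Plain Sigma string matches (endswith, contains, equality) are case-insensitive,
    so those comparisons are lower-cased here.
    """
    if not image.lower().endswith('\\svchost.exe'):            # selection
        return False
    if command_line is None or command_line == '':              # filter_main_null / _empty
        return False
    if FLAGS_RE.search(command_line):                           # filter_main_flags
        return False
    parent, cl = parent_image.lower(), command_line.lower()
    if parent.endswith('\\msmpeng.exe') and 'svchost.exe' in cl:  # filter_optional_defender
        return False
    if parent.endswith('\\mrt.exe') and cl == 'svchost.exe':      # filter_optional_mrt
        return False
    return True

# Constructed process-creation events (not real telemetry): (Image, CommandLine, ParentImage)
SAMPLE_EVENTS = [
    (r'C:\Windows\System32\svchost.exe', r'C:\Windows\System32\svchost.exe -k netsvcs -p', r'C:\Windows\System32\services.exe'),
    (r'C:\Windows\System32\svchost.exe', r'C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp', r'C:\Windows\System32\services.exe'),
    (r'C:\Windows\System32\svchost.exe', r'"C:\Windows\System32\svchost.exe" calc.exe', r'C:\Windows\explorer.exe'),  # the rule's own simulation example
    (r'C:\Users\Public\svchost.exe', r'C:\Users\Public\svchost.exe', r'C:\Windows\explorer.exe'),  # name masquerade, no service flags
    (r'C:\Windows\System32\svchost.exe', None, r'C:\Windows\System32\services.exe'),  # command line not recorded
    (r'C:\Windows\System32\svchost.exe', 'svchost.exe', r'C:\Program Files\Windows Defender\MsMpEng.exe'),
    (r'C:\Windows\System32\notepad.exe', r'notepad.exe calc.exe', r'C:\Windows\explorer.exe'),
]

def alerts(events=SAMPLE_EVENTS) -> list:
    """Return the CommandLine of every event the rule would alert on."""
    return [cl for img, cl, parent in events if rule_fires(img, cl, parent)]

if __name__ == '__main__':
    for hit in alerts():
        print('ALERT:', hit)
```

Only the two events without a `-k <group>` service launch pattern survive the filters, which is the behaviour the description above calls out: a differently located binary named svchost.exe, or a real svchost instance carrying arguments it never normally receives.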
MITRE ATT&CK
Tactics: Defense Evasion, Privilege Escalation
Techniques: T1036.005 (Masquerading: Match Legitimate Name or Location), T1055 (Process Injection), T1055.012 (Process Hollowing)
Rule Metadata
Rule ID
f17211f1-1f24-4d0c-829f-31e28dc93cdd
Status
experimental
Level
high
Type
Detection
Created
Fri Nov 14
Author
Path
rules/windows/process_creation/proc_creation_win_svchost_uncommon_command_line_flags.yml
Raw Tags
attack.defense-evasion
attack.privilege-escalation
attack.t1036.005
attack.t1055
attack.t1055.012