Query language: KQL. License: Elastic-2.0. Source project: elastic/detection-rules

Svchost spawning Cmd

Identifies a suspicious parent-child process relationship in which cmd.exe descends from svchost.exe. svchost.exe hosts Windows services, so a service process launching a command shell is uncommon on most hosts and worth review.

Quality: 92
Rule source: rules/windows/execution_command_shell_started_by_svchost.toml

Query (KQL):
host.os.type:windows and event.category:process and event.type:start and process.parent.name:svchost.exe and 
process.name:(CMD.EXE or Cmd.exe or cmd.exe) and 
process.command_line:(* and not "\"cmd.exe\" /C sc control hptpsmarthealthservice 211") and 
not process.args:(".\inetsrv\iissetup.exe /keygen " or "C:\Program" or "C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klmover.exe" or "C:\Program Files (x86)\Sentry\SA\adluminupdater.exe" or "C:\Program Files\WinRAR" or "C:\Program Files\WinRAR\uninstall.exe" or "hpdiags://BatteryStatusTest" or hptpsmarthealthservice or icacls or taskkill or w32tm or *.BAT* or *.CMD* or *.bat* or *.cmd*)
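To make the query's clauses and exclusions concrete, the following is an added Python re-implementation of the rule's logic (not code from the Elastic rule) run over constructed, flattened ECS-style events; the event field layout and the sample values are assumptions for illustration.

```python
from fnmatch import fnmatchcase

# Exact command line the rule's process.command_line clause excludes.
EXCLUDED_COMMAND_LINE = '"cmd.exe" /C sc control hptpsmarthealthservice 211'
# process.args values the rule excludes; entries containing '*' are KQL wildcards.
EXCLUDED_ARGS = [
    r".\inetsrv\iissetup.exe /keygen ", r"C:\Program",
    r"C:\Program Files (x86)\Kaspersky Lab\NetworkAgent\klmover.exe",
    r"C:\Program Files (x86)\Sentry\SA\adluminupdater.exe",
    r"C:\Program Files\WinRAR", r"C:\Program Files\WinRAR\uninstall.exe",
    "hpdiags://BatteryStatusTest", "hptpsmarthealthservice", "icacls",
    "taskkill", "w32tm", "*.BAT*", "*.CMD*", "*.bat*", "*.cmd*",
]

def _as_list(value):
    """ECS category/type fields may be a single string or an array."""
    return [value] if isinstance(value, str) else list(value or [])

def _arg_excluded(arg: str) -> bool:
    """KQL term match on one array element: glob for '*' terms, exact otherwise."""
    return any(fnmatchcase(arg, t) if "*" in t else arg == t for t in EXCLUDED_ARGS)

def matches_rule(event: dict) -> bool:
    """True when a flattened ECS event satisfies every clause of the query."""
    if (event.get("host.os.type") != "windows"
            or "process" not in _as_list(event.get("event.category"))
            or "start" not in _as_list(event.get("event.type"))
            or event.get("process.parent.name") != "svchost.exe"
            or event.get("process.name") not in ("CMD.EXE", "Cmd.exe", "cmd.exe")):
        return False
    cmdline = event.get("process.command_line")
    if not cmdline or cmdline == EXCLUDED_COMMAND_LINE:  # ':*' needs the field present
        return False
    return not any(_arg_excluded(a) for a in event.get("process.args", []))

def _event(parent, args):
    """Constructed sample event (assumed field layout, not real telemetry)."""
    return {"host.os.type": "windows", "event.category": ["process"],
            "event.type": ["start"], "process.parent.name": parent,
            "process.name": "cmd.exe", "process.args": args,
            "process.command_line": " ".join(args)}

SAMPLE_EVENTS = {  # constructed; only the first should alert
    "shell_from_service": _event("svchost.exe", ["cmd.exe", "/c", "echo", "hi"]),
    "batch_script": _event("svchost.exe", ["cmd.exe", "/c", r"C:\Scripts\backup.bat"]),
    "time_sync": _event("svchost.exe", ["cmd.exe", "/c", "w32tm", "/resync"]),
    "hp_health": _event("svchost.exe", ['"cmd.exe"', "/C", "sc", "control", "hptpsmarthealthservice", "211"]),
    "explorer_parent": _event("explorer.exe", ["cmd.exe", "/c", "echo", "hi"]),
}
```

Note that the `*.bat*` / `*.cmd*` exclusions suppress any cmd.exe launch whose arguments name a batch file, which is a sizeable blind spot to keep in mind when tuning this rule.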