Built off the open source project Osquery
Description: Looks for suspicious svchost.exe processes running from outside the System32 folder.
What The Data Shows: Shows whether svchost.exe processes are running from locations they shouldn't be. It's possible that malware, adware, or viruses are running under the name svchost.exe to hide.
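As an added example (not the query shared in this post, which is not reproduced here), the following osquery SQL uses only the real `processes` table columns (pid, name, path, cmdline, parent) to list svchost.exe processes whose image path is outside the two legitimate Windows locations, and joins the parent process so the reviewer sees more than just the path:

```sql
-- Added example, not the original query from this post.
-- Lists svchost.exe processes whose on-disk image is outside the two legitimate
-- locations (System32 and SysWOW64) and shows the parent process, since a
-- genuine svchost.exe is normally started by services.exe.
SELECT
  p.pid,
  p.name,
  p.path,
  p.cmdline,
  p.parent  AS parent_pid,
  pp.name   AS parent_name,
  pp.path   AS parent_path
FROM processes AS p
LEFT JOIN processes AS pp ON pp.pid = p.parent
WHERE LOWER(p.name) = 'svchost.exe'
  -- Compare against the full expected path rather than a '%system32%' substring,
  -- so a copy dropped in e.g. C:\Users\x\system32\svchost.exe is still reported.
  -- '_:' matches any drive letter; LOWER() handles mixed-case paths such as
  -- C:\WINDOWS\System32\svchost.exe. Rows with a NULL path are excluded by
  -- SQL NULL semantics, so add "OR p.path IS NULL" if unreadable paths should be surfaced.
  AND NOT (
        LOWER(p.path) LIKE '_:\windows\system32\svchost.exe'
     OR LOWER(p.path) LIKE '_:\windows\syswow64\svchost.exe'
  );
```

Returned rows are candidates for review, not verdicts: confirm the file's signature and the parent process before treating a hit as malicious.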
@ksnihur since this query is looking for malicious processes masquerading as svchost.exe, I think it would be beneficial to pull back more information than just the path. Would you consider something like this:
Hi @jnelson, updated as requested to make it provide more details.
Has anyone else found that when this SQL is run it pulls back instances inside the System32 folder and not ones from outside this location?
I have known instances of svchost outside of System32 and I'm not seeing them.
Is anyone else getting this issue?
@dale_a_brown thanks for letting us know about this issue. I have edited the query, so can you please try the new version?
I have tried the new code and it is still returning the same result: svchost.exe within the specified path.
I have been looking at the code with some of our team and tried some minor variations on the bottom line (changing name to filename), but we are getting the same results back as well.