logo

Query Exchange

Built off the open source project Osquery

The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Suspicious svchost running

Status: Approved Submitted by on ‎08-01-2019 03:24 PM

Description: Looks for suspicious svchosts running from outside the system32 folder

What The Data Shows: Shows if svchost processes are running from locations they shouldnt be. Its possible that malware, adware, or viruses are running as svchost.exe to hide.

SQL:

SELECT pid,u.username,p.name,f.path,h.sha256,
                datetime(f.atime,"unixepoch","localtime") AS atime,
                datetime(f.ctime,"unixepoch","localtime") AS ctime,
                datetime(f.mtime,"unixepoch","localtime") AS mtime
FROM processes as p
JOIN file as f USING(path)
JOIN users AS u USING(uid)
JOIN hash AS h USING(path)
WHERE p.name = "svchost.exe"
     AND lower(p.path) <> "c:\windows\system32\svchost.exe"
     AND lower(p.path) <> "";

 

0 Votes
Comment
6 Comments
jnelson
Carbon Black Employee
‎08-05-2019 11:04 AM
‎08-05-2019 11:04 AM
Status changed to: Under Review

@ksnihur since this query is looking for malicious processes masquerading as svchost.exe, I think it would be beneficial to pull back more information that just the path. Would you consider something like this:

SELECT pid,u.username,path,h.sha256,
    datetime(f.atime,"unixepoch","localtime") AS atime,
    datetime(f.ctime,"unixepoch","localtime") AS ctime,
    datetime(f.mtime,"unixepoch","localtime") AS mtime
FROM processes
JOIN file as f USING(path)
JOIN users AS u USING(uid)
JOIN hash AS h USING(path)
WHERE name = "svchost.exe" and path not in ("c:\windows\system32\svchost.exe","");

 

ksnihur
Contributor
‎08-06-2019 06:55 AM
‎08-06-2019 06:55 AM

Hi @jnelson , Updated as request to make it provide more details. 

jnelson
Carbon Black Employee
‎08-06-2019 07:16 AM
‎08-06-2019 07:16 AM
Status changed to: Approved

Thanks!

dale_a_brown
New Contributor II
‎06-04-2020 03:23 AM
‎06-04-2020 03:23 AM

Hi,

Has anyone else found that when this SQL is ran it pulls back instances inside the system32 folder and not ones from outside this location.

I have known instances of svchost outside of system32 and i'm not seeing them.

Is anyone else getting this issue?

Thanks

jnelson
Carbon Black Employee
‎06-04-2020 11:08 AM
‎06-04-2020 11:08 AM

@dale_a_brown thanks for letting us know about this issue. I have editied the query, so can you please try the new version?

dale_a_brown
New Contributor II
‎06-05-2020 02:12 AM
‎06-05-2020 02:12 AM

Hi,

I have tried the new code and it is still returning the same result, svchost.exe within the specified path.

I have been looking at the code with some of our team and tried some minor variations on the bottom line (changing name to filename) but we are getting the same results back also.

Cheers

logo