
Suspicious svchost running

Description: Looks for svchost.exe processes whose image path is outside the Windows System32 folder.

What The Data Shows: Lists svchost.exe processes whose image path is not C:\Windows\System32\svchost.exe, together with the owning user, the file's SHA-256 and its access, change and modification times. Malware, adware and other unwanted software commonly name themselves svchost.exe to blend in with the many legitimate service host processes, so a hit outside System32 should be reviewed using the hash and timestamps returned. On 64-bit Windows a legitimate copy also exists at C:\Windows\SysWOW64\svchost.exe, so a result from that folder is not suspicious by itself.

SQL:

-- svchost.exe instances whose image path is not the System32 binary.
-- lower() normalises the path so C:\WINDOWS\system32\... and
-- C:\Windows\System32\... compare equal. An empty path means osquery
-- could not read the process image path, so it is excluded rather than
-- flagged. String literals use single quotes, the SQLite standard.
SELECT p.pid, u.username, p.name, f.path, h.sha256,
       datetime(f.atime, 'unixepoch', 'localtime') AS atime,
       datetime(f.ctime, 'unixepoch', 'localtime') AS ctime,
       datetime(f.mtime, 'unixepoch', 'localtime') AS mtime
FROM processes AS p
JOIN file  AS f USING (path)
JOIN users AS u USING (uid)
JOIN hash  AS h USING (path)
WHERE lower(p.name) = 'svchost.exe'
  AND lower(p.path) <> 'c:\windows\system32\svchost.exe'
  AND lower(p.path) <> '';
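To see how the path comparison behaves on realistic input, here is an added example that is not part of the original post or of the Carbon Black product. It loads constructed rows into an in-memory SQLite database (the engine osquery, and therefore Audit & Remediation, runs queries on) and executes the query above next to the variant from the comments below that compares the path without lower(). The table and column names mirror osquery's processes, file, users and hash tables; the rows, pids, user names, timestamps and hashes are made up for the example.

```python
import sqlite3

# Constructed sample rows shaped like osquery's processes, file, users and hash
# tables on a Windows host. They are made up for this example, not real
# telemetry; the sha256 values are placeholders.
SYSTEM32 = r"C:\Windows\System32\svchost.exe"
SYSTEM32_CAPS = r"C:\WINDOWS\system32\svchost.exe"  # same binary, different casing
USER_TEMP = r"C:\Users\alice\AppData\Local\Temp\svchost.exe"

PROCESSES = [  # (pid, name, path, uid)
    (812, "svchost.exe", SYSTEM32, 18),
    (1340, "svchost.exe", SYSTEM32_CAPS, 19),
    (4712, "svchost.exe", USER_TEMP, 1001),
    (5020, "svchost.exe", "", 18),  # image path osquery could not read
]
FILES = [  # (path, atime, ctime, mtime) in unix epoch seconds
    (SYSTEM32, 1700000000, 1650000000, 1650000000),
    (SYSTEM32_CAPS, 1700000000, 1650000000, 1650000000),
    (USER_TEMP, 1700000100, 1700000100, 1700000100),
]
USERS = [(18, "SYSTEM"), (19, "NETWORK SERVICE"), (1001, "alice")]
HASHES = [(SYSTEM32, "a" * 64), (SYSTEM32_CAPS, "a" * 64), (USER_TEMP, "b" * 64)]

# The query from the post: the path is lower-cased before comparison.
PAGE_QUERY = r"""
SELECT p.pid, u.username, p.name, f.path, h.sha256,
       datetime(f.atime, 'unixepoch', 'localtime') AS atime,
       datetime(f.ctime, 'unixepoch', 'localtime') AS ctime,
       datetime(f.mtime, 'unixepoch', 'localtime') AS mtime
FROM processes AS p
JOIN file  AS f USING (path)
JOIN users AS u USING (uid)
JOIN hash  AS h USING (path)
WHERE p.name = 'svchost.exe'
  AND lower(p.path) <> 'c:\windows\system32\svchost.exe'
  AND lower(p.path) <> '';
"""

# The variant suggested in the comments: the path is compared as-is.
CASE_SENSITIVE_QUERY = r"""
SELECT pid, u.username, path, h.sha256
FROM processes
JOIN file  AS f USING (path)
JOIN users AS u USING (uid)
JOIN hash  AS h USING (path)
WHERE name = 'svchost.exe'
  AND path NOT IN ('c:\windows\system32\svchost.exe', '');
"""


def build_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed tables."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, uid INTEGER);
        CREATE TABLE file (path TEXT, atime INTEGER, ctime INTEGER, mtime INTEGER);
        CREATE TABLE users (uid INTEGER, username TEXT);
        CREATE TABLE hash (path TEXT, sha256 TEXT);
        """
    )
    con.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", PROCESSES)
    con.executemany("INSERT INTO file VALUES (?, ?, ?, ?)", FILES)
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    con.executemany("INSERT INTO hash VALUES (?, ?)", HASHES)
    return con


def flagged_pids(query: str) -> list[int]:
    """Run a detection query over the constructed tables and return the pids it flags."""
    con = build_db()
    try:
        return sorted(row[0] for row in con.execute(query))
    finally:
        con.close()


if __name__ == "__main__":
    print("with lower():   ", flagged_pids(PAGE_QUERY))            # [4712]
    print("without lower():", flagged_pids(CASE_SENSITIVE_QUERY))  # [812, 1340, 4712]
```

With lower() only the copy in the user's Temp folder is flagged. Without it, both System32 rows come back as well, because SQLite string comparison is case-sensitive and Windows reports the image path with whatever casing the loader used; the row with an empty path never appears in either result because the join on the file table drops it before the WHERE clause is evaluated.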

 

6 Comments
jnelson
Carbon Black Employee
Status changed to: Under Review

@ksnihur since this query is looking for malicious processes masquerading as svchost.exe, I think it would be beneficial to pull back more information than just the path. Would you consider something like this:

-- Same joins as the query above, returning more columns than the path alone;
-- the path comparison here is case-sensitive.
SELECT pid, u.username, path, h.sha256,
       datetime(f.atime, 'unixepoch', 'localtime') AS atime,
       datetime(f.ctime, 'unixepoch', 'localtime') AS ctime,
       datetime(f.mtime, 'unixepoch', 'localtime') AS mtime
FROM processes
JOIN file  AS f USING (path)
JOIN users AS u USING (uid)
JOIN hash  AS h USING (path)
WHERE name = 'svchost.exe'
  AND path NOT IN ('c:\windows\system32\svchost.exe', '');

 

ksnihur
Contributor II

Hi @jnelson, updated as requested to provide more details.

jnelson
Carbon Black Employee
Status changed to: Approved

Thanks!

dale_a_brown
New Contributor II

Hi,

Has anyone else found that when this SQL is run it pulls back instances inside the system32 folder and not ones from outside this location?

I have known instances of svchost outside of system32 and I'm not seeing them.

Is anyone else getting this issue?

Thanks

jnelson
Carbon Black Employee

@dale_a_brown thanks for letting us know about this issue. I have edited the query, so can you please try the new version?

dale_a_brown
New Contributor II

Hi,

I have tried the new code and it is still returning the same result, svchost.exe within the specified path.

I have been looking at the code with some of our team and tried some minor variations on the bottom line (changing name to filename) but we are getting the same results back also.

Cheers