
Suspicious svchost running

Description: Looks for suspicious svchosts running from outside the system32 folder

What The Data Shows: Shows if svchost processes are running from locations they shouldn't be. It's possible that malware, adware, or viruses are running as svchost.exe to hide.

SQL:

-- Processes named svchost.exe whose image path is not the expected System32 location.
-- String literals are single-quoted: SQLite treats double-quoted text as an identifier
-- first and only falls back to a string literal when no such column exists.
SELECT pid, u.username, p.name, f.path, h.sha256,
       datetime(f.atime, 'unixepoch', 'localtime') AS atime,
       datetime(f.ctime, 'unixepoch', 'localtime') AS ctime,
       datetime(f.mtime, 'unixepoch', 'localtime') AS mtime
FROM processes AS p
JOIN file AS f USING(path)      -- on-disk metadata of the process image
JOIN users AS u USING(uid)      -- account the process runs as
JOIN hash AS h USING(path)      -- SHA-256 of the image on disk
WHERE p.name = 'svchost.exe'
  AND lower(p.path) <> 'c:\windows\system32\svchost.exe'   -- case-insensitive path comparison
  AND lower(p.path) <> '';                                  -- skip rows with an empty path


0 Votes
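Added example, not part of the post and not Carbon Black or osquery code: Python with the standard-library sqlite3 module (osquery's query engine is SQLite), loading constructed rows into trimmed versions of the four tables the query joins and running three variants of the detection. The first is the post's lower()-based filter; the second is the NOT IN form proposed in the comments, which compares paths byte-for-byte and so also returns a svchost.exe whose path is reported as C:\Windows\System32\...; the third is an allowlist form that case-folds both name and path and additionally exempts C:\Windows\SysWOW64\svchost.exe, which is my tuning choice and not something the thread suggests. All pids, paths, timestamps and hashes are invented; whether the case-sensitive comparison is what the later comments ran into is not established by the thread.

```python
import sqlite3

# Constructed stand-ins for the osquery tables the page's query joins
# (processes, file, users, hash). Columns are trimmed to what the queries
# touch (the real file table has more, including uid); every row, path
# and hash below is invented for this demo.
PROCESSES = [  # (pid, name, path, uid)
    (1044, "svchost.exe", r"C:\Windows\System32\svchost.exe", 0),
    (2210, "svchost.exe", r"C:\Users\alice\AppData\Roaming\svchost.exe", 1001),
    (3302, "svchost.exe", "", 0),  # empty path: the process could not be opened
    (4400, "explorer.exe", r"C:\Windows\explorer.exe", 1001),
    (5500, "svchost.exe", r"C:\Windows\SysWOW64\svchost.exe", 0),
]
FILES = [  # (path, atime, ctime, mtime), unix epoch seconds
    (r"C:\Windows\System32\svchost.exe", 1500000000, 1500000000, 1500000000),
    (r"C:\Windows\SysWOW64\svchost.exe", 1500000000, 1500000000, 1500000000),
    (r"C:\Users\alice\AppData\Roaming\svchost.exe", 1600000000, 1600000000, 1600000000),
    (r"C:\Windows\explorer.exe", 1500000000, 1500000000, 1500000000),
]
USERS = [(0, "SYSTEM"), (1001, "alice")]  # (uid, username)
# Placeholder SHA-256 strings, one per file; not real hashes.
HASHES = [(f[0], "%064x" % n) for n, f in enumerate(FILES, start=1)]


def build_db():
    """Load the constructed rows into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, uid INTEGER);
        CREATE TABLE file (path TEXT, atime INTEGER, ctime INTEGER, mtime INTEGER);
        CREATE TABLE users (uid INTEGER, username TEXT);
        CREATE TABLE hash (path TEXT, sha256 TEXT);
    """)
    con.executemany("INSERT INTO processes VALUES (?,?,?,?)", PROCESSES)
    con.executemany("INSERT INTO file VALUES (?,?,?,?)", FILES)
    con.executemany("INSERT INTO users VALUES (?,?)", USERS)
    con.executemany("INSERT INTO hash VALUES (?,?)", HASHES)
    return con


# The post's query, with single-quoted string literals (SQLite only treats
# double-quoted text as a string when it cannot resolve it as an identifier).
QUERY_LOWER = r"""
SELECT pid, u.username, p.name, f.path, h.sha256,
       datetime(f.atime, 'unixepoch', 'localtime') AS atime,
       datetime(f.ctime, 'unixepoch', 'localtime') AS ctime,
       datetime(f.mtime, 'unixepoch', 'localtime') AS mtime
FROM processes AS p
JOIN file AS f USING(path)
JOIN users AS u USING(uid)
JOIN hash AS h USING(path)
WHERE p.name = 'svchost.exe'
  AND lower(p.path) <> 'c:\windows\system32\svchost.exe'
  AND lower(p.path) <> '';
"""

# The NOT IN variant from the comments: no lower(), so the comparison is
# byte-for-byte and a path reported as C:\Windows\System32\... is not excluded.
QUERY_NOT_IN = r"""
SELECT pid, u.username, path, h.sha256
FROM processes
JOIN file AS f USING(path)
JOIN users AS u USING(uid)
JOIN hash AS h USING(path)
WHERE name = 'svchost.exe'
  AND path NOT IN ('c:\windows\system32\svchost.exe', '');
"""

# Allowlist form: case-folds name and path, and (my tuning choice, not the
# thread's) also exempts the 32-bit copy under SysWOW64.
QUERY_ALLOWLIST = r"""
SELECT pid, u.username, p.name, f.path, h.sha256
FROM processes AS p
JOIN file AS f USING(path)
JOIN users AS u USING(uid)
JOIN hash AS h USING(path)
WHERE lower(p.name) = 'svchost.exe'
  AND lower(p.path) NOT IN ('c:\windows\system32\svchost.exe',
                            'c:\windows\syswow64\svchost.exe',
                            '');
"""


def flagged_pids(con, query):
    """Run a detection query and return the pids it flags, ascending."""
    return sorted(row[0] for row in con.execute(query))


if __name__ == "__main__":
    db = build_db()
    for label, q in [("lower()", QUERY_LOWER), ("NOT IN", QUERY_NOT_IN),
                     ("allowlist", QUERY_ALLOWLIST)]:
        print(f"{label:>9}: {flagged_pids(db, q)}")
```

On the constructed data the lower() query flags the AppData copy and the SysWOW64 copy, the NOT IN query additionally flags the legitimate System32 process because its mixed-case path does not equal the lower-case literal, and the allowlist query flags only the AppData copy. The row with an empty path is dropped by the inner join against file before either path filter runs, so the `<> ''` test is a safeguard rather than the thing that removes it.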
6 Comments
Carbon Black Employee
Status changed to: Under Review

@ksnihur since this query is looking for malicious processes masquerading as svchost.exe, I think it would be beneficial to pull back more information than just the path. Would you consider something like this:

SELECT pid,u.username,path,h.sha256,
    datetime(f.atime,"unixepoch","localtime") AS atime,
    datetime(f.ctime,"unixepoch","localtime") AS ctime,
    datetime(f.mtime,"unixepoch","localtime") AS mtime
FROM processes
JOIN file as f USING(path)
JOIN users AS u USING(uid)
JOIN hash AS h USING(path)
WHERE name = "svchost.exe" and path not in ("c:\windows\system32\svchost.exe","");


Contributor

Hi @jnelson, updated as requested to make it provide more details.

Carbon Black Employee
Status changed to: Approved

Thanks!

New Contributor II

Hi,

Has anyone else found that when this SQL is run it pulls back instances inside the system32 folder and not ones from outside this location?

I have known instances of svchost outside of system32 and I'm not seeing them.

Is anyone else getting this issue?

Thanks

Carbon Black Employee

@dale_a_brown thanks for letting us know about this issue. I have edited the query, so can you please try the new version?

New Contributor II

Hi,

I have tried the new code and it is still returning the same result, svchost.exe within the specified path.

I have been looking at the code with some of our team and tried some minor variations on the bottom line (changing name to filename), but we are getting the same results back also.

Cheers