wazuh / wazuh-dashboard-plugins

Plugins for Wazuh Dashboard
https://wazuh.com/
GNU General Public License v2.0

List Services being managed by svchost.exe by PID #3595

Open kmfreder1 opened 3 years ago

kmfreder1 commented 3 years ago

Describe the solution you'd like
I would like to see Syscheck collect and Inventory Data display the processes that are supervising each separate svchost.exe PID on Windows hosts. I don't know if this belongs here or in wazuh/wazuh.

So, frequently during threat hunting, I find some suspicious process event identified from Windows EventChannel logs where the parent process is identified as svchost.exe. When I dig further following events from this process's GUID, if I find anything at all, I generally find that the parent process to svchost was something like services.exe, but there is no reference at all to what actual process is being supervised by this specific instance of svchost.

If I have access to the host where this has occurred, I can run something like tasklist /svc /fi "imagename eq svchost.exe" that will list for me svchost instances by PID and what services are supervising each PID, like so:

C:\>tasklist /svc /fi "imagename eq svchost.exe"

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                     88 PlugPlay
svchost.exe                    604 BrokerInfrastructure, DcomLaunch, Power,
                                   SystemEventsBroker
svchost.exe                    620 RpcEptMapper, RpcSs
svchost.exe                   1064 LSM
svchost.exe                   1244 NcbService
svchost.exe                   1332 CoreMessagingRegistrar...etc...

but most of the time, that is not feasible. Seeing only the svchost.exe instances by PID is not very helpful or informative and makes it very difficult to evaluate some of the otherwise suspicious events.

Describe alternatives you've considered
Using OSquery to pull this list on a periodic basis.

Additional context

Here is an example event (various identifying information has been changed):

{"win":{"system":{"providerName":"Microsoft-Windows-Sysmon","providerGuid":"{5771385f-c22a-43e0-bf4c-06f5698ffbd9}","eventID":"1","version":"5","level":"4","task":"1","opcode":"0","keywords":"0x8000000000000000","systemTime":"2021-09-03T21:38:00.141395100Z","eventRecordID":"280451","processID":"3212","threadID":"4104","channel":"Microsoft-Windows-Sysmon/Operational","computer":"mycomputer","severityValue":"INFORMATION","message":"\"Process Create:\r\nRuleName: -\r\nUtcTime: 2021-09-03 21:38:00.139\r\nProcessGuid: {3d5174f3-95b5-6132-af5d-000000005a00}\r\nProcessId: 3776\r\nImage: C:\\Windows\\System32\\fodhelper.exe\r\nFileVersion: 10.0.17763.1 (WinBuild.160101.0800)\r\nDescription: Features On Demand Helper\r\nProduct: Microsoft® Windows® Operating System\r\nCompany: Microsoft Corporation\r\nOriginalFileName: FodHelper.EXE\r\nCommandLine: C:\\Windows\\System32\\FodHelper.exe -Embedding\r\nCurrentDirectory: C:\\Windows\\system32\\\r\nUser: NT AUTHORITY\\SYSTEM\r\nLogonGuid: {3d5174f5-0307-6124-e703-000000000000}\r\nLogonId: 0x3E5\r\nTerminalSessionId: 0\r\nIntegrityLevel: System\r\nHashes: MD5=F23BCF023D5039CCAB3AA40F6A07B817,SHA256=B1223B86D03C3583B84E46A9A6AD009D770FC4114640402EDE19793167593A8F,IMPHASH=2BD851C90720C3E5FEE7E3FF3ACFA3D5\r\nParentProcessGuid: {3d5174f3-0305-6124-0e00-000000005a00}\r\nParentProcessId: 604\r\nParentImage: C:\\Windows\\System32\\svchost.exe\r\nParentCommandLine: C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p\""},"eventdata":{"utcTime":"2021-09-03 21:38:00.139","processGuid":"{3d5174f5-95b8-6132-af5d-000000005a00}","processId":"3776","image":"C:\\\\Windows\\\\System32\\\\fodhelper.exe","fileVersion":"10.0.17763.1 (WinBuild.160101.0800)","description":"Features On Demand Helper","product":"Microsoft® Windows® Operating System","company":"Microsoft Corporation","originalFileName":"FodHelper.EXE","commandLine":"C:\\\\Windows\\\\System32\\\\FodHelper.exe -Embedding","currentDirectory":"C:\\\\Windows\\\\system32\\\\","user":"NT AUTHORITY\\\\SYSTEM","logonGuid":"{3d5174f3-0305-6124-e703-000000000000}","logonId":"0x3e5","terminalSessionId":"0","integrityLevel":"System","hashes":"MD5=F23BCF023D5039CCAB3AA40F6A07B817,SHA256=B1223B86D03C3583B84E46A9A6AD009D770FC4114640402EDE19793167593A8F,IMPHASH=2BD851C90720C3E5FEE7E3FF3ACFA3D5","parentProcessGuid":"{3d5174f3-0305-6124-0e00-000000005a00}","parentProcessId":"604","parentImage":"C:\\\\Windows\\\\System32\\\\svchost.exe","parentCommandLine":"C:\\\\Windows\\\\system32\\\\svchost.exe -k DcomLaunch -p"}}}

In the case of the above event, fodhelper.exe was called by svchost.exe (Process ID 604).

Fodhelper.exe can be used by malware as a UAC bypass and there was no information in the logs or Inventory Data to clue me in to what process was being managed by this particular svchost instance:

Reference: https://medium.com/cybersecpadawan/utilizing-a-common-windows-binary-to-escalate-to-system-privileges-c16482cced4b

By running the tasklist command referenced above on the host, I found that this particular svchost instance was managing BrokerInfrastructure, DcomLaunch, Power, and SystemEventsBroker.
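As an added example (not code from this issue or from Wazuh), here is the enrichment the request describes in Python: it parses `tasklist /svc` output, including the wrapped rows tasklist emits for long service lists, into a PID-to-services map and attaches the parent svchost instance's services to the Sysmon event. The tasklist rows and the event fields are constructed from the samples quoted above.

```python
import re
# Constructed sample: the `tasklist /svc` rows quoted in the issue, in tasklist's
# fixed-width layout (25-char image column, 8-char right-aligned PID column).
TASKLIST_OUTPUT = "\n".join([
    f"{'Image Name':<25} {'PID':>8} Services",
    "=" * 25 + " " + "=" * 8 + " " + "=" * 44,
    f"{'svchost.exe':<25} {88:>8} PlugPlay",
    f"{'svchost.exe':<25} {604:>8} BrokerInfrastructure, DcomLaunch, Power,",
    f"{'':<25} {'':>8} SystemEventsBroker",  # tasklist wraps long service lists
    f"{'svchost.exe':<25} {620:>8} RpcEptMapper, RpcSs",
]) + "\n"
# Constructed sample: the fields of the Sysmon event quoted above that matter here.
SYSMON_EVENT = {"win": {"eventdata": {
    "image": "C:\\Windows\\System32\\fodhelper.exe", "processId": "3776",
    "parentImage": "C:\\Windows\\System32\\svchost.exe", "parentProcessId": "604",
    "parentCommandLine": "C:\\Windows\\system32\\svchost.exe -k DcomLaunch -p",
}}}

def parse_tasklist_svc(text):
    """Map PID -> [service names]; column widths come from the '====' separator line,
    and a row with blank image/PID columns continues the previous PID's wrapped list."""
    services, widths, current = {}, None, None
    for line in text.splitlines():
        if line.startswith("="):
            widths = [len(col) for col in line.split()]
            continue
        if widths is None or not line.strip():   # header line or blank line
            continue
        w_img, w_pid = widths[0], widths[1]
        image = line[:w_img].strip()
        pid_s = line[w_img + 1:w_img + 1 + w_pid].strip()
        names = line[w_img + w_pid + 2:]
        if image and pid_s.isdigit():
            current = int(pid_s)
        elif image or current is None:           # malformed row or stray continuation
            continue
        services[current] = services.get(current, []) + [
            n.strip() for n in names.split(",") if n.strip() not in ("", "N/A")]
    return services

def enrich_parent_services(event, pid_services):
    """Attach the services hosted by the event's parent svchost PID. parent_known is
    False if the PID is absent: PIDs are reused, so match snapshot and event by time too."""
    data = event["win"]["eventdata"]
    parent_pid = int(data["parentProcessId"])
    group = re.search(r"-k\s+(\S+)", data.get("parentCommandLine", ""))
    return {"parent_pid": parent_pid,
            "parent_group": group.group(1) if group else None,  # -k service group
            "parent_services": pid_services.get(parent_pid, []),
            "parent_known": parent_pid in pid_services}
```

The `-k` group from the parent command line is kept alongside the hosted service list because it is already present in the event and is often the only hint available when no snapshot matches.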

kmfreder1 commented 2 years ago

Any thoughts on if this is something the Wazuh Team is interested in implementing? Also, curious what the label pending-PO means. Sure would be helpful.