
Our SIEM has a Sigma rule that alerts when svchost is launched without any arguments. The logs are from a domain controller which unfortunately I don't have access to, so I can't verify. I will be reaching out to our system admin, but can anyone think of why a Windows domain controller would launch svchost without any arguments? A link to the Sigma rule is below.

Rule: Suspect Svchost Activity

  • Might be worth running something like this just to see if a service image path matches/has been changed: Get-ItemProperty hklm:\SYSTEM\CurrentControlSet\Services\* | % { if ($_.imagepath -match "svchost"){ write-host "$($_.pschildname), $($_.imagepath)"}} Looking at the rule, I don't think it should match this potential process: C:\WINDOWS\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe as it might match selection1, but I think selection2 would be OK, and you need both to be true. Commented Aug 19, 2021 at 23:35
  • I wonder if the process making the call can't get the command line. For example, as Admin, run Get-WmiObject Win32_Process -Filter "name like '%svchost%'" | select processid, name, processname, description, commandline | Sort-Object commandline | ogv. This will list a number of svchost.exe processes without command lines, for me both of which are ProtectionLevel: PsProtectedSignerWindows-Light. If you use Process Explorer with a filter for svchost, and add the Protection column, it might highlight this. Commented Aug 19, 2021 at 23:53
  • Even running: Get-WmiObject Win32_Process -Filter "name like '%svchost%'" | select * | Sort-Object commandline | ogv as local system user, the columns Path, CommandLine, ExecutablePath, MaximumWorkingSetSize, MinimumWorkingSetSize are not obtainable for the Protection Level PsProtectedSignerWindows-Light. The process obtaining the information would have to call the necessary APIs with certain flags to get this information. docs.microsoft.com/windows/win32/procthread/… Commented Aug 20, 2021 at 0:09
  • Thanks everyone! Got busy and just getting back to this. It appears the rule needs to be tuned as other customers are reporting false positives. – faithsec Commented Aug 27, 2021 at 16:32
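A triage script that combines the two checks the commenters describe (registry ImagePath review, and svchost processes whose command line WMI cannot read) is shown below. It is an added example, not code from the question or any commenter; it assumes it runs elevated on the host in question, and the verdict labels and the System32 path comparison are my own choices.

```powershell
# Added example: triage every running svchost.exe on this host.
# A process whose CommandLine and ExecutablePath are both unreadable is consistent with a
# protected process (the PsProtectedSignerWindows-Light case from the comments), which a
# "svchost without arguments" rule will flag even though nothing is wrong.
function Get-SvchostTriage {
    $expected = Join-Path $env:SystemRoot 'System32\svchost.exe'
    # Map PID -> services hosted in it, so each svchost can be tied back to what it runs.
    $svcByPid = Get-CimInstance Win32_Service |
        Where-Object { $_.ProcessId -gt 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $procId = $_.ProcessId   # not $PID, which is the shell's own automatic variable
        $hosted = @()
        if ($svcByPid -and $svcByPid.ContainsKey("$procId")) { $hosted = $svcByPid["$procId"].Name }
        $hasCmd    = -not [string]::IsNullOrWhiteSpace($_.CommandLine)
        $pathKnown = -not [string]::IsNullOrWhiteSpace($_.ExecutablePath)
        $verdict = if ($hasCmd -and $_.ExecutablePath -ieq $expected) { 'expected' }
                   elseif (-not $hasCmd -and -not $pathKnown) { 'unreadable (likely protected process)' }
                   elseif ($hasCmd) { 'REVIEW: unexpected image path' }
                   else { 'REVIEW: command line empty but path readable' }
        [pscustomobject]@{
            ProcessId   = $procId
            ParentId    = $_.ParentProcessId
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
            Services    = ($hosted -join ',')
            Verdict     = $verdict
        }
    }
}

# Registry side of the check from the first comment, narrowed to anomalies: services whose
# ImagePath references a svchost.exe that is not the System32 binary.
function Get-SuspectSvchostImagePath {
    Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\*' -ErrorAction SilentlyContinue |
        Where-Object {
            $_.ImagePath -match 'svchost' -and
            $_.ImagePath -notmatch '^(%SystemRoot%|C:\\Windows)\\System32\\svchost\.exe'
        } |
        Select-Object PSChildName, ImagePath
}

Get-SvchostTriage | Sort-Object Verdict | Format-Table -AutoSize
Get-SuspectSvchostImagePath | Format-Table -AutoSize
```

Rows marked "unreadable" are the ones to compare against the SIEM alerts before tuning the rule; rows marked REVIEW are the ones worth a closer look.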

