What is Service Host?
Service Host, also known as Svchost, runs as the Windows executable svchost.exe. Because it can be abused by malicious actors, security teams must understand how to detect Service Host abuse.
It runs from the path “C:\Windows\System32\svchost.exe” or, for 32-bit services on 64-bit systems, “C:\Windows\SysWOW64\svchost.exe”.
What does Service Host do?
Service Host is a Windows system process that hosts multiple services inside a single process, which reduces resource consumption compared with giving every service its own process. Each hosted service is implemented as a DLL (Dynamic-Link Library) that Service Host loads and runs as a service.
Why is Understanding the Detection of Service Host Abuse Important?
All computers run background processes continuously; in Windows these are known as Services. Threat actors abuse services to run malicious code because:
- Background processes do not display user interface windows that could tip off the computer user.
- They usually run with high privilege (many services run as the LocalSystem account).
- Services can start automatically when the computer boots and keep running continuously.
Two Windows components start services:
- Services (services.exe), the Service Control Manager, starts a service's executable as its own child process.
- Service Host (svchost.exe) loads the service's DLL into its own process and runs the service from there. svchost.exe itself is started by services.exe.
Detecting Abuse of Service Host
Detection is easier when malware runs as a child process of services.exe, because a separate executable is then running on the system with services.exe as its parent. If a security team observes suspicious activity, it can investigate that child executable directly and decide whether it is malicious.
Abusing Service Host is more effective at evading detection, and security teams need to understand how to detect it. A malicious DLL loaded into Service Host runs inside svchost.exe, a legitimate, Microsoft-signed Windows process, so there is no separate suspicious executable to find; the malicious code is only visible as a module inside a trusted process.
The command “tasklist /svc” lists every process together with the services running inside it, so it shows which services each svchost.exe instance hosts. There will be multiple instances of svchost.exe running on a system. The output below documents what one instance looks like in the output of “tasklist /svc”.
The command line shows which services an svchost.exe instance runs: svchost uses the “-k” flag to specify the service group it should load. On recent Windows 10 and later builds you will also see “-p” and “-s <ServiceName>”, because many services now run in their own svchost.exe instance, so a large number of instances is normal. Read more on the flags used here.
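The following PowerShell is an added example, not code from the original article: it reproduces the svchost.exe portion of “tasklist /svc” using Win32_Process and Win32_Service, extracts the “-k” group from each command line, and applies the sanity checks a reviewer would apply by hand. Run it from an elevated session; without elevation CommandLine and ExecutablePath are blank for SYSTEM processes and every instance would be flagged. The expected image paths are an assumption for a standard Windows install.

```powershell
# Added example: inventory every svchost.exe instance, its -k service group and
# the services the Service Control Manager reports inside it, then flag instances
# that deviate from the shape a legitimate svchost.exe always has.

# Assumed legitimate image paths for a standard Windows install.
$expectedImages = @(
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe"
)

# PID -> process object for every process, so parent lookups are a hash lookup.
$allProcs = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object { $allProcs[[int]$_.ProcessId] = $_ }

# PID -> names of the services the Service Control Manager reports in that process.
$servicesByPid = @{}
Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $id = [int]$_.ProcessId
    if (-not $servicesByPid.ContainsKey($id)) { $servicesByPid[$id] = @() }
    $servicesByPid[$id] += $_.Name
}

$report = foreach ($p in ($allProcs.Values | Where-Object { $_.Name -ieq 'svchost.exe' })) {
    # svchost receives its service group via "-k <group>" (the group may be quoted).
    $group  = if ($p.CommandLine -match '(?i)-k\s+"?([^\s"]+)') { $Matches[1] } else { $null }
    $parent = $allProcs[[int]$p.ParentProcessId]
    $hosted = $servicesByPid[[int]$p.ProcessId]

    $flags = @()
    # Every legitimate svchost.exe is started by the Service Control Manager.
    if (-not $parent -or $parent.Name -ine 'services.exe') { $flags += 'parent-not-services.exe' }
    # Every legitimate instance is told which group to host.
    if (-not $group) { $flags += 'no-k-group' }
    # An svchost.exe that hosts no service at all has no legitimate reason to exist.
    if (-not $hosted) { $flags += 'hosts-no-services' }
    if ($expectedImages -notcontains $p.ExecutablePath) { $flags += "unexpected-path:$($p.ExecutablePath)" }

    $parentLabel = if ($parent) { "$($parent.Name)($($parent.ProcessId))" } else { "<exited:$($p.ParentProcessId)>" }
    [pscustomobject]@{
        PID      = $p.ProcessId
        Parent   = $parentLabel
        Group    = $group
        Services = ($hosted -join ',')
        Flags    = ($flags -join '; ')
    }
}

$report | Sort-Object Group, PID | Format-Table -AutoSize
"Instances with findings:"
$report | Where-Object { $_.Flags } | Format-Table PID, Parent, Group, Flags -AutoSize
```

The first table is the baseline to compare against “tasklist /svc”; the second is what to triage. An instance whose parent is gone can be a false positive if services.exe is simply not the parent any more because the PID was reused, so confirm with process creation telemetry (for example Sysmon Event ID 1) before acting on that flag alone.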
Malware also uses the name svchost.exe to blend in with legitimate Windows processes. Such programs are not abusing Service Host, because they do not load DLLs into it; they merely borrow the name to evade detection.
How to Detect Service Host Abuse
Key indicators that a malicious file has been loaded into Service Host:
- Unusual DLL loads into svchost.exe, for example a DLL outside C:\Windows or one that is not signed by Microsoft (Sysmon Event ID 7, ImageLoaded, records these).
- Unusual services started by Service Host, in particular services that do not belong to the -k groups a standard build uses.
- Abnormal network activity from svchost.exe, such as connections to remote addresses or ports that the hosted services have no reason to use.
- Creation of new services whose binary path points to svchost.exe (the Service Control Manager logs every service installation as System event 7045).
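As an added example (not code from the original article), the script below checks the first, second and fourth indicators above on a live host: for every service configured to run inside svchost.exe it resolves the ServiceDll that Service Host will load, flags DLLs outside the Windows directory, missing DLLs and DLLs whose signature is invalid or not Microsoft's, and then lists recently installed services that use svchost.exe from System event 7045. Run it elevated. The 7-day window and the check of the signer subject against “O=Microsoft Corporation” are assumptions made for the example.

```powershell
# Added example: validate the ServiceDll of every svchost-hosted service and list
# newly installed services that run inside svchost.exe.

$windir = $env:SystemRoot

function Resolve-ServiceDll {
    param([string]$ServiceName)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    # ServiceDll normally sits under the Parameters subkey; a few services keep it on the service key itself.
    $dll = (Get-ItemProperty -Path "$key\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll }
    if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
    return $dll
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    # Only services whose configured binary is svchost.exe are hosted by Service Host.
    if ($svc.PathName -notmatch '(?i)\\svchost\.exe') { continue }

    $group = if ($svc.PathName -match '(?i)-k\s+"?([^\s"]+)') { $Matches[1] } else { $null }
    $dll   = Resolve-ServiceDll -ServiceName $svc.Name
    $flags = @()

    if (-not $dll) {
        $flags += 'no-ServiceDll'          # nothing for svchost to load: misconfigured or tampered
    } elseif (-not (Test-Path -LiteralPath $dll)) {
        $flags += 'dll-missing'
    } else {
        if ($dll -notlike "$windir\*") { $flags += 'dll-outside-windir' }
        # Get-AuthenticodeSignature verifies both embedded and catalog signatures.
        $sig = Get-AuthenticodeSignature -FilePath $dll
        if ($sig.Status -ne 'Valid') {
            $flags += "signature:$($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $flags += "signer:$($sig.SignerCertificate.Subject)"   # assumed expected signer
        }
    }

    [pscustomobject]@{
        Service    = $svc.Name
        Group      = $group
        StartMode  = $svc.StartMode
        State      = $svc.State
        ServiceDll = $dll
        Flags      = ($flags -join '; ')
    }
}

"Services hosted by svchost.exe with findings:"
$findings | Where-Object { $_.Flags } | Format-Table Service, Group, StartMode, ServiceDll, Flags -AutoSize

# New services that use Service Host: the Service Control Manager writes System
# event 7045 ("A service was installed in the system") for every new service.
# In its event data Properties[0] is ServiceName and Properties[1] is ImagePath.
"Services installed in the last 7 days whose image path is svchost.exe:"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[1].Value -match '(?i)svchost\.exe' } |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Service = $_.Properties[0].Value; ImagePath = $_.Properties[1].Value }
    } | Format-Table -AutoSize
```

Most System32 DLLs are catalog-signed rather than carrying an embedded signature, so expect the signature object's SignatureType to read “Catalog” for legitimate files; a DLL that reports NotSigned while sitting next to catalog-signed neighbours deserves a closer look. The registry check complements, rather than replaces, image-load telemetry: a DLL injected into a running svchost.exe at run time never appears in ServiceDll at all.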
To detect malware masquerading as Service Host, look for:
- Programs with names similar to svchost.exe, e.g. svch0st.exe or svchosts.exe.
- svchost.exe running from any location other than C:\Windows\System32 or C:\Windows\SysWOW64, or with a parent process other than services.exe (the Service Control Manager starts every legitimate instance).
- Copies of svchost.exe that are unsigned or not signed by Microsoft.
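The script below is an added example, not code from the original article. It applies the three masquerading checks above to every running process: a Levenshtein edit distance against “svchost.exe” catches look-alike names, the image path is compared against the legitimate locations, and the binary's Authenticode or catalog signature is verified. Run it elevated so ExecutablePath is populated for SYSTEM processes. The edit-distance threshold of 2, the legitimate path list and the signer check on “O=Microsoft Corporation” are assumptions chosen for the example.

```powershell
# Added example: hunt for processes masquerading as svchost.exe by name similarity,
# image path and signature.

# Assumed legitimate image paths for a standard Windows install.
$legitImages = @(
    "$env:SystemRoot\System32\svchost.exe",
    "$env:SystemRoot\SysWOW64\svchost.exe"
)

function Get-EditDistance {
    # Levenshtein distance between two strings; used to catch svch0st.exe, scvhost.exe, svchosts.exe, ...
    param([string]$a, [string]$b)
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

$suspects = foreach ($p in Get-CimInstance -ClassName Win32_Process) {
    $name = $p.Name.ToLowerInvariant()
    $dist = Get-EditDistance $name 'svchost.exe'
    # Consider only exact svchost.exe and names within 2 edits of it (assumed threshold).
    if ($dist -gt 2) { continue }

    $flags = @()
    if ($dist -gt 0) { $flags += "lookalike-name(distance=$dist)" }
    if ($legitImages -notcontains $p.ExecutablePath) { $flags += "unexpected-path:$($p.ExecutablePath)" }

    if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
        # Verifies embedded and catalog signatures; the real svchost.exe is catalog-signed by Microsoft.
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
        if ($sig.Status -ne 'Valid') {
            $flags += "signature:$($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
            $flags += "signer:$($sig.SignerCertificate.Subject)"   # assumed expected signer
        }
    }

    if ($flags) {
        [pscustomobject]@{
            PID   = $p.ProcessId
            Name  = $p.Name
            Path  = $p.ExecutablePath
            Flags = ($flags -join '; ')
        }
    }
}

"Processes masquerading as, or resembling, svchost.exe:"
$suspects | Format-Table -AutoSize
```

A genuine svchost.exe produces no flags at all: distance 0, a path in the legitimate list and a valid Microsoft signature. Anything that appears in the output has failed at least one of the three checks from the list above and should be pulled for analysis together with its parent process and command line.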