title: Svchost data exfiltration
id: dc4249c9-d96f-401b-a92b-caa6208c097d
status: experimental
description: Detects possible data exfiltration via svchost
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
author: Nclose
date: 2021/03/29
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: 'copy'
        Image|endswith: '\svchost.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
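As an added example (not part of the rule above or of the Sigma project), the following Python applies the rule's selection to a handful of constructed Windows process_creation events, implementing Sigma's case-insensitive `contains` / `endswith` semantics so a defender can see which events would alert and which ordinary svchost launches would not.

```python
"""Evaluate the Sigma selection from the rule above against sample
Windows process_creation events (the events are constructed here)."""

# Selection as written in the rule: all fields must match (logical AND).
RULE_SELECTION = {
    "CommandLine|contains": "copy",
    "Image|endswith": "\\svchost.exe",
}


def _matches_field(event: dict, key: str, value: str) -> bool:
    """Apply one Sigma field modifier. Sigma string matching is
    case-insensitive by default, so both sides are lower-cased."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    expected = value.lower()
    if modifier == "contains":
        return expected in actual
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "startswith":
        return actual.startswith(expected)
    return actual == expected  # no modifier: exact (case-insensitive) match


def selection_matches(event: dict, selection: dict = RULE_SELECTION) -> bool:
    """A Sigma map selection is an AND over all its key/value pairs."""
    return all(_matches_field(event, k, v) for k, v in selection.items())


# Constructed sample events; paths and hostnames are placeholders.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe",            # benign service host
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",            # staging files to a share
     "CommandLine": "svchost.exe /c copy C:\\Finance\\*.xlsx \\\\FILESERVER01\\share\\"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",                # copy, but not svchost
     "CommandLine": "cmd.exe /c copy report.docx D:\\backup\\"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",            # benign service host
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k LocalService -p"},
]


def alerts(events=SAMPLE_EVENTS):
    """Return the command lines of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    for cmd in alerts():
        print("ALERT:", cmd)
```

Only the svchost event whose command line contains `copy` alerts; the cmd.exe copy and the normal `-k` service launches fall through, which is the behaviour the rule's two-field selection intends.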