@LindoMngadi

LindoMngadi/svchost_copy_command.yml Secret

Last active Mar 29, 2021
title: Svchost data exfiltration
id: dc4249c9-d96f-401b-a92b-caa6208c097d
status: experimental
description: Detects possible data exfiltration via svchost
references:
    - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
author: Nclose
date: 2021/03/29
tags:
    - attack.exfiltration
    - attack.t1048
logsource:
    product: windows
    category: process_creation   # process_creation is a Sigma logsource category, not a service
detection:
    selection:
        CommandLine|contains: 'copy'
        Image|endswith: '\svchost.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
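To see what the selection above actually fires on, here is an added Python check (not part of the gist) that applies Sigma's default case-insensitive `contains` / `endswith` semantics to a few constructed process-creation events; the Sysmon-style field names and all sample paths and command lines are assumptions, and the last event is constructed to show that `contains: 'copy'` also matches any longer token containing that substring.

```python
"""Evaluate the gist's Sigma selection over constructed process-creation events."""
from fnmatch import fnmatchcase

# Mirrors the rule's detection block (field|modifier: value).
SELECTION = {
    "CommandLine|contains": "copy",
    "Image|endswith": "\\svchost.exe",
}


def _pattern(modifier: str, value: str) -> str:
    """Translate a Sigma string modifier into a glob, as Sigma converters do."""
    if modifier == "contains":
        return f"*{value}*"
    if modifier == "endswith":
        return f"*{value}"
    if modifier == "startswith":
        return f"{value}*"
    return value  # no modifier: plain (case-insensitive) equality


def matches(event: dict, selection: dict = SELECTION) -> bool:
    """True when every field in the selection matches (Sigma map = AND)."""
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        # Sigma string comparison is case-insensitive by default.
        if not fnmatchcase(actual.lower(), _pattern(modifier, value.lower())):
            return False
    return True


# Constructed Sysmon EventID 1 style events; not taken from the referenced report.
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs -p"},
    {"Image": r"C:\Users\Public\svchost.exe", "CommandLine": r"svchost.exe COPY C:\Finance\*.xlsx \\host\share"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c copy a.txt b.txt"},
    {"Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k LocalServiceCopyHolder"},
]


def alerts(events=EVENTS) -> list:
    """Return the Image of every event the selection matches."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in alerts():
        print("ALERT:", hit)
```

The benign `-k netsvcs` launch and the `cmd.exe` copy do not fire; the two `svchost.exe` events with a `copy` substring do, which is why the rule's `falsepositives` entry deserves tuning against the host's real service command lines.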