Skip to content

Hide Navigation Hide TOC

Suspicious Svchost Process Access (166e9c50-8cd9-44af-815d-d1f0c0e90dde)

Detects suspicious access to the "svchost" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.

Cluster A Galaxy A Cluster B Galaxy B Level
Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern Suspicious Svchost Process Access (166e9c50-8cd9-44af-815d-d1f0c0e90dde) Sigma-Rules 1
Disable Windows Event Logging - T1562.002 (4eb28bed-d11a-4641-9863-c2ac017d910a) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 2