Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | N/A (single event)
Deduplication Period | 1 Day
Required Data |
Detection Modules |
Detector Tags |
ATT&CK Tactic |
ATT&CK Technique |
Severity | Low
Description
The process dllhost.exe was executed with an empty command line. This behavior is suspicious, and may be caused by a malicious actor using 'Image File Execution Options' in the registry to evade detection.
Attacker's Goals
Evade detection when running suspicious commands.
Investigative actions
- Check if an entry for dllhost.exe was added in the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.
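One way to run this check on the affected host, as an added example that is not part of the original page: a read-only PowerShell script that lists every value stored under the dllhost.exe Image File Execution Options key. Also looking at the 32-bit (WOW6432Node) registry view and at subkeys is an assumption that goes beyond the single key the page names.

```powershell
# Added example: read-only triage of Image File Execution Options (IFEO)
# entries for dllhost.exe. Nothing is modified.
$image = 'dllhost.exe'

$ifeoRoots = @(
    # Key named in the investigative action above.
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    # Assumption: the 32-bit registry view is checked as well.
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

$findings = foreach ($root in $ifeoRoots) {
    $keyPath = Join-Path $root $image
    if (-not (Test-Path -LiteralPath $keyPath)) { continue }

    # The key itself plus any subkeys beneath it (assumption: subkeys are in scope).
    $keys = @(Get-Item -LiteralPath $keyPath) +
            @(Get-ChildItem -LiteralPath $keyPath -Recurse -ErrorAction SilentlyContinue)

    foreach ($key in $keys) {
        $names = $key.GetValueNames()
        if ($names.Count -eq 0) {
            # The key exists but holds no values; still worth reporting.
            [pscustomobject]@{ Key = $key.Name; Value = '(no values)'; Kind = $null; Data = $null }
            continue
        }
        foreach ($name in $names) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = if ($name -eq '') { '(Default)' } else { $name }
                Kind  = $key.GetValueKind($name)
                # Show the raw data without expanding %VARIABLES%.
                Data  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    "No Image File Execution Options entry found for $image."
}
```

Any row returned means an entry for dllhost.exe exists and should be reviewed against the time of the alert.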
Variations
- Execution of unsigned dllhost from a non-typical path with empty command line
- Globally uncommon execution of dllhost.exe with an empty command line