rpcnet.exe / rpcnetp.exe, which is LoJack-style software. https://www.blackhat.com/docs/us-14/materials/us-14-kamlyuk-kamluk-computrace-backdoor-revisited.pdf

Techniques

Sample rules

Suspect Svchost Activity

Description

It is extremely abnormal for svchost.exe to spawn without any CLI arguments. This is normally observed when a malicious process spawns svchost.exe and injects code into its memory space.

Detection logic

condition: selection and not filter
filter:
- ParentImage|endswith:
  - \rpcnet.exe
  - \rpcnetp.exe
- CommandLine: null
selection:
  CommandLine|endswith: svchost.exe
  Image|endswith: \svchost.exe
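
The following Python sketch evaluates the selection and filter above against four process-creation events, to show which ones alert and where the rpcnet.exe / rpcnetp.exe exclusion applies. It is an added example, not part of the rule or of any Sigma backend; the events, paths and the parent `example.exe` are constructed for illustration.

```python
# Added example: the page's selection/filter logic evaluated over constructed events.

def ends_with(value, suffixes):
    """Sigma's |endswith modifier: case-insensitive, false for a missing field."""
    if value is None:
        return False
    return value.lower().endswith(tuple(s.lower() for s in suffixes))

def selection(ev):
    # Keys of one map are ANDed: both fields must match.
    return (ends_with(ev.get("CommandLine"), ["svchost.exe"])
            and ends_with(ev.get("Image"), ["\\svchost.exe"]))

def rule_filter(ev):
    # Items of the filter list are ORed: known parent, or no command line recorded.
    return (ends_with(ev.get("ParentImage"), ["\\rpcnet.exe", "\\rpcnetp.exe"])
            or ev.get("CommandLine") is None)

def alerts(ev):
    # condition: selection and not filter
    return selection(ev) and not rule_filter(ev)

SVCHOST = r"C:\Windows\System32\svchost.exe"

# Constructed process-creation events (field names as used by the rule).
EVENTS = {
    "service_start": {"Image": SVCHOST, "CommandLine": SVCHOST + " -k netsvcs -p",
                      "ParentImage": r"C:\Windows\System32\services.exe"},
    "bare_svchost": {"Image": SVCHOST, "CommandLine": SVCHOST,
                     "ParentImage": r"C:\Users\Public\example.exe"},  # hypothetical parent
    "computrace": {"Image": SVCHOST, "CommandLine": SVCHOST,
                   "ParentImage": r"C:\Windows\System32\rpcnetp.exe"},
    "no_cmdline": {"Image": SVCHOST, "CommandLine": None,
                   "ParentImage": r"C:\Windows\System32\services.exe"},
}

def triage(events):
    """Return the names of events that would raise an alert."""
    return sorted(name for name, ev in events.items() if alerts(ev))

if __name__ == "__main__":
    for name, ev in EVENTS.items():
        print(f"{name:14} selection={selection(ev)!s:5} "
              f"filter={rule_filter(ev)!s:5} alert={alerts(ev)}")
```

Only `bare_svchost` alerts: `computrace` matches the selection but is dropped by the parent-image filter, and `no_cmdline` never alerts because the command line was not recorded.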