
Under which conditions can dllhost.exe spawn child process? | MITRE ATT&CK T1191

Çağlar Arlı


I was looking for conditions/circumstances under which Dllhost.exe can spawn a child process. I examined a huge quantity of event logs from various Windows systems and didn't come across any event in which Dllhost.exe spawns a child process.

The only noticeable event (event ID 4688) was dllhost.exe --> cmd.exe, which was the result of a simulated 'cmstp UAC Bypass' attack.

Scenario:

  • Threat hunting for MITRE ATT&CK T1191.
  • Initial IOC being dllhost.exe spawning a child process (attacker payload/elevated shell).

I am planning not to look for specific dllhost.exe-->cmd.exe events, as they limit the scope of the rule.

The insight I am looking for is: if we create a detection rule for T1191 which triggers when dllhost.exe spawns a child process, what is the success rate going to be, and how many false positives could arise from this particular rule?

PS: Looking for events where cmstp.exe is spawned and examining the command line for certain execution flags might seem like a better approach, but that will not tell us about the final elevated program that has been launched.
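The rule described in the post (alert whenever the parent of a 4688 event is dllhost.exe, regardless of the child) as an added worked example; this is not code from the original post or from the author. It assumes 4688 events have been flattened to one tab-separated line of `key=value` fields per event (a constructed format, not a native Windows export), that the `ParentProcessName` field is populated (Windows 10 / Server 2016 and later), and it uses the documented `TokenElevationType` values (`%%1937` = full elevation) to mark whether the child got an elevated token. The sample events and the CLSID placeholders are constructed; the `allowlist` tuning knob is a hypothetical addition for baselining, empty by default because the post has no baseline data.

```python
"""Hunt for dllhost.exe spawning a child process in flattened 4688 events (T1191).

Added example, not part of the original post. Input format (constructed):
one event per line, fields as tab-separated key=value pairs.
"""
from collections import Counter
import ntpath

# Constructed sample 4688 events: two ordinary dllhost.exe starts under
# svchost.exe, one dllhost.exe -> cmd.exe (the shape the post saw after the
# simulated cmstp UAC bypass, here with a full-elevation token), and one
# unrelated explorer.exe -> cmd.exe that the rule must ignore.
SAMPLE_4688 = [
    "EventID=4688\tParentProcessName=C:\\Windows\\System32\\svchost.exe"
    "\tNewProcessName=C:\\Windows\\System32\\dllhost.exe"
    "\tCommandLine=C:\\Windows\\system32\\DllHost.exe /Processid:{CONSTRUCTED-CLSID-1}"
    "\tTokenElevationType=%%1936",
    "EventID=4688\tParentProcessName=C:\\Windows\\System32\\svchost.exe"
    "\tNewProcessName=C:\\Windows\\System32\\dllhost.exe"
    "\tCommandLine=C:\\Windows\\system32\\DllHost.exe /Processid:{CONSTRUCTED-CLSID-2}"
    "\tTokenElevationType=%%1936",
    "EventID=4688\tParentProcessName=C:\\Windows\\System32\\dllhost.exe"
    "\tNewProcessName=C:\\Windows\\System32\\cmd.exe"
    "\tCommandLine=cmd.exe"
    "\tTokenElevationType=%%1937",
    "EventID=4688\tParentProcessName=C:\\Windows\\explorer.exe"
    "\tNewProcessName=C:\\Windows\\System32\\cmd.exe"
    "\tCommandLine=\"C:\\Windows\\system32\\cmd.exe\""
    "\tTokenElevationType=%%1938",
]

# Documented 4688 TokenElevationType values: %%1936 default, %%1937 full
# (elevated administrator token), %%1938 limited.
TOKEN_FULL = "%%1937"


def parse_4688(line):
    """Split one flattened 4688 line into a dict of field -> value."""
    fields = {}
    for item in line.split("\t"):
        key, _, value = item.partition("=")  # command lines may contain '='
        fields[key.strip()] = value.strip()
    return fields


def basename(path):
    """Lower-cased image name of a Windows path, for case-insensitive matching."""
    return ntpath.basename(path).lower()


def hunt(lines, allowlist=frozenset()):
    """Return one finding per 4688 event whose parent image is dllhost.exe.

    allowlist: lower-case child image names tuned out after baselining
    (hypothetical knob; empty here because the post gives no baseline).
    """
    findings = []
    for line in lines:
        ev = parse_4688(line)
        if ev.get("EventID") != "4688":
            continue
        parent = basename(ev.get("ParentProcessName", ""))
        child = basename(ev.get("NewProcessName", ""))
        if parent != "dllhost.exe" or child in allowlist:
            continue
        findings.append({
            "technique": "T1191",
            "parent": parent,
            "child": child,
            "command_line": ev.get("CommandLine", ""),
            "elevated": ev.get("TokenElevationType") == TOKEN_FULL,
        })
    return findings


def pair_counts(lines):
    """Count (parent, child) image pairs so a rare pair stands out against the baseline."""
    counts = Counter()
    for line in lines:
        ev = parse_4688(line)
        pair = (basename(ev.get("ParentProcessName", "")),
                basename(ev.get("NewProcessName", "")))
        counts[pair] += 1
    return counts


if __name__ == "__main__":
    for finding in hunt(SAMPLE_4688):
        print(finding)
    for pair, n in pair_counts(SAMPLE_4688).most_common():
        print(pair, n)
```

Running `pair_counts` over a large export of real 4688 data is the cheap way to answer the false-positive question the post raises: any (parent, child) pair with dllhost.exe as parent that shows up regularly is a candidate for the allowlist, and anything left is worth a look. The `elevated` flag preserves the point made in the PS: the dllhost.exe parent finding records the final program that was launched and with what token, which a cmstp.exe command-line match alone does not.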