Excessive Number Of Taskhost Processes

This detection targets behaviors observed in post-exploitation kits such as Meterpreter and Koadic that run in memory. We have observed that these tools must invoke an excessive number of taskhost.exe and taskhostex.exe processes to complete various actions (discovery, lateral movement, etc.). In normal operations it is extremely uncommon to see so many distinct taskhost and taskhostex processes running concurrently within a short time frame.


Excessive Number Of Taskhost Processes Help

To successfully implement this search you need to be ingesting endpoint process events that include the process name and process id, mapped to the Processes node of the Endpoint data model.
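As an added example (not part of the Splunk content itself), the detection logic described above run in Python over constructed endpoint process events: it buckets events by host and time span, counts distinct taskhost.exe/taskhostex.exe process ids per bucket, and flags hosts above a threshold. The 10-minute span and threshold of 5 are assumed tuning values; the page does not give the search's actual values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint process events, not real telemetry:
# (timestamp, host, process_name, process_id), the fields the detection needs.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:05", "ws-01", "taskhost.exe",   4120),
    ("2024-03-01T09:00:09", "ws-01", "taskhostex.exe", 4136),
    ("2024-03-01T09:00:14", "ws-01", "taskhost.exe",   4152),
    ("2024-03-01T09:00:20", "ws-01", "taskhost.exe",   4168),
    ("2024-03-01T09:00:31", "ws-01", "taskhostex.exe", 4184),
    ("2024-03-01T09:00:45", "ws-01", "taskhost.exe",   4200),
    ("2024-03-01T09:00:45", "ws-01", "taskhost.exe",   4200),  # duplicate event, same pid
    ("2024-03-01T09:02:10", "ws-01", "explorer.exe",   1300),  # unrelated process, ignored
    ("2024-03-01T09:01:00", "ws-02", "taskhost.exe",   2044),  # normal background activity
    ("2024-03-01T11:30:00", "ws-02", "taskhostex.exe", 2100),
]

TASKHOST_NAMES = {"taskhost.exe", "taskhostex.exe"}


def bucket_start(ts, span):
    """Floor a timestamp to the start of its span-wide bucket (like `bin _time span=`)."""
    day = datetime(ts.year, ts.month, ts.day)
    secs = (ts - day).total_seconds() // span.total_seconds() * span.total_seconds()
    return day + timedelta(seconds=secs)


def distinct_taskhosts_per_bucket(events, span=timedelta(minutes=10)):
    """Count distinct taskhost/taskhostex process ids per (host, time bucket)."""
    pids = defaultdict(set)
    for ts, host, name, pid in events:
        if name.lower() not in TASKHOST_NAMES:
            continue
        key = (host, bucket_start(datetime.fromisoformat(ts), span))
        pids[key].add(pid)  # a set, so repeated events for one pid count once
    return {key: len(s) for key, s in pids.items()}


def find_excessive_hosts(events, threshold=5, span=timedelta(minutes=10)):
    """Return {host: highest distinct count} for hosts whose bucket exceeds threshold (assumed value)."""
    hits = {}
    for (host, _start), n in distinct_taskhosts_per_bucket(events, span).items():
        if n > threshold:
            hits[host] = max(n, hits.get(host, 0))
    return hits


if __name__ == "__main__":
    print(find_excessive_hosts(SAMPLE_EVENTS))  # {'ws-01': 6}
```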
