Hi Rapid7 Community,
Just wanted to share a quick observation in case it’s helpful.
After the recent update to the “Attacker Technique – Potential Process Hollowing to DLLHost” detection (updated on Dec 26th), we’ve started seeing this alert trigger across several different tenants around the same time.
In all the cases we’ve reviewed so far, the events look like legitimate dllhost.exe (COM Surrogate) executions, typically with the standard argument:
DllHost.exe /Processid:{GUID}
Additional context from the events:
- dllhost.exe running from C:\Windows\System32
- Valid Microsoft signature
- Known hash reputation
- Running as SYSTEM
- No suspicious parent process or follow-on behavior
Given that this started right after the rule update and is appearing in multiple unrelated environments, it looks like the current logic may be a bit too strict around how the /Processid:{GUID} argument is excluded, leading to some false positives for normal COM/DCOM activity.
Just flagging it here in case others are seeing the same thing, and in case it’s useful for tuning the detection. Happy to share examples or more details if needed.
Thanks!
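Added example (not part of the post above, and not Rapid7's rule logic): a small triage filter that applies the benign pattern the post describes (dllhost.exe from System32, valid Microsoft signature, exactly one /Processid:{GUID} argument) to process events, so only the events that do not fit it are left for review. The event fields, the helper names and the sample events are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Shape of the standard COM Surrogate argument described in the post: /Processid:{GUID}
PROCESSID_RE = re.compile(
    r"^/processid:\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE
)
# Image path reported for the benign events (compared case-insensitively).
EXPECTED_IMAGE = r"c:\windows\system32\dllhost.exe"
# Splits a Windows command line into the (possibly quoted) image and its arguments.
CMDLINE_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(.*?)\s*$')


@dataclass
class ProcessEvent:            # assumed field names, not a Rapid7 schema
    image: str                 # full path of the executable
    cmdline: str               # raw command line as logged
    signature_valid: bool      # Authenticode signature verified as Microsoft
    user: str                  # account the process ran as


def is_expected_com_surrogate(ev: ProcessEvent) -> bool:
    """True when the event matches the benign pattern: dllhost.exe from System32,
    validly signed, with exactly one /Processid:{GUID} argument and nothing else."""
    if ev.image.lower() != EXPECTED_IMAGE or not ev.signature_valid:
        return False
    m = CMDLINE_RE.match(ev.cmdline)
    args = m.group(1) if m else ""
    return PROCESSID_RE.match(args) is not None


def triage(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return only the events that do not fit the benign pattern and still need review."""
    return [ev for ev in events if not is_expected_com_surrogate(ev)]


# Constructed sample events (not real telemetry); the GUID is made up.
SAMPLE_EVENTS = [
    # Benign: System32 image, signed, single /Processid:{GUID} argument -> filtered out
    ProcessEvent(r"C:\Windows\System32\dllhost.exe",
                 r"C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
                 True, r"NT AUTHORITY\SYSTEM"),
    # Same argument shape but wrong path and unsigned -> kept for review
    ProcessEvent(r"C:\Users\Public\dllhost.exe",
                 r"C:\Users\Public\dllhost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
                 False, r"CORP\jdoe"),
    # Expected path and signature but extra arguments -> kept for review
    ProcessEvent(r"C:\Windows\System32\dllhost.exe",
                 r'"C:\Windows\System32\dllhost.exe" /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7} -x',
                 True, r"NT AUTHORITY\SYSTEM"),
]
```

Running `triage(SAMPLE_EVENTS)` leaves the second and third events, which is the kind of split the post suggests the rule's /Processid:{GUID} exclusion should already be making.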