NERC Publishes Practice Guide for assessing SVCHOST.EXE

5 years ago Robert Landavazo

One of our customers (you know who you are, thanks!) made us aware of a new practice guide titled “ERO Enterprise CMEP Practice Guide: Assessment of SVCHOST.EXE”, published exactly two weeks ago today, on September 15th, 2020. NERC seldom releases guidance of this kind, so a new guide should not go unnoticed: according to their website, they have published only three Critical Infrastructure Protection (CIP)-specific guides, including this one, since 2017. The CMEP Practice Guides are described as “provid[ing] direction to ERO Enterprise CMEP staff on approaches to carry out compliance monitoring and enforcement activities.” That statement is also why they should not be taken lightly: NERC (the North American Electric Reliability Corporation) and the ERO (Electric Reliability Organization) Enterprise adopt this guidance, and auditors assess compliance according to its language.

Figure 1

The practice guide summarizes the CIP-007-6 R1.1 requirement: establish a process that enables only those logical network-accessible ports on each in-scope asset that are needed for its function, and retain evidence demonstrating that need. The quality of that evidence is the focus of the guide, specifically where a rather important Windows system process, svchost.exe, is involved. Svchost.exe is a generic host process: Windows services implemented as Dynamic Link Libraries (DLLs) run inside it rather than in executables of their own, which reduces system resource consumption because several services can share one process. Therein lies the problem. When a hosted service opens a listening port, the owning process the operating system reports is svchost.exe, not the service that actually requested the port, and there are many svchost.exe instances to choose from. Here’s an example from my Windows 10 workstation’s Task Manager Details tab in Figure 1 (click to expand).


As you can clearly see, that is in fact a bunch of svchosts, and the Details tab does not say which service lives in which one. There is a much easier way to see what’s behind each of them: the Processes tab groups the hosted services under each svchost.exe entry, as seen in Figure 2.

Figure 2

In the above example, we can see that the Windows Time service is the culprit in this instance. So, as you might suspect, if a Responsible Entity (you, the asset owner) does not clearly document in its evidence which service is actually opening the port, and instead shows only svchost.exe, that evidence is inadequate per the document.

At Tripwire, our customers leverage the Tripwire State Analyzer App (formerly the Tripwire Whitelist Profiler App) to do the heavy lifting of satisfying the CIP-007 R1.1 requirement. The output of its ports and services control includes not just the protocol (TCP or UDP), the process name (svchost.exe) and any other required fields (like business justifications), but also the name of the service that asked svchost.exe to open the port on its behalf. Here’s an example of that output:

**********************************
** UNAUTHORIZED OPEN PORT FOUND **
**********************************
Protocol: UDP
Port: 123
Process Name: svchost.exe (Service Name: W32tm)
Process ID: 716

In order to enumerate the service name, the Tripwire State Analyzer App employs the native Windows ‘netstat -b’ command, and has had this functionality available for more than two and a half years. The ‘netstat’ command was selected in order to support operating systems prior to Windows 8.1 that could not leverage the newer PowerShell networking cmdlets. Two practical caveats apply to ‘netstat -b’: it must be run from an elevated prompt, and for some sockets it prints “Can not obtain ownership information” instead of a service name, in which case the process ID from ‘netstat -ano’ can be matched against ‘tasklist /svc’ to recover the service(s) hosted in that PID. In response to this Practice Guide, Tripwire is performing additional research internally to ensure that our approach meets or exceeds the requirements and the specific language of the guide; if any findings warrant it, an update will be published to this article. If you have any opinions or questions on this matter, I welcome you to reach out to me at [email protected].
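As an added example (this is not the Tripwire State Analyzer’s code, nor anything from the NERC guide), the PowerShell below performs the same port-to-service resolution the article describes: it lists TCP listeners and bound UDP endpoints, looks up the owning process, and, where that process is svchost.exe, names the Windows service(s) hosted in that PID so the evidence record names the service rather than the host. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and Get-NetUDPEndpoint, an elevated session, and a constructed allow-list hashtable; the function names Get-PortEvidence and Format-PortFinding and the baseline entries are illustrative choices, not anything from the page.

```powershell
# Added example (not Tripwire's or NERC's code): resolve listening ports to the
# Windows service behind svchost.exe so that port evidence names the service,
# not just the host process. Assumes Windows 8 / Server 2012 or later for the
# Get-NetTCPConnection / Get-NetUDPEndpoint cmdlets and an elevated session so
# that ownership is visible for every PID.
#Requires -RunAsAdministrator

function Get-PortEvidence {
    [CmdletBinding()]
    param(
        # Hypothetical allow-list keyed "PROTO/PORT" -> business justification.
        [hashtable]$Baseline = @{}
    )

    # Map PID -> service names. One svchost.exe PID can host several services
    # (common on servers and on Windows 10 builds before per-service splitting),
    # so keep every service and flag the ambiguity instead of guessing.
    $svcByPid = @{}
    foreach ($svc in Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 }) {
        $key = [int]$svc.ProcessId
        if (-not $svcByPid.ContainsKey($key)) { $svcByPid[$key] = @() }
        $svcByPid[$key] += $svc.Name
    }

    # Collect TCP listeners and bound UDP endpoints with their owning PID.
    $endpoints = @()
    foreach ($c in Get-NetTCPConnection -State Listen) {
        $endpoints += [pscustomobject]@{ Protocol = 'TCP'; Port = [int]$c.LocalPort; OwningPid = [int]$c.OwningProcess }
    }
    foreach ($u in Get-NetUDPEndpoint) {
        $endpoints += [pscustomobject]@{ Protocol = 'UDP'; Port = [int]$u.LocalPort; OwningPid = [int]$u.OwningProcess }
    }

    # -Unique collapses the IPv4/IPv6 duplicates of the same port and PID.
    foreach ($e in $endpoints | Sort-Object Protocol, Port, OwningPid -Unique) {
        $proc = Get-Process -Id $e.OwningPid -ErrorAction SilentlyContinue
        $procName = if ($proc) { "$($proc.ProcessName).exe" } else { 'unknown' }
        $services = if ($svcByPid.ContainsKey($e.OwningPid)) { @($svcByPid[$e.OwningPid]) } else { @() }
        $key = "$($e.Protocol)/$($e.Port)"

        [pscustomobject]@{
            Protocol      = $e.Protocol
            Port          = $e.Port
            ProcessName   = $procName
            ProcessId     = $e.OwningPid
            # Empty for non-service processes; several names means the PID is
            # shared and a second source (e.g. netstat -b) is needed to pin one.
            ServiceName   = ($services -join ',')
            Ambiguous     = ($services.Count -gt 1)
            Authorized    = $Baseline.ContainsKey($key)
            Justification = $Baseline[$key]
        }
    }
}

function Format-PortFinding {
    # Render one evidence record in the same layout as the report excerpt above.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $banner = if ($Record.Authorized) { 'AUTHORIZED OPEN PORT' } else { 'UNAUTHORIZED OPEN PORT FOUND' }
        $svc = if ($Record.ServiceName) { " (Service Name: $($Record.ServiceName))" } else { '' }
        @(
            ('*' * ($banner.Length + 6)),
            "** $banner **",
            ('*' * ($banner.Length + 6)),
            "Protocol: $($Record.Protocol)",
            "Port: $($Record.Port)",
            "Process Name: $($Record.ProcessName)$svc",
            "Process ID: $($Record.ProcessId)",
            "Justification: $($Record.Justification)"
        ) -join [Environment]::NewLine
    }
}

# Constructed baseline for illustration; a real one comes from the entity's
# documented port/service review, not from this script.
$baseline = @{
    'TCP/3389' = 'Remote Desktop for operator access'
    'UDP/123'  = 'Windows Time (W32Time) synchronization to the site NTP server'
}

# Report anything not on the baseline, plus anything whose svchost.exe hosts
# more than one service, since that record still cannot name a single service.
Get-PortEvidence -Baseline $baseline |
    Where-Object { -not $_.Authorized -or $_.Ambiguous } |
    Format-PortFinding
```

The Ambiguous flag is the point of the exercise: an auditor reading the guide wants one service name per port, and a shared svchost.exe PID cannot give you that from process ownership alone, so those rows need corroboration from ‘netstat -b’ or a per-service process split before they go into the evidence package.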

The post “NERC Publishes Practice Guide for assessing SVCHOST.EXE” appeared first on Tripwire.

Source: Tripwire – Robert Landavazo
