Suspicious Svchost Process Access (166e9c50-8cd9-44af-815d-d1f0c0e90dde)

Detects suspicious access to the "svchost" process, such as the access used by Invoke-Phantom to kill the threads of the Windows Event Log service, which runs inside an svchost.exe host process.
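The following is an added example, not the Sigma rule's own YAML: a small Python evaluator for one plausible form of the rule's selection, run over constructed Sysmon Event ID 10 (ProcessAccess) records. The fields and values selected on (a TargetImage ending in \svchost.exe, GrantedAccess equal to PROCESS_ALL_ACCESS 0x1F3FFF, and a CallTrace containing "UNKNOWN", i.e. a frame not backed by an on-disk module, as produced by reflectively loaded PowerShell code) are assumptions for illustration; consult the rule's YAML for its actual detection block.

```python
# Added example, not the Sigma rule's own logic. Evaluates an assumed
# selection (svchost target, PROCESS_ALL_ACCESS, unbacked "UNKNOWN" frame
# in the call trace) over constructed Sysmon Event ID 10 records.
from dataclasses import dataclass

PROCESS_ALL_ACCESS = 0x1F3FFF


@dataclass
class ProcessAccessEvent:
    source_image: str
    target_image: str
    granted_access: str  # Sysmon logs this as hex text, e.g. "0x1F3FFF"
    call_trace: str


def parse_access(value: str) -> int:
    """Sysmon writes GrantedAccess as hex text; case and zero padding vary
    across versions and log forwarders, so compare it as an integer."""
    return int(value, 16)


def is_suspicious(ev: ProcessAccessEvent) -> bool:
    """Assumed selection: full-access handle to svchost.exe opened from a
    call stack with a frame that is not backed by a loaded module."""
    target = ev.target_image.lower()
    return (
        target.endswith("\\svchost.exe")
        and parse_access(ev.granted_access) == PROCESS_ALL_ACCESS
        and "unknown" in ev.call_trace.lower()
    )


def find_hits(events):
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Reflective PowerShell code (unbacked frame) opening svchost with full access
    ProcessAccessEvent(
        source_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        target_image=r"C:\Windows\System32\svchost.exe",
        granted_access="0x1F3FFF",
        call_trace=r"C:\Windows\SYSTEM32\ntdll.dll+9d8a4|UNKNOWN(000001F0A3C4B2E0)",
    ),
    # Same handle rights, but every frame is backed by an on-disk module
    ProcessAccessEvent(
        source_image=r"C:\Windows\System32\taskmgr.exe",
        target_image=r"C:\Windows\System32\svchost.exe",
        granted_access="0x1F3FFF",
        call_trace=r"C:\Windows\SYSTEM32\ntdll.dll+9d8a4|C:\Windows\System32\KERNELBASE.dll+2c0d4",
    ),
    # Unbacked frame, but only PROCESS_QUERY_LIMITED_INFORMATION was granted
    ProcessAccessEvent(
        source_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        target_image=r"C:\Windows\System32\svchost.exe",
        granted_access="0x1000",
        call_trace=r"C:\Windows\SYSTEM32\ntdll.dll+9d8a4|UNKNOWN(000001F0A3C4B2E0)",
    ),
    # Full access and an unbacked frame, but the target is not svchost
    ProcessAccessEvent(
        source_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        target_image=r"C:\Windows\System32\lsass.exe",
        granted_access="0x1f3fff",
        call_trace=r"UNKNOWN(000001F0A3C4B2E0)",
    ),
]


if __name__ == "__main__":
    for ev in find_hits(SAMPLE_EVENTS):
        print(f"ALERT: {ev.source_image} -> {ev.target_image} "
              f"access={ev.granted_access} trace={ev.call_trace}")
```

Only the first constructed event matches: the second has a fully module-backed call stack, the third requests only limited rights, and the fourth targets a different process. In production the GrantedAccess comparison should be done as an integer, as above, rather than as a literal string, since the hex casing and padding of that field are not stable across Sysmon versions.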

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Suspicious Svchost Process Access (166e9c50-8cd9-44af-815d-d1f0c0e90dde) | Sigma-Rules | Disable or Modify Windows Event Log - T1685.001 (1411e6b8-80a6-4465-9909-54eaa9c67ce0) | Attack Pattern | 1
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | Disable or Modify Windows Event Log - T1685.001 (1411e6b8-80a6-4465-9909-54eaa9c67ce0) | Attack Pattern | 2