I have searched for conditions / circumstances under which Dllhost.exe can generate a child process. I looked at a large number of event logs from different Windows systems and did not encounter an event where Dllhost.exe spawned a child process.
The only noticeable event (event ID 4688) was dllhost.exe -> cmd.exe, which was the result of a simulated "cmstp UAC Bypass" attack.
- Threat hunting for MITRE ATT&CK T1191.
- Initial IOC is dllhost.exe spawning a child process (attacker payload / elevated shell).
I do not plan to look for specific dllhost.exe -> cmd.exe events because that would limit the rule scope.
The insight I'm looking for is this: if we create a detection rule for T1191 that triggers whenever dllhost.exe spawns a child process, what success rate can be expected and how many false positives can result from that particular rule?
PS: Looking for events where cmstp.exe is spawned and checking for certain execution flags on the command line may seem like a better approach, but it says nothing about the final program that was actually started.
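A minimal version of the hunt described above, as an added example (not the poster's code): it filters constructed 4688-style records for any child of dllhost.exe and tallies child names so an analyst can gauge noise and build an allowlist. Field names follow the 4688 EventData schema; the sample records, the placeholder CLSID and the WerFault.exe allowlist entry are assumptions.

```python
from collections import Counter

# Constructed sample Security event 4688 records (not real telemetry).
# CommandLine is only populated when the "Include command line in process
# creation events" audit policy is enabled, so the rule must not rely on it.
SAMPLE_4688 = [
    {"SubjectUserName": "alice",
     "ParentProcessName": r"C:\Windows\System32\svchost.exe",
     "NewProcessName": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": "dllhost.exe /Processid:{PLACEHOLDER-CLSID}"},
    {"SubjectUserName": "alice",
     "ParentProcessName": r"C:\Windows\System32\dllhost.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": ""},                      # command line not audited
    {"SubjectUserName": "bob",
     "ParentProcessName": r"C:\Windows\System32\dllhost.exe",
     "NewProcessName": r"C:\Windows\System32\WerFault.exe",   # assumed benign
     "CommandLine": "WerFault.exe -u -p 4242 -s 100"},
    {"SubjectUserName": "bob",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path ('' if empty)."""
    return path.rsplit("\\", 1)[-1].lower()


def is_dllhost_child(event: dict, allowlist: frozenset = frozenset()) -> bool:
    """Rule: parent is dllhost.exe and the child is not on the allowlist."""
    parent = basename(event.get("ParentProcessName", ""))
    child = basename(event.get("NewProcessName", ""))
    return parent == "dllhost.exe" and child not in allowlist


def hunt_dllhost_children(events, allowlist: frozenset = frozenset()) -> list:
    """Return every 4688 record the rule would alert on, in input order."""
    return [e for e in events if is_dllhost_child(e, allowlist)]


def child_counts(events) -> Counter:
    """Tally child names under dllhost.exe to estimate the rule's noise level."""
    return Counter(basename(e["NewProcessName"]) for e in hunt_dllhost_children(events))


if __name__ == "__main__":
    for hit in hunt_dllhost_children(SAMPLE_4688, frozenset({"werfault.exe"})):
        print(hit["SubjectUserName"], "->", hit["NewProcessName"])
```

Run the tally over a few weeks of real 4688 data first; whatever dominates the counts is the candidate allowlist, and the remaining hits are the rule's effective scope.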