SVCHost.exe and Internet Sharing Triage
ID: 7fc09ea4-5d7f-5cf1-ab2f-92c592bdb571
STIX ID: report--7fc09ea4-5d7f-5cf1-ab2f-92c592bdb571
Feed Name: On the Hunt
This post describes an investigation into thousands of DNS requests observed from svchost.exe on a corporate laptop. Initial attribution to the infostealer ViperSoftx was revisited after telemetry and the svchost command line showed that the SharedAccess (Internet Connection Sharing, ICS) service was in use. Forensics on an svchost process dump revealed HOSTS.ICS entries and the domains contacted, leading to the conclusion that a personal device connected via Internet Connection Sharing was the infected host, with the corporate endpoint merely proxying its DNS traffic rather than being compromised itself.
