Suspicious Process Masquerading As SvcHost.EXE
Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
    selection:
        Image|endswith: '\svchost.exe'
    filter_main_img_location:
        Image:
            - 'C:\Windows\System32\svchost.exe'
            - 'C:\Windows\SysWOW64\svchost.exe'
    filter_main_ofn:
        OriginalFileName: 'svchost.exe'
    condition: selection and not 1 of filter_main_*

False positives are unlikely for most environments. High confidence detection.
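The following is an added example, not part of the Sigma rule or this page: a small Python evaluation of the rule's selection and filters over constructed process-creation events, so that a practitioner can see which events the condition keeps and which the two filters drop (field names follow the rule; the sample events are constructed, not real telemetry).

```python
# Added example: evaluate this rule's detection logic over constructed events.
# Sigma string matching is case-insensitive, so every comparison lower-cases.

LEGIT_SVCHOST_PATHS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}

def selection(event: dict) -> bool:
    """selection: Image|endswith: '\\svchost.exe'"""
    return event.get("Image", "").lower().endswith(r"\svchost.exe")

def filter_main_img_location(event: dict) -> bool:
    """filter_main_img_location: Image is one of the two expected paths."""
    return event.get("Image", "").lower() in LEGIT_SVCHOST_PATHS

def filter_main_ofn(event: dict) -> bool:
    """filter_main_ofn: OriginalFileName (PE version resource, as logged by
    e.g. Sysmon Event ID 1) equals 'svchost.exe'."""
    return event.get("OriginalFileName", "").lower() == "svchost.exe"

def matches(event: dict) -> bool:
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not (
        filter_main_img_location(event) or filter_main_ofn(event)
    )

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Windows\SysWOW64\svchost.exe", "OriginalFileName": "svchost.exe"},
    # Unknown binary named svchost.exe in a user-writable path: alert.
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "dropper.exe"},
    # A relocated copy of the genuine binary is excluded by filter_main_ofn.
    {"Image": r"C:\Temp\svchost.exe", "OriginalFileName": "svchost.exe"},
    # Source without an OriginalFileName field: only the path filter applies.
    {"Image": r"C:\ProgramData\svchost.exe"},
    {"Image": r"C:\Windows\System32\services.exe", "OriginalFileName": "services.exe"},
]

def evaluate(events):
    """Return the Image of every event the rule would alert on, in order."""
    return [e["Image"] for e in events if matches(e)]

if __name__ == "__main__":
    for image in evaluate(SAMPLE_EVENTS):
        print("ALERT:", image)
```

Note that filter_main_ofn only has an effect when the log source populates OriginalFileName; with a source that lacks it, the rule reduces to the path check alone.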
Uncommon Svchost Parent Process
Detects an uncommon svchost parent process
Detects similar activity. Both rules may fire on overlapping events.
System File Execution Location Anomaly
Detects the execution of a Windows system binary that is usually located in the system folder from an uncommon location.
Detects similar activity. Both rules may fire on overlapping events.