Detection rules › Sigma
Suspicious Process Masquerading As SvcHost.EXE
Detects a suspicious process that is masquerading as the legitimate "svchost.exe" by naming its binary "svchost.exe" and executing from an uncommon location. Adversaries often disguise their malicious binaries by naming them after legitimate system processes like "svchost.exe" to evade detection.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1036.005 Masquerading: Match Legitimate Resource Name or Location |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: selection
Image|endswith: '\svchost.exe'
Stage 2: not 1 of filter_main_*
or:
Image: 'C:\Windows\SysWOW64\svchost.exe'
Image: 'C:\Windows\System32\svchost.exe'
OriginalFileName: svchost.exe
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Image | ends_with |
|
Image | eq |
|
OriginalFileName | eq |
|