Potential Masquerading as Svchost

  1[metadata]
  2creation_date = "2025/11/12"
  3integration = ["endpoint", "windows", "system"]
  4maturity = "production"
  5updated_date = "2026/04/29"
  6min_stack_comments = "Changing min stack to 9.2.0, the latest minimum supported version for 9.X releases."
  7min_stack_version = "9.2.0"
  8[rule]
  9author = ["Elastic"]
 10description = """
 11Identifies attempts to masquerade as the Service Host process `svchost.exe` to evade detection and blend in with
 12normal system activity.
 13"""
 14from = "now-9m"
 15interval = "8m"
 16language = "esql"
 17license = "Elastic License v2"
 18name = "Potential Masquerading as Svchost"
 19risk_score = 73
 20rule_id = "32f95776-6498-4f3c-a90c-d4f6083e3901"
 21severity = "high"
 22tags = [
 23    "Domain: Endpoint",
 24    "OS: Windows",
 25    "Use Case: Threat Detection",
 26    "Tactic: Defense Evasion",
 27    "Resources: Investigation Guide",
 28    "Data Source: Elastic Defend",
 29    "Data Source: Windows Security Event Logs",
 30    "Data Source: Sysmon"
 31]
 32timestamp_override = "event.ingested"
 33type = "esql"
 34
 35query = '''
 36FROM logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-*, logs-windows.*, winlogbeat-* metadata _id, _version, _index
 37| where event.category == "process" and event.type == "start" and
 38  match(process.name, "svchost.exe", { "fuzziness": 1, "max_expansions": 10 }) and
 39  not to_lower(process.executable) in ("c:\\windows\\syswow64\\svchost.exe", "c:\\windows\\system32\\svchost.exe") and
 40  not to_lower(process.executable) like """\\device\\harddiskvolume*\\windows\\system32\\svchost.exe""" and
 41  not to_lower(process.executable) like """\\device\\harddiskvolume*\\windows\\syswow64\\svchost.exe""" 
 42| keep *
 43'''
 44
 45note = """## Triage and analysis
 46
 47### Investigating Potential Masquerading as Svchost
 48
 49#### Possible investigation steps
 50
 51- Does the alert confirm a service-host-like name running from a noncanonical path?
 52  - Focus: `process.name`, `process.executable`, `process.command_line`, `process.parent.executable`, and `host.id`, comparing the path with `C:\\Windows\\System32\\svchost.exe` and `C:\\Windows\\SysWOW64\\svchost.exe`.
 53  - Hint: use `process.entity_id`, hash, and signer fields where present; if enrichments are missing, keep the gap unresolved and scope by `host.id`, path, and alert time.
 54  - Implication: escalate when svchost.exe or a near-match runs from a user-writable, temp, share-backed, or product-mismatched path; lower concern only when a recognized lab, build-test, or recovery workflow also fits later evidence.
 55
 56- Is the file identity or rename timing consistent with Microsoft Service Host?
 57  - Focus: `process.hash.sha256`, `process.pe.original_file_name`, `process.code_signature.*`, rename timing, and file events for the same path. $investigate_0
 58  - Implication: escalate for an unfamiliar hash, unsigned/untrusted or non-Microsoft signer, recent rename, or original filename conflict; Microsoft identity and stable name timing reduce identity concern but do not clear the noncanonical path.
 59
 60- Does the launch context fit service-controlled svchost.exe behavior?
 61  - Focus: `process.parent.name`, `process.parent.executable`, `process.parent.command_line`, `process.command_line`, and session context, checking for services.exe and service grouping arguments such as `-k <group>` or `-s <service>`.
 62  - Implication: escalate when the parent is a shell, script engine, Office process, archive tool, or user-run utility, when service-group arguments are absent, or when context is interactive; services.exe plus service grouping lowers launch-context concern, but the noncanonical path still needs explanation.
 63
 64- Does this process instance behave like a launcher rather than a passive service host?
 65  - Focus: child starts where `process.parent.entity_id` matches `process.entity_id`, especially child `process.name`, `process.executable`, and `process.command_line`. $investigate_1
 66  - Hint: use `process.Ext.ancestry` only as a deeper fallback when direct parent-child lineage is missing or incomplete.
 67  - Implication: escalate when it spawns shells, script engines, admin tools, installers, additional lookalikes, or short-lived command chains; absent or service-like child activity narrows launcher risk but does not close the name/path anomaly.
 68
 69- If local findings remain suspicious or unresolved, does related alert scope show reuse of the same masquerading path?
 70  - Focus: related alerts for the same `process.executable` or `process.hash.sha256`, comparing `host.id` and `user.id` where available. $investigate_2 $investigate_3
 71  - Implication: broaden scope and raise urgency when the same path or hash appears on other hosts, users, or alert types; keep local only when related alerts are absent and all local evidence supports one recognized lab, build, or recovery workflow.
 72
 73- Escalate when the path anomaly plus identity, lineage, timing, child-process, or scope evidence points to masquerading or broader compromise; close only when path, identity, launch context, and bounded host/user scope prove one recognized lab, build, or recovery workflow; if telemetry cannot prove legitimacy, preserve artifacts and escalate.
 74
 75### False positive analysis
 76
 77- Controlled malware-analysis, image-build, or recovery testing can stage a service-host-like file outside canonical Windows paths. Confirm by aligning identity (`process.hash.sha256`, `process.pe.original_file_name`, signer trust/subject), launch context (`process.parent.executable`, `process.parent.command_line`, `process.command_line`), and scope (`host.id`, `host.name`, `user.id`). Without outside records, close only when process fields prove the controlled workflow.
 78- Treat a noncanonical svchost.exe name as suspicious until process evidence proves one complete benign workflow; a trusted Microsoft signer, familiar parent, or single quiet execution is not enough when the path or name still mimics Service Host.
 79- Before creating an exception, require recurring `process.executable`, `process.hash.sha256`, signer subject, parent executable, command-line shape, and `host.id` or controlled host cohort across prior alerts from this rule. Avoid exceptions on `process.name`, svchost.exe, `user.name`, or a host alone.
 80
 81### Response and remediation
 82
 83- If confirmed benign, reverse any temporary containment and record the exact workflow evidence: `process.executable`, `process.hash.sha256`, `process.code_signature.subject_name`, `process.parent.executable`, `process.command_line`, `host.id`, and the controlled lab, build, or recovery scope. Create an exception only after the same evidence pattern recurs.
 84- If suspicious but unconfirmed, preserve the alert, source process event, recovered `process.entity_id`, `process.executable`, `process.hash.sha256`, signature metadata, parent context, command line, and related-alert results before containment. Apply reversible controls first, such as heightened monitoring or temporary network restrictions for the affected `host.id`, and avoid termination or deletion until scope is clearer.
 85- If confirmed malicious, first preserve the recovered `process.entity_id`, command line, child-process list, path evidence, and forensic package for `process.executable`. Finish same-path and same-hash scoping, then isolate the endpoint when host criticality allows, terminate only the suspicious noncanonical service-host process, and remove the masquerading executable or launcher artifacts. Do not stop canonical Service Host instances unless that exact instance is proven malicious.
 86- After containment, restore any affected service-host component from known-good media if a legitimate file was replaced, restrict execution from user-writable or share-backed paths where feasible, and document the recovered command-line and parent-chain pattern that separated this fake service host from normal services.exe-launched instances.
 87"""
 88
 89setup = """## Setup
 90
 91This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
 92
 93Setup instructions: https://ela.st/install-elastic-defend
 94
 95### Additional data sources
 96
 97This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
 98
 99- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
100- [Windows Process Creation Logs](https://ela.st/audit-process-creation)
101"""
102
103[rule.investigation_fields]
104field_names = [
105    "@timestamp",
106    "host.name",
107    "host.id",
108    "user.name",
109    "user.id",
110    "process.name",
111    "process.entity_id",
112    "process.executable",
113    "process.command_line",
114    "process.hash.sha256",
115    "process.pe.original_file_name",
116    "process.code_signature.subject_name",
117    "process.code_signature.trusted",
118    "process.parent.executable",
119    "process.parent.command_line",
120]
121
122[transform]
123
124[[transform.investigate]]
125label = "File events for the masquerading executable path"
126description = ""
127providers = [
128  [
129    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
130    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
131    { excluded = false, field = "file.path", queryType = "phrase", value = "{{process.executable}}", valueType = "string" }
132  ]
133]
134relativeFrom = "now-24h"
135relativeTo = "now"
136
137[[transform.investigate]]
138label = "Child process starts from the masquerading svchost instance"
139description = ""
140providers = [
141  [
142    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
143    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
144    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
145  ]
146]
147relativeFrom = "now-1h"
148relativeTo = "now"
149
150[[transform.investigate]]
151label = "Alerts associated with the same executable path"
152description = ""
153providers = [
154  [
155    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
156    { excluded = false, field = "process.executable", queryType = "phrase", value = "{{process.executable}}", valueType = "string" }
157  ]
158]
159relativeFrom = "now-48h/h"
160relativeTo = "now"
161
162[[transform.investigate]]
163label = "Alerts associated with the same executable hash"
164description = ""
165providers = [
166  [
167    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
168    { excluded = false, field = "process.hash.sha256", queryType = "phrase", value = "{{process.hash.sha256}}", valueType = "string" }
169  ]
170]
171relativeFrom = "now-48h/h"
172relativeTo = "now"
173
174[[rule.threat]]
175framework = "MITRE ATT&CK"
176[[rule.threat.technique]]
177id = "T1036"
178name = "Masquerading"
179reference = "https://attack.mitre.org/techniques/T1036/"
180[[rule.threat.technique.subtechnique]]
181id = "T1036.005"
182name = "Match Legitimate Resource Name or Location"
183reference = "https://attack.mitre.org/techniques/T1036/005/"
184
185[rule.threat.tactic]
186id = "TA0005"
187name = "Defense Evasion"
188reference = "https://attack.mitre.org/tactics/TA0005/"