Case #383
service.windows_process_creation/proc_creation_win_svchost_masqueraded_execution
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
Suspicious Process Masquerading As SvcHost.EXE
informational
Rule: service.windows_process_creation/proc_creation_win_svchost_masqueraded_execution
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: EXISTING_PROCESS
Confidence: 97% · Verdict: false positive
Event Data:
FILE_IS_SIGNED:
1
FILE_PATH:
\Device\HarddiskVolume4\Windows\System32\svchost.exe
HASH:
7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6
MEMORY_USAGE:
7880704
PARENT:
{'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe', 'HASH': '526f2447ad8da40cf3b969e98acd6621fe9f5ed94ee6a652661ffaa0e8628446', 'MEMORY_USAGE': 10428416, 'PARENT_ATOM': '5aac4ac94a5899870505a72a69badbc5', 'PARENT_PROCESS_ID': 536, 'PROCESS_ID': 608, 'THIS_ATOM': '5121f09ae4602c114b78252569badbc5', 'THREADS': 8, 'TIMESTAMP': 1773853637283, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
608
PROCESS_ID:
7360
THREADS:
7
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs:
7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6
526f2447ad8da40cf3b969e98acd6621fe9f5ed94ee6a652661ffaa0e8628446
MITRE:
T1036.003
Analyst Declaration:
Raw Detection JSON
{
"author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
"cat": "Suspicious Process Masquerading As SvcHost.EXE",
"detect": {
"event": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
"HASH": "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6",
"MEMORY_USAGE": 7880704,
"PARENT": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe",
"HASH": "526f2447ad8da40cf3b969e98acd6621fe9f5ed94ee6a652661ffaa0e8628446",
"MEMORY_USAGE": 10428416,
"PARENT_ATOM": "5aac4ac94a5899870505a72a69badbc5",
"PARENT_PROCESS_ID": 536,
"PROCESS_ID": 608,
"THIS_ATOM": "5121f09ae4602c114b78252569badbc5",
"THREADS": 8,
"TIMESTAMP": 1773853637283,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 608,
"PROCESS_ID": 7360,
"THREADS": 7,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "c04f3650-d942-4a60-a4fe-8a08fbb5eed2",
"event_time": 1773853640503,
"event_type": "EXISTING_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 72,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "5121f09ae4602c114b78252569badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller"
],
"this": "d3159ebdd7ba61ded467c86d69badbc8"
}
},
"detect_id": "aeab2bc0-0248-4bc9-8c8e-c8b969badbc8",
"detect_mtd": {
"author": "Swachchhanda Shrawan Poudel",
"description": "Detects a suspicious process that is masquerading as the legitimate \"svchost.exe\" by naming its binary \"svchost.exe\" and executing from an uncommon location.\nAdversaries often disguise their malicious binaries by naming them after legitimate system processes like \"svchost.exe\" to evade detection.\n",
"falsepositives": [
"Unlikely"
],
"level": "high",
"references": [
"https://tria.ge/240731-jh4crsycnb/behavioral2",
"https://redcanary.com/blog/threat-detection/process-masquerading/"
],
"tags": [
"attack.defense-evasion",
"attack.t1036.005"
]
},
"gen_time": 1773853640579,
"link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1773853640\u0026selected=d3159ebdd7ba61ded467c86d69badbc8",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "c04f3650-d942-4a60-a4fe-8a08fbb5eed2",
"event_time": 1773853640503,
"event_type": "EXISTING_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 72,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "5121f09ae4602c114b78252569badbc5",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller"
],
"this": "d3159ebdd7ba61ded467c86d69badbc8"
},
"rule_tags": [
"attack.defense-evasion",
"attack.t1036.005",
"ext:ext-sigma"
],
"source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
"source_rule": "service.windows_process_creation/proc_creation_win_svchost_masqueraded_execution",
"ts": 1773853640000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 20,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
Triage JSON
{
"confidence": 0.967,
"false_positive_reason": "Standard Windows service execution (svchost.exe spawned by services.exe in System32)",
"investigation_questions": [
"None required as this is a verified system process."
],
"ioc_analysis": "The FILE_PATH (System32\\svchost.exe) and PARENT (System32\\services.exe) are correct for legitimate Windows operations. The hashes provided (7fd065ba... and 526f2447...) are known-good Microsoft-signed binaries.",
"iocs_extracted": [
"7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6",
"526f2447ad8da40cf3b969e98acd6621fe9f5ed94ee6a652661ffaa0e8628446"
],
"mitre_techniques": [
"T1036.003"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Close the case as False Positive",
"Tuning: Exclude svchost.exe when spawned by services.exe from System32 with valid signatures"
],
"risk_score": 5,
"severity": "informational",
"summary": "**Vote: UNANIMOUS (3/3 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe detection triggered on a legitimate svchost.exe process running from the standard System32 directory, spawned by the services.exe parent process. Both the process and its parent are digitally signed by Microsoft and running as NT AUTHORITY\\SYSTEM, which is standard behavior for Windows service hosting.\n\n**IOC Analysis:** The FILE_PATH (System32\\svchost.exe) and PARENT (System32\\services.exe) are correct for legitimate Windows operations. The hashes provided (7fd065ba... and 526f2447...) are known-good Microsoft-signed binaries.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because svchost.exe is running from its expected location in System32 and is signed by Microsoft. The process tree shows it was spawned by services.exe, which is a standard Windows behavior.\n\n**IOC Analysis:** The file path matches the known-good location for svchost.exe (C:\\Windows\\System32\\svchost.exe). The hash corresponds to a legitimate Microsoft-signed binary. The parent process is services.exe running from System32, which is normal Windows architecture. File is signed and running under SYSTEM user.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection event involves svchost.exe from the System32 directory, spawned by services.exe, both of which are legitimate Windows system binaries. This is a common false positive scenario with no malicious indicators.\n\n**IOC Analysis:** The FILE_PATH is located in C:\\Windows\\System32, a known-good directory for svchost.exe. The parent process is services.exe from System32, which is expected and legitimate. The hash is signed, confirming it\u0027s a Microsoft binary. This matches the false positive scenario described in the IOC validation rules.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 3,
"vote_summary": [
"gemini-cli: false_positive (informational, 100% confidence)",
"qwen3.5:4b: false_positive (informational, 95% confidence)",
"deepseek-r1:8b: false_positive (low, 95% confidence)"
],
"votes": [
{
"confidence": 1.0,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 3,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| tag | | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
Notes (7)
FusionSOC AI
2026-03-18T17:17
FusionSOC AI
2026-03-18T17:17
FusionSOC AI
2026-03-18T17:17
FusionSOC AI
2026-03-18T17:16
FusionSOC AI
2026-03-18T17:16
FusionSOC AI
2026-03-18T17:16
FusionSOC AI
2026-03-18T17:16
Timeline
2026-03-18T18:26:30
analyst
Status changed: triaging → closed
2026-03-18T18:26:28
analyst
Analyst classified as False Positive (FP)
2026-03-18T17:17:04
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T17:17:04
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Tuning: Exclude svchost.exe when spawned by services.exe from System32 with vali...
2026-03-18T17:17:04
FusionSOC
Response action queued: recommended on Tuning: Exclude svchost.exe when spawned by services.exe from System32 with valid signatures
2026-03-18T17:17:04
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T17:17:04
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close the case as False Positive **Sensor:** `e4a1c62d-4d1f-44...` **Time Window...
2026-03-18T17:17:04
FusionSOC
Response action queued: recommended on Close the case as False Positive
2026-03-18T17:17:04
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T17:17:04
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-18T17:17:04
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-18T17:17:04
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T17:17:04
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T17:16:26
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T17:16:26
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Verify the command line arguments for this svchost.exe instance if available in ...
2026-03-18T17:16:25
FusionSOC
Response action queued: recommended on Verify the command line arguments for this svchost.exe instance if available in other logs to ensure it matches standard service hosting patterns.
2026-03-18T17:16:25
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T17:16:25
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Adjust detection rule to account for NT path naming conventions (\Device\Harddis...
2026-03-18T17:16:25
FusionSOC
Response action queued: recommended on Adjust detection rule to account for NT path naming conventions (\Device\HarddiskVolume) to prevent similar false positives.
2026-03-18T17:16:25
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-18T17:16:25
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-18T17:16:25
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-18T17:16:25
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-18T17:16:25
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-18T17:16:25
FusionSOC AI
Detection aeab2bc0-0248-4bc9-8c8e-c8b969badbc8 triaged as false_positive (low severity, confidence: 94%)
2026-03-18T17:16:25
FusionSOC AI
Case created from detection: service.windows_process_creation/proc_creation_win_svchost_masqueraded_execution