Case #404
service.windows_process_creation/proc_creation_win_svchost_masqueraded_execution
Analyst Verdict Classification: FP by analyst
AI Analysis
Detections (1)
Suspicious Process Masquerading As SvcHost.EXE
informational
Rule: service.windows_process_creation/proc_creation_win_svchost_masqueraded_execution
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: EXISTING_PROCESS
Confidence: 98% · Verdict: false positive
Event Data:
FILE_IS_SIGNED:
1
FILE_PATH:
\Device\HarddiskVolume4\Windows\System32\svchost.exe
HASH:
7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6
MEMORY_USAGE:
6369280
PARENT:
{'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe', 'HASH': '526f2447ad8da40cf3b969e98acd6621fe9f5ed94ee6a652661ffaa0e8628446', 'MEMORY_USAGE': 10518528, 'PARENT_ATOM': '8a48f8b9f9228caf266409e169bf04da', 'PARENT_PROCESS_ID': 528, 'PROCESS_ID': 672, 'THIS_ATOM': '3be709c29d45897e05935dd969bf04da', 'THREADS': 45, 'TIMESTAMP': 1774126298977, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
672
PROCESS_ID:
4616
THREADS:
6
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs:
7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6
526f2447ad8da40cf3b969e98acd6621fe9f5ed94ee6a652661ffaa0e8628446
MITRE:
T1036.003
Analyst Declaration:
Raw Detection JSON
{
"author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
"cat": "Suspicious Process Masquerading As SvcHost.EXE",
"detect": {
"event": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
"HASH": "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6",
"MEMORY_USAGE": 6369280,
"PARENT": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe",
"HASH": "526f2447ad8da40cf3b969e98acd6621fe9f5ed94ee6a652661ffaa0e8628446",
"MEMORY_USAGE": 10518528,
"PARENT_ATOM": "8a48f8b9f9228caf266409e169bf04da",
"PARENT_PROCESS_ID": 528,
"PROCESS_ID": 672,
"THIS_ATOM": "3be709c29d45897e05935dd969bf04da",
"THREADS": 45,
"TIMESTAMP": 1774126298977,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 672,
"PROCESS_ID": 4616,
"THREADS": 6,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "c5ceed8b-dd79-419d-83be-7b307347b132",
"event_time": 1774126305927,
"event_type": "EXISTING_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 563,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "3be709c29d45897e05935dd969bf04da",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage"
],
"this": "ba7c4861c20e63a8cee2bb8669bf04e1"
}
},
"detect_id": "bb15bcbc-506f-4b85-b1c2-d32c69bf04e2",
"detect_mtd": {
"author": "Swachchhanda Shrawan Poudel",
"description": "Detects a suspicious process that is masquerading as the legitimate \"svchost.exe\" by naming its binary \"svchost.exe\" and executing from an uncommon location.\nAdversaries often disguise their malicious binaries by naming them after legitimate system processes like \"svchost.exe\" to evade detection.\n",
"falsepositives": [
"Unlikely"
],
"level": "high",
"references": [
"https://tria.ge/240731-jh4crsycnb/behavioral2",
"https://redcanary.com/blog/threat-detection/process-masquerading/"
],
"tags": [
"attack.defense-evasion",
"attack.t1036.005"
]
},
"gen_time": 1774126306494,
"link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774126305\u0026selected=ba7c4861c20e63a8cee2bb8669bf04e1",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "c5ceed8b-dd79-419d-83be-7b307347b132",
"event_time": 1774126305927,
"event_type": "EXISTING_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 563,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "3be709c29d45897e05935dd969bf04da",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage"
],
"this": "ba7c4861c20e63a8cee2bb8669bf04e1"
},
"rule_tags": [
"attack.defense-evasion",
"attack.t1036.005",
"ext:ext-sigma"
],
"source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
"source_rule": "service.windows_process_creation/proc_creation_win_svchost_masqueraded_execution",
"ts": 1774126306000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 20,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
Triage JSON
{
"confidence": 0.975,
"false_positive_reason": "Legitimate system process (svchost.exe) spawned by services.exe from the correct directory.",
"investigation_questions": [],
"ioc_analysis": "The SHA-256 hash 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6 is a known-good Microsoft-signed binary for svchost.exe (Windows 10/Server 2019). The parent process services.exe is also signed and running from the correct path.",
"iocs_extracted": [
"7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6",
"526f2447ad8da40cf3b969e98acd6621fe9f5ed94ee6a652661ffaa0e8628446"
],
"mitre_techniques": [
"T1036.003"
],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Whitelisting of signed svchost.exe instances spawned by services.exe in System32",
"No further investigation required"
],
"risk_score": 5,
"severity": "informational",
"summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 1.0\nThe detection flagged a legitimate svchost.exe process as suspicious masquerading. Analysis confirms the binary is located in the standard Windows System32 directory, is signed by Microsoft, and was spawned by services.exe, which is the expected parent for system services.\n\n**IOC Analysis:** The SHA-256 hash 7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6 is a known-good Microsoft-signed binary for svchost.exe (Windows 10/Server 2019). The parent process services.exe is also signed and running from the correct path.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because svchost.exe is running from its expected location in System32 with a known-good hash and Microsoft signature. The process was spawned by services.exe under SYSTEM privileges, which is standard Windows behavior.\n\n**IOC Analysis:** The file path matches the legitimate Windows system binary location (C:\\Windows\\System32\\svchost.exe). The hash corresponds to the known Microsoft-signed version of svchost.exe, and FILE_IS_SIGNED confirms digital signature validation passed. Parent process services.exe is also a legitimate system binary running from System32.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\nFailed or timed out.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 2,
"vote_summary": [
"gemini-cli: false_positive (informational, 100% confidence)",
"qwen3.5:4b: false_positive (informational, 95% confidence)"
],
"votes": [
{
"confidence": 1.0,
"model": "gemini-cli",
"verdict": "false_positive"
},
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | approved | |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
Notes (4)
FusionSOC AI
2026-03-23T03:06
FusionSOC AI
2026-03-23T03:06
FusionSOC AI
2026-03-23T03:06
FusionSOC AI
2026-03-21T21:30
Timeline
2026-03-23T03:53:48
analyst
Status changed: investigating → closed
2026-03-23T03:06:18
FusionSOC AI
Status changed: investigating → investigating
2026-03-23T03:06:18
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-23T03:06:18
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** No further investigation required **Sensor:** `e4a1c62d-4d1f-44...` **Time Windo...
2026-03-23T03:06:15
FusionSOC AI
Status changed: investigating → investigating
2026-03-23T03:06:15
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-23T03:06:15
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Whitelisting of signed svchost.exe instances spawned by services.exe in System32...
2026-03-23T03:06:13
FusionSOC AI
Status changed: closed → investigating
2026-03-23T03:06:13
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-23T03:06:13
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-22T06:08:48
analyst
Status changed: triaging โ closed
2026-03-22T06:08:42
analyst
Analyst classified as False Positive (FP)
2026-03-21T21:30:20
FusionSOC
Response action queued: recommended on No further investigation required
2026-03-21T21:30:20
FusionSOC
Response action queued: recommended on Whitelisting of signed svchost.exe instances spawned by services.exe in System32
2026-03-21T21:30:20
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-21T21:30:20
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-21T21:30:20
FusionSOC AI
Detection bb15bcbc-506f-4b85-b1c2-d32c69bf04e2 triaged as false_positive (informational severity, confidence: 98%)
2026-03-21T21:30:20
FusionSOC AI
Case created from detection: service.windows_process_creation/proc_creation_win_svchost_masqueraded_execution