Case #523
service.windows_process_creation/proc_creation_win_svchost_masqueraded_execution
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
Suspicious Process Masquerading As SvcHost.EXE
informational
Rule: service.windows_process_creation/proc_creation_win_svchost_masqueraded_execution
Hostname: df-labsdc01.dflabs.local · Sensor: e4a1c62d-4d1f-44...
Event Type: EXISTING_PROCESS
Confidence: 92% · Verdict: false positive
Event Data:
FILE_IS_SIGNED:
1
FILE_PATH:
\Device\HarddiskVolume4\Windows\System32\svchost.exe
HASH:
7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6
MEMORY_USAGE:
6377472
PARENT:
{'FILE_IS_SIGNED': 1, 'FILE_PATH': '\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe', 'HASH': '526f2447ad8da40cf3b969e98acd6621fe9f5ed94ee6a652661ffaa0e8628446', 'MEMORY_USAGE': 10727424, 'PARENT_ATOM': '711ae775947218761767ba1169c2a7fc', 'PARENT_PROCESS_ID': 532, 'PROCESS_ID': 676, 'THIS_ATOM': 'd488a175b4ca0a0ffce8332069c2a7fc', 'THREADS': 45, 'TIMESTAMP': 1774364668842, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
676
PROCESS_ID:
5452
THREADS:
6
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs:
{'type': 'file_path', 'value': '\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\\\\svchost.exe'}
{'type': 'hash', 'value': '7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6'}
Analyst Declaration:
Raw Detection JSON
{
"author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
"cat": "Suspicious Process Masquerading As SvcHost.EXE",
"detect": {
"event": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\svchost.exe",
"HASH": "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6",
"MEMORY_USAGE": 6377472,
"PARENT": {
"FILE_IS_SIGNED": 1,
"FILE_PATH": "\\Device\\HarddiskVolume4\\Windows\\System32\\services.exe",
"HASH": "526f2447ad8da40cf3b969e98acd6621fe9f5ed94ee6a652661ffaa0e8628446",
"MEMORY_USAGE": 10727424,
"PARENT_ATOM": "711ae775947218761767ba1169c2a7fc",
"PARENT_PROCESS_ID": 532,
"PROCESS_ID": 676,
"THIS_ATOM": "d488a175b4ca0a0ffce8332069c2a7fc",
"THREADS": 45,
"TIMESTAMP": 1774364668842,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 676,
"PROCESS_ID": 5452,
"THREADS": 6,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "7f5067b0-18e2-4497-8767-4675f59398c5",
"event_time": 1774364670958,
"event_type": "EXISTING_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 745,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "d488a175b4ca0a0ffce8332069c2a7fc",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage"
],
"this": "bf20956d27e1fe25ef30d20769c2a7fe"
}
},
"detect_id": "2f482d95-1eec-4fd0-affb-d92a69c2a7ff",
"detect_mtd": {
"author": "Swachchhanda Shrawan Poudel",
"description": "Detects a suspicious process that is masquerading as the legitimate \"svchost.exe\" by naming its binary \"svchost.exe\" and executing from an uncommon location.\nAdversaries often disguise their malicious binaries by naming them after legitimate system processes like \"svchost.exe\" to evade detection.\n",
"falsepositives": [
"Unlikely"
],
"level": "high",
"references": [
"https://tria.ge/240731-jh4crsycnb/behavioral2",
"https://redcanary.com/blog/threat-detection/process-masquerading/"
],
"tags": [
"attack.defense-evasion",
"attack.t1036.005"
]
},
"gen_time": 1774364671710,
"link": "https://app.limacharlie.io/orgs/ad19afae-3759-4207-b06e-8648b225c455/sensors/e4a1c62d-4d1f-4472-bae4-43291246b4d4/timeline?time=1774364670\u0026selected=bf20956d27e1fe25ef30d20769c2a7fe",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "7f5067b0-18e2-4497-8767-4675f59398c5",
"event_time": 1774364670958,
"event_type": "EXISTING_PROCESS",
"ext_ip": "67.60.122.240",
"hostname": "df-labsdc01.dflabs.local",
"iid": "47501359-645e-4049-906e-e6195da7afcf",
"int_ip": "192.168.45.129",
"latency": 745,
"moduleid": 2,
"oid": "ad19afae-3759-4207-b06e-8648b225c455",
"parent": "d488a175b4ca0a0ffce8332069c2a7fc",
"plat": 268435456,
"sid": "e4a1c62d-4d1f-4472-bae4-43291246b4d4",
"tags": [
"domain-controller",
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage"
],
"this": "bf20956d27e1fe25ef30d20769c2a7fe"
},
"rule_tags": [
"attack.defense-evasion",
"attack.t1036.005",
"ext:ext-sigma"
],
"source": "ad19afae-3759-4207-b06e-8648b225c455.47501359-645e-4049-906e-e6195da7afcf.e4a1c62d-4d1f-4472-bae4-43291246b4d4.10000000.2",
"source_rule": "service.windows_process_creation/proc_creation_win_svchost_masqueraded_execution",
"ts": 1774364671000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 20,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
Triage JSON
{
"confidence": 0.925,
"false_positive_reason": "svchost.exe running from System32 with Microsoft signature and spawned by services.exe is normal Windows behavior",
"investigation_questions": [
"Is there any unusual activity from svchost.exe in the past hour?",
"Are there any recent changes to Windows Update or service configuration?"
],
"ioc_analysis": "The process path matches the known-good Windows system binary location (C:\\Windows\\System32\\svchost.exe). The file hash corresponds to a legitimate Microsoft-signed svchost.exe, and it is spawned by services.exe under SYSTEM privileges, which is normal behavior for Windows service management.",
"iocs_extracted": [
{
"type": "file_path",
"value": "\\\\Device\\\\HarddiskVolume4\\\\Windows\\\\System32\\\\svchost.exe"
},
{
"type": "hash",
"value": "7fd065bac18c5278777ae44908101cdfed72d26fa741367f0ad4d02020787ab6"
}
],
"mitre_techniques": [],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Log this event as informational for audit purposes",
"No immediate action required - process is legitimate system behavior"
],
"risk_score": 10,
"severity": "informational",
"summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive as svchost.exe is running from its expected location in System32 with a valid Microsoft signature and parent process services.exe.\n\n**IOC Analysis:** The process path matches the known-good Windows system binary location (C:\\Windows\\System32\\svchost.exe). The file hash corresponds to a legitimate Microsoft-signed svchost.exe, and it is spawned by services.exe under SYSTEM privileges, which is normal behavior for Windows service management.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nA process creation event involving svchost.exe in the System32 directory, spawned by services.exe under the SYSTEM user. This is consistent with normal system operations and known false positives.\n\n**IOC Analysis:** The FILE_PATH is located in C:\\Windows\\System32, which is a standard directory for legitimate Windows system binaries. The file is signed, and the parent process is services.exe, a known system binary. This matches the false positive scenario described in the IOC validation rules.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 2,
"vote_summary": [
"qwen3.5:4b: false_positive (informational, 95% confidence)",
"deepseek-r1:8b: false_positive (low, 90% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.9,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | Process Tree Investigation: 75 events found |
| tag | | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| tag | | failed | 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | Process Tree Investigation: 75 events found |
Notes (10)
FusionSOC AI · 2026-03-24T19:52
FusionSOC AI · 2026-03-24T19:52
FusionSOC AI · 2026-03-24T19:52
FusionSOC AI · 2026-03-24T19:49
FusionSOC AI · 2026-03-24T19:49
FusionSOC AI · 2026-03-24T19:49
FusionSOC AI · 2026-03-24T17:34
FusionSOC AI · 2026-03-24T17:34
FusionSOC AI · 2026-03-24T17:34
FusionSOC AI · 2026-03-24T17:34
Timeline
2026-03-24T23:14:37
analyst
Status changed: investigating → closed
2026-03-24T23:14:32
analyst
Analyst classified as False Positive (FP)
2026-03-24T19:52:30
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T19:52:30
FusionSOC
Action recommended → executed: Process Tree Investigation: 75 events found
2026-03-24T19:52:30
FusionSOC AI
Note by FusionSOC AI: ## Process Tree Investigation **Action:** No immediate action required - process is legitimate system behavior **Senso...
2026-03-24T19:52:30
FusionSOC
Response action queued: recommended on No immediate action required - process is legitimate system behavior
2026-03-24T19:52:30
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T19:52:30
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T19:52:30
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Log this event as informational for audit purposes **Sensor:** `e4a1c62d-4d1f-44...
2026-03-24T19:52:29
FusionSOC
Response action queued: recommended on Log this event as informational for audit purposes
2026-03-24T19:52:29
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T19:52:29
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T19:52:29
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-24T19:52:29
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T19:52:29
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T19:52:29
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T19:49:14
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T19:49:14
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T19:49:14
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Tuning: Evaluate the rule logic for 'proc_creation_win_svchost_masqueraded_execu...
2026-03-24T19:49:14
FusionSOC
Response action queued: recommended on Tuning: Evaluate the rule logic for 'proc_creation_win_svchost_masqueraded_execution' to reduce noise from signed system binaries.
2026-03-24T19:49:14
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T19:49:14
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T19:49:14
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close as false positive **Sensor:** `e4a1c62d-4d1f-44...` **Time Window:** +/- 2...
2026-03-24T19:49:14
FusionSOC
Response action queued: recommended on Close as false positive
2026-03-24T19:49:14
FusionSOC AI
Status changed: closed → investigating
2026-03-24T19:49:14
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T19:49:14
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `e4a1c62d-4d1f-4...
2026-03-24T19:49:13
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T19:49:13
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T19:49:13
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T17:36:03
analyst
Status changed: investigating → closed
2026-03-24T17:35:56
analyst
Analyst classified as False Positive (FP)
2026-03-24T17:34:22
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T17:34:22
FusionSOC
Action recommended → executed: Process Tree Investigation: 75 events found
2026-03-24T17:34:22
FusionSOC AI
Note by FusionSOC AI: ## Process Tree Investigation **Action:** No immediate action required as this is a known benign process **Sensor:** `...
2026-03-24T17:34:21
FusionSOC
Response action queued: recommended on No immediate action required as this is a known benign process
2026-03-24T17:34:21
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T17:34:21
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:34:21
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Log this event for audit purposes only **Sensor:** `e4a1c62d-4d1f-44...` **Time ...
2026-03-24T17:34:21
FusionSOC
Response action queued: recommended on Log this event for audit purposes only
2026-03-24T17:34:21
FusionSOC AI
Status changed: open → investigating
2026-03-24T17:34:21
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:34:21
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Manual analyst review required - AI models (majority) **Sensor:** `e4a1c62d-4d1f...
2026-03-24T17:34:21
FusionSOC
Response action queued: recommended on Manual analyst review required - AI models (majority)
2026-03-24T17:34:20
FusionSOC
Action tag → failed: 401 Client Error: Unauthorized for url: https://api.limacharlie.io/v1/e4a1c62d-4d1f-4472-bae4-43291246b4d4/tags?tags=fusionsoc-investigated
2026-03-24T17:34:20
FusionSOC
Response action queued: tag on e4a1c62d-4d1f-4472-bae4-43291246b4d4:fusionsoc-investigated
2026-03-24T17:34:20
FusionSOC AI
Detection 2f482d95-1eec-4fd0-affb-d92a69c2a7ff triaged as false_positive (high severity, confidence: 98%)
2026-03-24T17:34:20
FusionSOC AI
Case created from detection: service.windows_process_creation/proc_creation_win_svchost_masqueraded_execution