{
  "author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
  "cat": "Suspicious Process Masquerading As SvcHost.EXE",
  "detect": {
    "event": {
      "FILE_IS_SIGNED": 1,
      "FILE_PATH": "\\Device\\HarddiskVolume3\\Windows\\System32\\svchost.exe",
      "HASH": "44fd6f9347ceed5798a25c47167f335ef085ae4648a81f775dd4bdc6240d8189",
      "MEMORY_USAGE": 14766080,
      "PARENT": {
        "FILE_IS_SIGNED": 1,
        "FILE_PATH": "\\Device\\HarddiskVolume3\\Windows\\System32\\services.exe",
        "HASH": "f08f9a65a69c1033391097824d3e7109c5e4a26ed4d96ddf2bfc20d0e769829d",
        "MEMORY_USAGE": 19476480,
        "PARENT_ATOM": "02d8e3fc429acd8d750d0b8d69c2dec7",
        "PARENT_PROCESS_ID": 864,
        "PROCESS_ID": 1004,
        "THIS_ATOM": "bb9236fdeb9871bff8ed61c569c2dec7",
        "THREADS": 11,
        "TIMESTAMP": 1774378695240,
        "USER_NAME": "NT AUTHORITY\\SYSTEM"
      },
      "PARENT_PROCESS_ID": 1004,
      "PROCESS_ID": 5052,
      "THREADS": 7,
      "USER_NAME": "NT AUTHORITY\\SYSTEM"
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "5d64dce9-4ff2-44a2-a4e0-a0bf5d442efc",
      "event_time": 1774378696529,
      "event_type": "EXISTING_PROCESS",
      "ext_ip": "23.128.32.10",
      "hostname": "win-91lccq536b4",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.170",
      "latency": 541,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "bb9236fdeb9871bff8ed61c569c2dec7",
      "plat": 268435456,
      "sid": "f8e98d83-79d8-4ff7-9fe1-7c507dad89e4",
      "tags": [
        "frontdesk",
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-investigated",
        "windows",
        "yara_detection_memory"
      ],
      "this": "459a12323bf85f2d990f8a6469c2dec8"
    }
  },
  "detect_id": "21f90256-aa59-4167-8103-7ef969c2dec9",
  "detect_mtd": {
    "author": "Swachchhanda Shrawan Poudel",
    "description": "Detects a suspicious process that is masquerading as the legitimate \"svchost.exe\" by naming its binary \"svchost.exe\" and executing from an uncommon location.\nAdversaries often disguise their malicious binaries by naming them after legitimate system processes like \"svchost.exe\" to evade detection.\n",
    "falsepositives": [
      "Unlikely"
    ],
    "level": "high",
    "references": [
      "https://tria.ge/240731-jh4crsycnb/behavioral2",
      "https://redcanary.com/blog/threat-detection/process-masquerading/"
    ],
    "tags": [
      "attack.defense-evasion",
      "attack.t1036.005"
    ]
  },
  "gen_time": 1774378697071,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/f8e98d83-79d8-4ff7-9fe1-7c507dad89e4/timeline?time=1774378696\u0026selected=459a12323bf85f2d990f8a6469c2dec8",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "5d64dce9-4ff2-44a2-a4e0-a0bf5d442efc",
    "event_time": 1774378696529,
    "event_type": "EXISTING_PROCESS",
    "ext_ip": "23.128.32.10",
    "hostname": "win-91lccq536b4",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.170",
    "latency": 541,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "bb9236fdeb9871bff8ed61c569c2dec7",
    "plat": 268435456,
    "sid": "f8e98d83-79d8-4ff7-9fe1-7c507dad89e4",
    "tags": [
      "frontdesk",
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-investigated",
      "windows",
      "yara_detection_memory"
    ],
    "this": "459a12323bf85f2d990f8a6469c2dec8"
  },
  "rule_tags": [
    "ext:ext-sigma",
    "attack.defense-evasion",
    "attack.t1036.005"
  ],
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.f8e98d83-79d8-4ff7-9fe1-7c507dad89e4.10000000.2",
  "source_rule": "service.windows_process_creation/proc_creation_win_svchost_masqueraded_execution",
  "ts": 1774378697000
}

{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}

{
  "confidence": 0.95,
  "false_positive_reason": "legitimate_system_process",
  "investigation_questions": [
    "Why did the rule trigger despite the process being in the standard path and correctly signed?",
    "Is the rule specifically checking for an empty command line which might be present in this service launch?"
  ],
  "ioc_analysis": "The hash 44fd6f9347ceed5798a25c47167f335ef085ae4648a81f775dd4bdc6240d8189 is a known-good Microsoft binary for svchost.exe on Windows 11. The parent services.exe hash f08f9a65... is also a legitimate Microsoft system binary.",
  "iocs_extracted": [
    "44fd6f9347ceed5798a25c47167f335ef085ae4648a81f775dd4bdc6240d8189",
    "f08f9a65a69c1033391097824d3e7109c5e4a26ed4d96ddf2bfc20d0e769829d"
  ],
  "mitre_techniques": [
    "T1036.003"
  ],
  "recommended_actions": [
    "Close case as false positive (unanimous AI verdict)",
    "Whitelist this specific svchost.exe hash if it continues to trigger for legitimate Windows services.",
    "Close this case as a false positive."
  ],
  "risk_score": 8,
  "severity": "low",
  "summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection triggered on svchost.exe masquerading, but the process is a legitimate Microsoft-signed binary (hash 44fd6f93...) running from its standard location (System32) and spawned by the expected parent process services.exe. The loaded modules appxdeploymentserver.dll and AppxAllUserStore.dll indicate this is the legitimate AppX Deployment Service (AppXSVC).\n\n**IOC Analysis:** The hash 44fd6f9347ceed5798a25c47167f335ef085ae4648a81f775dd4bdc6240d8189 is a known-good Microsoft binary for svchost.exe on Windows 11. The parent services.exe hash f08f9a65... is also a legitimate Microsoft system binary.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because svchost.exe is running from its expected location in System32 with a valid Microsoft signature and parent process services.exe.\n\n**IOC Analysis:** The process path matches the known-good Windows system binary location (C:\\Windows\\System32\\svchost.exe). The file is signed, the parent process is services.exe (PID 1004), and historical analyst feedback consistently marks this rule as false positive for legitimate svchost instances.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\nFailed or timed out.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "auto_close_fp",
    "mode": "unanimous",
    "total_models": 2,
    "vote_summary": [
      "gemini-cli: false_positive (low, 95% confidence)",
      "qwen3.5:4b: false_positive (informational, 95% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.95,
        "model": "gemini-cli",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}