Elastic Security Detection Rules

Potential Masquerading as Svchost

Last updated 10 days ago on 2025-11-12
Created 10 days ago on 2025-11-12

About

Identifies attempts to masquerade as the Service Host process `svchost.exe` to evade detection and blend in with normal system activity.
Tags
Domain: EndpointOS: WindowsUse Case: Threat DetectionTactic: Defense EvasionLanguage: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Defense Evasion (TA0005)(opens in a new tab or window)

Masquerading (T1036)(opens in a new tab or window)

License
Elastic License v2(opens in a new tab or window)

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

windows(opens in a new tab or window)

Query
FROM logs-* metadata _id, _version, _index
| where event.category == "process" and event.type == "start" and
  match(process.name, "svchost.exe", { "fuzziness": 1, "max_expansions": 10 }) and
  not process.executable in ("C:\\Windows\\SysWOW64\\svchost.exe", "C:\\Windows\\System32\\svchost.exe") and
  not process.executable like """\\Device\\HarddiskVolume*\\Windows\\System32\\svchost.exe""" and
  not process.executable like """\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\svchost.exe"""
| keep event.dataset, host.name, host.id, user.id, user.name, process.executable, process.parent.executable, process.command_line

Install detection rules in Elastic Security

Detect Potential Masquerading as Svchost in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).