From 9e4afc87e2e3ba383ae1fca0c4e17b471ecd6917 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 12 Nov 2025 16:27:52 +0000
Subject: [PATCH 01/12] [New] Potential Masquerading as Svchost

---
 ...fense_evasion_masquerading_as_svchost.toml | 91 +++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 rules/windows/defense_evasion_masquerading_as_svchost.toml

diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml
new file mode 100644
index 00000000000..cf6d6d081a3
--- /dev/null
+++ b/rules/windows/defense_evasion_masquerading_as_svchost.toml
@@ -0,0 +1,91 @@ +[metadata] +creation_date = "2025/11/12" +integration = ["windows"] +maturity = "production" +updated_date = "2025/11/12" + +[rule] +author = ["Elastic"] +description = """ +Identifies the creation of a svchost process with an unusual parent. This may indicate an attempt to masquerade a +malicious process. +""" +from = "now-9m" +language = "esql" +license = "Elastic License v2" +name = "Potential Masquerading as Svchost" +note = """ ## Triage and analysis + +### Investigating Potential Masquerading as Svchost + +PowerShell, a powerful scripting language in Windows environments, can be exploited by adversaries using obfuscation techniques like backtick-escaped variable expansion to evade detection. This method involves disguising malicious scripts to bypass security measures. The detection rule identifies scripts with excessive length and specific obfuscation patterns, flagging potential threats for further analysis. + +### Possible investigation steps + +- Review the `powershell.file.script_block_text` field to understand the content of the script and identify any suspicious or malicious commands. +- Examine the `file.path` and `file.name` fields to determine the origin and context of the script execution, which may provide insights into whether the script is part of a legitimate process or potentially malicious activity. +- Check the `host.name` and `agent.id` fields to identify the affected system and correlate with other security events or logs from the same host for additional context. +- Analyze the `user.id` field to determine which user account executed the script, and assess whether this activity aligns with the user's typical behavior or role. +- Investigate the `powershell.file.script_block_id` and `powershell.sequence` fields to trace the execution flow of the script and identify any related script blocks that may have been executed in sequence. 
+- Consider the `count` field to evaluate the extent of obfuscation used in the script, which may indicate the level of sophistication or intent behind the script. + +### False positive analysis + +- Scripts with legitimate administrative functions may use backtick-escaped variable expansion for complex string manipulations. Review the script's context and purpose to determine if it aligns with expected administrative tasks. +- Automated scripts generated by trusted software might include obfuscation patterns as part of their normal operation. Verify the source and integrity of the software to ensure it is from a reputable vendor. +- Developers and IT professionals may use obfuscation techniques during testing or development phases. Establish a process to whitelist known development environments or user accounts to reduce unnecessary alerts. +- PowerShell scripts that are part of legitimate security tools or monitoring solutions may trigger the rule. Identify and exclude these tools by their file path or script block ID to prevent false positives. +- Regularly update the list of known false positives based on historical data and feedback from users to refine the detection rule and improve its accuracy. + +### Response and remediation + +- Isolate the affected host immediately to prevent further spread of the potentially malicious script across the network. +- Terminate any suspicious PowerShell processes identified by the alert to halt the execution of obfuscated scripts. +- Conduct a thorough review of the script block text and associated file paths to identify and remove any malicious scripts or files from the system. +- Reset credentials for any user accounts involved in the alert to mitigate the risk of compromised credentials being used for further attacks. +- Escalate the incident to the security operations team for a deeper investigation into potential lateral movement or additional compromised systems. 
+- Implement enhanced monitoring on the affected host and similar systems to detect any recurrence of obfuscation techniques or related suspicious activities. +- Update endpoint protection and intrusion detection systems with indicators of compromise (IOCs) derived from the analysis to improve detection capabilities for similar threats in the future. +""" +risk_score = 73 +rule_id = "32f95776-6498-4f3c-a90c-d4f6083e3901" +severity = "high" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Defense Evasion", + "Resources: Investigation Guide", +] +timestamp_override = "event.ingested" +type = "esql" + +query = ''' +FROM logs-* metadata _id, _version, _index +| WHERE QSTR("event.category:process and event.type:start and process.name:svchost.exe~1 AND NOT process.name:svchost.exe") OR + (to_lower(process.name) == "svchost.exe" and + not to_lower(process.executable) like """c:\\windows\\system32\\svchost.exe""" and + not to_lower(process.executable) like """c:\\windows\\syswow64\\svchost.exe""" and + not process.executable like """\\Device\\HarddiskVolume*\\Windows\\System32\\svchost.exe""" and + not process.executable like """\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\svchost.exe""") +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1036" +name = "Masquerading" +reference = "https://attack.mitre.org/techniques/T1036/" +[[rule.threat.technique.subtechnique]] +id = "T1036.005" +name = "Match Legitimate Resource Name or Location" +reference = "https://attack.mitre.org/techniques/T1036/005/" + + + +[rule.threat.tactic] +id = "TA0005" +name = "Defense Evasion" +reference = "https://attack.mitre.org/tactics/TA0005/" + From 2ea8405ed1b2cade5efef648828405c1314ea65b Mon Sep 17 00:00:00 2001 
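Review bot: `FROM logs-* metadata _id, _version, _index` in the new query runs the fuzzy name match against every `logs-*` data stream on each execution, while `integration = ["windows"]` declares a single data source; narrowing the pattern to the process data streams that actually carry `process.name` and `process.executable` (for example `logs-endpoint.events.process-*`, `logs-windows.sysmon_operational-*`, `logs-system.security-*`) would cut scan cost and avoid matching unrelated datasets. The later patches in this series keep `logs-*`, so the point still applies to the final query. The investigation guide in this revision still describes a PowerShell obfuscation rule (`powershell.file.script_block_text`, `powershell.sequence`), which patch 02 replaces.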
From: Samirbous
Date: Wed, 12 Nov 2025 16:43:58 +0000
Subject: [PATCH 02/12] Update defense_evasion_masquerading_as_svchost.toml

---
 ...fense_evasion_masquerading_as_svchost.toml | 45 +++++++++++--------
 1 file changed, 26 insertions(+), 19 deletions(-)

diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml
index cf6d6d081a3..db19d6eb7e2 100644
--- a/rules/windows/defense_evasion_masquerading_as_svchost.toml
+++ b/rules/windows/defense_evasion_masquerading_as_svchost.toml
@@ -16,36 +16,43 @@ license = "Elastic License v2" name = "Potential Masquerading as Svchost" note = """ ## Triage and analysis +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +## Triage and analysis + ### Investigating Potential Masquerading as Svchost -PowerShell, a powerful scripting language in Windows environments, can be exploited by adversaries using obfuscation techniques like backtick-escaped variable expansion to evade detection. This method involves disguising malicious scripts to bypass security measures. The detection rule identifies scripts with excessive length and specific obfuscation patterns, flagging potential threats for further analysis. +`svchost.exe` (Service Host) is a legitimate Windows system process responsible for hosting multiple Windows services. Adversaries may attempt to masquerade as `svchost.exe` to evade detection and blend in with normal system activity. This is often achieved by renaming a malicious executable to `svchost.exe`, placing it outside of standard Windows directories (e.g., `%SystemRoot%\System32`), or running it with unusual parent processes or command-line arguments. + +The detection rule identifies instances where an `svchost.exe` process executes from unexpected directories, exhibits anomalous command-line behavior, or originates from a non-standard parent process—indicating potential masquerading or process injection activity. ### Possible investigation steps -- Review the `powershell.file.script_block_text` field to understand the content of the script and identify any suspicious or malicious commands. 
-- Examine the `file.path` and `file.name` fields to determine the origin and context of the script execution, which may provide insights into whether the script is part of a legitimate process or potentially malicious activity. -- Check the `host.name` and `agent.id` fields to identify the affected system and correlate with other security events or logs from the same host for additional context. -- Analyze the `user.id` field to determine which user account executed the script, and assess whether this activity aligns with the user's typical behavior or role. -- Investigate the `powershell.file.script_block_id` and `powershell.sequence` fields to trace the execution flow of the script and identify any related script blocks that may have been executed in sequence. -- Consider the `count` field to evaluate the extent of obfuscation used in the script, which may indicate the level of sophistication or intent behind the script. +- Review the `process.executable` and `file.path` fields to confirm the location of the `svchost.exe` binary. Legitimate instances should reside in `C:\Windows\System32\` or `C:\Windows\SysWOW64\`. +- Examine the `process.parent.name` and `process.parent.executable` fields to determine which process spawned the suspicious `svchost.exe`. Unexpected parents (e.g., `explorer.exe`, `cmd.exe`, or `powershell.exe`) may indicate malicious activity. +- Check the `process.command_line` field for unusual arguments. Legitimate `svchost.exe` instances typically use the `-k` parameter followed by a valid service group name. +- Investigate the `process.code_signature` field to determine if the binary is signed by Microsoft. Unsigned or invalid signatures are strong indicators of masquerading. +- Correlate the event with other telemetry from the same `host.name` or `agent.id` to identify additional indicators such as file creation, network connections, or registry modifications related to the suspicious process. 
+- Review related file creation events to determine how and when the fake `svchost.exe` was introduced to the system (e.g., dropped by another malware component or downloaded from the network). ### False positive analysis -- Scripts with legitimate administrative functions may use backtick-escaped variable expansion for complex string manipulations. Review the script's context and purpose to determine if it aligns with expected administrative tasks. -- Automated scripts generated by trusted software might include obfuscation patterns as part of their normal operation. Verify the source and integrity of the software to ensure it is from a reputable vendor. -- Developers and IT professionals may use obfuscation techniques during testing or development phases. Establish a process to whitelist known development environments or user accounts to reduce unnecessary alerts. -- PowerShell scripts that are part of legitimate security tools or monitoring solutions may trigger the rule. Identify and exclude these tools by their file path or script block ID to prevent false positives. -- Regularly update the list of known false positives based on historical data and feedback from users to refine the detection rule and improve its accuracy. +- Some legitimate third-party applications may use executables named `svchost.exe` within their own installation paths. Verify the vendor, file hash, and digital signature to determine legitimacy. +- In virtualized or sandboxed environments, custom service hosts may appear with similar naming conventions. Validate these against known baseline configurations. +- Ensure that system recovery or diagnostic tools using temporary binaries are not misidentified as malicious. Review event timing and system logs to confirm. +- Regularly maintain an inventory of known legitimate `svchost.exe` locations and hashes to minimize false positives across managed hosts. 
### Response and remediation -- Isolate the affected host immediately to prevent further spread of the potentially malicious script across the network. -- Terminate any suspicious PowerShell processes identified by the alert to halt the execution of obfuscated scripts. -- Conduct a thorough review of the script block text and associated file paths to identify and remove any malicious scripts or files from the system. -- Reset credentials for any user accounts involved in the alert to mitigate the risk of compromised credentials being used for further attacks. -- Escalate the incident to the security operations team for a deeper investigation into potential lateral movement or additional compromised systems. -- Implement enhanced monitoring on the affected host and similar systems to detect any recurrence of obfuscation techniques or related suspicious activities. -- Update endpoint protection and intrusion detection systems with indicators of compromise (IOCs) derived from the analysis to improve detection capabilities for similar threats in the future. +- Isolate the affected host immediately to prevent lateral movement or further compromise. +- Terminate any suspicious `svchost.exe` processes executing from non-standard locations. +- Quarantine and remove the rogue binary after verification through hash reputation or sandbox analysis. +- Perform a full system scan to identify additional malicious files or persistence mechanisms associated with the masqueraded process. +- Review and reset any credentials used by the compromised process if credential theft or impersonation is suspected. +- Analyze recent network activity from the affected host for potential data exfiltration or command-and-control communication. +- Escalate the incident to the security operations or incident response team for deeper investigation and forensic analysis. 
+- Implement detections to monitor for future attempts of process masquerading, and update security baselines and EDR exclusions accordingly.
 """
 risk_score = 73
 rule_id = "32f95776-6498-4f3c-a90c-d4f6083e3901"

From 4de736fdd00c4a883a1bd093e07dae68c89413af Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 12 Nov 2025 16:58:13 +0000
Subject: [PATCH 03/12] Update defense_evasion_masquerading_as_svchost.toml

---
 rules/windows/defense_evasion_masquerading_as_svchost.toml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml
index db19d6eb7e2..e136cd4ec35 100644
--- a/rules/windows/defense_evasion_masquerading_as_svchost.toml
+++ b/rules/windows/defense_evasion_masquerading_as_svchost.toml
@@ -7,8 +7,7 @@ updated_date = "2025/11/12"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies the creation of a svchost process with an unusual parent. This may indicate an attempt to masquerade a
-malicious process.
+Identifies attempts to masquerade as the Service Host process `svchost.exe` to evade detection and blend in with normal system activity.
 """
 from = "now-9m"
 language = "esql"

From 40d69819381d279cd58e48d3a601dbed22fdd9b0 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 12 Nov 2025 17:27:20 +0000
Subject: [PATCH 04/12] Update defense_evasion_masquerading_as_svchost.toml

---
 ...fense_evasion_masquerading_as_svchost.toml | 40 -------------------
 1 file changed, 40 deletions(-)

diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml
index e136cd4ec35..26cb9c3b46c 100644
--- a/rules/windows/defense_evasion_masquerading_as_svchost.toml
+++ b/rules/windows/defense_evasion_masquerading_as_svchost.toml
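Review bot: The rewritten guide in patch 02 puts raw backslashes inside the `note = """` basic multi-line string — `%SystemRoot%\System32` in the overview and `C:\Windows\System32\` / `C:\Windows\SysWOW64\` in the first investigation step — and `\S`, `\W` and a backslash directly before a closing backtick are not valid TOML escape sequences, so this revision of the rule file should fail to parse. Either double the backslashes, move such paths into a literal string, or keep them out of the prose; patches 04 and 07, which delete and re-add the note without those paths, look like the recovery from exactly that. The hunk also adds a second `## Triage and analysis` heading below the one that already follows `note = """` on the context line, so the rendered guide repeats its title.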
@@ -13,46 +13,6 @@ from = "now-9m" language = "esql" license = "Elastic License v2" name = "Potential Masquerading as Svchost" -note = """ ## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -## Triage and analysis - -### Investigating Potential Masquerading as Svchost - -`svchost.exe` (Service Host) is a legitimate Windows system process responsible for hosting multiple Windows services. Adversaries may attempt to masquerade as `svchost.exe` to evade detection and blend in with normal system activity. This is often achieved by renaming a malicious executable to `svchost.exe`, placing it outside of standard Windows directories (e.g., `%SystemRoot%\System32`), or running it with unusual parent processes or command-line arguments. - -The detection rule identifies instances where an `svchost.exe` process executes from unexpected directories, exhibits anomalous command-line behavior, or originates from a non-standard parent process—indicating potential masquerading or process injection activity. - -### Possible investigation steps - -- Review the `process.executable` and `file.path` fields to confirm the location of the `svchost.exe` binary. Legitimate instances should reside in `C:\Windows\System32\` or `C:\Windows\SysWOW64\`. -- Examine the `process.parent.name` and `process.parent.executable` fields to determine which process spawned the suspicious `svchost.exe`. Unexpected parents (e.g., `explorer.exe`, `cmd.exe`, or `powershell.exe`) may indicate malicious activity. -- Check the `process.command_line` field for unusual arguments. Legitimate `svchost.exe` instances typically use the `-k` parameter followed by a valid service group name. 
-- Investigate the `process.code_signature` field to determine if the binary is signed by Microsoft. Unsigned or invalid signatures are strong indicators of masquerading. -- Correlate the event with other telemetry from the same `host.name` or `agent.id` to identify additional indicators such as file creation, network connections, or registry modifications related to the suspicious process. -- Review related file creation events to determine how and when the fake `svchost.exe` was introduced to the system (e.g., dropped by another malware component or downloaded from the network). - -### False positive analysis - -- Some legitimate third-party applications may use executables named `svchost.exe` within their own installation paths. Verify the vendor, file hash, and digital signature to determine legitimacy. -- In virtualized or sandboxed environments, custom service hosts may appear with similar naming conventions. Validate these against known baseline configurations. -- Ensure that system recovery or diagnostic tools using temporary binaries are not misidentified as malicious. Review event timing and system logs to confirm. -- Regularly maintain an inventory of known legitimate `svchost.exe` locations and hashes to minimize false positives across managed hosts. - -### Response and remediation - -- Isolate the affected host immediately to prevent lateral movement or further compromise. -- Terminate any suspicious `svchost.exe` processes executing from non-standard locations. -- Quarantine and remove the rogue binary after verification through hash reputation or sandbox analysis. -- Perform a full system scan to identify additional malicious files or persistence mechanisms associated with the masqueraded process. -- Review and reset any credentials used by the compromised process if credential theft or impersonation is suspected. -- Analyze recent network activity from the affected host for potential data exfiltration or command-and-control communication. 
-- Escalate the incident to the security operations or incident response team for deeper investigation and forensic analysis.
-- Implement detections to monitor for future attempts of process masquerading, and update security baselines and EDR exclusions accordingly.
-"""
 risk_score = 73
 rule_id = "32f95776-6498-4f3c-a90c-d4f6083e3901"
 severity = "high"

From 56276ec5e21d7dee684074a4199bc9d90de6523b Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 12 Nov 2025 17:36:21 +0000
Subject: [PATCH 05/12] Update defense_evasion_masquerading_as_svchost.toml

---
 rules/windows/defense_evasion_masquerading_as_svchost.toml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml
index 26cb9c3b46c..2601683514e 100644
--- a/rules/windows/defense_evasion_masquerading_as_svchost.toml
+++ b/rules/windows/defense_evasion_masquerading_as_svchost.toml
@@ -34,6 +34,7 @@ FROM logs-* metadata _id, _version, _index
 not to_lower(process.executable) like """c:\\windows\\syswow64\\svchost.exe""" and
 not process.executable like """\\Device\\HarddiskVolume*\\Windows\\System32\\svchost.exe""" and
 not process.executable like """\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\svchost.exe""")
+| keep host.id, user.id, user.name, process.executable, process.parent.executable, process.command_line
 '''

From dcc9a21eea6b9ee85f71105154803da0770c1012 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 12 Nov 2025 17:49:55 +0000
Subject: [PATCH 06/12] Update defense_evasion_masquerading_as_svchost.toml

---
 rules/windows/defense_evasion_masquerading_as_svchost.toml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml
index 2601683514e..76d80659e0a 100644
--- a/rules/windows/defense_evasion_masquerading_as_svchost.toml
+++ b/rules/windows/defense_evasion_masquerading_as_svchost.toml
@@ -20,8 +20,7 @@ tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
- "Tactic: Defense Evasion",
- "Resources: Investigation Guide",
+ "Tactic: Defense Evasion"
 ]
 timestamp_override = "event.ingested"
 type = "esql"

From 702abecd00f6e7d4639493783718485dc11da0f6 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Wed, 12 Nov 2025 17:59:36 +0000
Subject: [PATCH 07/12] Update defense_evasion_masquerading_as_svchost.toml

---
 ...fense_evasion_masquerading_as_svchost.toml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml
index 76d80659e0a..10364914b55 100644
--- a/rules/windows/defense_evasion_masquerading_as_svchost.toml
+++ b/rules/windows/defense_evasion_masquerading_as_svchost.toml
@@ -13,6 +13,41 @@ from = "now-9m" language = "esql" license = "Elastic License v2" name = "Potential Masquerading as Svchost" +note = """ ## Triage and analysis + +> **Disclaimer**: +> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. + +### Investigating Potential Masquerading as Svchost + +svchost.exe is a legitimate Windows system process responsible for hosting multiple Windows services. Adversaries may attempt to masquerade as svchost.exe to evade detection and blend in with normal system activity. This is often achieved by renaming a malicious executable to svchost.exe, placing it outside of standard Windows directories or running it with unusual parent processes or command-line arguments. + +### Possible investigation steps + +- Review the process.executable and process.parent.executable fields to confirm the location and unexpected parents.. +- Check the process.command_line field for unusual arguments. Legitimate svchost.exe instances typically use the -k parameter followed by a valid service group name. +- Investigate the process.code_signature field to determine if the binary is signed by Microsoft. Unsigned or invalid signatures are strong indicators of masquerading. +- Correlate the event with other telemetry from the same host to identify additional indicators such as file creation, network connections, or registry modifications related to the suspicious process. +- Review related file creation events to determine how and when the fake svchost.exe was introduced to the system (e.g. dropped by another malware component or downloaded from the network). + +### False positive analysis + +- Some legitimate third-party applications may use executables named svchost.exe within their own installation paths. 
Verify the vendor, file hash, and digital signature to determine legitimacy. +- In virtualized or sandboxed environments, custom service hosts may appear with similar naming conventions. Validate these against known baseline configurations. +- Ensure that system recovery or diagnostic tools using temporary binaries are not misidentified as malicious. Review event timing and system logs to confirm. +- Regularly maintain an inventory of known legitimate `svchost.exe` locations and hashes to minimize false positives across managed hosts. + +### Response and remediation + +- Isolate the affected host immediately to prevent lateral movement or further compromise. +- Terminate any suspicious svchost.exe processes executing from non-standard locations. +- Quarantine and remove the rogue binary after verification through hash reputation or sandbox analysis. +- Perform a full system scan to identify additional malicious files or persistence mechanisms associated with the masqueraded process. +- Review and reset any credentials used by the compromised process if credential theft or impersonation is suspected. +- Analyze recent network activity from the affected host for potential data exfiltration or command-and-control communication. +- Escalate the incident to the security operations or incident response team for deeper investigation and forensic analysis. +- Implement detections to monitor for future attempts of process masquerading, and update security baselines and EDR exclusions accordingly. +""" risk_score = 73 rule_id = "32f95776-6498-4f3c-a90c-d4f6083e3901" severity = "high" From 0e67bebb1d442440942cfefb2b64cbe9023ff861 Mon Sep 17 00:00:00 2001 From: Samirbous Date: Wed, 12 Nov 2025 18:09:21 +0000 Subject: [PATCH 08/12] Update defense_evasion_masquerading_as_svchost.toml --- rules/windows/defense_evasion_masquerading_as_svchost.toml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
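Review bot: The restored guide tells the analyst to "Investigate the process.code_signature field", but the rule's `| keep host.id, user.id, user.name, process.executable, process.parent.executable, process.command_line` (added in patch 05, still without signature fields after patch 09) drops the code-signature data from the alert document, so that step cannot be completed from the alert itself. Either add `process.code_signature.subject_name` and `process.code_signature.trusted` to the `keep` list or reword the step to say the field has to be looked up in the source event. Minor: the first investigation step ends with a doubled period, `confirm the location and unexpected parents..`.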
diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml
index 10364914b55..c8614e7cb9e 100644
--- a/rules/windows/defense_evasion_masquerading_as_svchost.toml
+++ b/rules/windows/defense_evasion_masquerading_as_svchost.toml
@@ -44,7 +44,7 @@ svchost.exe is a legitimate Windows system process responsible for hosting multi
 - Quarantine and remove the rogue binary after verification through hash reputation or sandbox analysis.
 - Perform a full system scan to identify additional malicious files or persistence mechanisms associated with the masqueraded process.
 - Review and reset any credentials used by the compromised process if credential theft or impersonation is suspected.
-- Analyze recent network activity from the affected host for potential data exfiltration or command-and-control communication.
+- Analyze recent network activity from the affected host for potential data exfiltration or commandand-control communication.
 - Escalate the incident to the security operations or incident response team for deeper investigation and forensic analysis.
 - Implement detections to monitor for future attempts of process masquerading, and update security baselines and EDR exclusions accordingly.
 """
@@ -55,7 +55,8 @@ tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
- "Tactic: Defense Evasion"
+ "Tactic: Defense Evasion",
+ "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "esql"

From 86c8f80ffe755f3a33ddf193ac3f921548d14ee7 Mon Sep 17 00:00:00 2001
From: Samirbous
Date: Thu, 13 Nov 2025 11:02:34 +0000
Subject: [PATCH 09/12] Update defense_evasion_masquerading_as_svchost.toml

---
 .../defense_evasion_masquerading_as_svchost.toml | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
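Review bot: The first hunk introduces a typo instead of fixing one: `command-and-control communication` on the removed line becomes `commandand-control communication` on the added line, so the hyphenated term is now broken in the analyst-facing guide. Restore `- Analyze recent network activity from the affected host for potential data exfiltration or command-and-control communication.` The second hunk re-adds the `Resources: Investigation Guide` tag, which is consistent with the note having been restored in patch 07; as in patch 06, the last array element is left without a trailing comma, unlike the original file's style.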
diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml
index c8614e7cb9e..6fd43e37de9 100644
--- a/rules/windows/defense_evasion_masquerading_as_svchost.toml
+++ b/rules/windows/defense_evasion_masquerading_as_svchost.toml
@@ -63,13 +63,12 @@ type = "esql"
 query = '''
 FROM logs-* metadata _id, _version, _index
-| WHERE QSTR("event.category:process and event.type:start and process.name:svchost.exe~1 AND NOT process.name:svchost.exe") OR
- (to_lower(process.name) == "svchost.exe" and
- not to_lower(process.executable) like """c:\\windows\\system32\\svchost.exe""" and
- not to_lower(process.executable) like """c:\\windows\\syswow64\\svchost.exe""" and
- not process.executable like """\\Device\\HarddiskVolume*\\Windows\\System32\\svchost.exe""" and
- not process.executable like """\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\svchost.exe""")
-| keep host.id, user.id, user.name, process.executable, process.parent.executable, process.command_line
+| where event.category == "process" and event.type == "start" and
+ match(process.name, "svchost.exe", { "fuzziness": "AUTO", "max_expansions": 10 }) and
+ not process.executable in ("C:\\Windows\\System32\\sihost.exe", "C:\\Windows\\SysWOW64\\svchost.exe", "C:\\Windows\\System32\\svchost.exe") and
+ not process.executable like """\\Device\\HarddiskVolume*\\Windows\\System32\\svchost.exe""" and
+ not process.executable like """\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\svchost.exe"""
+| keep event.dataset, host.name, host.id, user.id, user.name, process.executable, process.parent.executable, process.command_line
 '''

From 5e0621bf1fd2d718e429751b90a8548f6099fcf7 Mon Sep 17 00:00:00 2001
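Review bot: The new exclusion `not process.executable in ("C:\\Windows\\System32\\sihost.exe", "C:\\Windows\\SysWOW64\\svchost.exe", "C:\\Windows\\System32\\svchost.exe")` is an exact, case-sensitive comparison, whereas the removed lines normalised the path with `to_lower(process.executable)` before matching; any data source that reports the legitimate path with different casing will no longer be excluded and will alert on the real binary. Patch 10 shortens the list but keeps the same exact-match form, so the regression survives to the final query. Consider `not to_lower(process.executable) in ("c:\\windows\\syswow64\\svchost.exe", "c:\\windows\\system32\\svchost.exe")` to keep the earlier behaviour. The `sihost.exe` entry appears to exist only because `"fuzziness": "AUTO"` lets that name match; if so, a short comment saying why it is listed would help the next maintainer.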
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Thu, 13 Nov 2025 11:49:07 +0000
Subject: [PATCH 10/12] Update defense_evasion_masquerading_as_svchost.toml

---
 rules/windows/defense_evasion_masquerading_as_svchost.toml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml
index 6fd43e37de9..6520aa45c7d 100644
--- a/rules/windows/defense_evasion_masquerading_as_svchost.toml
+++ b/rules/windows/defense_evasion_masquerading_as_svchost.toml
@@ -64,8 +64,8 @@ type = "esql"
 query = '''
 FROM logs-* metadata _id, _version, _index
 | where event.category == "process" and event.type == "start" and
- match(process.name, "svchost.exe", { "fuzziness": "AUTO", "max_expansions": 10 }) and
- not process.executable in ("C:\\Windows\\System32\\sihost.exe", "C:\\Windows\\SysWOW64\\svchost.exe", "C:\\Windows\\System32\\svchost.exe") and
+ match(process.name, "svchost.exe", { "fuzziness": 1, "max_expansions": 10 }) and
+ not process.executable in ("C:\\Windows\\SysWOW64\\svchost.exe", "C:\\Windows\\System32\\svchost.exe") and
 not process.executable like """\\Device\\HarddiskVolume*\\Windows\\System32\\svchost.exe""" and
 not process.executable like """\\Device\\HarddiskVolume*\\Windows\\SysWOW64\\svchost.exe"""
 | keep event.dataset, host.name, host.id, user.id, user.name, process.executable, process.parent.executable, process.command_line

From 6d5462950f4c5a78f55f59a4c3faf2e9663244cb Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 19 Nov 2025 09:23:47 +0000
Subject: [PATCH 11/12] Update defense_evasion_masquerading_as_svchost.toml

---
 rules/windows/defense_evasion_masquerading_as_svchost.toml | 3 +++
 1 file changed, 3 insertions(+)
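Review bot: An event whose `process.executable` is null makes each `not process.executable in (...)` / `not process.executable like ...` term evaluate to null, so the row is silently filtered even though `match(process.name, "svchost.exe", { "fuzziness": 1, "max_expansions": 10 })` fired; because the query reads every `logs-*` stream rather than one integration, datasets that carry a process name but no path would never alert. If that is an accepted trade-off, record it in the rule (for example a `# process.executable is required; events without a path are intentionally dropped` comment above the exclusions); otherwise wrap the exclusions as `process.executable is null or (` … `)`. Separately, `"max_expansions": 10` bounds how many near-name terms the fuzzy match will consider, so on large indices with many similar names the match set may not be exhaustive — worth a sentence in the guide's false-positive or limitations text.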
diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml
index 6520aa45c7d..a4fee887dc1 100644
--- a/rules/windows/defense_evasion_masquerading_as_svchost.toml
+++ b/rules/windows/defense_evasion_masquerading_as_svchost.toml
@@ -3,6 +3,9 @@ creation_date = "2025/11/12"
 integration = ["windows"]
 maturity = "production"
 updated_date = "2025/11/12"
+min_stack_version = "9.1.0"
+min_stack_comments = "The esql match operator was introduced in version 9.1.0"
+
 [rule]
 author = ["Elastic"]

From 5d5a219d57c0e1dfb6e7450362d1d8a2b2ca08e5 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Wed, 19 Nov 2025 09:26:43 +0000
Subject: [PATCH 12/12] Update defense_evasion_masquerading_as_svchost.toml

---
 rules/windows/defense_evasion_masquerading_as_svchost.toml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/defense_evasion_masquerading_as_svchost.toml b/rules/windows/defense_evasion_masquerading_as_svchost.toml
index a4fee887dc1..248a51b9a36 100644
--- a/rules/windows/defense_evasion_masquerading_as_svchost.toml
+++ b/rules/windows/defense_evasion_masquerading_as_svchost.toml
@@ -13,6 +13,7 @@ description = """
 Identifies attempts to masquerade as the Service Host process `svchost.exe` to evade detection and blend in with normal system activity.
 """
 from = "now-9m"
+interval = "8m"
 language = "esql"
 license = "Elastic License v2"
 name = "Potential Masquerading as Svchost"
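Review bot: In patch 11's `[metadata]` hunk the two new keys are appended after `updated_date`, breaking the alphabetical order the table otherwise keeps (`creation_date`, `integration`, `maturity`, `updated_date`), and `min_stack_comments` lands after `min_stack_version` rather than before it; if the repository's rule tooling normalises key order on save, landing them sorted now avoids a spurious follow-up diff. `updated_date` still reads `"2025/11/12"` although this and the following patch are dated 19 Nov; unless the tooling bumps it automatically, update it here. The comment says `match operator` while the query uses the `match()` function with an options map — `"The ES|QL match function with options was introduced in version 9.1.0"` would describe the gate more precisely, assuming that is the feature the version floor is for.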