Update detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml

tccontre · nasbench · web-flow · commit 2e9bc8698347 · 2025-02-20T18:20:13.000+01:00
Co-authored-by: Nasreddine Bencherchali &lt;nasreddineb@splunk.com&gt;
diff --git a/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml b/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml
@@ -5,7 +5,7 @@ date: '2025-02-11'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects an anomaly where a svchost.exe process is spawned by a parent process other than the standard services.exe. In a typical Windows environment, svchost.exe is a system process that hosts Windows services and is expected to be a child of services.exe. A process deviation from this hierarchy may indicate suspicious behavior, such as malicious code attempting to masquerade as a legitimate system process or evade detection. It is essential to investigate the parent process and associated behavior for further signs of compromise or unauthorized activity.
+description: The following analytic detects an anomaly where an svchost.exe process is spawned by a parent process other than the standard services.exe. In a typical Windows environment, svchost.exe is a system process that hosts Windows service DLLs, and is expected to be a child of services.exe. A process deviation from this hierarchy may indicate suspicious behavior, such as malicious code attempting to masquerade as a legitimate system process or evade detection. It is essential to investigate the parent process and associated behavior for further signs of compromise or unauthorized activity.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
