T1036.005 Match Legitimate Resource Name or Location Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SystemProcessPaths = dynamic([
  @"C:\Windows\System32\svchost.exe",
  @"C:\Windows\System32\csrss.exe",
  @"C:\Windows\System32\lsass.exe",
  @"C:\Windows\System32\services.exe",
  @"C:\Windows\System32\smss.exe",
  @"C:\Windows\System32\wininit.exe",
  @"C:\Windows\System32\conhost.exe",
  @"C:\Windows\System32\dllhost.exe",
  @"C:\Windows\System32\RuntimeBroker.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "wininit.exe", "conhost.exe", "dllhost.exe", "RuntimeBroker.exe", "taskhostw.exe", "spoolsv.exe", "msdtc.exe", "wuauclt.exe", "vmtoolsd.exe")
| where not(FolderPath in~ (SystemProcessPaths))
| where not(FolderPath startswith @"C:\Windows\System32\" or FolderPath startswith @"C:\Windows\SysWOW64\")
| extend ParentMismatch = case(
    FileName =~ "svchost.exe" and InitiatingProcessFileName !~ "services.exe", true,
    FileName =~ "csrss.exe" and InitiatingProcessFileName !in~ ("smss.exe", "csrss.exe"), true,
    FileName =~ "lsass.exe" and InitiatingProcessFileName !~ "wininit.exe", true,
    FileName =~ "services.exe" and InitiatingProcessFileName !~ "wininit.exe", true,
    false)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine,
         InitiatingProcessFileName, ParentMismatch, SHA256
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Process: Process Metadata Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

VMware Tools (vmtoolsd.exe) running from non-default install locations in virtualized environments
Application compatibility fixes that redirect binary execution paths
Windows Feature on Demand or Windows Sandbox creating system binary copies in temporary locations
Some endpoint protection tools that create copies of system binaries for analysis

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\svchost.exe" OR Image="*\\csrss.exe" OR Image="*\\lsass.exe" OR Image="*\\services.exe" OR Image="*\\smss.exe" OR Image="*\\wininit.exe" OR Image="*\\conhost.exe" OR Image="*\\dllhost.exe" OR Image="*\\RuntimeBroker.exe" OR Image="*\\msdtc.exe" OR Image="*\\wuauclt.exe")
  NOT (Image="C:\\Windows\\System32\\*" OR Image="C:\\Windows\\SysWOW64\\*" OR Image="C:\\Windows\\explorer.exe")
| eval ProcessName=mvindex(split(Image, "\\"), -1)
| eval ParentName=mvindex(split(ParentImage, "\\"), -1)
| eval ParentMismatch=case(
    lower(ProcessName)=="svchost.exe" AND lower(ParentName)!="services.exe", "TRUE",
    lower(ProcessName)=="csrss.exe" AND lower(ParentName)!="smss.exe", "TRUE",
    lower(ProcessName)=="lsass.exe" AND lower(ParentName)!="wininit.exe", "TRUE",
    1==1, "FALSE")
| table _time, host, User, Image, ParentImage, ParentMismatch, CommandLine, Hashes
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Process: Process Metadata Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

VMware Tools running from non-default install locations
Application compatibility fixes that redirect binary execution paths
Windows Feature on Demand creating system binary copies in temporary locations

Elastic Security (EQL)

eql

process where event.type == "start"
  and process.name in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "wininit.exe", "conhost.exe", "dllhost.exe", "RuntimeBroker.exe", "msdtc.exe", "wuauclt.exe", "taskhostw.exe", "spoolsv.exe")
  and not (
    process.executable like~ "C:\\Windows\\System32\\*" or
    process.executable like~ "C:\\Windows\\SysWOW64\\*"
  )
  or (
    process.name == "svchost.exe" and process.parent.name != "services.exe" and
    process.executable like~ "C:\\Windows\\System32\\svchost.exe"
  )
  or (
    process.name == "lsass.exe" and process.parent.name != "wininit.exe" and
    process.executable like~ "C:\\Windows\\System32\\lsass.exe"
  )
  or (
    process.name == "csrss.exe" and process.parent.name not in ("smss.exe", "csrss.exe") and
    process.executable like~ "C:\\Windows\\System32\\csrss.exe"
  )

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (endpoint)

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Security or AV products that launch wrapper processes with system process names in their own installation directories for sandboxing or hooking purposes
Software deployment tools (e.g., SCCM, Ansible) that temporarily stage executables in non-standard locations during installation routines
Virtualization or container runtimes that emulate Windows process hierarchies with modified parent relationships (e.g., Wine, compatibility layers)

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  "Process Name",
  "Process Path",
  "Parent Process Name",
  "Command",
  sourceip
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (382, 399)
  AND QIDNAME(qid) ILIKE '%process create%'
  AND (
    "Process Name" ILIKE 'svchost.exe'
    OR "Process Name" ILIKE 'csrss.exe'
    OR "Process Name" ILIKE 'lsass.exe'
    OR "Process Name" ILIKE 'services.exe'
    OR "Process Name" ILIKE 'smss.exe'
    OR "Process Name" ILIKE 'wininit.exe'
    OR "Process Name" ILIKE 'conhost.exe'
    OR "Process Name" ILIKE 'dllhost.exe'
    OR "Process Name" ILIKE 'RuntimeBroker.exe'
    OR "Process Name" ILIKE 'msdtc.exe'
    OR "Process Name" ILIKE 'wuauclt.exe'
  )
  AND NOT (
    "Process Path" ILIKE 'C:\Windows\System32\%'
    OR "Process Path" ILIKE 'C:\Windows\SysWOW64\%'
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Windows Sysmon (QRadar DSM) Microsoft Windows Security Event Log (QRadar DSM)

Required Tables

events

False Positives

Legitimate software installers that temporarily extract and run system process copies during upgrade workflows before moving them to their final destination
Forensic or IR tools that stage process binaries in analysis directories and execute them for hash comparison or metadata extraction
Custom enterprise monitoring agents that launch named child processes matching system process names for internal categorization or legacy compatibility

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| json field=_raw "EventID" as event_id nodrop
| json field=_raw "Image" as process_path nodrop
| json field=_raw "ParentImage" as parent_path nodrop
| json field=_raw "CommandLine" as command_line nodrop
| json field=_raw "User" as user nodrop
| json field=_raw "Hashes" as hashes nodrop
| where event_id = "1"
| parse regex field=process_path "(?:[^\\\\]+\\\\)*(?P<process_name>[^\\\\]+\.exe)$" nodrop
| parse regex field=parent_path "(?:[^\\\\]+\\\\)*(?P<parent_name>[^\\\\]+\.exe)$" nodrop
| where process_name in ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "wininit.exe", "conhost.exe", "dllhost.exe", "RuntimeBroker.exe", "msdtc.exe", "wuauclt.exe") (case insensitive)
| where !(process_path matches "C:\\Windows\\System32\\*") AND !(process_path matches "C:\\Windows\\SysWOW64\\*")
| if (process_name matches "(?i)svchost\.exe" and !(parent_name matches "(?i)services\.exe"), "TRUE", "FALSE") as parent_mismatch_svchost
| if (process_name matches "(?i)lsass\.exe" and !(parent_name matches "(?i)wininit\.exe"), "TRUE", "FALSE") as parent_mismatch_lsass
| if (process_name matches "(?i)csrss\.exe" and !(parent_name matches "(?i)smss\.exe"), "TRUE", "FALSE") as parent_mismatch_csrss
| if (parent_mismatch_svchost="TRUE" or parent_mismatch_lsass="TRUE" or parent_mismatch_csrss="TRUE", "TRUE", "FALSE") as any_parent_mismatch
| fields _messageTime, _collector, user, process_name, process_path, parent_name, parent_path, any_parent_mismatch, command_line, hashes
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Windows Sysmon source Sumo Logic Windows Security Event Log source

Required Tables

windows/sysmon windows/security

False Positives

Third-party endpoint management platforms (e.g., Tanium, BigFix) that shadow system process names in their working directories for health monitoring agents
Windows Subsystem for Linux (WSL) or containerized Windows environments where process paths may differ from standard host filesystem paths
Legitimate penetration testing or red team exercises using renamed process binaries during authorized engagements

Google Chronicle / SecOps

yaral

rule t1036_005_masquerading_system_process_name {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects processes using legitimate Windows system process names executing from non-standard paths (outside System32/SysWOW64), or with unexpected parent process relationships. Covers MITRE ATT&CK T1036.005."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.005"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path = $proc_path
    $e.target.process.file.full_path = $target_path
    $e.target.process.file.names[0] = $proc_name

    // Match known system process names
    re.regex($proc_name, `(?i)^(svchost|csrss|lsass|services|smss|wininit|conhost|dllhost|RuntimeBroker|msdtc|wuauclt|taskhostw|spoolsv)\.exe$`)

    // Not in standard system paths
    not re.regex($target_path, `(?i)^C:\\Windows\\(System32|SysWOW64)\\`)

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM (Unified Data Model) Windows Sysmon via Chronicle forwarder Microsoft Defender for Endpoint via Chronicle

Required Tables

UDM Events (PROCESS_LAUNCH type)

False Positives

Enterprise software packaging tools that extract and execute system process copies from temp or staging directories as part of installation verification steps
Incident response tooling that copies system binaries to analysis directories for hash comparison and version verification workflows
Legacy application compatibility shims or virtualization layers that remap system process paths to alternate locations on non-standard Windows configurations

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)\\(svchost|csrss|lsass|services|smss|wininit|conhost|dllhost|RuntimeBroker|msdtc|wuauclt|taskhostw|spoolsv)\.exe$/
| !ImageFileName = /(?i)^C:\\Windows\\(System32|SysWOW64)\\/
| ParentBaseFileName := replace(ParentImageFileName, /^.*\\/, "")
| ProcessName := replace(ImageFileName, /^.*\\/, "")
| ParentMismatch := case {
    ProcessName = /(?i)^svchost\.exe$/ and !ParentBaseFileName = /(?i)^services\.exe$/ : "true" ;
    ProcessName = /(?i)^lsass\.exe$/ and !ParentBaseFileName = /(?i)^wininit\.exe$/ : "true" ;
    ProcessName = /(?i)^csrss\.exe$/ and !ParentBaseFileName = /(?i)^(smss|csrss)\.exe$/ : "true" ;
    ProcessName = /(?i)^services\.exe$/ and !ParentBaseFileName = /(?i)^wininit\.exe$/ : "true" ;
    * : "false"
  }
| groupBy([ComputerName, UserName, ImageFileName, ParentImageFileName, CommandLine, SHA256HashData], function=count(aid, as=EventCount))
| sort(EventCount, order=desc)
| select([ComputerName, UserName, ProcessName, ImageFileName, ParentBaseFileName, ParentImageFileName, ParentMismatch, CommandLine, SHA256HashData, EventCount])

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 events) Falcon Data Replicator (FDR)

Required Tables

#event_simpleName=ProcessRollup2

False Positives

CrowdStrike Falcon sensor updates or self-healing processes that temporarily launch named child processes from non-standard sensor staging directories during version rollout
Application virtualization solutions (e.g., VMware ThinApp, Microsoft App-V) that encapsulate system process executables within virtual filesystem containers at non-standard paths
Custom IT operations scripts that spawn renamed copies of system executables in scratch directories for log collection or diagnostic data gathering purposes

Match Legitimate Resource Name or Location

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections