Tag
high
advisory
Suspicious Process Masquerading as SvcHost.exe
2 rules 1 TTPAdversaries are masquerading malicious processes as 'svchost.exe' by naming their binaries 'svchost.exe' and executing them from uncommon locations to evade detection.
Windows
process-masquerading
defense-evasion
svchost
2r
1t
medium
advisory
Suspicious Svchost.exe Spawning Cmd.exe
2 rules 2 TTPsDetects suspicious activity where svchost.exe spawns cmd.exe, potentially indicating malware masquerading or privilege escalation on Windows systems.
Windows
execution
svchost
cmd
2r
2t
high
threat
TinyCC Masquerading as Svchost for Shellcode Execution
2 rules 2 TTPsAttackers rename TinyCC (tcc.exe) to svchost.exe and use it to compile and execute C source files containing shellcode, using the `-nostdlib` and `-run` flags, as observed in the Lotus Blossom Chrysalis backdoor campaign, indicating potential evasion and malicious code execution.
Tiny C Compiler
Lotus Blossom
tinycc
shellcode
svchost
lotus-blossom
chrysalis
t1059.003
t1027
2r
2t