I ran a search for "Malware Detection / Processes whose names are confusingly similar to those of critical systems processes are likely to be malicious (process.path:svchost.exe~1)" and got the following message, which is concerning to say the least. When I run a virus scan this doesn't show up. What should I make of this?
General
- mitre_tactics: N/A
- mitre_techniques: N/A
Details
- process_integrity_level: system
- parent_process_integrity_level: system
- process_access_privileges: elevated
- parent_process_access_privileges: elevated
- command_line: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wlidsvc
- process_path: c:\windows\system32\svchost.exe
- pid: 16824
- user: NT AUTHORITY\SYSTEM
- parent_process_pid: 996
- parent_process_path: c:\windows\system32\services.exe
- parent_process_user: NT AUTHORITY\SYSTEM
- file_md5: f586835082f632dc8d9404d83bc16316
- file_sha256: 643ec58e82e0272c97c2a59f6020970d881af19c0ad5029db9c958c13b6558c7
- hostname: computername.domain.local
- event_name: suspicioustokenimpersonation
- other.os: windows
- other.user: NT AUTHORITY\SYSTEM
- other.event_type: alert
- other.detection_class: edr_detection