Test - Windows Svchost.exe Parent Process Anomaly

contentctl.yml

@@ -65,9 +65,9 @@ apps:
 - uid: 742
   title: Splunk Add-on for Microsoft Windows
   appid: SPLUNK_ADD_ON_FOR_MICROSOFT_WINDOWS
-  version: 9.0.1
+  version: 9.1.0
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Splunk_TA_windows-9.0.1.spl
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-windows_910.tgz
 - uid: 5709
   title: Splunk Add-on for Sysmon
   appid: Splunk_TA_microsoft_sysmon

detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml

@@ -5,7 +5,7 @@ date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects an anomaly where an svchost.exe process is spawned by a parent process other than the standard services.exe. In a typical Windows environment, svchost.exe is a system process that hosts Windows service DLLs, and is expected to be a child of services.exe. A process deviation from this hierarchy may indicate suspicious behavior, such as malicious code attempting to masquerade as a legitimate system process or evade detection. It is essential to investigate the parent process and associated behavior for further signs of compromise or unauthorized activity.
+description: The following analytic detects an anomaly where an svchost.exe process is spawned by a parent process other than the standard services.exe. In a typical Windows environment, svchost.exe is a system process that hosts Windows service DLLs, and is expected to be a child of services.exe. A process deviation from this hierarchy may indicate suspicious behavior, such as malicious code attempting to masquerade as a legitimate system process or evade detection. It is essential to investigate the parent process and associated behavior for further signs of compromise or unauthorized activity. 
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688