
Potential Masquerading as Svchost

Elastic Detection Rules

Summary
This detection rule identifies attempts to masquerade as the Windows Service Host process `svchost.exe`, the legitimate binary that hosts many Windows services and therefore runs as several instances on every Windows system. Adversaries rename their executables to `svchost.exe` so that they blend into normal process listings and escape casual review. The rule uses an ES|QL query that searches process events for a process named `svchost.exe` whose executable does not reside in one of the expected Windows directories (`C:\Windows\System32` or `C:\Windows\SysWOW64`); a match indicates possible impersonation. Suggested investigation steps are to review the related process fields (such as the executable path and parent process) for legitimacy, to correlate additional telemetry for context, and to check the binary's code signature, since a genuine `svchost.exe` is signed by Microsoft and an unsigned or differently signed copy outside those directories is strong evidence of masquerading. The risk score of 73 corresponds to high severity. Response measures include isolating the affected host, terminating the suspicious process, and running a full system scan.
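The core check described above, re-implemented here as an added example so it can be run offline over a handful of events; this is not Elastic's ES|QL rule and the field layout (`process.name`, `process.executable`, `process.code_signature.trusted`) simply follows ECS naming. The sample events are constructed, not real telemetry. One caveat a practitioner should carry into the real query: the directory comparison should be case-insensitive and applied to the normalized path, because `C:\Windows\System32\..\Temp\svchost.exe` contains the string `System32` yet resolves to `C:\Windows\Temp`.

```python
# Added example (not Elastic's rule): the summary's core check, "a process named
# svchost.exe whose directory is not System32 or SysWOW64", re-implemented in
# Python over constructed ECS-shaped events so it can be run offline.
import ntpath

# Directories the summary names as legitimate homes for svchost.exe.
# Compared lower-cased, since NTFS paths are case-insensitive.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def normalized_parent_dir(executable: str) -> str:
    """Return the lower-cased, '..'-collapsed directory of a Windows path.

    ntpath works on any platform, so this runs on Linux too. Normalizing
    first matters: C:\\Windows\\System32\\..\\Temp\\svchost.exe contains
    "System32" but actually resolves to C:\\Windows\\Temp.
    """
    normalized = ntpath.normpath(executable.replace("/", "\\"))
    return ntpath.dirname(normalized).rstrip("\\").lower()


def is_masquerading_svchost(event: dict) -> bool:
    """True when the process is named svchost.exe but runs outside EXPECTED_DIRS."""
    proc = event.get("process", {})
    executable = proc.get("executable") or ""
    # Fall back to the executable's basename if process.name is absent.
    name = (proc.get("name") or ntpath.basename(executable)).lower()
    if name != "svchost.exe" or not executable:
        return False
    return normalized_parent_dir(executable) not in EXPECTED_DIRS


def triage(events: list[dict]) -> list[dict]:
    """Return one finding per matching event with the fields an analyst reviews first.

    The match is decided by the path alone, as in the summary; the code
    signature is read only to enrich the finding for the investigation step.
    """
    findings = []
    for event in events:
        if not is_masquerading_svchost(event):
            continue
        proc = event["process"]
        sig = proc.get("code_signature", {})
        findings.append({
            "host": event.get("host", {}).get("name", "unknown"),
            "pid": proc.get("pid"),
            "executable": proc["executable"],
            "parent": proc.get("parent", {}).get("executable"),
            # A genuine svchost.exe is signed by Microsoft; an unsigned or
            # untrusted binary in an odd directory raises confidence.
            "signed_and_trusted": bool(sig.get("trusted", False)),
            "signer": sig.get("subject_name"),
        })
    return findings


# Constructed sample events (not real telemetry), shaped like ECS process events.
SAMPLE_EVENTS = [
    {"host": {"name": "ws01"}, "process": {"pid": 912, "name": "svchost.exe",
        "executable": r"C:\Windows\System32\svchost.exe",
        "parent": {"executable": r"C:\Windows\System32\services.exe"},
        "code_signature": {"trusted": True, "subject_name": "Microsoft Windows Publisher"}}},
    {"host": {"name": "ws01"}, "process": {"pid": 1204, "name": "SVCHOST.EXE",
        "executable": "c:/windows/syswow64/SVCHOST.EXE",
        "code_signature": {"trusted": True, "subject_name": "Microsoft Windows Publisher"}}},
    {"host": {"name": "ws02"}, "process": {"pid": 4480, "name": "svchost.exe",
        "executable": r"C:\Users\Public\svchost.exe",
        "parent": {"executable": r"C:\Windows\explorer.exe"}}},
    {"host": {"name": "ws02"}, "process": {"pid": 4512, "name": "svchost.exe",
        "executable": r"C:\Windows\System32\..\Temp\svchost.exe",
        "code_signature": {"trusted": False, "subject_name": "Contoso Ltd"}}},
    {"host": {"name": "ws03"}, "process": {"pid": 7720, "name": "explorer.exe",
        "executable": r"C:\Windows\Temp\explorer.exe"}},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Of the five constructed events, only the two copies outside the expected directories (the one under `C:\Users\Public` and the `..`-traversal into `C:\Windows\Temp`) are reported; the mixed-case, forward-slash `SysWOW64` path is accepted once normalized, and a renamed binary that is not called `svchost.exe` is out of this rule's scope.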
Categories
  • Endpoint
  • Windows
Data Sources
  • Process
  • Windows Registry
ATT&CK Techniques
  • T1036
  • T1036.005
Created: 2025-11-12