
Summary
This detection rule identifies potentially malicious processes that are masquerading as the legitimate Windows service host process, 'svchost.exe'. Attackers often disguise their malicious executables by giving them the names of benign operating system processes. This rule looks for any process named 'svchost.exe' that is not running from one of the standard locations, 'C:\Windows\System32\svchost.exe' or 'C:\Windows\SysWOW64\svchost.exe'. By filtering out instances that originate from these two directories, the rule significantly reduces false positive alerts, allowing security teams to focus on genuine threats. Any process with the correct name but an unusual path is flagged, providing an important signal that warrants further investigation. This matters in environments that need to maintain high security standards, because the rule keys on a behavioural pattern (process-name masquerading) that is a common evasion tactic employed by adversaries. The rule is assigned a high severity level so that its alerts are prioritised and security teams can respond promptly to potential threats.
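The following is an added illustration of the rule's logic, not the rule's own query or any vendor's code. It runs the path check over a handful of constructed process events and shows the two edge cases a practitioner would want covered: case differences and forward-slash paths must still match the allow-listed locations, while a correctly named binary anywhere else is flagged. The event field name 'image_path' is an assumption.

```python
from pathlib import PureWindowsPath

# The two legitimate locations of the service host binary, as stated in the rule.
LEGITIMATE_SVCHOST_PATHS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}


def normalize_path(image_path: str) -> str:
    """Canonicalise a Windows image path (backslashes, lower case, no stray
    whitespace) so that trivial variations cannot slip past the comparison."""
    return str(PureWindowsPath(image_path.strip())).lower()


def is_svchost_masquerade(event: dict) -> bool:
    """Return True when the event should fire this rule: the image name is
    svchost.exe but the full path is not one of the two legitimate locations.
    'image_path' is an assumed field name for the full executable path."""
    raw_path = event.get("image_path") or ""
    path = normalize_path(raw_path)
    if PureWindowsPath(path).name != "svchost.exe":
        return False  # not named svchost.exe at all: out of scope for this rule
    return path not in LEGITIMATE_SVCHOST_PATHS


def scan(events):
    """Apply the rule to a list of process events and return the hits."""
    return [e for e in events if is_svchost_masquerade(e)]


# Constructed sample events for demonstration; they are not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 804, "image_path": r"C:\Windows\System32\svchost.exe"},    # legitimate
    {"pid": 1320, "image_path": "C:/WINDOWS/SysWOW64/SVCHOST.EXE"},    # legitimate, odd casing
    {"pid": 4412, "image_path": r"C:\Users\Public\svchost.exe"},       # should alert
    {"pid": 5120, "image_path": r"C:\Windows\Temp\svchost.exe"},       # should alert
    {"pid": 6000, "image_path": r"C:\Windows\System32\notepad.exe"},   # different name, ignored
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"ALERT pid={hit['pid']} svchost.exe from unexpected path: {hit['image_path']}")
```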
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2024-08-07