T1036.009 | LoFP

T1036.009

Title	Tags
some legitimate system processes, software updaters, or compatibility tools may trigger this behavior, occurrences involving unknown, unsigned, or unusual parent processes should be investigated for potential malware activity, persistence mechanisms, or execution flow hijacking.	T1036.009 endpoint splunk
windows update or other windows installer processes may launch their own svchost.exe processes that are not directly spawned by services.exe in certain edge cases (e.g., during patches or updates).	T1036.009 endpoint splunk