Mar 2026 · 6 min read

svchost is a Honeypot

Why your injection target matters more than your loader

You build a shellcode loader. You add AES encryption, dynamic API resolution, PPID spoofing, indirect syscalls. You pick your target process: svchost.exe. And Defender flags it within seconds. Not because your loader was bad, but because your target was predictable.

Every public C2 framework, every shellcode injection PoC on GitHub, every stager defaults to svchost. Defender's behavioural engine knows this. It isn't scanning your shellcode; it's watching which process does something it shouldn't.

What Defender Actually Watches

Modern endpoint detection doesn't just pattern-match bytes. It builds behavioural baselines per process. Every process has a "normal" profile: what it spawns, what it connects to, what handles it opens. Deviate from that profile and you get flagged.

defender-baseline.yml
# svchost.exe [HEAVILY MONITORED]
expected_parent: services.exe
expected_args: -k netsvcs, -k LocalService, ...
network_baseline: DNS, DHCP, Windows Update
flags: INJECTION_TARGET, HIGH_SCRUTINY
# taskhostw.exe [LOW SCRUTINY]
expected_parent: svchost.exe, taskeng.exe
expected_args: (varies per task)
network_baseline: BROAD (depends on scheduled task)
flags: NORMAL_VARIANCE, LOW_SCRUTINY

svchost has the tightest behavioural baseline of any Windows process. Defender knows exactly what a legitimate svchost instance should look like. Your injected svchost, spawned with no -k arguments and making HTTPS callbacks to a C2 server, is about as subtle as a fire alarm.

The Process Tree Problem

Even with PPID spoofing, Defender and EDR products are getting smarter. They don't just check the parent PID. They validate the entire creation chain. Here's what a normal svchost tree looks like vs what your injected one produces:

LEGITIMATE
wininit.exe
  services.exe
    svchost.exe -k netsvcs
    svchost.exe -k LocalService
    svchost.exe -k NetworkService

PROBABLY YOUR LOADER
loader.exe
  svchost.exe (no args)
    ^ PPID spoofed to services.exe
    ^ No -k flag
    ^ Outbound HTTPS to unknown IP

Better Targets

The ideal sacrifice process has three properties: multiple instances are normal, its behavioural baseline is broad, and it isn't on every red team blog as an injection target.

Process            Multi-Instance   Baseline Width   EDR Scrutiny
svchost.exe        Yes              Narrow           CRITICAL
RuntimeBroker.exe  Yes              Medium           MODERATE
taskhostw.exe      Yes              Wide             LOW
sihost.exe         Sometimes        Wide             LOW

The Case for taskhostw.exe

taskhostw.exe is the Windows Task Host Worker. Its entire purpose is to run arbitrary code on behalf of scheduled tasks. Different tasks make network connections, read files, write to the registry, spawn child processes. Its behavioural baseline is inherently noisy.

When your shellcode makes an HTTPS callback from inside taskhostw, it blends into a behavioural profile that already includes varied network activity. When it touches LSASS for credential access, Defender for Identity is less likely to flag it because taskhostw interacts with various subsystems as part of normal scheduled task execution.

detection-logic.pseudo
// Defender behavioural rule for svchost
if process == "svchost.exe" :
    if parent != "services.exe" : ALERT
    if args !~ "-k *" : ALERT
    if outbound_https to unknown : ALERT

// Defender behavioural rule for taskhostw
if process == "taskhostw.exe" :
    if outbound_https : NORMAL   // tasks do this
    if file_write : NORMAL       // tasks do this
    if registry_modify : NORMAL  // tasks do this
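The pseudo-rules above, written out as a small detector run over constructed process-creation events. This is an added example, not code from the original post or from Defender; the event fields, the destination allowlist and the sample events are assumptions. It also applies the taskhostw expected-parent entry from the baseline block earlier on the page, since a broad baseline still has a creation chain.

```python
# Added example: the behavioural rules from the post as a detector over
# constructed process-creation events. Field names, the destination allowlist
# and the sample events are assumptions, not Defender's real schema.
import fnmatch
from dataclasses import dataclass, field
from typing import List

KNOWN_DESTINATIONS = {"*.windowsupdate.com", "*.microsoft.com"}  # assumed allowlist


@dataclass
class ProcEvent:
    image: str                 # executable name, lower case
    parent: str                # parent image name as recorded in the creation chain
    args: str                  # command line after the image
    outbound: List[str] = field(default_factory=list)  # HTTPS destinations contacted


def is_known(dest: str) -> bool:
    return any(fnmatch.fnmatch(dest, pat) for pat in KNOWN_DESTINATIONS)


def evaluate(ev: ProcEvent) -> List[str]:
    """Return the alert reasons for one event; an empty list means NORMAL."""
    alerts: List[str] = []
    if ev.image == "svchost.exe":
        # Tight baseline: fixed parent, always a -k service group, known destinations only
        if ev.parent != "services.exe":
            alerts.append("svchost parent is not services.exe")
        if not fnmatch.fnmatch(ev.args, "-k *"):
            alerts.append("svchost started without a -k service group")
        for dest in ev.outbound:
            if not is_known(dest):
                alerts.append(f"svchost outbound HTTPS to unknown destination {dest}")
    elif ev.image == "taskhostw.exe":
        # Broad baseline: network, file and registry activity are normal for tasks,
        # but the creation chain still has to match the baseline's expected parents
        if ev.parent not in {"svchost.exe", "taskeng.exe"}:
            alerts.append(f"taskhostw spawned by unexpected parent {ev.parent}")
    return alerts


# Constructed sample events (documentation-range IPs, no real hosts)
SAMPLE_EVENTS = [
    ProcEvent("svchost.exe", "services.exe", "-k netsvcs", ["wu.windowsupdate.com"]),
    ProcEvent("svchost.exe", "services.exe", "", ["203.0.113.10"]),       # spoofed parent, no -k
    ProcEvent("taskhostw.exe", "svchost.exe", "{task-id}", ["198.51.100.7"]),  # tasks do this
    ProcEvent("taskhostw.exe", "loader.exe", "", ["198.51.100.7"]),
]


def run(events=SAMPLE_EVENTS) -> List[List[str]]:
    return [evaluate(ev) for ev in events]


if __name__ == "__main__":
    for i, reasons in enumerate(run()):
        print(i, "ALERT" if reasons else "NORMAL", reasons)
```

The second event is the loader tree from the post: the spoofed parent passes, but the missing -k group and the unknown destination still fire.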

Swapping Your Target

If you're using Early Bird APC injection, the change is one line. Instead of spawning svchost in a suspended state, spawn taskhostw:

stager.c
CreateProcessW(L"C:\\Windows\\System32\\svchost.exe", ...)
CreateProcessW(L"C:\\Windows\\System32\\taskhostw.exe", ...)

That's it. Same injection technique, same shellcode, same encryption. Different detection outcome. The art isn't in the loader, it's in understanding what the defender is looking at.

The Takeaway

Stop defaulting to svchost. Stop copying injection targets from GitHub repos written in 2019. Think about what process you're hiding inside and whether its normal behaviour profile covers what your implant needs to do.

The best loader in the world gets burned if it's running inside a process that Defender has been trained to watch since Windows 10 shipped. Pick boring processes with broad baselines. Be forgettable.

Tags: Evasion, Process Injection, Malware Dev

This post reflects research and testing against Windows Defender as of early 2026. Detection logic evolves. Test your tooling regularly.