
[BUG] Detection Overlap Between “Windows Scheduled Task Service Spawned Shell” and “Possible Lateral Movement Powershell Spawn” #3909

@thegreatmhn

Description


While testing detection content in Enterprise Security Content Update (ESCU) from Splunk, I observed significant overlap between the following two analytics:

ESCU – Windows Scheduled Task Service Spawned Shell

ESCU – Possible Lateral Movement Powershell Spawn

Both detections trigger when powershell.exe (or another shell) is spawned by svchost.exe.

Because the Windows Task Scheduler service runs under svchost.exe, legitimate scheduled task executions frequently satisfy the parent-process condition in both rules. This results in duplicate alerts for the same event.

Problem

svchost.exe is a generic Windows service host process that runs numerous services, including:

Task Scheduler (Schedule)

WinRM

RPC

Various system services

Using svchost.exe as a broad parent-process indicator in the Possible Lateral Movement Powershell Spawn analytic reduces precision and causes:

Duplicate detections

Analyst fatigue

Reduced clarity between persistence vs lateral movement scenarios

Increased false positive volume in environments with legitimate scheduled tasks

The current logic makes it difficult to clearly separate:

Scheduled task–based execution

Service-based execution

Actual remote/lateral PowerShell activity

Recommended Action

I recommend one of the following:

Option 1 – Deprecate the “Windows Scheduled Task Service Spawned Shell” analytic

If the lateral movement analytic is intended to cover this behavior more generically, the scheduled task–specific rule may be redundant and could be deprecated.

Option 2 – Remove svchost.exe from the parent condition in “Possible Lateral Movement Powershell Spawn”

This would:

Eliminate the overlap

Preserve analytic separation of concerns

Improve detection fidelity

Reduce duplicate alerts

If retaining svchost.exe is necessary, additional context (service group filtering, remote execution indicators, or network telemetry correlation) should be required instead of using it as a standalone suspicious parent.
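The overlap and the "service group filtering" alternative from this issue, modelled as an added example that is not ESCU's SPL and not the issue author's code. The two rule functions are simplified stand-ins built only from the behaviour described above (any svchost.exe parent of powershell.exe versus a Task Scheduler host spawning a shell); the revised rule assumes the telemetry records the parent command line and that svchost.exe instances are launched with `-s <ServiceName>` as on current Windows builds. All sample events are constructed.

```python
# Added example: shows the duplicate-alert overlap described in the issue and
# how service-group filtering on the svchost.exe parent removes it.
# The rules here are simplified stand-ins, not ESCU's actual detection logic.
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon EID 1 / EDR style)."""
    event_id: int
    process_name: str
    parent_process_name: str
    parent_command_line: str


def parent_service(ev: ProcessEvent) -> Optional[str]:
    """Service name hosted by an svchost.exe parent, or None.

    Assumption: each svchost.exe instance is started with "-s <ServiceName>",
    which is what lets a rule tell the Task Scheduler host apart from the
    WinRM host instead of treating every svchost.exe parent the same way.
    """
    if ev.parent_process_name.lower() != "svchost.exe":
        return None
    m = re.search(r"(?i)(?:^|\s)-s\s+(\S+)", ev.parent_command_line)
    return m.group(1).lower() if m else None


def scheduled_task_service_spawned_shell(ev: ProcessEvent) -> bool:
    """Stand-in for the scheduled-task rule: the Schedule service host spawns a shell."""
    return parent_service(ev) == "schedule" and ev.process_name.lower() in SHELLS


def lateral_movement_ps_spawn_current(ev: ProcessEvent) -> bool:
    """Stand-in for the lateral-movement rule as the issue describes it:
    any svchost.exe parent of powershell.exe, with no service context."""
    return (ev.parent_process_name.lower() == "svchost.exe"
            and ev.process_name.lower() == "powershell.exe")


def lateral_movement_ps_spawn_revised(ev: ProcessEvent) -> bool:
    """Option 2 variant with service-group filtering (assumed, not ESCU logic):
    svchost.exe counts as a suspicious parent only when it hosts WinRM."""
    return parent_service(ev) == "winrm" and ev.process_name.lower() == "powershell.exe"


Ruleset = Dict[str, Callable[[ProcessEvent], bool]]

CURRENT_RULESET: Ruleset = {
    "Windows Scheduled Task Service Spawned Shell": scheduled_task_service_spawned_shell,
    "Possible Lateral Movement Powershell Spawn": lateral_movement_ps_spawn_current,
}
REVISED_RULESET: Ruleset = {
    "Windows Scheduled Task Service Spawned Shell": scheduled_task_service_spawned_shell,
    "Possible Lateral Movement Powershell Spawn": lateral_movement_ps_spawn_revised,
}


def evaluate(events: List[ProcessEvent], ruleset: Ruleset) -> Dict[int, List[str]]:
    """Map each event id to the names of the rules that fired on it."""
    return {ev.event_id: [name for name, rule in ruleset.items() if rule(ev)]
            for ev in events}


def overlapping_events(events: List[ProcessEvent], ruleset: Ruleset) -> Set[int]:
    """Event ids on which more than one rule fired, i.e. duplicate alerts."""
    return {eid for eid, hits in evaluate(events, ruleset).items() if len(hits) > 1}


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent(1, "powershell.exe", "svchost.exe",
                 r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"),
    ProcessEvent(2, "powershell.exe", "svchost.exe",
                 r"C:\Windows\system32\svchost.exe -k NetworkService -p -s WinRM"),
    ProcessEvent(3, "cmd.exe", "svchost.exe",
                 r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"),
    ProcessEvent(4, "powershell.exe", "explorer.exe", r"C:\Windows\Explorer.EXE"),
]

if __name__ == "__main__":
    for label, ruleset in (("current", CURRENT_RULESET), ("revised", REVISED_RULESET)):
        print(label, evaluate(SAMPLE_EVENTS, ruleset),
              "duplicates:", sorted(overlapping_events(SAMPLE_EVENTS, ruleset)))
```

Event 1 (a scheduled task launching PowerShell) fires both rules under the current ruleset and only the scheduled-task rule under the revised one; event 2 (the WinRM host launching PowerShell) still fires the lateral-movement rule in both, so the revised rule keeps the remote-execution case the issue says it should cover. Keying the filter on the `-s` service name rather than the `-k` group is the narrower choice, since a group such as netsvcs hosts many services besides Schedule.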

Metadata

Labels: bug (Something isn't working)

Assignees: none

Projects: No projects

Milestone: No milestone

Relationships: None yet

Development: No branches or pull requests