It is normal to see many svchost processes running on a single machine. It usually has elevated privileges and a tremendous amount of trust from Windows and third-party applications, leading to its abuse during a variety of attacks. Automated, opportunistic malware as well as manual, targeted tools commonly abuse this process in a few ways:
Name masquerading - More common to commodity, non-targeted attacks, malware will disguise itself as an svchost process by changing one or more characters in the name (e.g. svch0st, svchosts, scvhost, suchost, svchost32, etc.). These tend to be simple to identify by a human, but they can be more complicated to detect by algorithms or automated detection solutions if they are more than one character off the true name “svchost.”
Path masquerading - Not uncommon to commodity malware but more common to targeted attack scenarios, malware or other tools used abused malicious purposes may disguise itself with an “svchost.exe” filename but located in a directory of the attacker’s choosing. It is not a legitimate svchost process. The legitimate svchost will always run from C:\Windows\System32 or C:\Windows\SysWOW64. If “svchost.exe” is running from any other directory, it is worth investigation. With endpoint process data, each running process’ path is simple to examine and, hence, simple to detect svchost path abuse.
Process migration - This type of abuse is more common to targeted or advanced attacks. Rather than running a malicious tool with the name “svchost.exe,” process migration allows an attacker to use a legitimate, currently running svchost process to effect their objectives. This typically occurs after privileged remote access is already gained to a system through a malicious remote administration tool (RAT). This sort of svchost abuse may be identifiable by uncommon behaviors of svchost, such as its launching of unusual executables, accessing unusual websites or IP addresses, performing host or network reconnaissance, or some combination thereof.