Proxy Execution via Console Window Host

Identifies abuse of the Console Window Host (conhost.exe) to execute commands via proxy. This behavior is used as a defense evasion technique to blend in malicious activity with legitimate Windows software.

Elastic rule (rule source as published):

    [metadata]
    creation_date = "2025/08/21"
    integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
    maturity = "production"
    updated_date = "2026/04/29"

    [rule]
    author = ["Elastic"]
    description = """
    Identifies abuse of the Console Window Host (conhost.exe) to execute commands via proxy. This behavior is used as a defense
    evasion technique to blend-in malicious activity with legitimate Windows software.
    """
    from = "now-9m"
    index = [
        "endgame-*",
        "logs-crowdstrike.fdr*",
        "logs-endpoint.events.process-*",
        "logs-m365_defender.event-*",
        "logs-sentinel_one_cloud_funnel.*",
        "logs-system.security*",
        "logs-windows.forwarded*",
        "logs-windows.sysmon_operational-*",
        "winlogbeat-*",
    ]
    language = "eql"
    license = "Elastic License v2"
    name = "Proxy Execution via Console Window Host"
    references = ["https://lolbas-project.github.io/lolbas/Binaries/Conhost/"]
    risk_score = 73
    rule_id = "fcd16fe8-eb29-42b3-8aee-6c9ad777a2f6"
    severity = "high"
    tags = [
        "Domain: Endpoint",
        "OS: Windows",
        "Use Case: Threat Detection",
        "Tactic: Defense Evasion",
        "Data Source: Elastic Endgame",
        "Data Source: Elastic Defend",
        "Data Source: Windows Security Event Logs",
        "Data Source: Microsoft Defender XDR",
        "Data Source: Sysmon",
        "Data Source: SentinelOne",
        "Data Source: Crowdstrike",
        "Resources: Investigation Guide",
    ]
    timestamp_override = "event.ingested"
    type = "eql"

    query = '''
    process where host.os.type == "windows" and event.type == "start" and
     process.name : "conhost.exe" and process.args : "--headless" and
      process.command_line : (
        "*powershell*", "*cmd *", "*cmd.exe *", "*script*", "*mshta*", "*curl *", "*curl.exe *", "*^*^*^*",
        "*.bat*", "*.cmd*", "*schtasks*", "*@SSL*", "*http*", "* \\\\*", "*.vbs*", "*.js*", "*mhsta*"
      ) and
      not (
        /* Winget-AutoUpdate via ServiceUI */
        process.parent.executable : "?:\\Program Files\\winget-autoupdate*\\serviceui.exe" or
        /* Winget-AutoUpdate notification via Task Scheduler */
        (
          process.parent.executable : "?:\\Windows\\System32\\svchost.exe" and process.parent.args : "-s" and
          process.parent.args : "Schedule" and process.command_line : "*WAU-Notify.ps1*"
        ) or
        /* Windows OpenSSH console host — SSH-specific detection handled by 8cd49fbc-a35a-4418-8688-133cc3a1e548 */
        process.parent.executable : (
          "?:\\Windows\\System32\\OpenSSH\\sshd.exe",
          "?:\\Windows\\System32\\OpenSSH\\sshd-session.exe",
          "?:\\Program Files\\OpenSSH*\\sshd.exe",
          "?:\\Program Files\\OpenSSH*\\sshd-session.exe"
        )
      )
    '''

    note = """## Triage and analysis

    ### Investigating Proxy Execution via Console Window Host

    #### Possible investigation steps

    - What command did the headless conhost instance proxy?
      - Why: `--headless` can hide the child window behind conhost, so command intent and child-process evidence outweigh conhost identity alone.
      - Focus: `process.command_line` for `--headless` and the proxied family: shell, script host, retrieval, UNC, caret-escaped, batch, or scheduled-task action.
      - Implication: escalate when headless conhost proxies script execution, remote retrieval, scheduled-task changes, or lateral-path commands; lower suspicion only when command, launcher, user, and host match remote-admin console management, deployment automation, or installer/update helper use and later process evidence does not contradict it.
    - Is this the native conhost binary or a masqueraded copy?
      - Focus: `process.executable`, `process.pe.original_file_name`, `process.hash.sha256`, `process.code_signature.subject_name`, and `process.code_signature.trusted`; compare the path with `C:\\Windows\\System32\\conhost.exe`.
      - Implication: escalate when conhost is renamed, unsigned, user-writable, host-new by hash, or signed by an unexpected publisher; native signed identity lowers masquerade concern but not suspicious `--headless` proxy execution.
    - Which launcher produced headless conhost?
      - Focus: `process.parent.executable`, `process.parent.command_line`, and `process.parent.entity_id`.
      - Implication: escalate when the launcher is Office, a browser, a script host, a temp or user-writable binary, another LOLBin, or a remote-management tool outside its console-management pattern; lower suspicion when the same parent is a stable console, deployment, or update path for the same `user.id` and `host.id`.
    - Do the user and session context fit the same admin or deployment use?
      - Focus: `user.id`, `host.id`, `process.Ext.session_info.logon_type`, and `process.Ext.authentication_id`.
      - Implication: escalate when session type, account, or authentication ID is unusual for that `host.id` and user cohort or ties to unrelated suspicious processes; lower suspicion when user, host cohort, session type, command, and lineage match the same remote-admin, deployment, or update use.
    - Did headless conhost spawn the command family named in the alert?
      - Focus: child process starts on `host.id` where `process.parent.entity_id` matches alert `process.entity_id`; read `process.name`, `process.executable`, and `process.command_line`. $investigate_0
      - Hint: if `process.entity_id` is absent, query the same `host.id` with alert `process.pid` in a tight alert-time window; treat matches as weaker because PID reuse is possible.
      - Implication: escalate when conhost spawns shell, script-host, downloader, scheduled-task, or payload-like children; keep scope local only when no child execution appears and earlier evidence fits the same named admin, deployment, or update use.
    - If local evidence is suspicious or unresolved, is this isolated or broader proxy execution?
      - Focus: process-start history for the same `host.id` and, if needed, `user.id`; compare `process.command_line`, `process.parent.executable`, and child-process patterns.
        - $investigate_1
        - $investigate_2
      - Hint: review related alerts for the same `host.id` and `user.id`, especially script execution, downloader, scheduled-task, credential-tool, or other proxy-execution activity.
        - $investigate_3
        - $investigate_4
      - Implication: escalate scope when the same host or user shows repeated headless conhost proxy execution, suspicious launchers, or related script, downloader, scheduled-task, or credential-tool processes; lack of history does not clear suspicious command, lineage, session, or child-process evidence.

    - Escalate on unauthorized headless proxy execution plus suspicious identity, launcher, session, child-process, or repeat-alert corroboration; close only when command, identity, lineage, session, and child-process evidence bind to one named benign use case below; preserve evidence and escalate when evidence is mixed or incomplete.

    ### False positive analysis

    - Remote-administration, console-management, deployment automation, installer, or update agents can launch headless conhost when a named tool uses console helpers. Confirm that native `process.executable`, stable `process.parent.executable`, `process.parent.code_signature.subject_name`, `process.parent.code_signature.trusted`, parent and child `process.command_line`, `user.id`, `host.id`, `process.Ext.session_info.logon_type`, and child-process pattern all align with that tool or product path. Tool inventories, change records, or owner confirmation can corroborate telemetry-backed use, but should not replace missing or contradictory process evidence. If command, parent, session, or child evidence diverges, or the first cohort event includes retrieval, UNC, script-host, or scheduled-task behavior outside that path, treat it as unresolved or suspicious.
    - Before creating an exception, verify that native `process.executable`, parent identity, exact `process.command_line`, `user.id`, `host.id`, and session type recur across prior alerts from this rule. Build the exception from that confirmed workflow pattern; avoid exceptions on `process.name`, the conhost filename, or `--headless` alone.

    ### Response and remediation

    - If confirmed benign, reverse temporary containment and record the command intent, native conhost identity, parent lineage, `user.id`, `host.id`, session type, and child-process evidence that justified closure. Create an exception only when that same admin, deployment, or update pattern recurs consistently across prior alerts.
    - If suspicious but unconfirmed, preserve the alert, process tree export, command lines, hash and signer details, `process.entity_id`, `process.parent.entity_id`, `process.Ext.authentication_id`, child-process events, and any scripts or task definitions named in the command line before containment. Apply reversible containment first, such as heightened monitoring or temporary restrictions on the affected `user.id`, `host.id`, or parent tool, and avoid process termination until scope is clearer.
    - If confirmed malicious, contain the host or affected account when command intent, launcher lineage, session context, or child-process evidence establishes unauthorized proxy execution. Record the process identifiers, command lines, signer and hash evidence, user and host anchors, and child-process chain before terminating processes, deleting scripts, disabling scheduled tasks, or isolating accounts.
    - Eradicate only the scripts, task definitions, copied tools, or persistence mechanisms identified during the investigation, then remediate the launcher, automation path, or access path that allowed headless conhost to proxy the command.
    - Rotate credentials only when the user and session evidence or adjacent case evidence confirms account misuse, remote abuse, or privileged account compromise; otherwise keep identity action proportional to the confirmed process evidence.
    - After containment, scope other hosts and users for the same `process.command_line`, `process.parent.executable`, `process.hash.sha256`, parent signer, or child-process pattern. Retain the process telemetry and response notes needed to distinguish repeat benign console automation from repeat proxy execution.
    """

    setup = """## Setup

    This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

    Setup instructions: https://ela.st/install-elastic-defend

    ### Additional data sources

    This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

    - [CrowdStrike](https://ela.st/crowdstrike-integration)
    - [Microsoft Defender XDR](https://ela.st/m365-defender)
    - [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
    - [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
    - [Windows Process Creation Logs](https://ela.st/audit-process-creation)
    """

    [rule.investigation_fields]
    field_names = [
        "@timestamp",
        "host.name",
        "host.id",
        "user.name",
        "user.id",
        "process.entity_id",
        "process.pid",
        "process.executable",
        "process.pe.original_file_name",
        "process.command_line",
        "process.Ext.authentication_id",
        "process.Ext.session_info.logon_type",
        "process.parent.executable",
        "process.parent.command_line",
        "process.code_signature.trusted",
    ]

    [transform]

    [[transform.investigate]]
    label = "Child process starts from the same conhost instance"
    description = ""
    providers = [
      [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
        { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
      ]
    ]
    relativeFrom = "now-1h"
    relativeTo = "now"

    [[transform.investigate]]
    label = "Process history on the same host"
    description = ""
    providers = [
      [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
      ]
    ]
    relativeFrom = "now-48h/h"
    relativeTo = "now"

    [[transform.investigate]]
    label = "Process history for the same user"
    description = ""
    providers = [
      [
        { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
        { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
      ]
    ]
    relativeFrom = "now-48h/h"
    relativeTo = "now"

    [[transform.investigate]]
    label = "Alerts associated with the host"
    description = ""
    providers = [
      [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
      ]
    ]
    relativeFrom = "now-48h/h"
    relativeTo = "now"

    [[transform.investigate]]
    label = "Alerts associated with the user"
    description = ""
    providers = [
      [
        { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
        { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
      ]
    ]
    relativeFrom = "now-48h/h"
    relativeTo = "now"

    [[rule.threat]]
    framework = "MITRE ATT&CK"

    [[rule.threat.technique]]
    id = "T1202"
    name = "Indirect Command Execution"
    reference = "https://attack.mitre.org/techniques/T1202/"

    [rule.threat.tactic]
    id = "TA0005"
    name = "Defense Evasion"
    reference = "https://attack.mitre.org/tactics/TA0005/"

    [[rule.threat]]
    framework = "MITRE ATT&CK"

    [[rule.threat.technique]]
    id = "T1059"
    name = "Command and Scripting Interpreter"
    reference = "https://attack.mitre.org/techniques/T1059/"

    [[rule.threat.technique.subtechnique]]
    id = "T1059.001"
    name = "PowerShell"
    reference = "https://attack.mitre.org/techniques/T1059/001/"

    [[rule.threat.technique.subtechnique]]
    id = "T1059.003"
    name = "Windows Command Shell"
    reference = "https://attack.mitre.org/techniques/T1059/003/"

    [rule.threat.tactic]
    id = "TA0002"
    name = "Execution"
    reference = "https://attack.mitre.org/tactics/TA0002/"
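As an added example (not part of the rule or of the Elastic repository), the Python below re-implements the query's match logic, including its three exclusions, together with the child-process pivot the triage guide describes (entity_id first, PID-in-window as a weaker fallback), and runs both over constructed sample events. Field names are the ECS/Elastic Defend fields the rule uses; the host, PIDs, paths and command lines in the samples are made up.

```python
import fnmatch
from datetime import datetime, timedelta

# Wildcards copied from the rule's query; EQL's ":" is a case-insensitive wildcard
# match, so both sides are lower-cased before fnmatch.
PROXIED_PATTERNS = [
    "*powershell*", "*cmd *", "*cmd.exe *", "*script*", "*mshta*", "*curl *",
    "*curl.exe *", "*^*^*^*", "*.bat*", "*.cmd*", "*schtasks*", "*@SSL*",
    "*http*", "* \\\\*", "*.vbs*", "*.js*", "*mhsta*",
]
SSHD_PARENTS = [r"?:\Windows\System32\OpenSSH\sshd.exe", r"?:\Program Files\OpenSSH*\sshd.exe",
                r"?:\Windows\System32\OpenSSH\sshd-session.exe", r"?:\Program Files\OpenSSH*\sshd-session.exe"]

def _like(value, patterns):
    """EQL-style case-insensitive wildcard test of one string against any pattern."""
    return any(fnmatch.fnmatchcase((value or "").lower(), p.lower()) for p in patterns)

def _has_arg(args, wanted):
    return wanted.lower() in [a.lower() for a in (args or [])]

def is_excluded(ev):
    """The rule's `not (...)` block: WAU via ServiceUI, WAU via Task Scheduler, OpenSSH."""
    parent, pargs = ev.get("process.parent.executable"), ev.get("process.parent.args")
    if _like(parent, [r"?:\Program Files\winget-autoupdate*\serviceui.exe"]):
        return True
    if (_like(parent, [r"?:\Windows\System32\svchost.exe"]) and _has_arg(pargs, "-s")
            and _has_arg(pargs, "Schedule")
            and _like(ev.get("process.command_line"), ["*WAU-Notify.ps1*"])):
        return True
    return _like(parent, SSHD_PARENTS)

def matches_rule(ev):
    """True when a process-start event satisfies the rule's `process where ...` clause."""
    return (ev.get("host.os.type") == "windows" and ev.get("event.type") == "start"
            and _like(ev.get("process.name"), ["conhost.exe"])
            and _has_arg(ev.get("process.args"), "--headless")
            and _like(ev.get("process.command_line"), PROXIED_PATTERNS)
            and not is_excluded(ev))

def child_processes(alert, events, pid_window=timedelta(seconds=30)):
    """Triage-guide pivot to the conhost's children: process.entity_id when present,
    else host.id + parent PID in a tight window, rated weaker because PIDs are reused."""
    same_host = [e for e in events if e.get("host.id") == alert.get("host.id")]
    if alert.get("process.entity_id"):
        return [e for e in same_host
                if e.get("process.parent.entity_id") == alert["process.entity_id"]], "strong"
    t0 = alert["@timestamp"]
    return [e for e in same_host if e.get("process.parent.pid") == alert.get("process.pid")
            and t0 <= e["@timestamp"] <= t0 + pid_window], "weak"

T0 = datetime(2026, 1, 1, 12, 0, 0)
def _ev(secs, fields):  # constructed sample telemetry, not real data
    return {"@timestamp": T0 + timedelta(seconds=secs), "host.os.type": "windows",
            "event.type": "start", "host.id": "host-A", **fields}

SAMPLE_EVENTS = [
    _ev(0, {  # 0: Office launches headless conhost that proxies a PowerShell script
        "process.name": "conhost.exe", "process.pid": 4120, "process.entity_id": "conhost-1",
        "process.args": ["conhost.exe", "--headless", "powershell.exe", "-File", "u.ps1"],
        "process.command_line": "conhost.exe --headless powershell.exe -File C:\\Users\\Public\\u.ps1",
        "process.parent.executable": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}),
    _ev(1, {  # 1: child of event 0, linked both by entity_id and by parent PID
        "process.name": "powershell.exe", "process.pid": 4188, "process.parent.pid": 4120,
        "process.parent.entity_id": "conhost-1", "process.command_line": "powershell.exe -File u.ps1"}),
    _ev(5, {  # 2: Winget-AutoUpdate notification via Task Scheduler, excluded by the rule
        "process.name": "conhost.exe", "process.args": ["conhost.exe", "--headless", "powershell.exe"],
        "process.command_line": "conhost.exe --headless powershell.exe -File C:\\ProgramData\\WAU-Notify.ps1",
        "process.parent.executable": "C:\\Windows\\System32\\svchost.exe",
        "process.parent.args": ["svchost.exe", "-k", "netsvcs", "-p", "-s", "Schedule"]}),
]
```

Event 0 alerts and event 2 is excluded; pivoting from event 0 with the entity_id returns event 1 as a "strong" match, and removing the entity_id falls back to the PID/time-window path and returns the same child rated "weak".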
