Conhost Spawned By Suspicious Parent Process
Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be indicative of code injection.
Elastic rule
[metadata]
creation_date = "2020/08/17"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/05/03"

[rule]
author = ["Elastic"]
description = """
Detects when the Console Window Host (conhost.exe) process is spawned by a suspicious parent process, which could be
indicative of code injection.
"""
from = "now-9m"
index = [
  "winlogbeat-*",
  "logs-endpoint.events.process-*",
  "logs-windows.sysmon_operational-*",
  "endgame-*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Conhost Spawned By Suspicious Parent Process"
references = [
  "https://cloud.google.com/blog/topics/threat-intelligence/monitoring-windows-console-activity-part-one",
]
risk_score = 73
rule_id = "05b358de-aa6d-4f6c-89e6-78f74018b43b"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Execution",
  "Resources: Investigation Guide",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: Microsoft Defender XDR",
  "Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : "conhost.exe" and
  process.parent.name : ("lsass.exe", "services.exe", "smss.exe", "winlogon.exe", "explorer.exe", "dllhost.exe", "rundll32.exe",
                         "regsvr32.exe", "userinit.exe", "wininit.exe", "spoolsv.exe", "ctfmon.exe") and
  not (process.parent.name : "rundll32.exe" and
       process.parent.args : ("?:\\Windows\\Installer\\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc",
                              "?:\\WINDOWS\\system32\\PcaSvc.dll,PcaPatchSdbTask",
                              "?:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie"))
'''

note = """## Triage and analysis

### Investigating Conhost Spawned By Suspicious Parent Process

#### Possible investigation steps

- Is the alerting "conhost.exe" the native console host, and which parent requested the console?
  - Why: Windows creates "conhost.exe" for console clients; service, COM, logon, or shell parents rarely need direct console allocation.
  - Focus: `process.executable`, `process.pe.original_file_name`, `process.code_signature.subject_name`, `process.parent.executable`, and `process.parent.command_line`.
  - Implication: escalate if "conhost.exe" is renamed, outside the Windows directory, mismatched to its PE name, not Microsoft-signed, or if parent path and command line contradict its name; lower only when native child and parent identity fit one exact MSI, compatibility, or WebDAV helper action explaining direct parentage.

- Does the parent identity, lineage, and session fit a legitimate console allocation path?
  - Focus: `process.parent.executable`, `process.parent.command_line`, `process.parent.code_signature.subject_name`, `process.Ext.ancestry`, and `process.Ext.session_info.logon_type`.
  - Implication: escalate when system/logon, COM/LOLBin, or shell/input parents run from unexpected paths, have unfamiliar signers, appear in unexpected ancestry, or allocate a console in a mismatched session; lower when signed parent command line and session fit one bounded MSI custom action, Program Compatibility Assistant, or WebDAV workflow.

- Did the same parent launch a shell, script host, LOLBin, or payload around the alert?
  - Focus: same-host child process events by `process.parent.entity_id`; if absent, use `host.id`, `process.parent.pid`, and a tight alert-time window, then read child `process.executable`, `process.command_line`, and signer. $investigate_2
  - Hint: if clean but parent identity remains suspicious, check for pre-existing console or shell processes in the same `host.id` and session before closure.
  - Implication: escalate when the parent starts shells, script hosts, downloaders, task/service tools, or unsigned payloads; lower only when "conhost.exe" is the lone unusual child and earlier evidence proves an exact bounded parent workflow, but do not close on this alone because attackers can reuse an existing console or shell.

- If file or registry telemetry is available, did the same parent stage artifacts or change configuration?
  - Focus: match parent `process.parent.entity_id` to actor `process.entity_id` on `host.id`; if absent, match parent/actor PID in a tight alert window, then read `file.path`. $investigate_3
  - Hint: use the same joins for `registry.path`. $investigate_4 Missing file or registry telemetry is unresolved, not benign.
  - Implication: escalate when the parent writes executables or scripts, stages console clients, or changes persistence or security configuration; absent optional artifacts lower corroboration only and do not close.

- If DNS or network telemetry is available, did the same parent contact staging, remote-control, or lateral destinations?
  - Focus: match parent `process.parent.entity_id` to actor `process.entity_id` on `host.id`; if absent, match parent/actor PID in a tight alert window, then read DNS "lookup_result" events (`dns.question.name`, `dns.resolved_ip`) separately from connections (`destination.ip`). $investigate_5
  - Hint: missing DNS or network telemetry is unresolved, not benign; correlate `dns.resolved_ip` to `destination.ip` before treating a domain as contacted.
  - Implication: escalate when the parent reaches public or internal destinations unrelated to the workflow, WebDAV/SMB destinations, or unexpected internal systems; lower only when destinations fit the same MSI, Program Compatibility Assistant, or WebDAV workflow proven by process evidence.

- If the parent path, child execution, artifacts, or destinations remain suspicious or unexplained, do related alerts change scope or urgency?
  - Focus: recent `host.id` alerts, especially process injection, indirect execution, suspicious shell, credential, or C2 activity. $investigate_0
  - Hint: review the same `user.id` only when the local evidence suggests the operator or session may have moved to other systems. $investigate_1
  - Implication: broaden scope when the same host or user has related injection, shell, credential, or C2 alerts; keep the case local when isolated and earlier process evidence fits one exact recognized workflow.

- Escalate for masqueraded parent, unexpected ancestry, unexplained console allocation, suspicious follow-on execution, staging, or remote-control corroboration; close only when native "conhost.exe" identity, parent identity/lineage, session, child processes, optional artifact or destination evidence, and related alerts align with one recognized installer, compatibility, or WebDAV workflow with no contradictions; if mixed or incomplete, preserve evidence and escalate.

### False positive analysis

- Installer repair, MSI custom actions, Program Compatibility Assistant activity, and WebDAV helpers can allocate "conhost.exe" from signed parents. Confirm parent path/command/signer, `process.executable`, `user.id`, and `host.id` describe one exact workflow, same-parent children show no shells, script hosts, LOLBins, or payloads, and optional file, registry, DNS, or network telemetry does not contradict it. Use change records, inventories, or owner confirmation only after telemetry fits.
- Without organizational context, telemetry-only confirmation must prove the current event fits that workflow. Historical alerts corroborate only when the same parent path, signer, command line, child, user/host, and bounded child pattern recur without contradictions; do not close on recurrence while parentage or follow-on execution remains unexplained.
- Before an exception, validate the minimum stable pattern: parent executable, command line, signer, child executable, `user.id`, and `host.id`. Avoid exceptions on "conhost.exe", parent name, or broad signers alone.

### Response and remediation

- If confirmed benign, reverse temporary containment, document native child identity, parent path/signer/command, session, `user.id`, `host.id`, and corroboration, and create exceptions only for the recurring minimum pattern above.
- If suspicious but unconfirmed, preserve the alert export, parent/child timeline, entity IDs, command lines, artifact/destination indicators, and owner/change evidence before containment. Apply reversible controls first: temporary destination blocking or heightened `host.id` / `user.id` monitoring; disable a task, service, or startup item only after identifying it as malicious. Escalate to isolation or account action only when follow-on execution, persistence, remote control, or credential abuse is confirmed and the asset can tolerate interruption.
- If confirmed malicious, isolate the host when unauthorized parent execution, payload launch, persistence, or remote control is confirmed, after weighing host role. Record parent/payload process IDs and command lines before suspending or terminating processes, then block confirmed malicious destinations, hashes, or domains.
- Eradicate only malicious parent/payload artifacts and configuration changes. Review other hosts/users for the same parent path, command line, child executable, artifact, or destination before deleting payloads, removing persistence, restoring settings, or closing the execution vector.
- Post-incident hardening: tighten the exposed MSI, Program Compatibility Assistant, or WebDAV workflow, and record variants such as existing-console reuse, injected "explorer.exe", or service-host console abuse.
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
"""

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "host.id",
  "user.id",
  "process.entity_id",
  "process.pid",
  "process.executable",
  "process.pe.original_file_name",
  "process.code_signature.subject_name",
  "process.code_signature.trusted",
  "process.parent.entity_id",
  "process.parent.pid",
  "process.parent.executable",
  "process.parent.command_line",
  "process.parent.code_signature.subject_name",
  "process.parent.code_signature.trusted",
]

[transform]

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Process starts from the same suspicious parent"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.parent.pid", queryType = "phrase", value = "{{process.parent.pid}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
    { excluded = false, field = "event.type", queryType = "phrase", value = "start", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File events from the same suspicious parent"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.parent.pid}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Registry events from the same suspicious parent"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "registry", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.parent.pid}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "registry", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Network events from the same suspicious parent"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.parent.pid}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1055"
name = "Process Injection"
reference = "https://attack.mitre.org/techniques/T1055/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
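The rule's EQL query and the same-parent pivot from its investigation guide ($investigate_2), restated in Python as an added example that is not Elastic's engine or the rule's own code. It assumes `eql_like` is an adequate approximation of EQL's case-insensitive wildcard `:` operator, and the events it evaluates are constructed, flat dicts keyed by ECS field name.

```python
"""Python restatement of the rule's EQL query and of its $investigate_2 same-parent pivot.
Added example, not Elastic's engine; events are constructed flat dicts keyed by ECS field name."""
import re

# Parent names the query lists; EQL ':' compares case-insensitively and honours wildcards.
SUSPICIOUS_PARENTS = (
    "lsass.exe", "services.exe", "smss.exe", "winlogon.exe", "explorer.exe", "dllhost.exe",
    "rundll32.exe", "regsvr32.exe", "userinit.exe", "wininit.exe", "spoolsv.exe", "ctfmon.exe",
)
# The rundll32.exe argument patterns the query excludes (an EQL "\\" is one literal backslash).
RUNDLL32_BENIGN_ARGS = (
    r"?:\Windows\Installer\MSI*.tmp,zzzzInvokeManagedCustomActionOutOfProc",
    r"?:\WINDOWS\system32\PcaSvc.dll,PcaPatchSdbTask",
    r"?:\WINDOWS\system32\davclnt.dll,DavSetCookie",
)


def eql_like(value, pattern):
    """Approximation of the EQL ':' operator: case-insensitive, '*' any run, '?' one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value or "", re.IGNORECASE) is not None


def matches_rule(ev):
    """True when a process event satisfies the query, including its rundll32.exe exclusion."""
    if ev.get("host.os.type") != "windows" or ev.get("event.type") != "start":
        return False
    if not eql_like(ev.get("process.name"), "conhost.exe"):
        return False
    parent = ev.get("process.parent.name")
    if not any(eql_like(parent, p) for p in SUSPICIOUS_PARENTS):
        return False
    # ':' on an array field (process.parent.args) matches if any element matches any pattern.
    if eql_like(parent, "rundll32.exe"):
        args = ev.get("process.parent.args") or []
        if any(eql_like(a, pat) for a in args for pat in RUNDLL32_BENIGN_ARGS):
            return False
    return True


def same_parent_children(alert, events):
    """Names of same-host process starts sharing the alert's parent, keyed on
    process.parent.entity_id and falling back to process.parent.pid when it is absent."""
    key = "process.parent.entity_id" if alert.get("process.parent.entity_id") else "process.parent.pid"
    return [e["process.name"] for e in events
            if e.get("event.type") == "start" and e.get("host.id") == alert.get("host.id")
            and e.get(key) == alert.get(key)]


def _ev(name, parent, host="h1", pent="p-1", ppid=100, args=None):
    """One constructed process-start event; every value here is invented."""
    return {"host.os.type": "windows", "host.id": host, "event.type": "start",
            "process.name": name, "process.parent.name": parent,
            "process.parent.entity_id": pent, "process.parent.pid": ppid,
            "process.parent.args": args}


SAMPLE_EVENTS = [
    _ev("conhost.exe", "lsass.exe"),                                      # 0: alerts
    _ev("cmd.exe", "lsass.exe"),                                          # 1: sibling of 0
    _ev("conhost.exe", "cmd.exe", pent="p-2", ppid=200),                  # 2: ordinary console client
    _ev("conhost.exe", "RUNDLL32.EXE", host="h2", pent="p-3", ppid=300,   # 3: excluded MSI custom action
        args=["rundll32.exe", r"C:\Windows\Installer\MSI1A2B.tmp,zzzzInvokeManagedCustomActionOutOfProc"]),
    _ev("conhost.exe", "rundll32.exe", host="h2", pent=None, ppid=400,    # 4: alerts; no entity id
        args=["rundll32.exe", r"C:\Users\Public\unknown.dll,Start"]),
    _ev("powershell.exe", "rundll32.exe", host="h2", pent=None, ppid=400),  # 5: found via pid fallback
]


def evaluate(events=SAMPLE_EVENTS):
    """Indices of events that alert, and the same-parent children found for each alert."""
    hits = [i for i, e in enumerate(events) if matches_rule(e)]
    return hits, [same_parent_children(events[i], events) for i in hits]
```

Event 3 shows why the exclusion is scoped to exact helper arguments rather than to the parent name: the same `rundll32.exe` parent with any other argument (event 4) still alerts, and the pid fallback in `same_parent_children` is what the guide relies on when `process.parent.entity_id` is missing from the data source.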
Related rules
- Suspicious Cmd Execution via WMI
- Suspicious Execution from a WebDav Share
- Suspicious JavaScript Execution via Deno
- Clearing Windows Console History
- Command Execution via SolarWinds Process