Powershell Executed From Headless ConHost Process
Detects the use of powershell commands from headless ConHost window. The "--headless" flag hides the windows from the user upon execution.
Sigma rule (View on GitHub)
1title: Powershell Executed From Headless ConHost Process
2id: 056c7317-9a09-4bd4-9067-d051312752ea
3related:
4 - id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
5 type: derived
6status: test
7description: |
8 Detects the use of powershell commands from headless ConHost window.
9 The "--headless" flag hides the windows from the user upon execution.
10references:
11 - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
12author: Matt Anderson (Huntress)
13date: 2024-07-23
14tags:
15 - attack.defense-evasion
16 - attack.execution
17 - attack.t1059.001
18 - attack.t1059.003
19 - attack.t1564.003
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection_img:
25 - Image|endswith: '\conhost.exe'
26 - OriginalFileName: 'CONHOST.EXE'
27 selection_cli:
28 CommandLine|contains|all:
29 - '--headless'
30 - 'powershell'
31 condition: all of selection_*
32falsepositives:
33 - Unknown
34level: medium
References
-
Huntress has observed new behaviors in conjunction with the malware SocGholish. Read on to understand the implications of this threat and how you can better protect yourself.
Read More
Related rules
- HTML Help HH.EXE Suspicious Child Process
- HackTool - Covenant PowerShell Launcher
- PUA - AdvancedRun Execution
- Potential Baby Shark Malware Activity
- Rorschach Ransomware Execution Activity