Powershell Executed From Headless ConHost Process
Detects the use of powershell commands from headless ConHost window. The "--headless" flag hides the windows from the user upon execution.
Sigma rule (View on GitHub)
1title: Powershell Executed From Headless ConHost Process
2id: 056c7317-9a09-4bd4-9067-d051312752ea
3related:
4 - id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
5 type: derived
6status: experimental
7description: |
8 Detects the use of powershell commands from headless ConHost window.
9 The "--headless" flag hides the windows from the user upon execution.
10references:
11 - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
12author: Matt Anderson (Huntress)
13date: 2024-07-23
14tags:
15 - attack.defense-evasion
16 - attack.t1059.001
17 - attack.t1059.003
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - Image|endswith: '\conhost.exe'
24 - OriginalFileName: 'CONHOST.EXE'
25 selection_cli:
26 CommandLine|contains|all:
27 - '--headless'
28 - 'powershell'
29 condition: all of selection_*
30falsepositives:
31 - Unknown
32level: medium
References
-
Huntress has observed new behaviors in conjunction with the malware SocGholish. Read on to understand the implications of this threat and how you can better protect yourself.
Read More
Related rules
- HTML Help HH.EXE Suspicious Child Process
- Potential Baby Shark Malware Activity
- Rorschach Ransomware Execution Activity
- Suspicious HH.EXE Execution
- AWS EC2 Startup Shell Script Change