Powershell Executed From Headless ConHost Process

Detects the use of powershell commands from headless ConHost window. The "--headless" flag hides the windows from the user upon execution.

Sigma rule (View on GitHub)

 1title: Powershell Executed From Headless ConHost Process
 2id: 056c7317-9a09-4bd4-9067-d051312752ea
 3related:
 4    - id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
 5      type: derived
 6status: test
 7description: |
 8    Detects the use of powershell commands from headless ConHost window.
 9    The "--headless" flag hides the windows from the user upon execution.    
10references:
11    - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
12author: Matt Anderson (Huntress)
13date: 2024-07-23
14tags:
15    - attack.defense-evasion
16    - attack.execution
17    - attack.t1059.001
18    - attack.t1059.003
19    - attack.t1564.003
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_img:
25        - Image|endswith: '\conhost.exe'
26        - OriginalFileName: 'CONHOST.EXE'
27    selection_cli:
28        CommandLine|contains|all:
29            - '--headless'
30            - 'powershell'
31    condition: all of selection_*
32falsepositives:
33    - Unknown
34level: medium

References

Related rules

to-top