Powershell Executed From Headless ConHost Process
Detects the use of powershell commands from headless ConHost window. The "--headless" flag hides the windows from the user upon execution.
Sigma rule (View on GitHub)
1title: Powershell Executed From Headless ConHost Process
2id: 056c7317-9a09-4bd4-9067-d051312752ea
3related:
4 - id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
5 type: derived
6status: test
7description: |
8 Detects the use of powershell commands from headless ConHost window.
9 The "--headless" flag hides the windows from the user upon execution.
10references:
11 - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
12author: Matt Anderson (Huntress)
13date: 2024-07-23
14tags:
15 - attack.defense-evasion
16 - attack.execution
17 - attack.t1059.001
18 - attack.t1059.003
19 - attack.t1564.003
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection_img:
25 - Image|endswith: '\conhost.exe'
26 - OriginalFileName: 'CONHOST.EXE'
27 selection_cli:
28 CommandLine|contains|all:
29 - '--headless'
30 - 'powershell'
31 condition: all of selection_*
32falsepositives:
33 - Unknown
34level: medium
References
Related rules
- HTML Help HH.EXE Suspicious Child Process
- HackTool - Covenant PowerShell Launcher
- PUA - AdvancedRun Execution
- Potential Baby Shark Malware Activity
- Rorschach Ransomware Execution Activity