Powershell Executed From Headless ConHost Process
Detects the use of powershell commands from headless ConHost window. The "--headless" flag hides the windows from the user upon execution.
Sigma rule (View on GitHub)
1title: Powershell Executed From Headless ConHost Process
2id: 056c7317-9a09-4bd4-9067-d051312752ea
3related:
4 - id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
5 type: derived
6status: test
7description: |
8 Detects the use of powershell commands from headless ConHost window.
9 The "--headless" flag hides the windows from the user upon execution.
10references:
11 - https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
12author: Matt Anderson (Huntress)
13date: 2024-07-23
14tags:
15 - attack.defense-evasion
16 - attack.execution
17 - attack.t1059.001
18 - attack.t1059.003
19logsource:
20 category: process_creation
21 product: windows
22detection:
23 selection_img:
24 - Image|endswith: '\conhost.exe'
25 - OriginalFileName: 'CONHOST.EXE'
26 selection_cli:
27 CommandLine|contains|all:
28 - '--headless'
29 - 'powershell'
30 condition: all of selection_*
31falsepositives:
32 - Unknown
33level: medium
References
-
Huntress has observed new behaviors in conjunction with the malware SocGholish. Read on to understand the implications of this threat and how you can better protect yourself.
Read More
Related rules
- HTML Help HH.EXE Suspicious Child Process
- Potential Baby Shark Malware Activity
- Rorschach Ransomware Execution Activity
- Suspicious HH.EXE Execution
- Potential APT FIN7 Exploitation Activity