Suspicious High IntegrityLevel Conhost Legacy Option
ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
Sigma rule (View on GitHub)
1title: Suspicious High IntegrityLevel Conhost Legacy Option
2id: 3037d961-21e9-4732-b27a-637bcc7bf539
3status: test
4description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
5references:
6 - https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29
7 - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
8 - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
9author: frack113
10date: 2022-12-09
11modified: 2024-12-01
12tags:
13 - attack.defense-evasion
14 - attack.t1202
15logsource:
16 product: windows
17 category: process_creation
18detection:
19 selection:
20 IntegrityLevel:
21 - 'High'
22 - 'S-1-16-12288'
23 CommandLine|contains|all:
24 - 'conhost.exe'
25 - '0xffffffff'
26 - '-ForceV1'
27 condition: selection
28falsepositives:
29 - Very Likely, including launching cmd.exe via Run As Administrator
30level: informational
References
-
In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered via malspam ca…
Read More -
Related rules
- Renamed PingCastle Binary Execution
- Renamed PAExec Execution
- Uncommon Child Process Of Conhost.EXE
- Potentially Suspicious Child Process Of VsCode
- Potentially Suspicious Office Document Executed From Trusted Location