Suspicious High IntegrityLevel Conhost Legacy Option
ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
Sigma rule (View on GitHub)
1title: Suspicious High IntegrityLevel Conhost Legacy Option
2id: 3037d961-21e9-4732-b27a-637bcc7bf539
3status: test
4description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
5references:
6 - https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29
7 - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
8 - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
9author: frack113
10date: 2022-12-09
11modified: 2024-12-01
12tags:
13 - attack.stealth
14 - attack.t1202
15logsource:
16 product: windows
17 category: process_creation
18detection:
19 selection:
20 IntegrityLevel:
21 - 'High'
22 - 'S-1-16-12288'
23 CommandLine|contains|all:
24 - 'conhost.exe'
25 - '0xffffffff'
26 - '-ForceV1'
27 condition: selection
28falsepositives:
29 - Very Likely, including launching cmd.exe via Run As Administrator
30level: informational
References
Related rules
- Custom File Open Handler Executes PowerShell
- Diagnostic Library Sdiageng.DLL Loaded By Msdt.EXE
- Findstr Launching .lnk File
- Indirect Command Execution From Script File Via Bash.EXE
- Indirect Command Execution via SFTP ProxyCommand