Conhost.exe CommandLine Path Traversal
detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
Sigma rule (View on GitHub)
1title: Conhost.exe CommandLine Path Traversal
2id: ee5e119b-1f75-4b34-add8-3be976961e39
3status: test
4description: detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
5references:
6 - https://pentestlab.blog/2020/07/06/indirect-command-execution/
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022/06/14
9tags:
10 - attack.execution
11 - attack.t1059.003
12logsource:
13 category: process_creation
14 product: windows
15detection:
16 selection:
17 ParentCommandLine|contains: 'conhost'
18 CommandLine|contains: '/../../'
19 condition: selection
20falsepositives:
21 - Unlikely
22level: high
References
-
The windows ecosystem provides multiple binaries that could be used by adversaries to execute arbitrary commands that will evade detection especially in environments that are monitoring binaries su…
Read More
Related rules
- AWS EC2 Startup Shell Script Change
- Remote Access Tool - ScreenConnect Command Execution
- Remote Access Tool - ScreenConnect File Transfer
- HackTool - CrackMapExec Execution
- Elise Backdoor Activity