Uncommon Child Process Of Conhost.EXE

Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.

Sigma rule

```yaml
title: Uncommon Child Process Of Conhost.EXE
id: 7dc2dedd-7603-461a-bc13-15803d132355
related:
    - id: dfa03a09-8b92-4d83-8e74-f72839b1c407
      type: similar
status: test
description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
references:
    - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
author: omkar72
date: 2020-10-25
modified: 2023-12-11
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\conhost.exe'
    filter_main_conhost:
        Image|endswith: ':\Windows\System32\conhost.exe'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    filter_optional_provider:
        Provider_Name: 'SystemTraceProvider-Process'  # Race condition with SystemTrace doesn't provide all fields.
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
```
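To make the condition concrete, the following is an added Python evaluation of this rule's detection logic over a few constructed process_creation events; it is example code written for this page, not part of the Sigma project or any Sigma backend, and the event dictionaries and the helper names (`rule_matches`, `evaluate`) are assumptions. It covers the edge cases the filters exist for: a conhost child that is conhost itself, an absent or empty Image, and a SystemTraceProvider-Process event.

```python
# Added example for this page: evaluates the Sigma rule's detection logic
# over constructed process_creation events. Not Sigma project code.
from typing import Optional


def _endswith_ci(value: Optional[str], suffix: str) -> bool:
    """Sigma's |endswith modifier: case-insensitive suffix match; None never matches."""
    return value is not None and value.lower().endswith(suffix.lower())


def rule_matches(event: dict) -> bool:
    """Return True when one process_creation event satisfies the rule's condition."""
    parent = event.get("ParentImage")
    image = event.get("Image")      # missing key behaves like Sigma's 'Image: null'
    provider = event.get("Provider_Name")

    # selection: ParentImage|endswith: '\conhost.exe'
    selection = _endswith_ci(parent, "\\conhost.exe")

    # filter_main_conhost / filter_main_null / filter_main_empty
    filter_main = (
        _endswith_ci(image, ":\\Windows\\System32\\conhost.exe")
        or image is None
        or image == ""
    )

    # filter_optional_provider: SystemTrace events may arrive without all fields (race condition)
    filter_optional = provider == "SystemTraceProvider-Process"

    # condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
    return selection and not filter_main and not filter_optional


# Constructed sample events (not real telemetry); one dict per process creation.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\conhost.exe", "Image": r"C:\Users\Public\tool.exe"},
    {"ParentImage": r"C:\Windows\System32\conhost.exe", "Image": r"C:\Windows\System32\conhost.exe"},
    {"ParentImage": r"C:\Windows\System32\conhost.exe", "Image": None},
    {"ParentImage": r"C:\Windows\System32\conhost.exe", "Image": ""},
    {"ParentImage": r"C:\Windows\System32\conhost.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "Provider_Name": "SystemTraceProvider-Process"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\whoami.exe"},
]


def evaluate(events: list) -> list:
    """Return the Image of every event the rule would alert on, in order."""
    return [e["Image"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS))  # only the first constructed event fires
```

Only the first sample fires: the conhost-as-child, null, empty and SystemTrace events are swallowed by the filters, and the last event never enters the selection because its parent is not conhost.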
