Uncommon Child Process Of Conhost.EXE
Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
Sigma rule
title: Uncommon Child Process Of Conhost.EXE
id: 7dc2dedd-7603-461a-bc13-15803d132355
status: test
description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
references:
    - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
author: omkar72
date: 2020-10-25
modified: 2023-12-11
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\conhost.exe'
    filter_main_conhost:
        Image|endswith: ':\Windows\System32\conhost.exe'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    filter_optional_provider:
        Provider_Name: 'SystemTraceProvider-Process' # Race condition with SystemTrace doesn't provide all fields.
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
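To show how the selection, the three `filter_main_*` exclusions and the optional provider filter combine under the rule's `condition`, here is an added example that evaluates the same logic over a handful of constructed process-creation events. It is illustrative code written for this page, not part of the Sigma rule or of any Sigma tooling; the event field names follow the rule (`ParentImage`, `Image`, `Provider_Name`), the `id` field and all sample paths are constructed, and string matching is done case-insensitively, which is how Sigma's `endswith` modifier behaves for Windows process logs.

```python
# Added example: a minimal evaluator for the rule's detection logic.
# Not part of the Sigma rule or any Sigma backend; event samples are constructed.

from typing import Dict, List, Optional

# selection: ParentImage|endswith '\conhost.exe'
PARENT_SUFFIX = "\\conhost.exe"
# filter_main_conhost: Image|endswith ':\Windows\System32\conhost.exe'
LEGIT_CONHOST_SUFFIX = ":\\windows\\system32\\conhost.exe"
# filter_optional_provider: events from this provider may lack fields (race condition)
RACY_PROVIDER = "SystemTraceProvider-Process"


def matches_rule(event: Dict[str, Optional[str]]) -> bool:
    """Return True when the event satisfies
    'selection and not 1 of filter_main_* and not 1 of filter_optional_*'."""
    parent = (event.get("ParentImage") or "").lower()
    image = event.get("Image")

    # selection: the parent must be conhost.exe
    if not parent.endswith(PARENT_SUFFIX):
        return False

    # filter_main_null / filter_main_empty: no Image value to judge, drop the event
    if image is None or image == "":
        return False

    # filter_main_conhost: conhost spawning the genuine system conhost is expected
    if image.lower().endswith(LEGIT_CONHOST_SUFFIX):
        return False

    # filter_optional_provider: SystemTrace events are incomplete, so they are excluded
    if event.get("Provider_Name") == RACY_PROVIDER:
        return False

    return True


def evaluate(events: List[Dict[str, Optional[str]]]) -> List[str]:
    """Return the ids of all events that the rule would alert on."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (ids and paths are made up for this example).
SAMPLE_EVENTS: List[Dict[str, Optional[str]]] = [
    # uncommon child of conhost, full fields from Sysmon -> alert
    {"id": "ev1", "ParentImage": "C:\\Windows\\System32\\conhost.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "Provider_Name": "Microsoft-Windows-Sysmon"},
    # conhost spawning the real conhost -> filter_main_conhost
    {"id": "ev2", "ParentImage": "C:\\Windows\\System32\\conhost.exe",
     "Image": "C:\\Windows\\System32\\conhost.exe",
     "Provider_Name": "Microsoft-Windows-Sysmon"},
    # Image missing entirely -> filter_main_null
    {"id": "ev3", "ParentImage": "C:\\Windows\\System32\\conhost.exe",
     "Image": None, "Provider_Name": "Microsoft-Windows-Sysmon"},
    # Image present but empty -> filter_main_empty
    {"id": "ev4", "ParentImage": "C:\\Windows\\System32\\conhost.exe",
     "Image": "", "Provider_Name": "Microsoft-Windows-Sysmon"},
    # same shape as ev1 but from the racy provider -> filter_optional_provider
    {"id": "ev5", "ParentImage": "C:\\Windows\\System32\\conhost.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "Provider_Name": RACY_PROVIDER},
    # the usual direction (cmd spawns conhost) -> selection does not match
    {"id": "ev6", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "Image": "C:\\Windows\\System32\\conhost.exe",
     "Provider_Name": "Microsoft-Windows-Sysmon"},
    # mixed-case path from a different log source still matches the selection -> alert
    {"id": "ev7", "ParentImage": "C:\\WINDOWS\\system32\\CONHOST.EXE",
     "Image": "C:\\Users\\Public\\example_tool.exe",
     "Provider_Name": "Microsoft-Windows-Security-Auditing"},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], "ALERT" if matches_rule(event) else "no match")
```

Running the block reports alerts for ev1 and ev7 only. The null and empty Image filters matter in practice: some telemetry sources emit a parent but no image for short-lived processes, and without those exclusions every such record under conhost would raise a medium-severity alert with nothing to investigate.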
Related rules
- Potentially Suspicious Child Process Of VsCode
- Potentially Suspicious Office Document Executed From Trusted Location
- Renamed CURL.EXE Execution
- Windows Binary Executed From WSL
- Custom File Open Handler Executes PowerShell