Uncommon Child Process Of Conhost.EXE
Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
Sigma rule (View on GitHub)
1title: Uncommon Child Process Of Conhost.EXE
2id: 7dc2dedd-7603-461a-bc13-15803d132355
3related:
4 - id: dfa03a09-8b92-4d83-8e74-f72839b1c407
5 type: similar
6status: test
7description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
8references:
9 - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
10author: omkar72
11date: 2020-10-25
12modified: 2023-12-11
13tags:
14 - attack.defense-evasion
15 - attack.t1202
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection:
21 ParentImage|endswith: '\conhost.exe'
22 filter_main_conhost:
23 Image|endswith: ':\Windows\System32\conhost.exe'
24 filter_main_null:
25 Image: null
26 filter_main_empty:
27 Image: ''
28 filter_optional_provider:
29 Provider_Name: 'SystemTraceProvider-Process' # Race condition with SystemTrace doesn't provide all fields.
30 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
31falsepositives:
32 - Unknown
33level: medium
References
-
Good bye threat hunting configs and filters of the past. Microsoft introduced Windows Terminal and there is no way back. While reading its actual source code today I noticed quite a lot of familiar...
Read More
Related rules
- Potentially Suspicious Child Processes Spawned by ConHost
- Potential Arbitrary Command Execution Using Msdt.EXE
- Potential Arbitrary Command Execution Via FTP.EXE
- Suspicious Cabinet File Execution Via Msdt.EXE
- Proxy Execution via Vshadow