Potentially Suspicious Child Processes Spawned by ConHost

 1title: Potentially Suspicious Child Processes Spawned by ConHost
 2id: dfa03a09-8b92-4d83-8e74-f72839b1c407
 3related:
 4    - id: 7dc2dedd-7603-461a-bc13-15803d132355
 5      type: similar
 6status: experimental
 7description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
 8references:
 9    - https://tria.ge/241015-l98snsyeje/behavioral2
10author: Swachchhanda Shrawan Poudel (Nextron Systems)
11date: 2025-02-05
12tags:
13    - attack.t1202
14    - attack.defense-evasion
15    - attack.t1218
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection_parent:
21        ParentImage|endswith: '\conhost.exe'
22    selection_child:
23        - Image|endswith:
24              - '\cmd.exe'             # Windows Command Prompt
25              - '\cscript.exe'         # Windows Script Host (used for scripting exploits)
26              - '\mshta.exe'           # MSHTA (HTML Application Host, often abused)
27              - '\powershell_ise.exe'  # PowerShell ISE
28              - '\powershell.exe'      # Windows PowerShell
29              - '\pwsh.exe'            # PowerShell Core
30              - '\regsvr32.exe'        # Windows Registry Server (commonly used for exploits)
31              - '\wscript.exe'         # Windows Script Host (for executing scripts)
32        - OriginalFileName:
33              - 'cmd.exe'
34              - 'cscript.exe'
35              - 'mshta.exe'
36              - 'powershell_ise.exe'
37              - 'powershell.exe'
38              - 'pwsh.dll'
39              - 'regsvr32.exe'
40              - 'wscript.exe'
41    condition: all of selection_*
42falsepositives:
43    - Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
44level: high