Potentially Suspicious Child Processes Spawned by ConHost
Detects suspicious child processes related to Windows Shell utilities spawned by conhost.exe, which could indicate malicious activity using trusted system components.
Sigma rule
title: Potentially Suspicious Child Processes Spawned by ConHost
id: dfa03a09-8b92-4d83-8e74-f72839b1c407
related:
    - id: 7dc2dedd-7603-461a-bc13-15803d132355
      type: similar
status: experimental
description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
references:
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.t1202
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\conhost.exe'
    selection_child:
        # The two list entries below are OR'ed: match on the image path suffix,
        # or on the PE OriginalFileName (which also catches renamed copies).
        - Image|endswith:
              - '\cmd.exe'            # Windows Command Prompt
              - '\cscript.exe'        # Windows Script Host, console version
              - '\mshta.exe'          # HTML Application Host, often abused for proxy execution
              - '\powershell_ise.exe' # PowerShell ISE
              - '\powershell.exe'     # Windows PowerShell
              - '\pwsh.exe'           # PowerShell Core / PowerShell 7
              - '\regsvr32.exe'       # Microsoft Register Server, commonly abused for proxy execution
              - '\wscript.exe'        # Windows Script Host, windowed version
        - OriginalFileName:
              - 'cmd.exe'
              - 'cscript.exe'
              - 'mshta.exe'
              - 'powershell_ise.exe'
              - 'powershell.exe'
              - 'pwsh.dll'            # OriginalFileName of pwsh.exe is pwsh.dll
              - 'regsvr32.exe'
              - 'wscript.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
level: high
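To show how the detection block above actually evaluates, here is an added example (not part of the Sigma rule or the Sigma project) that reimplements the rule's two selections and its `all of selection_*` condition in plain Python and runs them over constructed process_creation events. Field names follow Sigma's Windows process_creation taxonomy (`Image`, `OriginalFileName`, `ParentImage`); the event values and ids are made up, and the case-insensitive matching mirrors Sigma's default string semantics.

```python
"""Added example (not the rule's or Sigma's own code): evaluate the detection
logic of 'Potentially Suspicious Child Processes Spawned by ConHost' over
constructed process_creation events."""

# selection_parent: ParentImage|endswith '\conhost.exe'
PARENT_IMAGE_SUFFIX = "\\conhost.exe"

# selection_child is a YAML list of two maps; Sigma ORs the list entries
# (match on Image suffix OR on OriginalFileName), and the value lists
# inside each map are OR'ed as well.
CHILD_IMAGE_SUFFIXES = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell_ise.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\regsvr32.exe", "\\wscript.exe",
)
CHILD_ORIGINAL_FILENAMES = frozenset({
    "cmd.exe", "cscript.exe", "mshta.exe", "powershell_ise.exe",
    "powershell.exe", "pwsh.dll", "regsvr32.exe", "wscript.exe",
})


def _endswith_ci(value, suffix):
    """Sigma string matching is case-insensitive unless a modifier says otherwise."""
    return value.lower().endswith(suffix.lower())


def selection_parent(event):
    """True when the parent image ends with \\conhost.exe (missing field = no match)."""
    parent = event.get("ParentImage")
    return parent is not None and _endswith_ci(parent, PARENT_IMAGE_SUFFIX)


def selection_child(event):
    """True when the child matches by path suffix OR by PE OriginalFileName.
    The OriginalFileName branch is what catches a renamed copy of the binary."""
    image = event.get("Image")
    if image is not None and any(_endswith_ci(image, s) for s in CHILD_IMAGE_SUFFIXES):
        return True
    ofn = event.get("OriginalFileName")
    return ofn is not None and ofn.lower() in CHILD_ORIGINAL_FILENAMES


def rule_matches(event):
    """condition: all of selection_*"""
    return selection_parent(event) and selection_child(event)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\System32\conhost.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # Renamed PowerShell: the path does not match, OriginalFileName does.
    {"id": 2, "ParentImage": r"C:\Windows\System32\conhost.exe",
     "Image": r"C:\Users\Public\update.exe", "OriginalFileName": "PowerShell.EXE"},
    # Same child, but the parent is explorer.exe -> no match.
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE"},
    # Benign child of conhost -> no match.
    {"id": 4, "ParentImage": r"C:\Windows\System32\conhost.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
    # Mixed case and PowerShell 7, whose OriginalFileName is pwsh.dll.
    {"id": 5, "ParentImage": r"C:\WINDOWS\SYSTEM32\CONHOST.EXE",
     "Image": r"C:\Program Files\PowerShell\7\PWSH.EXE", "OriginalFileName": "pwsh.dll"},
    # Log source without OriginalFileName: the Image branch still fires.
    {"id": 6, "ParentImage": r"C:\Windows\System32\conhost.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe"},
]


def matching_ids(events):
    """Return the ids of the events the rule would alert on."""
    return [e["id"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], "ALERT" if rule_matches(e) else "ok", e["Image"])
```

Events 1, 2, 5 and 6 alert; event 3 fails `selection_parent` and event 4 fails `selection_child`. Event 2 is the case the `OriginalFileName` branch exists for: the executable has been renamed, so the path-suffix list alone would miss it. When tuning the rule's false positives, the parent/child pair plus the `OriginalFileName` field is usually enough context to separate an administrator's interactive console session from a script host launched under `conhost.exe` by something else.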
Related rules
- Potential Binary Impersonating Sysinternals Tools
- Renamed ZOHO Dctask64 Execution
- Potentially Suspicious Child Process Of VsCode
- Potential Arbitrary File Download Via Cmdl32.EXE
- Suspicious Child Process Of BgInfo.EXE