Potentially Suspicious Child Processes Spawned by ConHost

Detects suspicious child processes related to Windows Shell utilities spawned by conhost.exe, which could indicate malicious activity using trusted system components.

Sigma rule

title: Potentially Suspicious Child Processes Spawned by ConHost
id: dfa03a09-8b92-4d83-8e74-f72839b1c407
related:
    - id: 7dc2dedd-7603-461a-bc13-15803d132355
      type: similar
status: experimental
description: Detects suspicious child processes related to Windows Shell utilities spawned by `conhost.exe`, which could indicate malicious activity using trusted system components.
references:
    - https://tria.ge/241015-l98snsyeje/behavioral2
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-02-05
tags:
    - attack.t1202
    - attack.defense-evasion
    - attack.t1218
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\conhost.exe'
    selection_child:
        - Image|endswith:
              - '\cmd.exe'             # Windows Command Prompt
              - '\cscript.exe'         # Windows Script Host (console variant, used to run scripts)
              - '\mshta.exe'           # MSHTA (HTML Application Host, often abused)
              - '\powershell_ise.exe'  # PowerShell ISE
              - '\powershell.exe'      # Windows PowerShell
              - '\pwsh.exe'            # PowerShell Core
              - '\regsvr32.exe'        # Microsoft Register Server (commonly abused to proxy execution)
              - '\wscript.exe'         # Windows Script Host (windowed variant, used to run scripts)
        - OriginalFileName:          # PE version-resource name; survives renaming of the binary on disk
              - 'cmd.exe'
              - 'cscript.exe'
              - 'mshta.exe'
              - 'powershell_ise.exe'
              - 'powershell.exe'
              - 'pwsh.dll'
              - 'regsvr32.exe'
              - 'wscript.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.
level: high
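As an added example (not part of the Sigma project or of this page), the following Python reproduces the rule's matching logic and runs it over constructed process_creation events. It shows the two things a practitioner should take from the rule: both selections must match (`all of selection_*`), and the `OriginalFileName` alternative inside `selection_child` still fires when the child binary has been renamed on disk, which the `Image|endswith` check alone would miss. The field names, the suffix and equality lists, and the case-insensitive comparison follow Sigma's default string matching; the sample events are constructed, not real telemetry.

```python
"""Reference evaluator for the ConHost child-process Sigma rule above.

Added example: it is not Sigma's or the rule author's code, and the
events below are constructed to exercise the rule's branches.
"""
from typing import Dict, List

# Values copied verbatim from the rule's selection lists.
PARENT_IMAGE_SUFFIX = "\\conhost.exe"
CHILD_IMAGE_SUFFIXES = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell_ise.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\regsvr32.exe", "\\wscript.exe",
)
CHILD_ORIGINAL_FILENAMES = (
    "cmd.exe", "cscript.exe", "mshta.exe", "powershell_ise.exe",
    "powershell.exe", "pwsh.dll", "regsvr32.exe", "wscript.exe",
)


def _endswith_ci(value: str, suffix: str) -> bool:
    # Sigma string matching is case-insensitive by default, so a parent
    # logged as CONHOST.EXE must still match the '\conhost.exe' suffix.
    return value.lower().endswith(suffix.lower())


def selection_parent(event: Dict[str, str]) -> bool:
    # selection_parent: ParentImage|endswith '\conhost.exe'
    return _endswith_ci(event.get("ParentImage", ""), PARENT_IMAGE_SUFFIX)


def selection_child(event: Dict[str, str]) -> bool:
    # selection_child is a list of two maps, which Sigma ORs together:
    # either the on-disk Image suffix or the PE OriginalFileName suffices.
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "").lower()
    by_image = any(_endswith_ci(image, s) for s in CHILD_IMAGE_SUFFIXES)
    by_original = original in CHILD_ORIGINAL_FILENAMES
    return by_image or by_original


def matches(event: Dict[str, str]) -> bool:
    # condition: all of selection_*
    return selection_parent(event) and selection_child(event)


def evaluate(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events (fields mirror a process_creation log source).
SAMPLE_EVENTS = [
    # e1: straightforward hit, conhost spawning cmd.exe.
    {"id": "e1", "ParentImage": r"C:\Windows\System32\conhost.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # e2: pwsh renamed on disk; only the OriginalFileName branch catches it.
    {"id": "e2", "ParentImage": r"C:\Windows\System32\CONHOST.EXE",
     "Image": r"C:\Users\Public\update.exe", "OriginalFileName": "pwsh.dll"},
    # e3: PowerShell launched from Explorer, parent selection fails.
    {"id": "e3", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE"},
    # e4: conhost parent but a benign child, child selection fails.
    {"id": "e4", "ParentImage": r"C:\Windows\System32\conhost.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], "ALERT" if matches(event) else "-", event["Image"])
    print("alerting events:", evaluate(SAMPLE_EVENTS))  # prints ['e1', 'e2']
```

Running the block alerts on `e1` and `e2` only. Event `e2` is the instructive one: its `Image` suffix matches nothing in the list, and it is the `OriginalFileName` value `pwsh.dll` (the version-resource name PowerShell Core carries) that triggers the rule. When triaging hits, compare `Image` against `OriginalFileName` first; a mismatch between the two is a stronger signal than the parent relationship alone, while a match on a well-known administrative path is the false-positive case the rule itself names.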
