Conhost Spawned By Uncommon Parent Process
Detects the Console Window Host (conhost.exe) being spawned by a parent process that has no business allocating a console, such as lsass.exe, svchost.exe, spoolsv.exe or winlogon.exe. In process-creation telemetry conhost.exe is recorded as a child of the process that allocated the console (cmd.exe, powershell.exe and the like; on older Windows versions csrss.exe, which is why the rule comments it out as a legitimate parent). A console appearing under a system process of this kind therefore points to injected code, such as a shell or implant, running inside that process rather than to the process's own behaviour. Because the filters work on substrings of ParentCommandLine, an svchost.exe instance hosting one of the listed services (ClipSVC, AppXSvc, DoSvc and so on) is suppressed even if it has been injected into, so treat the filter list as a known blind spot when tuning.
Sigma rule
title: Conhost Spawned By Uncommon Parent Process
id: cbb9e3d1-2386-4e59-912e-62f1484f7a89
status: test
description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
references:
    - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
author: Tim Rauch, Elastic (idea)
date: 2022/09/28
modified: 2023/03/29
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\conhost.exe'
        ParentImage|endswith:
            - '\explorer.exe'
            # - '\csrss.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe
            # - '\ctfmon.exe' # Seen several times in a testing environment
            # - '\dllhost.exe' # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p'
            - '\lsass.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\services.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\userinit.exe'
            # - '\wermgr.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe
            - '\wininit.exe'
            - '\winlogon.exe'
    filter_main_svchost:
        ParentCommandLine|contains:
            - '-k apphost -s AppHostSvc'
            - '-k imgsvc'
            - '-k localService -p -s RemoteRegistry'
            - '-k LocalSystemNetworkRestricted -p -s NgcSvc'
            - '-k NetSvcs -p -s NcaSvc'
            - '-k netsvcs -p -s NetSetupSvc'
            - '-k netsvcs -p -s wlidsvc'
            - '-k NetworkService -p -s DoSvc'
            - '-k wsappx -p -s AppXSvc'
            - '-k wsappx -p -s ClipSVC'
    filter_optional_dropbox:
        ParentCommandLine|contains:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
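The rule's detection logic re-implemented in plain Python and run over constructed Sysmon Event ID 1 (process creation) records. This is an added example, not code from the Sigma project or the rule author: the parent list and filter strings are copied from the rule above, while the sample events, the Dropbox DLL name and the non-Dropbox rundll32 command line are made up for illustration. It shows which part of the condition decides each verdict and that Sigma's endswith/contains modifiers match case-insensitively, so an upper-cased command line is still filtered.

```python
"""Added example (not part of the Sigma project): this rule's condition
re-implemented in Python and evaluated against constructed Sysmon
Event ID 1 records, so selection, filters and case handling can be
checked offline."""

# Lists copied from the rule. Sigma's endswith/contains modifiers are
# case-insensitive, so every comparison below lower-cases both sides.
UNCOMMON_PARENTS = [
    "\\explorer.exe", "\\lsass.exe", "\\regsvr32.exe", "\\rundll32.exe",
    "\\services.exe", "\\smss.exe", "\\spoolsv.exe", "\\svchost.exe",
    "\\userinit.exe", "\\wininit.exe", "\\winlogon.exe",
]
FILTER_MAIN_SVCHOST = [
    "-k apphost -s AppHostSvc", "-k imgsvc",
    "-k localService -p -s RemoteRegistry",
    "-k LocalSystemNetworkRestricted -p -s NgcSvc",
    "-k NetSvcs -p -s NcaSvc", "-k netsvcs -p -s NetSetupSvc",
    "-k netsvcs -p -s wlidsvc", "-k NetworkService -p -s DoSvc",
    "-k wsappx -p -s AppXSvc", "-k wsappx -p -s ClipSVC",
]
FILTER_OPTIONAL_DROPBOX = [
    "C:\\Program Files (x86)\\Dropbox\\Client\\",
    "C:\\Program Files\\Dropbox\\Client\\",
]


def _endswith_any(value, suffixes):
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def evaluate(event):
    """Classify one process_creation event against the rule.

    Returns "alert" when 'selection and not 1 of filter_main_* and not
    1 of filter_optional_*' holds, otherwise the name of the part that
    stopped it, which is what you want to see when tuning the filters."""
    if not (_endswith_any(event.get("Image", ""), ["\\conhost.exe"])
            and _endswith_any(event.get("ParentImage", ""), UNCOMMON_PARENTS)):
        return "no_selection"
    parent_cmd = event.get("ParentCommandLine", "")
    if _contains_any(parent_cmd, FILTER_MAIN_SVCHOST):
        return "filter_main_svchost"
    if _contains_any(parent_cmd, FILTER_OPTIONAL_DROPBOX):
        return "filter_optional_dropbox"
    return "alert"


def matches(event):
    return evaluate(event) == "alert"


# Constructed sample records with the Sysmon fields the rule reads.
# "0xffffffff -ForceV1" is the usual conhost.exe command line; the Dropbox
# DLL name and the C:\Users\Public DLL are hypothetical.
CONHOST = "C:\\Windows\\System32\\conhost.exe"
CONHOST_CMD = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"id": "cmd-normal", "Image": CONHOST, "CommandLine": CONHOST_CMD,
     "ParentImage": SYS32 + "cmd.exe", "ParentCommandLine": "\"C:\\Windows\\System32\\cmd.exe\""},
    {"id": "lsass-injected", "Image": CONHOST, "CommandLine": CONHOST_CMD,
     "ParentImage": SYS32 + "lsass.exe", "ParentCommandLine": "C:\\Windows\\system32\\lsass.exe"},
    {"id": "svchost-clipsvc", "Image": CONHOST, "CommandLine": CONHOST_CMD,
     "ParentImage": SYS32 + "svchost.exe",
     "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k wsappx -p -s ClipSVC"},
    {"id": "svchost-schedule", "Image": CONHOST, "CommandLine": CONHOST_CMD,
     "ParentImage": SYS32 + "svchost.exe",
     "ParentCommandLine": "C:\\Windows\\system32\\svchost.exe -k netsvcs -p -s Schedule"},
    {"id": "svchost-uppercase", "Image": CONHOST.upper(), "CommandLine": CONHOST_CMD.upper(),
     "ParentImage": "C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE",
     "ParentCommandLine": "C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE -K WSAPPX -P -S CLIPSVC"},
    {"id": "csrss-legit", "Image": CONHOST, "CommandLine": CONHOST_CMD,
     "ParentImage": SYS32 + "csrss.exe", "ParentCommandLine": "%SystemRoot%\\system32\\csrss.exe"},
    {"id": "rundll32-dropbox", "Image": CONHOST, "CommandLine": CONHOST_CMD,
     "ParentImage": SYS32 + "rundll32.exe",
     "ParentCommandLine": "rundll32.exe \"C:\\Program Files (x86)\\Dropbox\\Client\\DropboxExt.dll\",Run"},
    {"id": "rundll32-other", "Image": CONHOST, "CommandLine": CONHOST_CMD,
     "ParentImage": SYS32 + "rundll32.exe",
     "ParentCommandLine": "rundll32.exe C:\\Users\\Public\\update.dll,Run"},
]


def run(events=SAMPLE_EVENTS):
    """Map each sample id to the rule's verdict."""
    return {e["id"]: evaluate(e) for e in events}


def alerts(events=SAMPLE_EVENTS):
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    for event_id, verdict in run().items():
        print(f"{event_id:18} {verdict}")
```

Run as a script to see the verdict per sample. In production you would convert the rule with sigma-cli or pySigma rather than re-implement it; the value of this form is that it names the filter that swallowed an event, which makes the blind spot visible: the injected-svchost case is suppressed as soon as the host process happens to run one of the listed services, and the Dropbox filter suppresses any rundll32.exe whose command line merely contains the Dropbox client path.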
References
- https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
Related rules
- Potential CobaltStrike Process Patterns
- Potential Netcat Reverse Shell Execution
- Suspicious Browser Child Process - MacOS
- Windows Shell/Scripting Application File Write to Suspicious Folder
- Unusual Parent Process For Cmd.EXE