Conhost Spawned By Uncommon Parent Process

Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.

Sigma rule

title: Conhost Spawned By Uncommon Parent Process
id: cbb9e3d1-2386-4e59-912e-62f1484f7a89
status: test
description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
references:
    - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
author: Tim Rauch, Elastic (idea)
date: 2022/09/28
modified: 2023/03/29
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\conhost.exe'
        ParentImage|endswith:
            - '\explorer.exe'
            # - '\csrss.exe'  # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe
            # - '\ctfmon.exe'  # Seen several times in a testing environment
            # - '\dllhost.exe'  # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p'
            - '\lsass.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\services.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\userinit.exe'
            # - '\wermgr.exe'  # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe
            - '\wininit.exe'
            - '\winlogon.exe'
    filter_main_svchost:
        ParentCommandLine|contains:
            - '-k apphost -s AppHostSvc'
            - '-k imgsvc'
            - '-k localService -p -s RemoteRegistry'
            - '-k LocalSystemNetworkRestricted -p -s NgcSvc'
            - '-k NetSvcs -p -s NcaSvc'
            - '-k netsvcs -p -s NetSetupSvc'
            - '-k netsvcs -p -s wlidsvc'
            - '-k NetworkService -p -s DoSvc'
            - '-k wsappx -p -s AppXSvc'
            - '-k wsappx -p -s ClipSVC'
    filter_optional_dropbox:
        ParentCommandLine|contains:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
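To show how the selection and the two filters combine under the rule's condition, here is an added Python evaluation of the rule's logic over constructed process_creation events; it is not part of the Sigma rule or the SigmaHQ project. It assumes the Sigma Windows process_creation field names (Image, ParentImage, ParentCommandLine) and the default case-insensitive behaviour of the endswith and contains modifiers.

```python
# Added example, not part of the Sigma rule or the SigmaHQ project: a minimal Python
# evaluation of this rule's logic over constructed process_creation events. Sigma's
# endswith/contains modifiers are case-insensitive, mirrored here with .lower().

UNCOMMON_PARENTS = (
    "\\explorer.exe", "\\lsass.exe", "\\regsvr32.exe", "\\rundll32.exe",
    "\\services.exe", "\\smss.exe", "\\spoolsv.exe", "\\svchost.exe",
    "\\userinit.exe", "\\wininit.exe", "\\winlogon.exe",
)
# filter_main_svchost: service hosts the rule treats as legitimate conhost parents
SVCHOST_BENIGN = (
    "-k apphost -s AppHostSvc", "-k imgsvc", "-k localService -p -s RemoteRegistry",
    "-k LocalSystemNetworkRestricted -p -s NgcSvc", "-k NetSvcs -p -s NcaSvc",
    "-k netsvcs -p -s NetSetupSvc", "-k netsvcs -p -s wlidsvc",
    "-k NetworkService -p -s DoSvc", "-k wsappx -p -s AppXSvc", "-k wsappx -p -s ClipSVC",
)
# filter_optional_dropbox
DROPBOX_BENIGN = ("C:\\Program Files (x86)\\Dropbox\\Client\\", "C:\\Program Files\\Dropbox\\Client\\")

def ci_endswith(value, suffixes):
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def ci_contains(value, needles):
    return any(n.lower() in value.lower() for n in needles)

def matches_rule(event):
    """condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*"""
    selection = (ci_endswith(event.get("Image", ""), ("\\conhost.exe",))
                 and ci_endswith(event.get("ParentImage", ""), UNCOMMON_PARENTS))
    parent_cmd = event.get("ParentCommandLine", "")
    filter_main = ci_contains(parent_cmd, SVCHOST_BENIGN)
    filter_optional = ci_contains(parent_cmd, DROPBOX_BENIGN)
    return selection and not filter_main and not filter_optional

# Constructed sample events, not real telemetry
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\conhost.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "ParentCommandLine": "C:\\Windows\\System32\\svchost.exe -k wsappx -p -s ClipSVC"},   # in filter list
    {"Image": "C:\\Windows\\System32\\conhost.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "ParentCommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule"},  # alerts
    {"Image": "C:\\Windows\\System32\\conhost.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "ParentCommandLine": "cmd.exe /c dir"},                                                 # common parent
    {"Image": "C:\\Windows\\System32\\conhost.exe", "ParentImage": "C:\\Windows\\System32\\spoolsv.exe",
     "ParentCommandLine": "C:\\Windows\\System32\\spoolsv.exe"},                             # alerts
]

def alerting_events(events=SAMPLE_EVENTS):
    return [e for e in events if matches_rule(e)]

if __name__ == "__main__":
    for e in alerting_events():
        print("ALERT:", e["ParentImage"], "->", e["Image"], "|", e["ParentCommandLine"])
```

Running it prints the two events whose svchost group is not in the filter list or whose parent (spoolsv.exe) has no filter at all.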
