Conhost Suspicious Command Execution
Detects use of conhost in "headless" mode. Running conhost.exe in "headless" mode means that no visible console window pops up on the victim's machine, which is why the rule is tagged under defense evasion (hidden window, T1564.003).
Sigma rule
title: Conhost Suspicious Command Execution
id: 21c034f0-ff15-4d4d-9c14-72fdb8ee23c9
status: experimental
description: Detects use of conhost in "headless" mode. Running conhost.exe in "headless" mode means that no visible window will pop up on the victim's machine.
example_cmdline:
    - 'conhost.exe --headless --width 190 --height 22 --signal 0x3e4 --server 0x3e8'
author: TheDFIRReport
references:
    - https://thedfirreport.com/
    - 'Event 25197'
date: 2023/10/03
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\conhost.exe'
        # 'contains' rather than 'endswith': the example command line above continues
        # past '--headless' with further arguments, so an 'endswith' match would miss it.
        CommandLine|contains:
            - ' --headless '
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.defense_evasion
    - attack.t1564.003
    - dist.public
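As an added example (not part of the rule or of The DFIR Report's tooling), a small Python evaluator of the rule's selection logic run over constructed process-creation events. It compares the `endswith` and `contains` modifiers on CommandLine: the rule's own example command line matches only with `contains`, because further arguments follow `--headless`.

```python
# Added example: minimal evaluator for the Sigma selection above, run over
# constructed process-creation events (not real telemetry) to show the
# difference between the 'endswith' and 'contains' modifiers on CommandLine.

# Constructed sample events.
EVENTS = [
    # The rule's own example command line: headless conhost with more arguments after the flag.
    {"Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe --headless --width 190 --height 22 --signal 0x3e4 --server 0x3e8"},
    # A normal conhost launch without --headless: must not match.
    {"Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    # '--headless' in a different image: the Image filter must exclude it.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo --headless "},
]


def sigma_match(event, modifier):
    """Evaluate the rule's 'selection' with the given CommandLine modifier.

    Sigma string comparisons are case-insensitive by default, so both
    fields are lower-cased before comparison. Both conditions in a
    selection map must hold (implicit AND).
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(r"\conhost.exe"):
        return False
    if modifier == "endswith":
        return cmdline.endswith(" --headless ")
    if modifier == "contains":
        return " --headless " in cmdline
    raise ValueError(f"unsupported modifier: {modifier}")


def matching_indices(events, modifier):
    """Return the indices of events that the selection matches."""
    return [i for i, ev in enumerate(events) if sigma_match(ev, modifier)]


if __name__ == "__main__":
    for mod in ("endswith", "contains"):
        print(mod, matching_indices(EVENTS, mod))  # endswith -> [], contains -> [0]
```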
Related rules
- Malicious QakBot Dropped File Creation (Event 4663)
- Suspicious Calc Child Process
- Suspicious Process Injection to Explorer
- Gootloader JavaScript Execution in AppData Folder (RedCanary Threat Detection Report)
- ISO File Write to Suspicious Folder (RedCanary Threat Detection Report)