Conhost Suspicious Command Execution

Detects conhost.exe launched with the --headless flag. A headless console host creates no visible console window, so a command can run on the victim's machine without the user noticing. Note that the same argument pattern (--headless together with --width, --height, --signal and --server) is how ConPTY-based programs such as Windows Terminal start a console host, so the parent process is the key field when triaging a hit.

Sigma rule

title: Conhost Suspicious Command Execution
id: 21c034f0-ff15-4d4d-9c14-72fdb8ee23c9
status: experimental
description: Detects conhost.exe launched with the --headless flag. A headless console host creates no visible console window, so a command can run without the user noticing.
example_cmdline:
  - 'conhost.exe --headless --width 190 --height 22 --signal 0x3e4 --server 0x3e8'
author: TheDFIRReport
references:
  - https://thedfirreport.com/
  - 'Event 25197'
date: 2023/10/03
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\conhost.exe'
    # contains rather than endswith: --headless is followed by further arguments
    # (--width, --height, --signal, --server), so the command line does not end with it
    CommandLine|contains:
      - ' --headless'
  condition: selection
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1564.003
  - dist.public
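The following is an added example, not part of the original rule or of TheDFIRReport's tooling. It runs the rule's selection over a handful of constructed process_creation events (modelled on Sysmon Event ID 1 fields; none are real telemetry) with a minimal evaluator that implements only the Sigma string modifiers the rule uses, with Sigma's default case-insensitive matching. It shows why a `CommandLine|endswith: ' --headless '` clause never fires on the rule's own example command line, while a `contains` clause does. The events with a dropper parent and a non-conhost image are hypothetical inputs chosen to exercise the Image clause.

```python
"""Run the conhost --headless Sigma selection over constructed process_creation events."""

# Constructed sample events, modelled on Sysmon Event ID 1 fields. Not real telemetry.
SAMPLE_EVENTS = [
    {   # the rule's own example_cmdline: ConPTY-style headless console host
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": "conhost.exe --headless --width 190 --height 22 --signal 0x3e4 --server 0x3e8",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # ordinary console host for an interactive cmd.exe window: must not match
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # hypothetical: --headless as the final argument, no trailing space
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": "conhost.exe --headless",
        "ParentImage": r"C:\Users\victim\AppData\Local\Temp\dropper.exe",
    },
    {   # hypothetical: a different binary carrying the flag; the Image clause must reject it
        "Image": r"C:\Tools\build.exe",
        "CommandLine": "build.exe --headless --target all",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

# Selection exactly as the rule was first published (note the trailing space in the pattern).
ORIGINAL_SELECTION = {
    "Image|endswith": ["\\conhost.exe"],
    "CommandLine|endswith": [" --headless "],
}

# Corrected selection: the flag may sit anywhere on the command line.
CORRECTED_SELECTION = {
    "Image|endswith": ["\\conhost.exe"],
    "CommandLine|contains": [" --headless"],
}


def field_matches(value, modifier, patterns):
    """OR across the list of patterns for one field, case-insensitive like Sigma."""
    v = str(value).lower()
    for pattern in patterns:
        p = str(pattern).lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
        if modifier is None and v == p:
            return True
    return False


def selection_matches(selection, event):
    """AND across fields: every 'field|modifier' key of the selection must match."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not field_matches(event.get(field, ""), modifier or None, patterns):
            return False
    return True


def matching_indices(selection, events):
    """Return the positions of the events the selection fires on."""
    return [i for i, ev in enumerate(events) if selection_matches(selection, ev)]


if __name__ == "__main__":
    print("original selection fires on:", matching_indices(ORIGINAL_SELECTION, SAMPLE_EVENTS))
    print("corrected selection fires on:", matching_indices(CORRECTED_SELECTION, SAMPLE_EVENTS))
```

The original clause misses both conhost events because neither command line ends with `--headless` followed by a space: the ConPTY form continues with `--width ... --server ...`, and a bare `--headless` has nothing after it. The corrected clause fires on both and still rejects the `-ForceV1` console host and the non-conhost binary. For triage, pivot on ParentImage: a ConPTY host spawned by Windows Terminal or a code editor is expected, one spawned from a user-writable temp directory is not.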
