← Back to Explore
sigmainformationalHunting
Suspicious High IntegrityLevel Conhost Legacy Option
ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
Detection Query
selection:
IntegrityLevel:
- High
- S-1-16-12288
CommandLine|contains|all:
- conhost.exe
- "0xffffffff"
- -ForceV1
condition: selection
Author
frack113
Created
2022-12-09
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.defense-evasionattack.t1202
Raw Content
title: Suspicious High IntegrityLevel Conhost Legacy Option
id: 3037d961-21e9-4732-b27a-637bcc7bf539
status: test
description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context.
references:
- https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
- https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control
author: frack113
date: 2022-12-09
modified: 2024-12-01
tags:
- attack.defense-evasion
- attack.t1202
logsource:
product: windows
category: process_creation
detection:
selection:
IntegrityLevel:
- 'High'
- 'S-1-16-12288'
CommandLine|contains|all:
- 'conhost.exe'
- '0xffffffff'
- '-ForceV1'
condition: selection
falsepositives:
- Very Likely, including launching cmd.exe via Run As Administrator
level: informational