sigmamediumHunting

Uncommon Child Process Of Conhost.EXE

Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.

MITRE ATT&CK

T1202

defense-evasion

Detection Query

selection:
  ParentImage|endswith: \conhost.exe
filter_main_conhost:
  Image|endswith: :\Windows\System32\conhost.exe
filter_main_null:
  Image: null
filter_main_empty:
  Image: ""
filter_optional_provider:
  Provider_Name: SystemTraceProvider-Process
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*

Author

omkar72

Created

2020-10-25

Data Sources

windowsProcess Creation Events

Platforms

windows

References

http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/

Tags

attack.defense-evasionattack.t1202

Raw Content

title: Uncommon Child Process Of Conhost.EXE
id: 7dc2dedd-7603-461a-bc13-15803d132355
related:
    - id: dfa03a09-8b92-4d83-8e74-f72839b1c407
      type: similar
status: test
description: Detects uncommon "conhost" child processes. This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
references:
    - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
author: omkar72
date: 2020-10-25
modified: 2023-12-11
tags:
    - attack.defense-evasion
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\conhost.exe'
    filter_main_conhost:
        Image|endswith: ':\Windows\System32\conhost.exe'
    filter_main_null:
        Image: null
    filter_main_empty:
        Image: ''
    filter_optional_provider:
        Provider_Name: 'SystemTraceProvider-Process'  # Race condition with SystemTrace doesn't provide all fields.
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium