Sigma | medium | Hunting
Conhost Spawned By Uncommon Parent Process
Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
Detection Query
    selection:
        Image|endswith: \conhost.exe
        ParentImage|endswith:
            - \explorer.exe
            - \lsass.exe
            - \regsvr32.exe
            - \rundll32.exe
            - \services.exe
            - \smss.exe
            - \spoolsv.exe
            - \svchost.exe
            - \userinit.exe
            - \wininit.exe
            - \winlogon.exe
    filter_main_svchost:
        ParentCommandLine|contains:
            - -k apphost -s AppHostSvc
            - -k imgsvc
            - -k localService -p -s RemoteRegistry
            - -k LocalSystemNetworkRestricted -p -s NgcSvc
            - -k NetSvcs -p -s NcaSvc
            - -k netsvcs -p -s NetSetupSvc
            - -k netsvcs -p -s wlidsvc
            - -k NetworkService -p -s DoSvc
            - -k wsappx -p -s AppXSvc
            - -k wsappx -p -s ClipSVC
            - -k wusvcs -p -s WaaSMedicSvc
    filter_optional_dropbox:
        ParentCommandLine|contains:
            - C:\Program Files (x86)\Dropbox\Client\
            - C:\Program Files\Dropbox\Client\
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
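The query above reads as three pieces: a selection (conhost.exe whose parent is one of the listed system or LOLBin images), a main filter that excludes the svchost service groups known to legitimately spawn a console host, and an optional filter for the Dropbox client. The evaluator below is an added example, not part of the SigmaHQ rule or of Elastic's detection; it implements only the `|endswith` and `|contains` modifiers this rule uses (case-insensitive, list means "any"), assumes Sysmon-style field names (Image, ParentImage, ParentCommandLine), and runs over a handful of constructed events, including one where ParentCommandLine is missing so the filters cannot fire.

```python
"""Evaluate the Sigma rule 'Conhost Spawned By Uncommon Parent Process'
over process-creation events.

Added example: not part of the SigmaHQ rule or of Elastic's detection.
All events below are constructed for illustration, not real telemetry.
"""

# String lists copied from the rule's detection section.
SELECTION_IMAGE_ENDSWITH = ("\\conhost.exe",)
SELECTION_PARENT_ENDSWITH = (
    "\\explorer.exe", "\\lsass.exe", "\\regsvr32.exe", "\\rundll32.exe",
    "\\services.exe", "\\smss.exe", "\\spoolsv.exe", "\\svchost.exe",
    "\\userinit.exe", "\\wininit.exe", "\\winlogon.exe",
)
FILTER_MAIN_SVCHOST_CONTAINS = (
    "-k apphost -s AppHostSvc", "-k imgsvc",
    "-k localService -p -s RemoteRegistry",
    "-k LocalSystemNetworkRestricted -p -s NgcSvc",
    "-k NetSvcs -p -s NcaSvc", "-k netsvcs -p -s NetSetupSvc",
    "-k netsvcs -p -s wlidsvc", "-k NetworkService -p -s DoSvc",
    "-k wsappx -p -s AppXSvc", "-k wsappx -p -s ClipSVC",
    "-k wusvcs -p -s WaaSMedicSvc",
)
FILTER_OPTIONAL_DROPBOX_CONTAINS = (
    "C:\\Program Files (x86)\\Dropbox\\Client\\",
    "C:\\Program Files\\Dropbox\\Client\\",
)


def endswith_any(value, suffixes):
    """Sigma '|endswith' over a list: case-insensitive, any entry matches."""
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def contains_any(value, needles):
    """Sigma '|contains' over a list: case-insensitive substring, any entry."""
    v = (value or "").lower()
    return any(n.lower() in v for n in needles)


def matches_rule(event):
    """Apply 'selection and not 1 of filter_main_* and not 1 of filter_optional_*'.

    `event` is a dict with Sysmon-style field names (assumption). A field
    that is absent simply fails to match, which matters for the filters:
    without ParentCommandLine nothing can be excluded.
    """
    selection = (
        endswith_any(event.get("Image"), SELECTION_IMAGE_ENDSWITH)
        and endswith_any(event.get("ParentImage"), SELECTION_PARENT_ENDSWITH)
    )
    if not selection:
        return False
    parent_cmd = event.get("ParentCommandLine")
    # '1 of filter_main_*' is true when any filter_main_ group matches; this
    # rule has exactly one such group and one filter_optional_ group.
    filter_main = contains_any(parent_cmd, FILTER_MAIN_SVCHOST_CONTAINS)
    filter_optional = contains_any(parent_cmd, FILTER_OPTIONAL_DROPBOX_CONTAINS)
    return not filter_main and not filter_optional


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1: svchost hosting wlidsvc; excluded by filter_main_svchost.
    {"id": 1, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s wlidsvc"},
    # 2: rundll32 parent, no filter match; mixed case exercises the
    #    case-insensitive matching. Expected to alert.
    {"id": 2, "Image": r"C:\WINDOWS\System32\CONHOST.EXE",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "ParentCommandLine": r"rundll32.exe C:\Users\Public\unknown.dll,Start"},
    # 3: cmd.exe is not in the uncommon-parent list; no alert.
    {"id": 3, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c dir"},
    # 4: svchost service group that is not in the filter list; alerts.
    {"id": 4, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k DcomLaunch -p"},
    # 5: rundll32 loading a DLL from the Dropbox client path (constructed
    #    file name); excluded by filter_optional_dropbox.
    {"id": 5, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "ParentCommandLine": r'rundll32.exe "C:\Program Files\Dropbox\Client\DropboxExt.dll",Run'},
    # 6: ParentCommandLine missing (some log sources omit it); the filters
    #    cannot match, so the selection alone decides. Alerts.
    {"id": 6, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\lsass.exe"},
]


def run_detection(events=SAMPLE_EVENTS):
    """Return the ids of the events that trigger the rule."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print("alerting event ids:", run_detection())  # [2, 4, 6]
```

Two points the constructed events make explicit: the filters are keyed on ParentCommandLine, so a log source that does not populate that field will alert on every svchost.exe parent regardless of service group (event 6 shows the mechanism), and an svchost group outside the allow-list (event 4) is treated as uncommon even though the rule's own comments note that DcomLaunch appears as a grandparent on clean systems. In a real pipeline the rule would be compiled by a Sigma backend rather than hand-translated like this.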
Author
Tim Rauch, Elastic (idea)
Created
2022-09-28
Data Sources
windows / Process Creation Events
Platforms
windows
References
https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
Tags
attack.execution, attack.t1059
Raw Content
title: Conhost Spawned By Uncommon Parent Process
id: cbb9e3d1-2386-4e59-912e-62f1484f7a89
status: test
description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
references:
    - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2025-03-06
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\conhost.exe'
        ParentImage|endswith:
            - '\explorer.exe'
            # - '\csrss.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe
            # - '\ctfmon.exe' # Seen several times in a testing environment
            # - '\dllhost.exe' # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p'
            - '\lsass.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\services.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\userinit.exe'
            # - '\wermgr.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe
            - '\wininit.exe'
            - '\winlogon.exe'
    filter_main_svchost:
        ParentCommandLine|contains:
            - '-k apphost -s AppHostSvc'
            - '-k imgsvc'
            - '-k localService -p -s RemoteRegistry'
            - '-k LocalSystemNetworkRestricted -p -s NgcSvc'
            - '-k NetSvcs -p -s NcaSvc'
            - '-k netsvcs -p -s NetSetupSvc'
            - '-k netsvcs -p -s wlidsvc'
            - '-k NetworkService -p -s DoSvc'
            - '-k wsappx -p -s AppXSvc'
            - '-k wsappx -p -s ClipSVC'
            - '-k wusvcs -p -s WaaSMedicSvc'
    filter_optional_dropbox:
        ParentCommandLine|contains:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium