2022-04-05 19:38:43 +02:00
|
|
|
---
|
|
|
|
|
Name: Conhost.exe
|
|
|
|
|
Description: Console Window host
|
|
|
|
|
Author: Wietze Beukema
|
|
|
|
|
Created: 2022-04-05
|
|
|
|
|
Commands:
|
|
|
|
|
- Command: "conhost.exe calc.exe"
|
|
|
|
|
Description: Execute calc.exe with conhost.exe as parent process
|
|
|
|
|
Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures
|
|
|
|
|
Category: Execute
|
|
|
|
|
Privileges: User
|
|
|
|
|
MitreID: T1202
|
|
|
|
|
OperatingSystem: Windows 10, Windows 11
|
2023-02-25 19:47:44 +01:00
|
|
|
- Command: "conhost.exe --headless calc.exe"
|
|
|
|
|
Description: Execute calc.exe with conhost.exe as parent process
|
|
|
|
|
Usecase: Specify --headless parameter to hide child process window (if applicable)
|
|
|
|
|
Category: Execute
|
|
|
|
|
Privileges: User
|
|
|
|
|
MitreID: T1202
|
|
|
|
|
OperatingSystem: Windows 10, Windows 11
|
2022-04-05 19:38:43 +02:00
|
|
|
Full_Path:
|
|
|
|
|
- Path: c:\windows\system32\conhost.exe
|
|
|
|
|
Detection:
|
|
|
|
|
- IOC: conhost.exe spawning unexpected processes
|
2023-10-18 17:30:34 +02:00
|
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
|
2022-04-05 19:38:43 +02:00
|
|
|
Resources:
|
2022-04-07 16:50:39 +02:00
|
|
|
- Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
|
2022-04-05 19:38:43 +02:00
|
|
|
- Link: https://twitter.com/Wietze/status/1511397781159751680
|
2023-02-25 19:47:44 +01:00
|
|
|
- Link: https://twitter.com/embee_research/status/1559410767564181504
|
|
|
|
|
- Link: https://twitter.com/ankit_anubhav/status/1561683123816972288
|
2022-04-05 19:38:43 +02:00
|
|
|
Acknowledgement:
|
2022-04-07 16:50:39 +02:00
|
|
|
- Person: Adam
|
|
|
|
|
Handle: '@hexacorn'
|
2022-04-05 19:38:43 +02:00
|
|
|
- Person: Wietze
|
|
|
|
|
Handle: '@wietze'
|
