LOLBAS/yml/OSBinaries/Conhost.yml

36 lines
1.3 KiB
YAML
Raw Normal View History

2022-04-05 19:38:43 +02:00
---
Name: Conhost.exe
Description: Console Window host
Author: Wietze Beukema
Created: 2022-04-05
Commands:
- Command: "conhost.exe calc.exe"
Description: Execute calc.exe with conhost.exe as parent process
Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
- Command: "conhost.exe --headless calc.exe"
Description: Execute calc.exe with conhost.exe as parent process
Usecase: Specify --headless parameter to hide child process window (if applicable)
Category: Execute
Privileges: User
MitreID: T1202
OperatingSystem: Windows 10, Windows 11
2022-04-05 19:38:43 +02:00
Full_Path:
- Path: c:\windows\system32\conhost.exe
Detection:
- IOC: conhost.exe spawning unexpected processes
- Sigma: https://github.com/SigmaHQ/sigma/blob/bea6f18d350d9c9fdc067f93dde0e9b11cc22dc2/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
2022-04-05 19:38:43 +02:00
Resources:
2022-04-07 16:50:39 +02:00
- Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
2022-04-05 19:38:43 +02:00
- Link: https://twitter.com/Wietze/status/1511397781159751680
- Link: https://twitter.com/embee_research/status/1559410767564181504
- Link: https://twitter.com/ankit_anubhav/status/1561683123816972288
2022-04-05 19:38:43 +02:00
Acknowledgement:
2022-04-07 16:50:39 +02:00
- Person: Adam
Handle: '@hexacorn'
2022-04-05 19:38:43 +02:00
- Person: Wietze
Handle: '@wietze'