mirror of
				https://github.com/LOLBAS-Project/LOLBAS
				synced 2025-10-25 14:55:19 +02:00 
			
		
		
		
	Adding Conhost.exe LOLBAS
		
							
								
								
									
										23
									
								
								yml/OSBinaries/Conhost.yml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
									
								
							| @@ -0,0 +1,23 @@ | ||||
| --- | ||||
| Name: Conhost.exe | ||||
| Description: Console Window host | ||||
| Author: Wietze Beukema | ||||
| Created: 2022-04-05 | ||||
| Commands: | ||||
|   - Command: "conhost.exe calc.exe" | ||||
|     Description: Execute calc.exe with conhost.exe as parent process | ||||
|     Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures | ||||
|     Category: Execute | ||||
|     Privileges: User | ||||
|     MitreID: T1202 | ||||
|     OperatingSystem: Windows 10, Windows 11 | ||||
| Full_Path: | ||||
|   - Path: c:\windows\system32\conhost.exe | ||||
| Detection: | ||||
|   - IOC: conhost.exe spawning unexpected processes | ||||
| Resources: | ||||
|   - Link: https://twitter.com/Wietze/status/1511397781159751680 | ||||
| Acknowledgement: | ||||
|   - Person: Wietze | ||||
|     Handle: '@wietze' | ||||
| --- | ||||
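Review bot: The single Detection entry, "IOC: conhost.exe spawning unexpected processes", does not say what counts as unexpected, so it is hard to turn into a rule. Suggest tying it to the behaviour in the Commands block, for example an IOC along the lines of "conhost.exe started with another executable as its command-line argument" plus the resulting parent/child relationship (conhost.exe as parent of calc.exe in the example). Separately, the closing "---" on the last line is a YAML document-start marker rather than a terminator, so it begins a second, empty document; consider dropping it.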