
Uncommon Child Process Of Conhost.EXE

Summary
This detection rule identifies uncommon child processes of 'conhost.exe', the Microsoft Console Window Host process on Windows. Although 'conhost.exe' appears constantly in legitimate workflows, attackers can also abuse it to facilitate process injection or to execute malicious code within a seemingly legitimate context. The rule looks for processes spawned by 'conhost.exe' that do not match the characteristics of legitimate activity, thereby flagging potential misuse of this process. The detection criteria check whether the parent image ends with '\conhost.exe', while ensuring that the child process does not match a series of filters that signify benign behavior. Events where the Image field is null or empty, or where the provider name matches common, non-threatening activity, are excluded from detection. Using this rule can enhance monitoring on Windows systems by focusing on atypical process behavior that could indicate underlying malicious activity.
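To make the selection-and-filter logic concrete, here is an added example (not the rule's own code and not part of this page) that applies the described logic to a few constructed process-creation events; the Sigma-style field names and the placeholder benign-provider list are assumptions.

```python
# Added example, not the rule's own code: evaluates the rule's stated logic over
# constructed process-creation events. Field names follow Sigma's process_creation
# conventions (ParentImage, Image, Provider_Name).
from typing import Iterable

# Assumption: placeholder for the provider names the rule's benign filter excludes.
BENIGN_PROVIDERS = {"PLACEHOLDER-Benign-Provider"}


def matches_rule(event: dict) -> bool:
    """True when the event would trigger the rule: ParentImage ends with
    '\\conhost.exe' (case-insensitive, as Sigma compares by default) and no
    benign filter applies (empty/null Image, or benign Provider_Name)."""
    parent = (event.get("ParentImage") or "").lower()
    if not parent.endswith("\\conhost.exe"):
        return False                        # selection not met
    if not event.get("Image"):
        return False                        # filter: null or empty Image
    if event.get("Provider_Name") in BENIGN_PROVIDERS:
        return False                        # filter: provider deemed benign
    return True


def find_alerts(events: Iterable[dict]) -> list:
    """Image path of every matching event, in input order."""
    return [e["Image"] for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # cmd.exe spawning conhost.exe is the normal direction: no match.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\conhost.exe", "Provider_Name": "Sysmon"},
    # conhost.exe as parent, Image populated, provider not benign: alert.
    {"ParentImage": r"C:\Windows\System32\conhost.exe",
     "Image": r"C:\Users\Public\tool.exe", "Provider_Name": "Sysmon"},
    # conhost.exe parent but empty Image: excluded by the null/empty filter.
    {"ParentImage": r"C:\Windows\System32\conhost.exe",
     "Image": "", "Provider_Name": "Sysmon"},
    # conhost.exe parent (mixed case) but benign provider: excluded.
    {"ParentImage": r"C:\Windows\System32\CONHOST.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "Provider_Name": "PLACEHOLDER-Benign-Provider"},
]

for hit in find_alerts(SAMPLE_EVENTS):
    print("ALERT: uncommon child of conhost.exe:", hit)
```

Only the second sample event survives both the selection and the filters, which is the behavior the summary describes.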
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Application Log
Created: 2020-10-25