
Conhost Spawned By Uncommon Parent Process

Rule type: sigma · Level: MEDIUM · Source: SigmaHQ · ATT&CK: T1059 · Sentinel table: imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
Retrieved: 2026-05-07T11:00:00Z · Confidence: medium

Hunt Hypothesis

Detects conhost.exe (the Console Window Host) being spawned by a parent that does not normally launch console applications: explorer.exe, lsass.exe, regsvr32.exe, rundll32.exe, services.exe, smss.exe, spoolsv.exe, svchost.exe, userinit.exe, wininit.exe or winlogon.exe. conhost.exe is created on behalf of the process that needs a console, so its recorded parent is normally that console application (cmd.exe, powershell.exe, a CLI tool) or csrss.exe, which the rule's own comments exclude as a legitimate parent. A system process such as lsass.exe or winlogon.exe never legitimately runs a console program, so seeing it as the parent suggests that code executing inside that process, for example injected code, started a console session. The rule keeps explorer.exe and svchost.exe in scope but carves out a list of known service hosts and the Dropbox client by parent command line.

Detection Rule

Sigma (Original)

title: Conhost Spawned By Uncommon Parent Process
id: cbb9e3d1-2386-4e59-912e-62f1484f7a89
status: test
description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
references:
    - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2025-03-06
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\conhost.exe'
        ParentImage|endswith:
            - '\explorer.exe'
            # - '\csrss.exe'  # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe
            # - '\ctfmon.exe'  # Seen several times in a testing environment
            # - '\dllhost.exe'  # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p'
            - '\lsass.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\services.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\userinit.exe'
            # - '\wermgr.exe'  # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe
            - '\wininit.exe'
            - '\winlogon.exe'
    filter_main_svchost:
        ParentCommandLine|contains:
            - '-k apphost -s AppHostSvc'
            - '-k imgsvc'
            - '-k localService -p -s RemoteRegistry'
            - '-k LocalSystemNetworkRestricted -p -s NgcSvc'
            - '-k NetSvcs -p -s NcaSvc'
            - '-k netsvcs -p -s NetSetupSvc'
            - '-k netsvcs -p -s wlidsvc'
            - '-k NetworkService -p -s DoSvc'
            - '-k wsappx -p -s AppXSvc'
            - '-k wsappx -p -s ClipSVC'
            - '-k wusvcs -p -s WaaSMedicSvc'
    filter_optional_dropbox:
        ParentCommandLine|contains:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
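To see what the rule's condition (selection and not 1 of filter_main_* and not 1 of filter_optional_*) actually does on data, the following Python implements the selection and both filters exactly as written in the YAML and runs them over a handful of constructed process_creation events. This is an added example, not code from SigmaHQ or from this page; the field names (Image, ParentImage, ParentCommandLine) follow Sigma's Windows process_creation taxonomy, the sample events are invented, and Sigma's case-insensitive string matching is assumed.

```python
# Added example (not from SigmaHQ): evaluate the "Conhost Spawned By Uncommon
# Parent Process" selection/filter logic over constructed process_creation events.

# selection: ParentImage|endswith (the commented-out parents csrss, ctfmon,
# dllhost and wermgr are deliberately absent, as in the rule)
UNCOMMON_PARENTS = (
    "\\explorer.exe", "\\lsass.exe", "\\regsvr32.exe", "\\rundll32.exe",
    "\\services.exe", "\\smss.exe", "\\spoolsv.exe", "\\svchost.exe",
    "\\userinit.exe", "\\wininit.exe", "\\winlogon.exe",
)

# filter_main_svchost: ParentCommandLine|contains
FILTER_SVCHOST = (
    "-k apphost -s AppHostSvc", "-k imgsvc", "-k localService -p -s RemoteRegistry",
    "-k LocalSystemNetworkRestricted -p -s NgcSvc", "-k NetSvcs -p -s NcaSvc",
    "-k netsvcs -p -s NetSetupSvc", "-k netsvcs -p -s wlidsvc",
    "-k NetworkService -p -s DoSvc", "-k wsappx -p -s AppXSvc",
    "-k wsappx -p -s ClipSVC", "-k wusvcs -p -s WaaSMedicSvc",
)

# filter_optional_dropbox: ParentCommandLine|contains
FILTER_DROPBOX = (
    "C:\\Program Files (x86)\\Dropbox\\Client\\",
    "C:\\Program Files\\Dropbox\\Client\\",
)


def _endswith_any(value, suffixes):
    # Sigma string matching is case-insensitive by default
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value, needles):
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches(event):
    """True when: selection and not 1 of filter_main_* and not 1 of filter_optional_*."""
    selection = (
        _endswith_any(event.get("Image", ""), ("\\conhost.exe",))
        and _endswith_any(event.get("ParentImage", ""), UNCOMMON_PARENTS)
    )
    if not selection:
        return False
    parent_cmdline = event.get("ParentCommandLine", "")
    if _contains_any(parent_cmdline, FILTER_SVCHOST):   # 1 of filter_main_*
        return False
    if _contains_any(parent_cmdline, FILTER_DROPBOX):   # 1 of filter_optional_*
        return False
    return True


# Constructed sample events (invented for this example, not real telemetry)
SAMPLE_EVENTS = [
    # csrss.exe is a normal parent and is not in the selection: no hit
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\csrss.exe",
     "ParentCommandLine": r"%SystemRoot%\system32\csrss.exe"},
    # svchost.exe hosting AppXSvc is excluded by filter_main_svchost: no hit
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k wsappx -p -s AppXSvc"},
    # svchost.exe hosting a service group not in the filter list: hit
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"},
    # lsass.exe should never host a console program: hit
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\lsass.exe",
     "ParentCommandLine": r"C:\Windows\system32\lsass.exe"},
    # not conhost.exe at all: out of scope for this rule
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\lsass.exe",
     "ParentCommandLine": r"C:\Windows\system32\lsass.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Return the parent command lines of all events the rule would alert on."""
    return [e["ParentCommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT conhost.exe spawned by uncommon parent:", hit)
```

Two properties of the rule show up in the sample run. First, an svchost.exe instance hosting any service group outside the eleven listed command lines alerts, so the filter list needs baselining per environment rather than being treated as complete. Second, because the filters match on ParentCommandLine rather than on the parent image, a console launched from code injected into one of the listed service hosts (for example an svchost.exe running -k wsappx -p -s AppXSvc) is filtered out just like the benign case; the filter trades that blind spot for a lower false positive rate.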

KQL (Azure Sentinel)

imProcessCreate
| where TargetProcessName endswith "\\conhost.exe"
    and (
        (ParentProcessName endswith "\\explorer.exe" or ParentProcessName endswith "\\lsass.exe"
            or ParentProcessName endswith "\\regsvr32.exe" or ParentProcessName endswith "\\rundll32.exe"
            or ParentProcessName endswith "\\services.exe" or ParentProcessName endswith "\\smss.exe"
            or ParentProcessName endswith "\\spoolsv.exe" or ParentProcessName endswith "\\svchost.exe"
            or ParentProcessName endswith "\\userinit.exe" or ParentProcessName endswith "\\wininit.exe"
            or ParentProcessName endswith "\\winlogon.exe")
        or (ActingProcessName endswith "\\explorer.exe" or ActingProcessName endswith "\\lsass.exe"
            or ActingProcessName endswith "\\regsvr32.exe" or ActingProcessName endswith "\\rundll32.exe"
            or ActingProcessName endswith "\\services.exe" or ActingProcessName endswith "\\smss.exe"
            or ActingProcessName endswith "\\spoolsv.exe" or ActingProcessName endswith "\\svchost.exe"
            or ActingProcessName endswith "\\userinit.exe" or ActingProcessName endswith "\\wininit.exe"
            or ActingProcessName endswith "\\winlogon.exe")
    )
    and not (ActingProcessCommandLine contains "-k apphost -s AppHostSvc"
        or ActingProcessCommandLine contains "-k imgsvc"
        or ActingProcessCommandLine contains "-k localService -p -s RemoteRegistry"
        or ActingProcessCommandLine contains "-k LocalSystemNetworkRestricted -p -s NgcSvc"
        or ActingProcessCommandLine contains "-k NetSvcs -p -s NcaSvc"
        or ActingProcessCommandLine contains "-k netsvcs -p -s NetSetupSvc"
        or ActingProcessCommandLine contains "-k netsvcs -p -s wlidsvc"
        or ActingProcessCommandLine contains "-k NetworkService -p -s DoSvc"
        or ActingProcessCommandLine contains "-k wsappx -p -s AppXSvc"
        or ActingProcessCommandLine contains "-k wsappx -p -s ClipSVC"
        or ActingProcessCommandLine contains "-k wusvcs -p -s WaaSMedicSvc")
    and not (ActingProcessCommandLine contains "C:\\Program Files (x86)\\Dropbox\\Client\\"
        or ActingProcessCommandLine contains "C:\\Program Files\\Dropbox\\Client\\")

Required Data Sources

Sentinel table: imProcessCreate
Notes: Ensure this data connector is enabled

False Positive Guidance

The rule's own falsepositives field says "Unknown"; all of its tuning lives in the filters and in the commented-out parents. Points to keep in mind when deploying it:

- csrss.exe, ctfmon.exe, dllhost.exe and wermgr.exe were removed from the parent list because they spawn conhost.exe legitimately (csrss.exe and wermgr.exe per EchoTrail, dllhost.exe under a "svchost.exe -k DcomLaunch -p" grandparent, ctfmon.exe in the author's test environment). Do not add them back without baselining first.
- svchost.exe is only partially excluded: filter_main_svchost lists eleven service-host command lines (AppHostSvc, imgsvc, RemoteRegistry, NgcSvc, NcaSvc, NetSetupSvc, wlidsvc, DoSvc, AppXSvc, ClipSVC, WaaSMedicSvc). Any other service group that launches a console helper in your environment will alert; extend the filter with the exact "-k group -p -s service" string you observe rather than dropping svchost.exe from the selection.
- filter_optional_dropbox excludes the Dropbox client by its install path in the parent command line; it is optional and can be removed where Dropbox is not deployed.
- The filters match on the parent command line, not the parent image, so a console launched by code injected into one of the listed service hosts is suppressed along with the benign activity.
- In the ASIM ProcessEvent schema ActingProcess* is the direct parent and ParentProcess* is that parent's parent, so the KQL translation above also fires when only the grandparent is in the list, while both filters are applied to ActingProcessCommandLine only. Expect some extra hits from this when comparing Sentinel results against the Sigma logic.

MITRE ATT&CK Context

- Tactic: Execution (attack.execution)
- Technique: T1059, Command and Scripting Interpreter (attack.t1059). conhost.exe is the console host for command-line programs, so its creation under a parent that never legitimately runs a console is treated as a sign that a command interpreter or other console program was executed from that process. The description frames the behaviour as a possible indicator of code injection into the parent, but the rule carries no tag for that; the execution tag is the only one applied.
References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml