Potentially Suspicious Child Processes Spawned by ConHost
Detects suspicious child processes related to Windows Shell utilities spawned by conhost.exe, which could indicate malicious activity using trusted system components.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Defense Evasion | T1202 Indirect Command Execution, T1218 System Binary Proxy Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Both stages must match the same process-creation event: the parent must be conhost.exe, and the child must be one of the listed shell or script hosts, identified either by its image path or by its PE OriginalFileName.
Stage 1: all of selection_parent
- ParentImage|endswith: '\conhost.exe'
Stage 2: all of selection_child (any one of the following)
- Image|endswith: '\cmd.exe'
- Image|endswith: '\cscript.exe'
- Image|endswith: '\mshta.exe'
- Image|endswith: '\powershell.exe'
- Image|endswith: '\powershell_ise.exe'
- Image|endswith: '\pwsh.exe'
- Image|endswith: '\regsvr32.exe'
- Image|endswith: '\wscript.exe'
- OriginalFileName: cmd.exe
- OriginalFileName: cscript.exe
- OriginalFileName: mshta.exe
- OriginalFileName: powershell.exe
- OriginalFileName: powershell_ise.exe
- OriginalFileName: pwsh.dll
- OriginalFileName: regsvr32.exe
- OriginalFileName: wscript.exe
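The rule logic above, re-implemented as a plain Python matcher and run over constructed Sysmon Event ID 1 records. This is an added example, not code from the rule catalogue or from the Sigma project; the field names (ParentImage, Image, OriginalFileName, EventID) follow the Sysmon event schema the rule targets, and the sample records are made up for the demonstration. Sigma string matching is case-insensitive by default, so each comparison lowercases both sides, and the OriginalFileName branch shows why the rule carries a second predicate: it reads the PE version resource, so a binary launched under a different file name still matches.

```python
# Added example (not from the rule catalogue): the two Sigma stages as Python
# predicates, evaluated over constructed Sysmon Event ID 1 records.

CONHOST_PARENT = "\\conhost.exe"

# Stage 2, branch 1: Image|endswith (compared case-insensitively).
CHILD_IMAGE_SUFFIXES = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell.exe",
    "\\powershell_ise.exe", "\\pwsh.exe", "\\regsvr32.exe", "\\wscript.exe",
)

# Stage 2, branch 2: OriginalFileName equality. The value comes from the PE
# version resource, not the file name on disk; pwsh.exe reports pwsh.dll.
CHILD_ORIGINAL_FILE_NAMES = frozenset(
    name.lower() for name in (
        "cmd.exe", "cscript.exe", "mshta.exe", "powershell.exe",
        "powershell_ise.exe", "pwsh.dll", "regsvr32.exe", "wscript.exe",
    )
)


def selection_parent(event: dict) -> bool:
    """Stage 1: ParentImage|endswith '\\conhost.exe'."""
    return event.get("ParentImage", "").lower().endswith(CONHOST_PARENT)


def selection_child(event: dict) -> bool:
    """Stage 2: the Image suffix OR the OriginalFileName is in the list."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(CHILD_IMAGE_SUFFIXES) or original in CHILD_ORIGINAL_FILE_NAMES


def rule_matches(event: dict) -> bool:
    """condition: all of selection_* -- both stages on the same Sysmon EID 1 event."""
    return event.get("EventID") == 1 and selection_parent(event) and selection_child(event)


# Constructed sample Sysmon Event ID 1 records (not real telemetry).
SAMPLE_EVENTS = [
    {   # conhost -> cmd.exe: fires on the Image suffix
        "EventID": 1, "ParentImage": r"C:\Windows\System32\conhost.exe",
        "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
    },
    {   # conhost -> pwsh under another file name: Image misses, OriginalFileName fires
        "EventID": 1, "ParentImage": r"C:\Windows\System32\conhost.exe",
        "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "pwsh.dll",
    },
    {   # explorer -> cmd.exe: Stage 1 fails, no alert
        "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
    },
    {   # conhost -> notepad.exe: Stage 2 fails, no alert
        "EventID": 1, "ParentImage": r"C:\Windows\System32\conhost.exe",
        "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
    },
]


def alerts(events: list) -> list:
    """Return the Image path of every event the rule fires on, in input order."""
    return [e["Image"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    for image in alerts(SAMPLE_EVENTS):
        print("ALERT: conhost.exe spawned", image)
```

Running the block prints two alerts: the cmd.exe launch and the renamed pwsh launch. The third and fourth records show each stage failing independently, which is the behaviour to keep in mind when tuning: a conhost.exe parent alone is not an alert, and a shell launched by any other parent is outside this rule's scope.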
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Image | ends_with | \cmd.exe, \cscript.exe, \mshta.exe, \powershell.exe, \powershell_ise.exe, \pwsh.exe, \regsvr32.exe, \wscript.exe |
| OriginalFileName | eq | cmd.exe, cscript.exe, mshta.exe, powershell.exe, powershell_ise.exe, pwsh.dll, regsvr32.exe, wscript.exe |
| ParentImage | ends_with | \conhost.exe |