Conhost Spawned By Uncommon Parent Process

Severity: medium
Author: Tim Rauch, Elastic (idea)
Source: upstream

Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059` Command and Scripting Interpreter

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `selection`

or:
ParentImage|endswith: '\explorer.exe'
ParentImage|endswith: '\lsass.exe'
ParentImage|endswith: '\regsvr32.exe'
ParentImage|endswith: '\rundll32.exe'
ParentImage|endswith: '\services.exe'
ParentImage|endswith: '\smss.exe'
ParentImage|endswith: '\spoolsv.exe'
ParentImage|endswith: '\svchost.exe'
ParentImage|endswith: '\userinit.exe'
ParentImage|endswith: '\wininit.exe'
ParentImage|endswith: '\winlogon.exe'
Image|endswith: '\conhost.exe'

Stage 2: `not 1 of filter_main_svchost`

or:
ParentCommandLine|contains: '-k LocalSystemNetworkRestricted -p -s NgcSvc'
ParentCommandLine|contains: '-k NetSvcs -p -s NcaSvc'
ParentCommandLine|contains: '-k NetworkService -p -s DoSvc'
ParentCommandLine|contains: '-k apphost -s AppHostSvc'
ParentCommandLine|contains: '-k imgsvc'
ParentCommandLine|contains: '-k localService -p -s RemoteRegistry'
ParentCommandLine|contains: '-k netsvcs -p -s NetSetupSvc'
ParentCommandLine|contains: '-k netsvcs -p -s wlidsvc'
ParentCommandLine|contains: '-k wsappx -p -s AppXSvc'
ParentCommandLine|contains: '-k wsappx -p -s ClipSVC'
ParentCommandLine|contains: '-k wusvcs -p -s WaaSMedicSvc'

Stage 3: `not 1 of filter_optional_dropbox`

or:
ParentCommandLine|contains: 'C:\Program Files (x86)\Dropbox\Client\'
ParentCommandLine|contains: 'C:\Program Files\Dropbox\Client\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Image`	ends_with	`\conhost.exe` corpus 7 (sigma 7)
`ParentCommandLine`	match	`-k LocalSystemNetworkRestricted -p -s NgcSvc` `-k NetSvcs -p -s NcaSvc` `-k NetworkService -p -s DoSvc` `-k apphost -s AppHostSvc` `-k imgsvc` `-k localService -p -s RemoteRegistry` `-k netsvcs -p -s NetSetupSvc` `-k netsvcs -p -s wlidsvc` `-k wsappx -p -s AppXSvc` `-k wsappx -p -s ClipSVC` `-k wusvcs -p -s WaaSMedicSvc` `C:\Program Files (x86)\Dropbox\Client\` `C:\Program Files\Dropbox\Client\`
`ParentImage`	ends_with	`\explorer.exe` corpus 11 (sigma 11) `\lsass.exe` corpus 3 (sigma 3) `\regsvr32.exe` corpus 11 (sigma 11) `\rundll32.exe` corpus 12 (sigma 12) `\services.exe` corpus 7 (sigma 7) `\smss.exe` corpus 3 (sigma 3) `\spoolsv.exe` corpus 4 (sigma 4) `\svchost.exe` corpus 8 (sigma 8) `\userinit.exe` corpus 3 (sigma 3) `\wininit.exe` corpus 2 (sigma 2) `\winlogon.exe` corpus 3 (sigma 3)