LoFP / legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.

Techniques

Sample rules

Potentially Suspicious Child Processes Spawned by ConHost

Description

Detects suspicious child processes related to Windows Shell utilities spawned by conhost.exe, which could indicate malicious activity using trusted system components.

Detection logic

condition: all of selection_*
selection_child:
- Image|endswith:
  - \cmd.exe
  - \cscript.exe
  - \mshta.exe
  - \powershell_ise.exe
  - \powershell.exe
  - \pwsh.exe
  - \regsvr32.exe
  - \wscript.exe
- OriginalFileName:
  - cmd.exe
  - cscript.exe
  - mshta.exe
  - powershell_ise.exe
  - powershell.exe
  - pwsh.dll
  - regsvr32.exe
  - wscript.exe
selection_parent:
  ParentImage|endswith: \conhost.exe
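To see how the selections above combine, here is an added evaluator for the rule's logic (example code written for this page, not the LoFP catalogue's or the Sigma project's own). It assumes Sysmon process-creation style field names (Image, ParentImage, OriginalFileName, CommandLine), applies Sigma's default case-insensitive string matching, treats the two list items under selection_child as alternatives (Sigma ORs list entries) and ANDs the two selections per `condition: all of selection_*`. The four events are constructed, not captured telemetry.

```python
# Added example: minimal evaluator for the "Potentially Suspicious Child Processes
# Spawned by ConHost" selections, run over constructed Sysmon-style events.

# selection_child, first list item: Image|endswith
SUSPICIOUS_IMAGE_SUFFIXES = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell_ise.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\regsvr32.exe", "\\wscript.exe",
)
# selection_child, second list item: OriginalFileName (PE header name, survives renaming)
SUSPICIOUS_ORIGINAL_NAMES = (
    "cmd.exe", "cscript.exe", "mshta.exe", "powershell_ise.exe",
    "powershell.exe", "pwsh.dll", "regsvr32.exe", "wscript.exe",
)


def selection_child(event):
    """Sigma ORs the entries of a list-valued selection, so either the on-disk
    image name or the PE OriginalFileName is enough. Comparisons are
    case-insensitive, matching Sigma's default string handling."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(SUSPICIOUS_IMAGE_SUFFIXES) or original in SUSPICIOUS_ORIGINAL_NAMES


def selection_parent(event):
    """ParentImage|endswith: \\conhost.exe"""
    return event.get("ParentImage", "").lower().endswith("\\conhost.exe")


def rule_matches(event):
    """condition: all of selection_*"""
    return selection_child(event) and selection_parent(event)


# Constructed sample events (assumed Sysmon EventID 1 field names, not real telemetry).
SAMPLE_EVENTS = [
    # Benign admin shell: the false-positive pattern this LoFP entry documents.
    {"id": "evt-1", "ParentImage": "C:\\Windows\\System32\\conhost.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
    # Renamed PowerShell 7 binary: Image does not match, OriginalFileName pwsh.dll does.
    {"id": "evt-2", "ParentImage": "C:\\Windows\\System32\\conhost.exe",
     "Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": "svc.exe -File task.ps1"},
    # conhost parent but a child outside the list: no match.
    {"id": "evt-3", "ParentImage": "C:\\Windows\\System32\\conhost.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
    # Listed child but the parent is not conhost: no match.
    {"id": "evt-4", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe"},
]


def evaluate(events):
    """Return the ids of events the rule fires on."""
    return [e["id"] for e in events if rule_matches(e)]


def triage_view(events):
    """Matched events with the fields an analyst needs to separate the
    legitimate admin case from a renamed or scripted interpreter."""
    return [(e["id"], e["Image"], e["OriginalFileName"], e["CommandLine"])
            for e in events if rule_matches(e)]


if __name__ == "__main__":
    for row in triage_view(SAMPLE_EVENTS):
        print(row)
```

Running it flags evt-1 and evt-2 only. evt-1 is exactly the benign administrative shell this LoFP entry describes, while evt-2 shows why the OriginalFileName branch exists: the on-disk name tells you nothing, the PE header still does. Tuning the false positive is therefore a matter of looking at CommandLine, user and parent chain on the matched events rather than loosening either selection.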