Potentially Suspicious Child Processes Spawned by ConHost
- source: sigma
- techniques:
  - t1202
  - t1218
Description
Detects suspicious child processes related to Windows Shell utilities spawned by conhost.exe, which could indicate malicious activity using trusted system components.
Detection logic
condition: all of selection_*
selection_child:
    - Image|endswith:
        - \cmd.exe
        - \cscript.exe
        - \mshta.exe
        - \powershell_ise.exe
        - \powershell.exe
        - \pwsh.exe
        - \regsvr32.exe
        - \wscript.exe
    - OriginalFileName:
        - cmd.exe
        - cscript.exe
        - mshta.exe
        - powershell_ise.exe
        - powershell.exe
        - pwsh.dll
        - regsvr32.exe
        - wscript.exe
selection_parent:
    ParentImage|endswith: \conhost.exe
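As an added example, not part of the Sigma rule or this page, the following Python evaluator implements the detection logic above and runs it over constructed Sysmon-style process-creation events. It shows the semantics the rule depends on: the two list items under selection_child are OR-ed (so a renamed binary is still caught through OriginalFileName, which is why pwsh.dll appears alongside pwsh.exe), the values under each field are OR-ed, `|endswith` is a case-insensitive suffix test, and `all of selection_*` AND-s selection_child with selection_parent. Field names follow the Sysmon process_creation schema the rule targets (Image, OriginalFileName, ParentImage); the event records are constructed, not real telemetry.

```python
"""Evaluator for the ConHost child-process rule (added example, not the
page's own code). Sigma semantics implemented here: OR inside a list-of-maps
selection, OR across values of one field, case-insensitive matching, and
`all of selection_*` as AND across selections."""

# Values copied from the rule's detection logic.
CHILD_IMAGE_SUFFIXES = (
    "\\cmd.exe", "\\cscript.exe", "\\mshta.exe", "\\powershell_ise.exe",
    "\\powershell.exe", "\\pwsh.exe", "\\regsvr32.exe", "\\wscript.exe",
)
CHILD_ORIGINAL_FILENAMES = (
    "cmd.exe", "cscript.exe", "mshta.exe", "powershell_ise.exe",
    "powershell.exe", "pwsh.dll", "regsvr32.exe", "wscript.exe",
)
PARENT_IMAGE_SUFFIX = "\\conhost.exe"


def _lower(value):
    # Sigma string matching is case-insensitive by default; missing fields
    # are treated as empty strings and therefore never match.
    return (value or "").lower()


def matches_selection_child(event):
    """OR of the two list items under selection_child."""
    image = _lower(event.get("Image"))
    original = _lower(event.get("OriginalFileName"))
    by_image = any(image.endswith(s.lower()) for s in CHILD_IMAGE_SUFFIXES)
    by_original = original in {n.lower() for n in CHILD_ORIGINAL_FILENAMES}
    return by_image or by_original


def matches_selection_parent(event):
    """ParentImage|endswith: \\conhost.exe"""
    return _lower(event.get("ParentImage")).endswith(PARENT_IMAGE_SUFFIX)


def rule_matches(event):
    """condition: all of selection_*  ->  both selections must hold."""
    return matches_selection_child(event) and matches_selection_parent(event)


# Constructed sample events (assumption: Sysmon process_creation field names).
SAMPLE_EVENTS = [
    {   # renamed PowerShell 7 binary: Image does not match, OriginalFileName does
        "Image": "C:\\Users\\Public\\update.exe",
        "OriginalFileName": "pwsh.dll",
        "ParentImage": "C:\\Windows\\System32\\conhost.exe",
    },
    {   # cmd.exe under conhost.exe: matches
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": "C:\\Windows\\System32\\conhost.exe",
    },
    {   # same child, but the parent is explorer.exe: selection_parent fails
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
    },
    {   # conhost.exe spawning a binary the rule does not list: selection_child fails
        "Image": "C:\\Windows\\System32\\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "ParentImage": "C:\\Windows\\System32\\conhost.exe",
    },
]


def evaluate(events):
    """Return the indices of the events that fire the rule."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['ParentImage']} -> {e['Image']} "
              f"(OriginalFileName={e['OriginalFileName']})")
```

Only the first two constructed events fire: the renamed pwsh binary is caught through OriginalFileName alone, the cmd.exe case through both fields, while the explorer.exe parent and the unlisted notepad.exe child each fail one of the two AND-ed selections.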