legitimate administrative tasks using `conhost.exe` to spawn child processes such as `cmd.exe`, `powershell.exe`, or `regsvr32.exe`.

t1202
t1218
windows
sigma

Techniques

t1202
t1218

Sample rules

Potentially Suspicious Child Processes Spawned by ConHost

source: sigma
technicques:
- t1202
- t1218

Description

Detects suspicious child processes related to Windows Shell utilities spawned by conhost.exe, which could indicate malicious activity using trusted system components.

Detection logic

condition: all of selection_*
selection_child:
- Image|endswith:
  - \cmd.exe
  - \cscript.exe
  - \mshta.exe
  - \powershell_ise.exe
  - \powershell.exe
  - \pwsh.exe
  - \regsvr32.exe
  - \wscript.exe
- OriginalFileName:
  - cmd.exe
  - cscript.exe
  - mshta.exe
  - powershell_ise.exe
  - powershell.exe
  - pwsh.dll
  - regsvr32.exe
  - wscript.exe
selection_parent:
  ParentImage|endswith: \conhost.exe