Techniques
Sample rules
Suspicious High IntegrityLevel Conhost Legacy Option
- source: sigma
- techniques:
- t1202
Description
The -ForceV1 switch makes conhost.exe request information directly from kernel space via the legacy console path. Conhost is the console host that attaches to console applications. A High IntegrityLevel means the process is running with elevated privileges, such as in an Administrator context.
Detection logic
condition: selection
selection:
  CommandLine|contains|all:
    - conhost.exe
    - '0xffffffff'
    - -ForceV1
  IntegrityLevel:
    - High
    - S-1-16-12288
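To show how the selection above is evaluated, here is an added Python evaluator that is not part of the Sigma rule or of this page. It applies the rule's two tests (a `contains|all` match on CommandLine and an OR over the listed IntegrityLevel values, both case-insensitive as Sigma string matching is) to a handful of constructed process-creation events in the Sysmon-style field layout the rule expects; the sample events are invented for the demonstration, not real telemetry.

```python
"""Evaluate the 'Suspicious High IntegrityLevel Conhost Legacy Option' selection
against process-creation events. Added example; not the rule's own tooling."""

# Rule values transcribed from the detection logic above.
COMMANDLINE_ALL = ["conhost.exe", "0xffffffff", "-ForceV1"]
INTEGRITY_LEVELS = ["High", "S-1-16-12288"]  # S-1-16-12288 is the High Mandatory Level SID


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'condition: selection'."""
    # Sigma string modifiers match case-insensitively, so normalise both sides.
    cmdline = str(event.get("CommandLine", "")).lower()
    # CommandLine|contains|all: every listed substring must appear.
    if not all(token.lower() in cmdline for token in COMMANDLINE_ALL):
        return False
    # IntegrityLevel with a plain list: any listed value matches (logical OR).
    level = str(event.get("IntegrityLevel", "")).lower()
    return level in {v.lower() for v in INTEGRITY_LEVELS}


# Constructed sample events (hypothetical, not captured logs).
SAMPLE_EVENTS = [
    {   # elevated conhost started with the legacy switch: should alert
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
        "IntegrityLevel": "High",
    },
    {   # same command line at medium integrity: no alert
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
        "IntegrityLevel": "Medium",
    },
    {   # elevated conhost without -ForceV1: no alert
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff",
        "IntegrityLevel": "High",
    },
    {   # integrity level given as its SID, switch in different case: should alert
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r"conhost.exe 0xffffffff -forcev1",
        "IntegrityLevel": "S-1-16-12288",
    },
]


def alerting_events(events=SAMPLE_EVENTS) -> list:
    """Indices of the events that trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i in alerting_events():
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {ev['CommandLine']} ({ev['IntegrityLevel']})")
```

Running the file reports events 0 and 3; the medium-integrity launch and the launch without -ForceV1 are suppressed, which is the behaviour to confirm before deploying the rule against a real process_creation log source.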