Conhost Spawned By Suspicious Parent Process
Detection of Console Window Host (conhost.exe) being spawned by unusual parent processes, potentially indicating code injection or other malicious activity on Windows systems.
This detection identifies instances where the Console Window Host (conhost.exe) process is spawned by a suspicious parent process. conhost.exe is the Windows system process that hosts console windows; on current Windows versions it is created as a child of the process that uses the console, so its parent is normally a console application such as cmd.exe or powershell.exe. Its spawning by processes such as lsass.exe, services.exe, smss.exe, winlogon.exe, explorer.exe, dllhost.exe, rundll32.exe, regsvr32.exe, userinit.exe, wininit.exe, spoolsv.exe, or ctfmon.exe is unusual, because none of these processes normally allocates a console, and can indicate code injection, exploitation, or other malicious activity running inside them. The rule excludes specific rundll32.exe scenarios related to MSI installers and PCA (Program Compatibility Assistant) to reduce false positives. This behavior is important for defenders as it can reveal attempts to hide malicious activity or bypass security controls by leveraging legitimate system processes. The rule leverages process monitoring data from various sources including Elastic Defend, Microsoft Defender XDR, and SentinelOne Cloud Funnel.
Attack Chain
- An attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).
- The attacker injects malicious code into a legitimate process (e.g., explorer.exe, dllhost.exe).
- The injected code executes, requiring a console window.
- The compromised parent process (e.g., explorer.exe) spawns conhost.exe.
- The attacker uses the console window for further command execution.
- The attacker performs reconnaissance, lateral movement, or data exfiltration.
- The attacker attempts to establish persistence on the system.
- The attacker achieves their final objective, such as data theft or system compromise.
Impact
A successful intrusion of this kind can lead to complete system compromise, data theft, credential harvesting, and the installation of malware. The attacker can use the compromised system as a launchpad for lateral movement within the network, potentially affecting numerous other systems. Organizations can experience data breaches, financial losses, reputational damage, and operational disruptions. If the parent is a SYSTEM-integrity process such as lsass.exe or services.exe, the injected code already runs with SYSTEM privileges, and in the case of lsass.exe has direct access to cached credential material, exacerbating the impact.
Recommendation
- Enable process creation logging with command line details using Sysmon or a similar tool to detect the spawning of conhost.exe by suspicious parent processes.
- Deploy the “Conhost Spawned By Suspicious Parent Process” Sigma rule to your SIEM and tune the rule to your environment, specifically focusing on the excluded processes.
- Investigate any alerts generated by the Sigma rule by examining the parent process’s ancestry, command line, and network connections.
- Monitor process creation events for conhost.exe launched by rundll32.exe with arguments other than the excluded MSI installer and PCA patterns; the exclusion is deliberately narrow and should not be widened to all of rundll32.exe.
- Implement application control policies to prevent the execution of unauthorized processes, including conhost.exe from unexpected locations.
- Correlate process creation events with network connection logs to identify any suspicious network activity originating from the compromised process.
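The following is an added example, not the Sigma rule itself and not code from the rule's authors. It implements the detection logic described above (conhost.exe with a parent from the suspicious list, minus the rundll32.exe carve-outs) and runs it over constructed Sysmon Event ID 1-style records. The two exclusion substrings for the MSI installer and PCA cases are assumptions standing in for the rule's own filter strings; check them against the deployed rule and tune them to your environment before use.

```python
"""Detect conhost.exe spawned by a suspicious parent over process-creation
records. Added example; the parent list follows the rule description, the
rundll32 exclusion patterns are assumptions to be tuned."""

import ntpath

SUSPICIOUS_PARENTS = {
    "lsass.exe", "services.exe", "smss.exe", "winlogon.exe", "explorer.exe",
    "dllhost.exe", "rundll32.exe", "regsvr32.exe", "userinit.exe",
    "wininit.exe", "spoolsv.exe", "ctfmon.exe",
}

# Assumed exclusion patterns (case-insensitive substring match on the parent's
# command line), mirroring the rule's MSI-installer and PCA carve-outs.
RUNDLL32_EXCLUSIONS = (
    r"\windows\installer\msi",   # MSI custom-action DLLs unpacked by msiexec
    "pcaui.dll",                 # Program Compatibility Assistant UI
)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(image).lower()


def is_suspicious_conhost(event: dict) -> bool:
    """True when the event is conhost.exe started by a listed parent and the
    rundll32 exclusions do not apply."""
    if basename(event.get("Image", "")) != "conhost.exe":
        return False
    parent = basename(event.get("ParentImage", ""))
    if parent not in SUSPICIOUS_PARENTS:
        return False
    if parent == "rundll32.exe":
        cmd = event.get("ParentCommandLine", "").lower()
        if any(pat in cmd for pat in RUNDLL32_EXCLUSIONS):
            return False
    return True


def triage(events):
    """Return the matching events with the fields an analyst pivots on."""
    hits = []
    for e in events:
        if is_suspicious_conhost(e):
            hits.append({
                "ParentImage": e["ParentImage"],
                "ParentCommandLine": e.get("ParentCommandLine", ""),
                "ParentProcessId": e.get("ParentProcessId"),
                "reason": f"conhost.exe spawned by {basename(e['ParentImage'])}",
            })
    return hits


# Constructed sample events (not real telemetry).
CONHOST = r"C:\Windows\System32\conhost.exe"
CONHOST_CMD = r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"
SAMPLE_EVENTS = [
    {   # benign: cmd.exe is a console application and always hosts a console
        "Image": CONHOST, "CommandLine": CONHOST_CMD,
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'"C:\Windows\System32\cmd.exe" /c whoami',
        "ParentProcessId": 4120,
    },
    {   # suspicious: lsass.exe never allocates a console on its own
        "Image": CONHOST, "CommandLine": CONHOST_CMD,
        "ParentImage": r"C:\Windows\System32\lsass.exe",
        "ParentCommandLine": r"C:\Windows\system32\lsass.exe",
        "ParentProcessId": 712,
    },
    {   # excluded: rundll32 running an MSI custom action (assumed pattern)
        "Image": CONHOST, "CommandLine": CONHOST_CMD,
        "ParentImage": r"C:\Windows\System32\rundll32.exe",
        "ParentCommandLine": r'rundll32.exe "C:\Windows\Installer\MSI1234.tmp",zzzzInvokeManagedCustomActionOutOfProc',
        "ParentProcessId": 5320,
    },
    {   # suspicious: rundll32 loading a DLL from a user-writable path
        "Image": CONHOST, "CommandLine": CONHOST_CMD,
        "ParentImage": r"C:\Windows\System32\rundll32.exe",
        "ParentCommandLine": r"rundll32.exe C:\Users\Public\update.dll,Start",
        "ParentProcessId": 6044,
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["reason"], "| parent pid", hit["ParentProcessId"], "|", hit["ParentCommandLine"])
```

Running it flags the lsass.exe and the user-path rundll32.exe records and stays quiet on cmd.exe and the MSI custom action, which is the behaviour the rule's exclusions are meant to produce. Matching on the parent's command line rather than on rundll32.exe as a whole is the point to preserve when tuning: widening the carve-out to every rundll32.exe parent would also hide the fourth sample.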
Detection coverage
- Conhost Spawned By Suspicious Parent Process (severity: high): Detects when conhost.exe is spawned by a suspicious parent process which could indicate code injection or other malicious activity.
- Conhost Spawned By Uncommon Process (severity: medium): Detects when conhost.exe is spawned by a process that is not typically associated with console applications.