{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/code_injection/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["execution","code_injection","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","Microsoft","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies instances where the Console Window Host (conhost.exe) process is spawned by a suspicious parent process. The conhost.exe process is a Windows system process that manages console windows. Its spawning by processes such as lsass.exe, services.exe, smss.exe, winlogon.exe, explorer.exe, dllhost.exe, rundll32.exe, regsvr32.exe, userinit.exe, wininit.exe, spoolsv.exe, or ctfmon.exe is unusual and can be indicative of code injection, exploitation, or other malicious activities. The rule excludes specific rundll32.exe scenarios related to MSI installers and PCA to reduce false positives. This behavior is important for defenders as it can reveal attempts to hide malicious activity or bypass security controls by leveraging legitimate system processes. The rule leverages process monitoring data from various sources including Elastic Defend, Microsoft Defender XDR, and SentinelOne Cloud Funnel.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious code into a legitimate process (e.g., explorer.exe, dllhost.exe).\u003c/li\u003e\n\u003cli\u003eThe injected code executes, requiring a console window.\u003c/li\u003e\n\u003cli\u003eThe compromised parent process (e.g., explorer.exe) spawns conhost.exe.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the console window for further command execution.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance, lateral movement, or data exfiltration.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to establish persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, data theft, credential harvesting, and the installation of malware. The attacker can use the compromised system as a launchpad for lateral movement within the network, potentially affecting numerous other systems. Organizations can experience data breaches, financial losses, reputational damage, and operational disruptions. Due to the high privileges of some parent processes, such as lsass.exe or services.exe, the attacker can gain elevated privileges, exacerbating the impact.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging with command line details using Sysmon or a similar tool to detect the spawning of \u003ccode\u003econhost.exe\u003c/code\u003e by suspicious parent processes.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Conhost Spawned By Suspicious Parent Process\u0026rdquo; Sigma rule to your SIEM and tune the rule to your environment, specifically focusing on the excluded processes.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by examining the parent process\u0026rsquo;s ancestry, command line, and network connections.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for \u003ccode\u003econhost.exe\u003c/code\u003e being launched by processes other than those listed in the rule\u0026rsquo;s exclusion list, specifically \u003ccode\u003erundll32.exe\u003c/code\u003e with specific arguments.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to prevent the execution of unauthorized processes, including \u003ccode\u003econhost.exe\u003c/code\u003e from unexpected locations.\u003c/li\u003e\n\u003cli\u003eCorrelate process creation events with network connection logs to identify any suspicious network activity originating from the compromised process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:22:00Z","date_published":"2024-01-03T18:22:00Z","id":"/briefs/2024-01-conhost-suspicious-parent/","summary":"Detection of Console Window Host (conhost.exe) being spawned by unusual parent processes, potentially indicating code injection or other malicious activity on Windows systems.","title":"Conhost Spawned By Suspicious Parent Process","url":"https://feed.craftedsignal.io/briefs/2024-01-conhost-suspicious-parent/"}],"language":"en","title":"CraftedSignal Threat Feed — Code_injection","version":"https://jsonfeed.org/version/1.1"}