conhost.exe

  • File Path: C:\Windows\system32\conhost.exe
  • Description: Console Window Host

Hashes

Type Hash
MD5 073E88797983A660B454098E9EF97067
SHA1 A1E4B2CC40A39BF64012D1411F92B12D1F9791E8
SHA256 57B0CCD3AEBC6C7126E7C19F5DAC492DF51D904A505C5F5B0CB02270D53F8684
SHA384 B26A3DF0F4E15E4E85BE05E4C1C44AF4A9FDF89E4CE9C6AABF794562B58A561EB4BB80A0C66DF02B54EBA8E22DE11ECA
SHA512 BCD629220D94B2AF5BFCB1ABAE204AAB7E0B22EAAD3CE6CE2333C10B02A09DAF511132BAC98598CED28CBBD046111B86FE073FB7C0A034C2DE7FBB66BA273FF8
SSDEEP 12288:vCizPzIITF3oN/baXEz3de4X+9MMBeVm/FzYeRBlPC:qizEITF3oBRzrSMbVYFzYGBA
IMP AFFE8C3BE3BBE4F0AC2EF124256F372D
PESHA1 BF58014BA5B120BED91B7FB8D8C688E44E3C4AE7
PE256 531859FBA0BF1F531D6E3005A023833087ECB639667B5B268C39AFBF9F03A069

Runtime Data

Usage (stdout):

For more information on a specific command, type HELP command-name
ASSOC          Displays or modifies file extension associations.
ATTRIB         Displays or changes file attributes.
BREAK          Sets or clears extended CTRL+C checking.
BCDEDIT        Sets properties in boot database to control boot loading.
CACLS          Displays or modifies access control lists (ACLs) of files.
CALL           Calls one batch program from another.
CD             Displays the name of or changes the current directory.
CHCP           Displays or sets the active code page number.
CHDIR          Displays the name of or changes the current directory.
CHKDSK         Checks a disk and displays a status report.
CHKNTFS        Displays or modifies the checking of disk at boot time.
CLS            Clears the screen.
CMD            Starts a new instance of the Windows command interpreter.
COLOR          Sets the default console foreground and background colors.
COMP           Compares the contents of two files or sets of files.
COMPACT        Displays or alters the compression of files on NTFS partitions.
CONVERT        Converts FAT volumes to NTFS.  You cannot convert the
               current drive.
COPY           Copies one or more files to another location.
DATE           Displays or sets the date.
DEL            Deletes one or more files.
DIR            Displays a list of files and subdirectories in a directory.
DISKPART       Displays or configures Disk Partition properties.
DOSKEY         Edits command lines, recalls Windows commands, and
               creates macros.
DRIVERQUERY    Displays current device driver status and properties.
ECHO           Displays messages, or turns command echoing on or off.
ENDLOCAL       Ends localization of environment changes in a batch file.
ERASE          Deletes one or more files.
EXIT           Quits the CMD.EXE program (command interpreter).
FC             Compares two files or sets of files, and displays the
               differences between them.
FIND           Searches for a text string in a file or files.
FINDSTR        Searches for strings in files.
FOR            Runs a specified command for each file in a set of files.
FORMAT         Formats a disk for use with Windows.
FSUTIL         Displays or configures the file system properties.
FTYPE          Displays or modifies file types used in file extension
               associations.
GOTO           Directs the Windows command interpreter to a labeled line in
               a batch program.
GPRESULT       Displays Group Policy information for machine or user.
GRAFTABL       Enables Windows to display an extended character set in
               graphics mode.
HELP           Provides Help information for Windows commands.
ICACLS         Display, modify, backup, or restore ACLs for files and
               directories.
IF             Performs conditional processing in batch programs.
LABEL          Creates, changes, or deletes the volume label of a disk.
MD             Creates a directory.
MKDIR          Creates a directory.
MKLINK         Creates Symbolic Links and Hard Links
MODE           Configures a system device.
MORE           Displays output one screen at a time.
MOVE           Moves one or more files from one directory to another
               directory.
OPENFILES      Displays files opened by remote users for a file share.
PATH           Displays or sets a search path for executable files.
PAUSE          Suspends processing of a batch file and displays a message.
POPD           Restores the previous value of the current directory saved by
               PUSHD.
PRINT          Prints a text file.
PROMPT         Changes the Windows command prompt.
PUSHD          Saves the current directory then changes it.
RD             Removes a directory.
RECOVER        Recovers readable information from a bad or defective disk.
REM            Records comments (remarks) in batch files or CONFIG.SYS.
REN            Renames a file or files.
RENAME         Renames a file or files.
REPLACE        Replaces files.
RMDIR          Removes a directory.
ROBOCOPY       Advanced utility to copy files and directory trees
SET            Displays, sets, or removes Windows environment variables.
SETLOCAL       Begins localization of environment changes in a batch file.
SC             Displays or configures services (background processes).
SCHTASKS       Schedules commands and programs to run on a computer.
SHIFT          Shifts the position of replaceable parameters in batch files.
SHUTDOWN       Allows proper local or remote shutdown of machine.
SORT           Sorts input.
START          Starts a separate window to run a specified program or command.
SUBST          Associates a path with a drive letter.
SYSTEMINFO     Displays machine specific properties and configuration.
TASKLIST       Displays all currently running tasks including services.
TASKKILL       Kill or stop a running process or application.
TIME           Displays or sets the system time.
TITLE          Sets the window title for a CMD.EXE session.
TREE           Graphically displays the directory structure of a drive or
               path.
TYPE           Displays the contents of a text file.
VER            Displays the Windows version.
VERIFY         Tells Windows whether to verify that your files are written
               correctly to a disk.
VOL            Displays a disk volume label and serial number.
XCOPY          Copies files and directory trees.
WMIC           Displays WMI information inside interactive command shell.

For more information on tools see the command-line reference in the online help.

Loaded Modules:

Path
C:\Windows\System32\advapi32.dll
C:\Windows\System32\combase.dll
C:\Windows\system32\conhost.exe
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\ucrtbase.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CONHOST.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/57b0ccd3aebc6c7126e7c19f5dac492df51d904a505c5f5b0cb02270d53f8684/detection

Possible Misuse

The following table contains possible examples of conhost.exe being misused. While conhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_creation_system_file.yml - '\conhost.exe' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml CommandLine\|contains: 'conhost.exe 0xffffffff -ForceV1' DRL 1.0
sigma proc_creation_win_exploit_cve_2020_1350.yml - '\System32\conhost.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'CONHOST.EXE' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\conhost.exe' DRL 1.0
sigma proc_creation_win_susp_conhost.yml title: Conhost Parent Process Executions DRL 1.0
sigma proc_creation_win_susp_conhost.yml description: Detects the conhost execution as parent process. Can be used to evaded defense mechanism. DRL 1.0
sigma proc_creation_win_susp_conhost.yml ParentImage\|endswith: '\conhost.exe' DRL 1.0
sigma proc_creation_win_susp_conhost.yml - Unlikely, conhost is a child less process DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\conhost.exe' DRL 1.0
sigma proc_creation_win_uac_wsreset.yml Image\|endswith: '\conhost.exe' DRL 1.0
atomic-red-team index.md - Atomic Test #3: Indirect Command Execution - conhost.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Indirect Command Execution - conhost.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1202.md - Atomic Test #3 - Indirect Command Execution - conhost.exe MIT License. © 2018 Red Canary
atomic-red-team T1202.md ## Atomic Test #3 - Indirect Command Execution - conhost.exe MIT License. © 2018 Red Canary
atomic-red-team T1202.md conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer. MIT License. © 2018 Red Canary
atomic-red-team T1202.md conhost.exe "#{process}" MIT License. © 2018 Red Canary
signature-base apt_between-hk-and-burma.yar $file1 = "\Microsoft\Internet Explorer\conhost.exe" CC BY-NC 4.0
signature-base apt_oilrig.yar $two4 = "/Delete /F /TN Conhost & del" ascii wide CC BY-NC 4.0
signature-base apt_winnti.yar $a10 = "\conhost.exe" wide CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file conhost.exe" CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == "conhost.exe" CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.