conhost.exe

  • File Path: C:\WINDOWS\system32\conhost.exe
  • Description: Console Window Host

Hashes

Type Hash
MD5 C5E9B1D1103EDCEA2E408E9497A5A88F
SHA1 11996F32DD85863A8C3BFF6D520F788A9211C8F7
SHA256 BAF97B2A629723947539CFF84E896CD29565AB4BB68B0CEC515EB5C5D6637B69
SHA384 AC7A24C079ACEB73459195DFB004A8E83D08DF6B8FB4F2086C93CE9B9AC59DE625ACE054D8E4E819B21454F624F8BB3F
SHA512 C89BC2FEE4AE283BB69826B881CBF535021A2093C03FADCE6A6AD61500EC433BCCEB6A7891A37967122CEF38515237CC9912EC6C0C31D8E8DE5D3D3536E22642
SSDEEP 24576:lw7XHXSGNllqbnh07sgypfLt2k7b5CiXUfa3:w3pIbnh07SpZ7NCiXUfa3

Runtime Data

Usage (stdout):

CHCP           Displays or sets the active code page number.
CHDIR          Displays the name of or changes the current directory.
CHKDSK         Checks a disk and displays a status report.
CHKNTFS        Displays or modifies the checking of disk at boot time.
CLS            Clears the screen.
CMD            Starts a new instance of the Windows command interpreter.
COLOR          Sets the default console foreground and background colors.
COMP           Compares the contents of two files or sets of files.
COMPACT        Displays or alters the compression of files on NTFS partitions.
CONVERT        Converts FAT volumes to NTFS.  You cannot convert the
               current drive.
COPY           Copies one or more files to another location.
DATE           Displays or sets the date.
DEL            Deletes one or more files.
DIR            Displays a list of files and subdirectories in a directory.
DISKPART       Displays or configures Disk Partition properties.
DOSKEY         Edits command lines, recalls Windows commands, and
               creates macros.
DRIVERQUERY    Displays current device driver status and properties.
ECHO           Displays messages, or turns command echoing on or off.
ENDLOCAL       Ends localization of environment changes in a batch file.
ERASE          Deletes one or more files.
EXIT           Quits the CMD.EXE program (command interpreter).
FC             Compares two files or sets of files, and displays the
               differences between them.
FIND           Searches for a text string in a file or files.
FINDSTR        Searches for strings in files.
FOR            Runs a specified command for each file in a set of files.
FORMAT         Formats a disk for use with Windows.
FSUTIL         Displays or configures the file system properties.
FTYPE          Displays or modifies file types used in file extension
               associations.
GOTO           Directs the Windows command interpreter to a labeled line in
               a batch program.
GPRESULT       Displays Group Policy information for machine or user.
GRAFTABL       Enables Windows to display an extended character set in
               graphics mode.
HELP           Provides Help information for Windows commands.
ICACLS         Display, modify, backup, or restore ACLs for files and
               directories.
IF             Performs conditional processing in batch programs.
LABEL          Creates, changes, or deletes the volume label of a disk.
MD             Creates a directory.
MKDIR          Creates a directory.
MKLINK         Creates Symbolic Links and Hard Links
MODE           Configures a system device.
MORE           Displays output one screen at a time.
MOVE           Moves one or more files from one directory to another
               directory.
OPENFILES      Displays files opened by remote users for a file share.
PATH           Displays or sets a search path for executable files.
PAUSE          Suspends processing of a batch file and displays a message.
POPD           Restores the previous value of the current directory saved by
               PUSHD.
PRINT          Prints a text file.
PROMPT         Changes the Windows command prompt.
PUSHD          Saves the current directory then changes it.
RD             Removes a directory.
RECOVER        Recovers readable information from a bad or defective disk.
REM            Records comments (remarks) in batch files or CONFIG.SYS.
REN            Renames a file or files.
RENAME         Renames a file or files.
REPLACE        Replaces files.
RMDIR          Removes a directory.
ROBOCOPY       Advanced utility to copy files and directory trees
SET            Displays, sets, or removes Windows environment variables.
SETLOCAL       Begins localization of environment changes in a batch file.
SC             Displays or configures services (background processes).
SCHTASKS       Schedules commands and programs to run on a computer.
SHIFT          Shifts the position of replaceable parameters in batch files.
SHUTDOWN       Allows proper local or remote shutdown of machine.
SORT           Sorts input.
START          Starts a separate window to run a specified program or command.
SUBST          Associates a path with a drive letter.
SYSTEMINFO     Displays machine specific properties and configuration.
TASKLIST       Displays all currently running tasks including services.
TASKKILL       Kill or stop a running process or application.
TIME           Displays or sets the system time.
TITLE          Sets the window title for a CMD.EXE session.
TREE           Graphically displays the directory structure of a drive or
               path.
TYPE           Displays the contents of a text file.
VER            Displays the Windows version.
VERIFY         Tells Windows whether to verify that your files are written
               correctly to a disk.
VOL            Displays a disk volume label and serial number.
XCOPY          Copies files and directory trees.
WMIC           Displays WMI information inside interactive command shell.

For more information on tools see the command-line reference in the online help.

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CONHOST.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of conhost.exe being misused. While conhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | file_event_win_creation_system_file.yml | - '\conhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_cobaltstrike_process_patterns.yml | CommandLine\|contains: 'conhost.exe 0xffffffff -ForceV1' | DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2020_1350.yml | - '\System32\conhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - 'CONHOST.EXE' | DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - '\conhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_conhost.yml | title: Conhost Parent Process Executions | DRL 1.0 |
| sigma | proc_creation_win_susp_conhost.yml | description: Detects the conhost execution as parent process. Can be used to evaded defense mechanism. | DRL 1.0 |
| sigma | proc_creation_win_susp_conhost.yml | ParentImage\|endswith: '\conhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_conhost.yml | - Unlikely, conhost is a child less process | DRL 1.0 |
| sigma | proc_creation_win_system_exe_anomaly.yml | - '\conhost.exe' | DRL 1.0 |
| sigma | proc_creation_win_uac_wsreset.yml | Image\|endswith: '\conhost.exe' | DRL 1.0 |
| atomic-red-team | index.md | - Atomic Test #3: Indirect Command Execution - conhost.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Indirect Command Execution - conhost.exe [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | - Atomic Test #3 - Indirect Command Execution - conhost.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | ## Atomic Test #3 - Indirect Command Execution - conhost.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1202.md | conhost.exe "#{process}" | MIT License. © 2018 Red Canary |
| signature-base | apt_between-hk-and-burma.yar | $file1 = "\Microsoft\Internet Explorer\conhost.exe" | CC BY-NC 4.0 |
| signature-base | apt_oilrig.yar | $two4 = "/Delete /F /TN Conhost & del" ascii wide | CC BY-NC 4.0 |
| signature-base | apt_winnti.yar | $a10 = "\conhost.exe" wide | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | description = "Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file conhost.exe" | CC BY-NC 4.0 |
| signature-base | thor_inverse_matches.yar | filename == "conhost.exe" | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.