conhost.exe

  • File Path: C:\Windows\system32\conhost.exe
  • Description: Console Window Host

Hashes

Type Hash
MD5 D752C96401E2540A443C599154FC6FA9
SHA1 00667A0F0C0D5E9DA697E9FF54ECDDD449259354
SHA256 046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0
SHA384 AD67D3EDBB13C362730836F72850B01A0E5A0F8C5155D50FC21A1BBE6799B356C54C0CD182C644A17BDD48C240AB244A
SHA512 DDEFBDD11FF0A4B3F47155331479E4D01852C1EA7670A7E449F3AD5F0AA0EAFED4146B91AEDC50328BC1BF80395B1E7E51E42A0B8507BBBFDEE5ACD9867073F4
SSDEEP 384:MJrgzqNPdIb4NQUFiuBGPnUixUXeYKSWhnWUOufano5wACtQMyBs:MFVVdvQUnGPUixUOYK1SuYotCtGBs

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CONHOST.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\winsrv.dll 40

Possible Misuse

The following table contains possible examples of conhost.exe being misused. While conhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_creation_system_file.yml - '\conhost.exe' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml CommandLine\|contains: 'conhost.exe 0xffffffff -ForceV1' DRL 1.0
sigma proc_creation_win_exploit_cve_2020_1350.yml - '\System32\conhost.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'CONHOST.EXE' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\conhost.exe' DRL 1.0
sigma proc_creation_win_susp_conhost.yml title: Conhost Parent Process Executions DRL 1.0
sigma proc_creation_win_susp_conhost.yml description: Detects the conhost execution as parent process. Can be used to evaded defense mechanism. DRL 1.0
sigma proc_creation_win_susp_conhost.yml ParentImage\|endswith: '\conhost.exe' DRL 1.0
sigma proc_creation_win_susp_conhost.yml - Unlikely, conhost is a child less process DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\conhost.exe' DRL 1.0
sigma proc_creation_win_uac_wsreset.yml Image\|endswith: '\conhost.exe' DRL 1.0
atomic-red-team index.md - Atomic Test #3: Indirect Command Execution - conhost.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Indirect Command Execution - conhost.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1202.md - Atomic Test #3 - Indirect Command Execution - conhost.exe MIT License. © 2018 Red Canary
atomic-red-team T1202.md ## Atomic Test #3 - Indirect Command Execution - conhost.exe MIT License. © 2018 Red Canary
atomic-red-team T1202.md conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer. MIT License. © 2018 Red Canary
atomic-red-team T1202.md conhost.exe “#{process}” MIT License. © 2018 Red Canary
signature-base apt_between-hk-and-burma.yar $file1 = “\Microsoft\Internet Explorer\conhost.exe” CC BY-NC 4.0
signature-base apt_oilrig.yar $two4 = “/Delete /F /TN Conhost & del” ascii wide CC BY-NC 4.0
signature-base apt_winnti.yar $a10 = “\conhost.exe” wide CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file conhost.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “conhost.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.