conhost.exe

File Path: C:\windows\system32\conhost.exe
Description: Console Window Host

Hashes

Type	Hash
MD5	`EAA3EE12B2CAA0365F2B4D495B50AD22`
SHA1	`26E0C2405C62E3DC6AB0527D0A5787C2484664E8`
SHA256	`F30686DD09B81D4080AB58DEF209173772FA132FA3762688274270AFA6407872`
SHA384	`4DE79298052B1FBE3241F8117BB4CF1D2EA3B9A375A9ECE10A33039006C885F91AD4DE1302C9E80B60F4470F9A758FC1`
SHA512	`54C8945DCC3313B72FABC7C377350E5AACD626342652F6761E2415A653D3FE6C443FFA02AB36FDF61725266CDFE4EA174E2E196768B1F99096227EDF66032774`
SSDEEP	`6144:DFfLdxsj3kCyrith2E/ZFgCcnUlPZYylSb/4wmb0MOZUWhGWjcj2m:RjYTks2E/vgCHPzIQqrtmq`

Signature

Status: The file C:\windows\system32\conhost.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
Serial: ``
Thumbprint: ``
Issuer:
Subject:

File Metadata

Original Filename: CONHOST.EXE.MUI
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
Product Version: 6.3.9600.16384
Language: English (United States)

Possible Misuse

The following table contains possible examples of conhost.exe being misused. While conhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	file_event_win_creation_system_file.yml	`- '\conhost.exe'`	DRL 1.0
sigma	proc_creation_win_cobaltstrike_process_patterns.yml	`CommandLine\\|contains: 'conhost.exe 0xffffffff -ForceV1'`	DRL 1.0
sigma	proc_creation_win_exploit_cve_2020_1350.yml	`- '\System32\conhost.exe'`	DRL 1.0
sigma	proc_creation_win_renamed_binary.yml	`- 'CONHOST.EXE'`	DRL 1.0
sigma	proc_creation_win_renamed_binary.yml	`- '\conhost.exe'`	DRL 1.0
sigma	proc_creation_win_susp_conhost.yml	`title: Conhost Parent Process Executions`	DRL 1.0
sigma	proc_creation_win_susp_conhost.yml	`description: Detects the conhost execution as parent process. Can be used to evaded defense mechanism.`	DRL 1.0
sigma	proc_creation_win_susp_conhost.yml	`ParentImage\\|endswith: '\conhost.exe'`	DRL 1.0
sigma	proc_creation_win_susp_conhost.yml	`- Unlikely, conhost is a child less process`	DRL 1.0
sigma	proc_creation_win_system_exe_anomaly.yml	`- '\conhost.exe'`	DRL 1.0
sigma	proc_creation_win_uac_wsreset.yml	`Image\\|endswith: '\conhost.exe'`	DRL 1.0
atomic-red-team	index.md	- Atomic Test #3: Indirect Command Execution - conhost.exe [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #3: Indirect Command Execution - conhost.exe [windows]	MIT License. © 2018 Red Canary
atomic-red-team	T1202.md	- Atomic Test #3 - Indirect Command Execution - conhost.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1202.md	## Atomic Test #3 - Indirect Command Execution - conhost.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1202.md	conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer.	MIT License. © 2018 Red Canary
atomic-red-team	T1202.md	conhost.exe “#{process}”	MIT License. © 2018 Red Canary
signature-base	apt_between-hk-and-burma.yar	$file1 = “\Microsoft\Internet Explorer\conhost.exe”	CC BY-NC 4.0
signature-base	apt_oilrig.yar	$two4 = “/Delete /F /TN Conhost & del” ascii wide	CC BY-NC 4.0
signature-base	apt_winnti.yar	$a10 = “\conhost.exe” wide	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file conhost.exe”	CC BY-NC 4.0
signature-base	thor_inverse_matches.yar	filename == “conhost.exe”	CC BY-NC 4.0