conhost.exe

  • File Path: C:\windows\system32\conhost.exe
  • Description: Console Window Host

Hashes

Type Hash
MD5 EAA3EE12B2CAA0365F2B4D495B50AD22
SHA1 26E0C2405C62E3DC6AB0527D0A5787C2484664E8
SHA256 F30686DD09B81D4080AB58DEF209173772FA132FA3762688274270AFA6407872
SHA384 4DE79298052B1FBE3241F8117BB4CF1D2EA3B9A375A9ECE10A33039006C885F91AD4DE1302C9E80B60F4470F9A758FC1
SHA512 54C8945DCC3313B72FABC7C377350E5AACD626342652F6761E2415A653D3FE6C443FFA02AB36FDF61725266CDFE4EA174E2E196768B1F99096227EDF66032774
SSDEEP 6144:DFfLdxsj3kCyrith2E/ZFgCcnUlPZYylSb/4wmb0MOZUWhGWjcj2m:RjYTks2E/vgCHPzIQqrtmq

Signature

  • Status: The file C:\windows\system32\conhost.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: CONHOST.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of conhost.exe being misused. While conhost.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_creation_system_file.yml - '\conhost.exe' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml CommandLine\|contains: 'conhost.exe 0xffffffff -ForceV1' DRL 1.0
sigma proc_creation_win_exploit_cve_2020_1350.yml - '\System32\conhost.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'CONHOST.EXE' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\conhost.exe' DRL 1.0
sigma proc_creation_win_susp_conhost.yml title: Conhost Parent Process Executions DRL 1.0
sigma proc_creation_win_susp_conhost.yml description: Detects the conhost execution as parent process. Can be used to evaded defense mechanism. DRL 1.0
sigma proc_creation_win_susp_conhost.yml ParentImage\|endswith: '\conhost.exe' DRL 1.0
sigma proc_creation_win_susp_conhost.yml - Unlikely, conhost is a child less process DRL 1.0
sigma proc_creation_win_system_exe_anomaly.yml - '\conhost.exe' DRL 1.0
sigma proc_creation_win_uac_wsreset.yml Image\|endswith: '\conhost.exe' DRL 1.0
atomic-red-team index.md - Atomic Test #3: Indirect Command Execution - conhost.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Indirect Command Execution - conhost.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team T1202.md - Atomic Test #3 - Indirect Command Execution - conhost.exe MIT License. © 2018 Red Canary
atomic-red-team T1202.md ## Atomic Test #3 - Indirect Command Execution - conhost.exe MIT License. © 2018 Red Canary
atomic-red-team T1202.md conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer. MIT License. © 2018 Red Canary
atomic-red-team T1202.md conhost.exe “#{process}” MIT License. © 2018 Red Canary
signature-base apt_between-hk-and-burma.yar $file1 = “\Microsoft\Internet Explorer\conhost.exe” CC BY-NC 4.0
signature-base apt_oilrig.yar $two4 = “/Delete /F /TN Conhost & del” ascii wide CC BY-NC 4.0
signature-base apt_winnti.yar $a10 = “\conhost.exe” wide CC BY-NC 4.0
signature-base thor_inverse_matches.yar description = “Anomaly rule looking for certain strings in a system file (maybe false positive on certain systems) - file conhost.exe” CC BY-NC 4.0
signature-base thor_inverse_matches.yar filename == “conhost.exe” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.