consent.exe
- File Path: C:\Windows\system32\consent.exe
- Description: Consent UI for administrative applications
Hashes
Type | Hash |
---|---|
MD5 | 27992D7EBE51AEC655A088DE88BAD5C9 |
SHA1 | 9329B2362078DE27242DD4534F588AF3264BF0BF |
SHA256 | 8F112431143A22BAAAFB448EEFD63BF90E7691C890AC69A296574FD07BA03EC6 |
SHA384 | E42F693B1A7A4EE8E31FA033FEB4B05367A25C3AEC9835366985357D002BCC46C09C1EE7FA4C987CB51DFE06B5E97BF8 |
SHA512 | 7D129C79A594D57DFB3C0726C8B51C263A551D991F47703BB06811E4AE68A7DD09F17476A540C16E51C0D9CA46527F399581A1A5F3A41C6FA73431F3A2E70ABC |
SSDEEP | 1536:nzWTXOK1vnpop7BIFFlUDKcCjXifIOAmQt/f4k7eDkXV+JEIuaikX4sVQbf/7X2r:ydKtTqyfumQF7NoJeSX4sC7mzkMv |
IMP | 522D83761201075834F05037F5307949 |
PESHA1 | 4447852F03AB225E6F4073760A9006AA76498608 |
PE256 | 8EFC32DE5E57A43DADD621C5728E677CAB95411AC9F28CDD0F39E61B19D34F7F |
Runtime Data
Loaded Modules:
Path |
---|
C:\Windows\System32\ADVAPI32.dll |
C:\Windows\SYSTEM32\Amsi.dll |
C:\Windows\System32\bcryptPrimitives.dll |
C:\Windows\System32\combase.dll |
C:\Windows\system32\consent.exe |
C:\Windows\System32\CRYPT32.dll |
C:\Windows\System32\cryptsp.dll |
C:\Windows\System32\GDI32.dll |
C:\Windows\System32\gdi32full.dll |
C:\Windows\System32\IMM32.dll |
C:\Windows\System32\KERNEL32.DLL |
C:\Windows\System32\KERNELBASE.dll |
C:\Windows\System32\MSASN1.dll |
C:\Windows\System32\MSCTF.dll |
C:\Windows\SYSTEM32\MsCtfMonitor.DLL |
C:\Windows\SYSTEM32\MSIMG32.dll |
C:\Windows\system32\MSUTB.dll |
C:\Windows\System32\msvcp_win.dll |
C:\Windows\System32\msvcrt.dll |
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\OLEAUT32.dll |
C:\Windows\System32\profapi.dll |
C:\Windows\System32\RPCRT4.dll |
C:\Windows\System32\sechost.dll |
C:\Windows\SYSTEM32\SspiCli.dll |
C:\Windows\System32\ucrtbase.dll |
C:\Windows\System32\USER32.dll |
C:\Windows\SYSTEM32\USERENV.dll |
C:\Windows\System32\win32u.dll |
C:\Windows\SYSTEM32\WINSTA.dll |
C:\Windows\SYSTEM32\WMsgAPI.dll |
C:\Windows\SYSTEM32\WTSAPI32.dll |
C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567\COMCTL32.dll |
Signature
- Status: Signature verified.
- Serial: 3300000266BD1580EFA75CD6D3000000000266
- Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: consent.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.17763.1 (WinBuild.160101.0800)
- Product Version: 10.0.17763.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/71
- VirusTotal Link: https://www.virustotal.com/gui/file/8f112431143a22baaafb448eefd63bf90e7691c890ac69a296574fd07ba03ec6/detection/
Possible Misuse
The following table contains possible examples of consent.exe being misused. While consent.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | file_event_win_uac_bypass_consent_comctl32.yml | title: UAC Bypass Using Consent and Comctl32 - File | DRL 1.0 |
sigma | file_event_win_uac_bypass_consent_comctl32.yml | description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) | DRL 1.0 |
sigma | file_event_win_uac_bypass_consent_comctl32.yml | TargetFilename\|startswith: 'C:\Windows\System32\consent.exe.@' | DRL 1.0 |
sigma | file_event_win_uac_bypass_ieinstal.yml | TargetFilename\|endswith: 'consent.exe' | DRL 1.0 |
sigma | proc_creation_win_exploit_cve_2019_1388.yml | description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM | DRL 1.0 |
sigma | proc_creation_win_exploit_cve_2019_1388.yml | ParentImage\|endswith: '\consent.exe' | DRL 1.0 |
sigma | proc_creation_win_uac_bypass_consent_comctl32.yml | title: UAC Bypass Using Consent and Comctl32 - Process | DRL 1.0 |
sigma | proc_creation_win_uac_bypass_consent_comctl32.yml | description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) | DRL 1.0 |
sigma | proc_creation_win_uac_bypass_consent_comctl32.yml | ParentImage\|endswith: '\consent.exe' | DRL 1.0 |
sigma | proc_creation_win_uac_bypass_ieinstal.yml | Image\|endswith: 'consent.exe' | DRL 1.0 |
atomic-red-team | T1134.004.md | <blockquote>Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018)</blockquote> | MIT License. © 2018 Red Canary |
signature-base | exploit_cve_2015_5119.yar | yaraexchange = “No distribution without author’s consent” | CC BY-NC 4.0 |
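The Sigma conditions quoted in the table above can be exercised offline against sample telemetry. The Python below is an added example, not code from Strontic and not the Sigma project's own rule engine: it reduces each listed rule to the field tests quoted on this page and runs them over a handful of constructed Sysmon-style events. The field names (EventID, Image, ParentImage, TargetFilename, User) follow Sysmon naming and are an assumption, as is the sample data; the iexplore.exe and SYSTEM checks for CVE-2019-1388 are derived from that rule's description rather than from a quoted condition. String comparison is case-insensitive, as Sigma's startswith/endswith modifiers are.

```python
"""Re-implementation of the consent.exe Sigma conditions quoted on this page.

Added example, not code from Strontic or from the Sigma project.  The field
names (EventID, Image, ParentImage, TargetFilename, User) follow Sysmon naming
and are an assumption; the sample events are constructed, not real telemetry.
"""
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


def _field(ev: Event, name: str) -> str:
    # Sigma string modifiers compare case-insensitively, so normalise here.
    return ev.get(name, "").lower()


def starts_with(ev: Event, name: str, prefix: str) -> bool:
    return _field(ev, name).startswith(prefix.lower())


def ends_with(ev: Event, name: str, suffix: str) -> bool:
    return _field(ev, name).endswith(suffix.lower())


# Each rule is keyed by the Sigma source file named in the table above and is
# reduced to the conditions quoted there.  The iexplore.exe and SYSTEM checks
# for CVE-2019-1388 come from that rule's description, not from a quoted
# condition.  EventID 1 = process creation, 11 = file creation (Sysmon).
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("file_event_win_uac_bypass_consent_comctl32.yml",
     lambda ev: ev.get("EventID") == "11"
     and starts_with(ev, "TargetFilename", r"C:\Windows\System32\consent.exe.@")),
    ("proc_creation_win_uac_bypass_consent_comctl32.yml",
     lambda ev: ev.get("EventID") == "1"
     and ends_with(ev, "ParentImage", r"\consent.exe")),
    ("proc_creation_win_exploit_cve_2019_1388.yml",
     lambda ev: ev.get("EventID") == "1"
     and ends_with(ev, "ParentImage", r"\consent.exe")
     and ends_with(ev, "Image", r"\iexplore.exe")
     and _field(ev, "User") == r"nt authority\system"),
    ("file_event_win_uac_bypass_ieinstal.yml",
     lambda ev: ev.get("EventID") == "11"
     and ends_with(ev, "TargetFilename", "consent.exe")),
]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    # 0: ordinary UAC prompt; consent.exe started by the service host, no children.
    {"EventID": "1", "Image": r"C:\Windows\System32\consent.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    # 1: a file written under the consent.exe.@ prefix in System32.
    {"EventID": "11", "Image": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "TargetFilename": r"C:\Windows\System32\consent.exe.@sxs",
     "User": r"LAB\alice"},
    # 2: Internet Explorer spawned by consent.exe as SYSTEM.
    {"EventID": "1", "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\System32\consent.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    # 3: a file named consent.exe dropped outside System32.
    {"EventID": "11", "Image": r"C:\Program Files\Internet Explorer\ieinstal.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\consent.exe",
     "User": r"LAB\alice"},
    # 4: benign write whose name merely contains "consent"; must not fire.
    {"EventID": "11", "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\alice\Documents\consent-form.txt",
     "User": r"LAB\alice"},
]


def run_detections(events: List[Event]) -> Dict[str, List[int]]:
    """Return, for every rule, the indices of the events it matches."""
    hits: Dict[str, List[int]] = {name: [] for name, _ in RULES}
    for idx, ev in enumerate(events):
        for name, pred in RULES:
            if pred(ev):
                hits[name].append(idx)
    return hits


if __name__ == "__main__":
    for name, matched in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {matched}")
```

Because only the conditions quoted on this page are implemented, the process-creation rule for Consent and Comctl32 matches any child of consent.exe, so the CVE-2019-1388 event fires both process rules; the upstream Sigma rules carry further conditions and fire more narrowly. Note also that the benign UAC prompt (event 0) is untouched: consent.exe itself running as SYSTEM under svchost.exe is the expected shape, and it is children of consent.exe and files created under its name that the rules key on.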
MIT License. Copyright (c) 2020-2021 Strontic.