consent.exe
- File Path:
C:\Windows\system32\consent.exe - Description: Consent UI for administrative applications
Hashes
| Type | Hash |
|---|---|
| MD5 | 33BEB08302F0EAE71133D6254AB1DBDA |
| SHA1 | 6513C2959A876B3B5726CD938284285C8772ECFC |
| SHA256 | 15D0D3E45FD8312A00852A4F3E75F3E1FAADD4B592C3E230E722CFEFA3DDCA2F |
| SHA384 | 3A94FED8472766A9A06A9579CF1C188A3D9677B93498D2401B9F5742BE5331B3787E4E297D9EB784F9B777BF8B99F9CB |
| SHA512 | D3F039E5DEAA4AD349075EA4C4416B71BDE69E0D6C4437EB5A74FF6E872D56919C1551D8B264967A1E54DBD8F6F2C57E691431DE514B6182D0C1A2BDDFFD9CA9 |
| SSDEEP | 3072:fMsYHiZ/JTRS58CqTudzHE5RGtQhsCNzWKl:fMaZBU5OTudzHaWQOCNz |
| IMP | ACAFC223D6C3FCAE537D9630A0021EFD |
| PESHA1 | 593EFE4FD96A3277ED10AA8C1058EC09A0015382 |
| PE256 | 6D64588B90696A16EE10978597A515E8C316C7D017960DFA76D4C77527A27144 |
Runtime Data
Loaded Modules:
| Path |
|---|
| C:\Windows\system32\consent.exe |
| C:\Windows\System32\GDI32.dll |
| C:\Windows\System32\gdi32full.dll |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\System32\msvcp_win.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\ucrtbase.dll |
| C:\Windows\System32\USER32.dll |
| C:\Windows\System32\win32u.dll |
Signature
- Status: Signature verified.
- Serial:
3300000266BD1580EFA75CD6D3000000000266 - Thumbprint:
A4341B9FD50FB9964283220A36A1EF6F6FAA7840 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: consent.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/68
- VirusTotal Link: https://www.virustotal.com/gui/file/15d0d3e45fd8312a00852a4f3e75f3e1faadd4b592c3e230e722cfefa3ddca2f/detection/
Possible Misuse
The following table contains possible examples of consent.exe being misused. While consent.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | file_event_win_uac_bypass_consent_comctl32.yml | title: UAC Bypass Using Consent and Comctl32 - File |
DRL 1.0 |
| sigma | file_event_win_uac_bypass_consent_comctl32.yml | description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) |
DRL 1.0 |
| sigma | file_event_win_uac_bypass_consent_comctl32.yml | TargetFilename\|startswith: 'C:\Windows\System32\consent.exe.@' |
DRL 1.0 |
| sigma | file_event_win_uac_bypass_ieinstal.yml | TargetFilename\|endswith: 'consent.exe' |
DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2019_1388.yml | description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM |
DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2019_1388.yml | ParentImage\|endswith: '\consent.exe' |
DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_consent_comctl32.yml | title: UAC Bypass Using Consent and Comctl32 - Process |
DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_consent_comctl32.yml | description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) |
DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_consent_comctl32.yml | ParentImage\|endswith: '\consent.exe' |
DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ieinstal.yml | Image\|endswith: 'consent.exe' |
DRL 1.0 |
| atomic-red-team | T1134.004.md | <blockquote>Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018) |
MIT License. © 2018 Red Canary |
| signature-base | exploit_cve_2015_5119.yar | yaraexchange = “No distribution without author’s consent” | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.