consent.exe
- File Path:
C:\windows\system32\consent.exe - Description: Consent UI for administrative applications
Hashes
| Type | Hash |
|---|---|
| MD5 | 600D506FEA867E0BAEAFFEFCE54F35B3 |
| SHA1 | D90DE430940F1AFD9D9A26A1B14B67289E0B095C |
| SHA256 | 86D8631C075400AF09ECBFC531D64B187696D6AA277AD6D58E718E17DDCD4616 |
| SHA384 | B21AC5B8391FBD4CDC36FEAF273859473720B252AA0AEC9456BCB167DB3A02501142576A6D1D9813027A75E94D8D54D2 |
| SHA512 | EF31D9C2012E9F7E29D3F532A90F10BF6CEED3DF97484C6A0542CA8928468E2C42824C8E2CFFD7231978CFC0FE630D2B8E81250461D5A0AA9C7326CF305B84C7 |
| SSDEEP | 1536:OVlMqW+kj1wu4kWp09Y/VnKvwWNORTiL5pC94zw4Pp3XTh0:srmYm5OliLo4zw4RTh0 |
Signature
- Status: Signature verified.
- Serial:
33000000BCE120FDD27CC8EE930000000000BC - Thumbprint:
E85459B23C232DB3CB94C7A56D47678F58E8E51E - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: consent.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of consent.exe being misused. While consent.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | file_event_win_uac_bypass_consent_comctl32.yml | title: UAC Bypass Using Consent and Comctl32 - File |
DRL 1.0 |
| sigma | file_event_win_uac_bypass_consent_comctl32.yml | description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) |
DRL 1.0 |
| sigma | file_event_win_uac_bypass_consent_comctl32.yml | TargetFilename\|startswith: 'C:\Windows\System32\consent.exe.@' |
DRL 1.0 |
| sigma | file_event_win_uac_bypass_ieinstal.yml | TargetFilename\|endswith: 'consent.exe' |
DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2019_1388.yml | description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM |
DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2019_1388.yml | ParentImage\|endswith: '\consent.exe' |
DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_consent_comctl32.yml | title: UAC Bypass Using Consent and Comctl32 - Process |
DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_consent_comctl32.yml | description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) |
DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_consent_comctl32.yml | ParentImage\|endswith: '\consent.exe' |
DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ieinstal.yml | Image\|endswith: 'consent.exe' |
DRL 1.0 |
| atomic-red-team | T1134.004.md | <blockquote>Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018) |
MIT License. © 2018 Red Canary |
| signature-base | exploit_cve_2015_5119.yar | yaraexchange = “No distribution without author’s consent” | CC BY-NC 4.0 |
MIT License. Copyright (c) 2020-2021 Strontic.