consent.exe

  • File Path: C:\Windows\system32\consent.exe
  • Description: Consent UI for administrative applications

Hashes

Type Hash
MD5 E43A9155F6B33B869B33EF3E42686A95
SHA1 6D722CA9F9EB63A2286DDC012B3D2BE7A5EBC5FE
SHA256 B2F1ADF4123953EB808FFEA652E0F0F894315E5205E25129C007C8BA10A2E79D
SHA384 126F8D0654CC87D6D2ED3C9C58444992FEDDC2FBCDD2E3EE1DABD2B202E8146A281B18DB9E181037AC6072AB9841C582
SHA512 3E2CB8721DAA431AD4FE98A447AAC589CB0D59A03B835134B95F7FCF9FE2580B3C4D8FA4E2F613298A65C1E41ADFA3B5D129F015121617B5CE283583A680E8E9
SSDEEP 1536:fhPwZ9//62wgsLLO3aeEA3XKTIUQdud9V6BILDblLVQ+Ffss728apgczk5pPoO:fR29EgsSaSSXjMwble+FfsfpgczkL7

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: consent.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of consent.exe being misused. While consent.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_consent_comctl32.yml title: UAC Bypass Using Consent and Comctl32 - File DRL 1.0
sigma file_event_win_uac_bypass_consent_comctl32.yml description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) DRL 1.0
sigma file_event_win_uac_bypass_consent_comctl32.yml TargetFilename\|startswith: 'C:\Windows\System32\consent.exe.@' DRL 1.0
sigma file_event_win_uac_bypass_ieinstal.yml TargetFilename\|endswith: 'consent.exe' DRL 1.0
sigma proc_creation_win_exploit_cve_2019_1388.yml description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM DRL 1.0
sigma proc_creation_win_exploit_cve_2019_1388.yml ParentImage\|endswith: '\consent.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_consent_comctl32.yml title: UAC Bypass Using Consent and Comctl32 - Process DRL 1.0
sigma proc_creation_win_uac_bypass_consent_comctl32.yml description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) DRL 1.0
sigma proc_creation_win_uac_bypass_consent_comctl32.yml ParentImage\|endswith: '\consent.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_ieinstal.yml Image\|endswith: 'consent.exe' DRL 1.0
atomic-red-team T1134.004.md <blockquote>Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018) MIT License. © 2018 Red Canary
signature-base exploit_cve_2015_5119.yar yaraexchange = “No distribution without author’s consent” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.