consent.exe

  • File Path: C:\WINDOWS\system32\consent.exe
  • Description: Consent UI for administrative applications

Hashes

Type Hash
MD5 EE2A1C85C472F89B146CC8EE598CCCBC
SHA1 6BFB38629570909D3D9EEDFC783A948CE7849105
SHA256 19FD0010DA92B654D1CA270247061A39EA13C0A58529FD8257A97E2EF7794911
SHA384 13565ABD0325439BB450F814EBF5F3FA2E0A13CAC4CF62E9147A7A9DE9CD20C005ACEE6990F036B0EC2B5F84606EDAA1
SHA512 FC63B0815D4D05FD43937A47C0BC39A0A5D417D14E06850F3F675A42B05D17661CA9508C35333E51DFBD08B7B2B2EE9975C6064A491B79C6F75B76B2A80D12FE
SSDEEP 3072:jl6QmvXarBwHwNRFj2LEwGL0xlsiMFz7D:jkvX9w3ILEwGYPJMFz

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: consent.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of consent.exe being misused. While consent.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_consent_comctl32.yml title: UAC Bypass Using Consent and Comctl32 - File DRL 1.0
sigma file_event_win_uac_bypass_consent_comctl32.yml description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) DRL 1.0
sigma file_event_win_uac_bypass_consent_comctl32.yml TargetFilename\|startswith: 'C:\Windows\System32\consent.exe.@' DRL 1.0
sigma file_event_win_uac_bypass_ieinstal.yml TargetFilename\|endswith: 'consent.exe' DRL 1.0
sigma proc_creation_win_exploit_cve_2019_1388.yml description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM DRL 1.0
sigma proc_creation_win_exploit_cve_2019_1388.yml ParentImage\|endswith: '\consent.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_consent_comctl32.yml title: UAC Bypass Using Consent and Comctl32 - Process DRL 1.0
sigma proc_creation_win_uac_bypass_consent_comctl32.yml description: Detects the pattern of UAC Bypass using consent.exe and comctl32.dll (UACMe 22) DRL 1.0
sigma proc_creation_win_uac_bypass_consent_comctl32.yml ParentImage\|endswith: '\consent.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_ieinstal.yml Image\|endswith: 'consent.exe' DRL 1.0
atomic-red-team T1134.004.md <blockquote>Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the CreateProcess API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via svchost.exe or consent.exe) rather than the current user context.(Citation: Microsoft UAC Nov 2018) MIT License. © 2018 Red Canary
signature-base exploit_cve_2015_5119.yar yaraexchange = “No distribution without author’s consent” CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.