From d3873c48a48c8b05be34ffca2f884076962e0dcc Mon Sep 17 00:00:00 2001
From: omkargudhate22 <36105402+omkar72@users.noreply.github.com>
Date: Wed, 21 Oct 2020 22:21:54 +0530
Subject: [PATCH] Indirect command execution - conhost (#1265)
---
 atomics/T1202/T1202.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/atomics/T1202/T1202.yaml b/atomics/T1202/T1202.yaml
index c2df1b67..a6d6fe76 100644
--- a/atomics/T1202/T1202.yaml
+++ b/atomics/T1202/T1202.yaml
@@ -42,4 +42,20 @@ atomic_tests:
 forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
 forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
 name: command_prompt
+- name: Indirect Command Execution - conhost.exe
+ description: |
+ conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer.
+ Executing it through command line can create process ancestry anomalies
+ [Reference] (http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/)
+ supported_platforms:
+ - windows
+ input_arguments:
+ process:
+ description: Process to execute
+ type: string
+ default: notepad.exe
+ executor:
+ command: |
+ conhost.exe "#{process}"
+ name: command_prompt
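Review bot: The new `executor:` stanza at the end of the hunk has no `cleanup_command`, so the child launched by `conhost.exe "#{process}"` (notepad.exe by default) is presumably left running on the host after each test run, and a detection engineer replaying the test repeatedly will accumulate stray processes; adding `cleanup_command: taskkill /f /im #{process}` alongside `command:` would return the host to its pre-test state. The description text also has two small issues: "It provide an interface" should read "It provides an interface", and the reference is written as `[Reference] (http://...)` with a space between the bracket and the parenthesis, which will not render as a link when the YAML is turned into the technique's markdown; `[Reference](http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/)` fixes that. The forfiles test shown above the added lines is context only, and the enclosing `atomic_tests:` sequence starts before this hunk, so I cannot see whether the other tests in the file define cleanup commands or quote their sequence items the same way.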