From f85294b90dfc61383d0e9ada48bacd3f00f8c71b Mon Sep 17 00:00:00 2001
From: Mohana Shankar D <48013681+msdlearn@users.noreply.github.com>
Date: Sat, 3 Aug 2024 07:01:32 +0530
Subject: [PATCH] Update T1564.003.yaml (#2884)

Co-authored-by: Carrie Roberts
---
 atomics/T1564.003/T1564.003.yaml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/atomics/T1564.003/T1564.003.yaml b/atomics/T1564.003/T1564.003.yaml
index c1356003..aafdfbd3 100644
--- a/atomics/T1564.003/T1564.003.yaml
+++ b/atomics/T1564.003/T1564.003.yaml
@@ -40,3 +40,17 @@ atomic_tests:
 cleanup_command: |
 taskkill /im #{browser} /f
 name: command_prompt
+- name: Hidden Window-Conhost Execution
+ description: |
+ Launch conhost.exe in "headless" mode, it means that no visible window will pop up on the victim's machine.
+ This could be a sign of "conhost" usage as a LOLBIN or potential process injection activity.
+ conhost.exe can be used as proxy the execution of arbitrary commands
+ supported_platforms:
+ - windows
+ executor:
+ command: |
+ conhost.exe --headless calc.exe
+ cleanup_command: |
+ Stop-Process -Name calc*
+ name: powershell
+ elevation_required: true
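Review bot: The new test's description has a comma splice on its first line and an ungrammatical third line; rewrite them as `Launch conhost.exe in "headless" mode, so no visible window appears on the victim's machine.` and `conhost.exe can be used to proxy the execution of arbitrary commands.` so the rendered test reads cleanly. The description would also serve detection engineers better if it named the observable this test produces — a conhost.exe process whose command line contains `--headless` acting as the parent of another process, instead of the normal console-host relationship — since that is what a hunting query keys on. `elevation_required: true` looks stronger than the executor needs: launching conhost.exe and calc.exe should not require administrator rights, so confirm it and set it to `false` if the test passes unelevated, because running the test elevated by default obscures whether the technique needs privileges. The original indentation of the added YAML lines was lost when this patch was collapsed onto one line, so the sequence style under `supported_platforms` and the nesting under `executor` should be checked against the rest of the file after reformatting.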