security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8d9c11b26ef6bb370cc0a262cc579dfd2945fdb2
blue-team-tools/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
T
Nasreddine Bencherchali 8dbd03ff32 Fix FP In Testing
2022-10-07 13:26:33 +02:00

56 lines
2.1 KiB
YAML
Raw Blame History

title: Conhost Parent Process Executions
id: 7dc2dedd-7603-461a-bc13-15803d132355
status: experimental
description: Detects the conhost execution as parent process. Can be used to evaded defense mechanism.
references:
- http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
author: omkar72
date: 2020/10/25
modified: 2022/10/07
tags:
- attack.defense_evasion
- attack.t1202
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\conhost.exe'
filter_provider:
Provider_Name: 'SystemTraceProvider-Process' # FPs with Aurora
# Note that some of these git events occure because of a sppofed parent image
filter_git:
# Example FP:
# ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" show --textconv :path/to/file
# ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" cat-file -s 4ca60c8a054f7eaa05f0438a8292762f2015d228
Image|endswith: '\git.exe'
ParentCommandLine|contains:
- ' show --textconv '
- ' cat-file -s '
filter_git_show:
# Example FP:
# GrandparentCommandLine: git.exe cat-file -s 4ca60c8a054f7eaa05f0438a8292762f2015d258
# ParentCommandLine: \??\C:\WINDOWS\system32\conhost.exe 0x4
# ParentImage: C:\Windows\System32\conhost.exe
# CommandLine: git.exe show --textconv :path/to/file
ParentCommandLine|contains: 'C:\WINDOWS\system32\conhost.exe 0x4'
CommandLine|contains:
- ' show --textconv '
- ' cat-file -s '
filter_image_conhost:
# Example FP:
# ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" cat-file -s 4ca60c8a054f7eaa05f0438a8292762f2015d228
ParentCommandLine|contains: ' cat-file -s '
Image: C:\Windows\System32\conhost.exe
filter_image_conhost2:
ParentCommandLine: \??\C:\WINDOWS\system32\conhost.exe 0x4
Image: C:\Windows\System32\conhost.exe
condition: selection and not 1 of filter_*
fields:
- Image
- CommandLine
- ParentCommandLine
falsepositives:
- Unlikely, conhost is a child less process
level: medium
Reference in New Issue View Git Blame Copy Permalink