Find sigma rule
Attack: Indirect Command Execution
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)
Adversaries may abuse these features for Defense Evasion, specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of cmd or file extensions more commonly associated with malicious payloads.
MITRE
Tactic
- defense-evasion
technique
- T1202
Test : Indirect Command Execution - conhost.exe
OS
- windows
Description:
conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer. Executing it through command line can create process ancestry anomalies [Reference] (http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/)
Executor
command_prompt
Sigma Rule
- proc_creation_win_conhost_susp_child_process.yml (id: 7dc2dedd-7603-461a-bc13-15803d132355)