---
Name: Conhost.exe
Description: Console Window host
Author: Wietze Beukema
Created: 2022-04-05
Commands:
  - Command: "conhost.exe calc.exe"
    Description: Execute calc.exe with conhost.exe as parent process
    Usecase: Use conhost.exe as a proxy binary to evade defensive counter-measures
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
  - Command: "conhost.exe --headless calc.exe"
    Description: Execute calc.exe with conhost.exe as parent process
    Usecase: Specify --headless parameter to hide child process window (if applicable)
    Category: Execute
    Privileges: User
    MitreID: T1202
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: c:\windows\system32\conhost.exe
Detection:
  - IOC: conhost.exe spawning unexpected processes
  - Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/process_creation/proc_creation_win_conhost_susp_child_process.yml
Resources:
  - Link: https://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
  - Link: https://twitter.com/Wietze/status/1511397781159751680
  - Link: https://twitter.com/embee_research/status/1559410767564181504
  - Link: https://twitter.com/ankit_anubhav/status/1561683123816972288
Acknowledgement:
  - Person: Adam
    Handle: '@hexacorn'
  - Person: Wietze
    Handle: '@wietze'