Attack technique
Technique name: Conhost.exe Indirect Execution
MITRE ATT&CK
- Tactic: Defense Evasion, Persistence, Privilege Escalation, Initial Access
- Technique:
  - T1202 - Indirect Command Execution
  - T1218 - System Binary Proxy Execution
Technique description
Conhost.exe (the Console Window Host) acts as a mediator between the classic CSRSS and cmd.exe. Essentially, it enables the Command Prompt to work with Windows Explorer, allowing features such as dragging and dropping text from explorer.exe to cmd.exe.
Conhost can also be used to launch arbitrary executables, a technique known as indirect process execution. The idea behind it is to use conhost.exe as a loader to break up the parent-child process relationship in order to evade security products and detections.
Insights from threat intelligence
Threat actors, particularly initial access brokers, often employ indirect process execution through conhost.exe as a key method in their initial access infection strategies. This approach is primarily used to disrupt the parent-child process relationship during process execution, thereby circumventing the detection mechanisms employed by security products. The technique has been associated with various known threat groups and with malware families such as IcedID, Qbot, and Guildma.
Seen in the wild since: 2018
Threat hunting theses breakdown
Suspicious indirect execution using conhost.exe
Relevant Data Sources: EDR Telemetry Logs
Thesis explanation
The thesis for detecting unusual conhost.exe indirect execution involves excluding typical scenarios, such as console sessions linked to physical or virtual consoles. An atypical instance is when conhost.exe is given a target parameter to execute, a practice that is not commonly observed and therefore raises suspicion.
Blind spots
None
Recommended investigation flow
- Investigate the target parameter provided to the conhost.exe process.
- Investigate child processes.
- Investigate remote network connections.
- Investigate file operations (files written, registry modification).
- Investigate the parent process of conhost.exe to understand how it was executed (e.g. explorer.exe launching an LNK file, wscript.exe, etc.).
- Investigate the prevalence of the activity: does the target command line run repeatedly in your organization?
- If no target file parameter is provided to conhost.exe, the lead can be considered a false positive (FP).
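The thesis above and the first step of the investigation flow (is there a target parameter at all?) as an added Python example, not the page's own detection content. It separates the normal console-session attach form of conhost.exe (a hex handle such as `0x4`, optionally with `-ForceV1`) from invocations that carry a positional target; the `--headless` switch and the `EVENTS` sample, with its placeholder paths, are constructed for illustration and not taken from the page.

```python
import re

# Constructed sample EDR process-creation events (placeholder paths, not real telemetry).
EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'conhost.exe --headless "C:\Users\Public\update.exe"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"conhost.exe C:\Users\Public\stage2.exe /silent"},
]

# A bare hex value as the first positional argument is the console-session
# attach form (conhost.exe 0x4, conhost.exe 0xffffffff -ForceV1): the benign baseline.
HANDLE_RE = re.compile(r"^0x[0-9a-fA-F]+$")


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def conhost_target(cmdline):
    """Return the target conhost.exe was asked to run, or None for a normal
    console-session attach (or when the image is not conhost.exe at all)."""
    tokens = tokenize(cmdline)
    if not tokens or not tokens[0].lower().endswith("conhost.exe"):
        return None
    # Ignore switches (--headless, -ForceV1, ...): only a positional target matters.
    positional = [a for a in tokens[1:] if not a.startswith(("-", "/"))]
    if not positional or HANDLE_RE.match(positional[0]):
        return None
    return positional[0]


def hunt(events):
    """Keep only conhost.exe launches that carry a target; everything else is
    a typical console session and, per the thesis, a false positive."""
    leads = []
    for ev in events:
        target = conhost_target(ev["cmdline"])
        if target is not None:
            leads.append({"parent": ev["parent"], "target": target,
                          "cmdline": ev["cmdline"]})
    return leads
```

Each lead returned by `hunt` still needs the remaining investigation steps (child processes, network connections, file and registry operations, prevalence) before it is treated as malicious.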
Hunters content
Detection: Suspicious Indirect Execution Using Conhost.exe