188. Adversaries Abuse Console Window Host More and More Often
Hello everyone!
We already talked about Console Window Host (conhost.exe) abuse. Threat actors usually run it with the "--headless" flag to hide the console window from the user when their payload executes.
Unit42 conducted research on malicious LNK files, and guess what? Yes, Console Window Host is among the most frequently used system targets:
- powershell.exe
- cmd.exe
- rundll32.exe
- conhost.exe
- wscript.exe
- forfiles.exe
- mshta.exe
What does it mean? It is definitely worth a hunting query:
event_type: "processcreatewin"
AND
proc_file_name: "conhost.exe"
AND
cmdline: "headless"
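As an added example (not code from the original post), here is the same hunting logic applied to process-creation events in Python. The field names event_type, proc_file_name and cmdline are taken from the query above; the JSON-lines events are constructed for illustration, and the JSON-lines format itself is an assumption about how the telemetry is exported.

```python
# Added example: apply the post's conhost.exe "--headless" hunting logic to
# process-creation events. Field names follow the query in the post; the
# sample events below are constructed, not real telemetry.
import json
import re

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"event_type": "processcreatewin", "proc_file_name": "conhost.exe", "cmdline": "\\??\\C:\\Windows\\system32\\conhost.exe 0x4", "parent": "cmd.exe"}
{"event_type": "processcreatewin", "proc_file_name": "conhost.exe", "cmdline": "conhost.exe --headless powershell.exe -c \"...\"", "parent": "explorer.exe"}
{"event_type": "processcreatewin", "proc_file_name": "powershell.exe", "cmdline": "powershell.exe -nop -c Get-Date", "parent": "explorer.exe"}
{"event_type": "filecreate", "proc_file_name": "conhost.exe", "cmdline": "conhost.exe --headless cmd.exe", "parent": "wscript.exe"}
"""

# Match "--headless" only as a whole token, so a path or argument that merely
# contains the substring "headless" does not fire the rule.
HEADLESS_FLAG = re.compile(r"(?<!\S)--headless(?!\S)", re.IGNORECASE)


def is_headless_conhost(event):
    """True when the event is a process creation of conhost.exe whose
    command line carries the --headless flag as a separate token."""
    if event.get("event_type") != "processcreatewin":
        return False
    if event.get("proc_file_name", "").lower() != "conhost.exe":
        return False
    return HEADLESS_FLAG.search(event.get("cmdline", "")) is not None


def hunt(lines):
    """Parse JSON-lines input and return the events matching the hunt."""
    hits = []
    for line in lines.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_headless_conhost(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["parent"], "->", hit["cmdline"])
```

Note that conhost.exe is started for every console process on Windows, so the first sample event (a plain conhost.exe launch) is expected noise; the "--headless" token is what makes the hit worth triaging. Since the flag also has legitimate uses, review the parent process and the child command line before escalating.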
See you tomorrow!