188. Adversaries Abuse Console Window Host More and More Often

Hello everyone!

We have already talked about Console Window Host (conhost.exe) abuse. Usually threat actors use it with the "--headless" flag to hide the window from the user upon execution.

Unit42 conducted research on malicious LNK files, and guess what? Yes, Console Window Host is among the most often used system targets:

  • powershell.exe
  • cmd.exe
  • rundll32.exe
  • conhost.exe
  • wscript.exe
  • forfiles.exe
  • mshta.exe

What does it mean? It is definitely worth a hunting query:

event_type: "processcreatewin" AND proc_file_name: "conhost.exe" AND cmdline: "headless"
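The same hunting logic, run over a handful of constructed process-creation events, as an added example that is not part of the original post. The event schema (dicts with event_type, proc_file_name, parent_name and cmdline) and the sample command lines are assumptions made for the illustration; the matching mirrors the query above (event type, process name, and a case-insensitive "headless" substring in the command line) and additionally pulls out the program conhost.exe was asked to run, which is what an analyst triages first.

```python
"""Hunt for conhost.exe launched with the --headless flag.

Added example, not code from the original post. The telemetry format
below is a constructed assumption, not a real product schema.
"""
import re

# Constructed sample telemetry (not real data). One benign conhost spawn,
# two suspicious headless launches, one wrong process, one wrong event type.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "conhost.exe",
     "parent_name": "cmd.exe",
     "cmdline": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"event_type": "processcreatewin", "proc_file_name": "conhost.exe",
     "parent_name": "explorer.exe",
     "cmdline": r"conhost.exe --headless powershell.exe -w hidden -enc AAAA"},
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "parent_name": "conhost.exe",
     "cmdline": r"powershell.exe -headless"},
    {"event_type": "processcreatewin", "proc_file_name": "CONHOST.EXE",
     "parent_name": "winword.exe",
     "cmdline": r"C:\Windows\System32\CONHOST.EXE --headless cmd.exe /c whoami"},
    {"event_type": "filecreatewin", "proc_file_name": "conhost.exe",
     "parent_name": "cmd.exe",
     "cmdline": r"conhost.exe --headless"},
]

# Everything after the --headless switch is the command conhost runs hidden.
HEADLESS_TARGET_RE = re.compile(r"--headless\s+(.*)$", re.IGNORECASE)


def matches_hunt(event: dict) -> bool:
    """Apply the three clauses of the hunting query to one event."""
    if event.get("event_type") != "processcreatewin":
        return False
    # Process names are compared case-insensitively; logs are not consistent.
    if event.get("proc_file_name", "").lower() != "conhost.exe":
        return False
    # Substring match, exactly as the query states it.
    return "headless" in event.get("cmdline", "").lower()


def headless_target(cmdline: str) -> str:
    """Return the program conhost was told to launch, or '' if none found."""
    m = HEADLESS_TARGET_RE.search(cmdline)
    return m.group(1).strip() if m else ""


def hunt(events: list) -> list:
    """Return triage records (parent process and hidden target) for hits."""
    hits = []
    for ev in events:
        if matches_hunt(ev):
            hits.append({
                "parent": ev.get("parent_name", ""),
                "target": headless_target(ev.get("cmdline", "")),
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"parent={hit['parent']!r} launches hidden: {hit['target']!r}")
```

The parent process and the hidden target are the two fields that separate noise from a real finding: conhost.exe spawned by cmd.exe with no "headless" switch is everyday Windows behaviour, whereas an Office or Explorer parent launching a headless PowerShell or cmd.exe is the pattern the Unit42 LNK research describes.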

See you tomorrow!
