Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Powershell Executed From Headless ConHost Process

Detects the use of powershell commands from headless ConHost window. The "--headless" flag hides the windows from the user upon execution.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Matt Anderson (Huntress)Created Tue Jul 23056c7317-9a09-4bd4-9067-d051312752eawindows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        - Image|endswith: '\conhost.exe'
        - OriginalFileName: 'CONHOST.EXE'
    selection_cli:
        CommandLine|contains|all:
            - '--headless'
            - 'powershell'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
huntress.com
Testing & Validation

Regression Tests

by SigmaHQ Team
Positive Detection Test1 matchevtx

Microsoft-Windows-Sysmon

EVTX JSON
MITRE ATT&CK
Related Rules
DerivedThreat Huntmedium

Headless Process Launched Via Conhost.EXE

Detects the launch of a child process via "conhost.exe" with the "--headless" flag. The "--headless" flag hides the windows from the user upon execution.

This rule was derived from the related rule - both detect similar activity with different scope.

Rule Metadata
Rule ID
056c7317-9a09-4bd4-9067-d051312752ea
Status
test
Level
medium
Type
Detection
Created
Tue Jul 23
Author
Matt Anderson (Huntress)
Path
rules/windows/process_creation/proc_creation_win_conhost_headless_powershell.yml
Raw Tags
attack.defense-evasionattack.executionattack.t1059.001attack.t1059.003attack.t1564.003
View on GitHub