Date: 06/24/2025
Severity: Medium
Summary
Detects a process whose parent is "conhost.exe" and whose parent command line contains the "--headless" flag. "conhost.exe --headless <command>" launches the given command as a child of conhost.exe without displaying a console window, so the child runs with no visible window for the user to notice. This is a threat-hunting rule: review the child's image and command line on every hit, since the same launch method can also be used by legitimate tooling.
Indicators of Compromise (IOC) List
ParentImage ends with: '\conhost.exe'
ParentCommandLine contains: '--headless'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query (Windows Security, Event ID 4688) : | resourcename like "Windows Security" and eventtype = "4688" and parentprocessname like "\conhost.exe" and parentcommandline like "--headless" |
Detection Query (EDR, process name fields) : | technologygroup = "EDR" and parentprocessname like "\conhost.exe" and parentcommandline like "--headless" |
Detection Query (Sysmon, Event ID 1) : | ((resourcename = "Sysmon" AND eventtype = "1" ) AND parentimage like "\conhost.exe" ) AND parentcommandline like "--headless" |
Detection Query (EDR, image fields) : | ((technologygroup = "EDR" ) AND parentimage like "\conhost.exe" ) AND parentcommandline like "--headless" |
Note: the parent command line is matched with "like" (substring) in every query, because the full parent command line is the conhost.exe path followed by its arguments; an exact match on "--headless" would never fire. Windows Security Event ID 4688 records the creator process name but not the creator's command line, so the first query only works where the SIEM enriches "parentcommandline" from the parent's own 4688 event; Sysmon Event ID 1 carries ParentCommandLine natively.
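The following is an added example, not part of the original page and not Gurucul's or SigmaHQ's code. It implements the Sigma selection above (ParentImage ends with '\conhost.exe' AND ParentCommandLine contains '--headless', both case-insensitive as Sigma matching on Windows fields is) and runs it over a handful of constructed Sysmon Event ID 1 records, including records that should not fire: an ordinary conhost.exe parent without the flag, a "--headless" string that appears in the child's command line rather than the parent's, and a non-process-creation event. All event values are constructed for illustration.

```python
"""Added example: evaluate the conhost.exe --headless Sigma selection over
constructed Sysmon Event ID 1 (ProcessCreate) records."""

# The selection from the referenced Sigma rule, expressed as Sigma "field|modifier": pattern pairs.
SELECTION = {
    "ParentImage|endswith": "\\conhost.exe",
    "ParentCommandLine|contains": "--headless",
}

# Constructed sample events (not real telemetry). Field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {   # should match: hidden cmd.exe launched through conhost.exe --headless
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c whoami",
        "ParentImage": r"C:\Windows\System32\conhost.exe",
        "ParentCommandLine": r"C:\Windows\System32\conhost.exe --headless cmd.exe /c whoami",
    },
    {   # should NOT match: ordinary conhost.exe attached to a visible console
        "EventID": 1,
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe",
        "ParentImage": r"C:\Windows\System32\conhost.exe",
        "ParentCommandLine": r"\??\C:\WINDOWS\system32\conhost.exe 0x4",
    },
    {   # should NOT match: "--headless" is in the child's command line, not the parent's
        "EventID": 1,
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r"chrome.exe --headless --dump-dom https://example.com",
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\Explorer.EXE",
    },
    {   # should NOT match: not a process-creation event (Sysmon Event ID 3, network connection)
        "EventID": 3,
        "Image": r"C:\Windows\System32\conhost.exe",
        "ParentImage": r"C:\Windows\System32\conhost.exe",
        "ParentCommandLine": r"C:\Windows\System32\conhost.exe --headless",
    },
    {   # should match: mixed case in both the image path and the flag
        "EventID": 1,
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -Command Get-Process",
        "ParentImage": r"c:\windows\system32\CONHOST.EXE",
        "ParentCommandLine": r"CONHOST.EXE --HEADLESS powershell.exe -NoProfile -Command Get-Process",
    },
]


def _match_field(value: str, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier, case-insensitively (Windows field semantics)."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "":  # no modifier means exact (case-insensitive) match
        return v == p
    raise ValueError(f"unsupported Sigma modifier: {modifier}")


def matches_selection(event: dict, selection: dict = SELECTION) -> bool:
    """All entries of a Sigma selection map are ANDed; a missing field never matches."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        if not _match_field(str(event[field]), modifier, pattern):
            return False
    return True


def hunt(events: list) -> list:
    """Return the Sysmon ProcessCreate (EventID 1) records that satisfy the selection."""
    return [e for e in events if e.get("EventID") == 1 and matches_selection(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("HIT:", hit["Image"], "<-", hit["ParentCommandLine"])
```

Only the first and last sample records fire; the ordinary conhost.exe parent, the child-side "--headless", and the non-ProcessCreate event are all rejected. When reviewing real hits, the child's Image and CommandLine (not just the parent's) are what distinguish a hidden shell from benign tooling.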
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_conhost_headless_execution.yml