Powershell Executed From Headless ConHost Process

Rule Info

Name: Powershell Executed From Headless ConHost Process
Author: Matt Anderson (Huntress)
Description: Detects PowerShell commands executed from a headless ConHost window. The "--headless" flag hides the window from the user upon execution.
Date: 2024-07-23
Modified: None
Id: 056c7317-9a09-4bd4-9067-d051312752ea
Tags: attack.defense-evasion attack.execution attack.t1059.001 attack.t1059.003
Type: Community Rule
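The page does not reproduce the rule's detection block, so the following is an added example, not the Sigma rule itself: an approximation of the check described above (a powershell.exe or pwsh.exe child whose parent is conhost.exe started with "--headless"), run over constructed Sysmon-style process creation records. Field names (Image, CommandLine, ParentImage, ParentCommandLine, OriginalFileName) follow the Sigma process_creation field set; the sample records and the PowerShell name lists are assumptions made for the example.

```python
"""Added example (not part of the Sigma rule or this page): an approximation of
the headless-ConHost -> PowerShell check, run over constructed Sysmon-style
process creation records.

Assumptions: field names follow the Sigma process_creation field set
(Image, CommandLine, ParentImage, ParentCommandLine, OriginalFileName); the
match logic is written from the rule description on this page, since the
rule's own detection block is not reproduced there.
"""
from __future__ import annotations

import ntpath

# PowerShell host binaries by image name, plus the PE OriginalFileName values
# that survive when the binary on disk is renamed (PowerShell.EXE / pwsh.dll).
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
POWERSHELL_ORIGINAL_NAMES = {"powershell.exe", "pwsh.dll"}


def is_headless_conhost_parent(event: dict) -> bool:
    """True when the parent is conhost.exe launched with the --headless flag."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    parent_cmd = event.get("ParentCommandLine", "").lower()
    return parent == "conhost.exe" and "--headless" in parent_cmd


def is_powershell_child(event: dict) -> bool:
    """True when the created process is a PowerShell host (by name or PE metadata)."""
    image = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    return image in POWERSHELL_IMAGES or original in POWERSHELL_ORIGINAL_NAMES


def matches_rule(event: dict) -> bool:
    """Both conditions must hold: headless conhost parent and PowerShell child."""
    return is_headless_conhost_parent(event) and is_powershell_child(event)


def find_matches(events: list[dict]) -> list[int]:
    """Return the indices of the events that match."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample records (Sysmon Event ID 1 style, trimmed to the fields used).
SAMPLE_EVENTS = [
    {   # 0: headless conhost launching PowerShell -> match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -w hidden -c Get-Process",
        "ParentImage": r"C:\Windows\System32\conhost.exe",
        "ParentCommandLine": "conhost.exe --headless powershell.exe -NoProfile -w hidden -c Get-Process",
        "OriginalFileName": "PowerShell.EXE",
    },
    {   # 1: PowerShell started from an interactive cmd.exe -> no match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -c Get-Process",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ParentCommandLine": r'"C:\Windows\System32\cmd.exe"',
        "OriginalFileName": "PowerShell.EXE",
    },
    {   # 2: headless conhost but a cmd.exe child -> not a PowerShell hit
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
        "ParentImage": r"C:\Windows\System32\conhost.exe",
        "ParentCommandLine": "conhost.exe --headless cmd.exe /c dir",
        "OriginalFileName": "Cmd.Exe",
    },
    {   # 3: headless conhost launching a renamed pwsh.exe, caught via OriginalFileName
        "Image": r"C:\Users\Public\update.exe",
        "CommandLine": "update.exe -c Get-Date",
        "ParentImage": r"C:\Windows\System32\conhost.exe",
        "ParentCommandLine": r"conhost.exe --headless C:\Users\Public\update.exe -c Get-Date",
        "OriginalFileName": "pwsh.dll",
    },
]

if __name__ == "__main__":
    for i in find_matches(SAMPLE_EVENTS):
        print(f"match: event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Matching on OriginalFileName as well as the image name is a deliberate widening over a name-only check: it keeps the detection when the PowerShell binary has been copied under another name, which is exactly the situation a headless, hidden launch is trying to cover for. Record 2 is included to show the boundary of the check as described on this page, which covers PowerShell children only.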

Rule History

Author | Title | Date | Commit
github-actions[bot] | Merge PR #5448 from @nasbench - Promote older rules status from `experimental` to `test` | 2025-06-02 |
david-syk | Merge PR #5395 from @david-syk - Update MITRE ATT&CK tags | 2025-05-20 |
Nasreddine Bencherchali | Merge PR #4950 from @nasbench - Comply With v2 Spec Changes | 2024-08-12 |
Matt Anderson | Merge PR #4919 from @MATTANDERS0N - Added new detections related BOINC | 2024-07-23 |