conhost.exe
Author: Microsoft
Source: Wild
Summary
conhost.exe provides a text-based user interface for programs that require a text console. It uses a screen buffer and an input buffer. Cmd.exe and powershell.exe are examples of programs that use conhost.exe to provide a console for the user.
EchoTrail Prevalence Score (EPS)
96.71
Rank Analysis
Host Prevalence
95.3%
Execution Rank
1st
Behavioral Analysis
Top Paths
C:\Windows\System32
99.99 %
Top Network Ports
443
96.09 %
Ancestry Analysis
Top GrandParents
Top Parents
Top Children
Security Analysis
Intel
It is normal to see conhost.exe launched at nearly the same time as a command-line interface tool or interpreter, such as CMD or PowerShell. The conhost process acts somewhat as a buffer for command-line commands, much like bash history on a Unix/Linux system. However, to view the command-line history of a process, one must dump and inspect the memory space of the corresponding conhost.exe process. Given the nature of conhost.exe, a useful analytic is to examine which processes launch conhost.exe and inspect those that are not expected command-line interpreters. This could behaviorally reveal malicious shells being used by attackers.
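
The parent-process analytic described above, as an added example that is not part of the original page: it stacks the parents of conhost.exe from process-creation records and flags launches whose parent is not an expected interpreter or whose image is outside the top path listed above. The record fields, the sample events and the allowlist beyond cmd.exe and powershell.exe are assumptions to adapt to your own telemetry.

```python
from collections import Counter
import ntpath

# Assumption: the page names only cmd.exe and powershell.exe as expected
# console owners; extend this allowlist for your environment.
EXPECTED_PARENTS = {"cmd.exe", "powershell.exe"}
EXPECTED_CONHOST_DIR = r"c:\windows\system32"  # top path reported on this page

# Constructed process-creation records (hypothetical field names, not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"host": "ws03", "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": r"C:\Users\Public\svc_update.exe"},
    {"host": "ws04", "image": r"C:\Users\Public\conhost.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

def triage_conhost(events, expected_parents=EXPECTED_PARENTS):
    """Return (parent_counts, findings) for every conhost.exe launch."""
    parent_counts = Counter()
    findings = []
    for ev in events:
        image = ev["image"].lower()
        if ntpath.basename(image) != "conhost.exe":
            continue  # only conhost.exe launches are in scope
        parent = ntpath.basename(ev["parent_image"].lower())
        parent_counts[parent] += 1
        reasons = []
        if parent not in expected_parents:
            reasons.append("unexpected parent")
        if ntpath.dirname(image) != EXPECTED_CONHOST_DIR:
            reasons.append("unexpected path")
        if reasons:
            findings.append((ev["host"], parent, image, reasons))
    return parent_counts, findings

if __name__ == "__main__":
    counts, findings = triage_conhost(SAMPLE_EVENTS)
    for parent, n in counts.most_common():
        print(f"{n:>4}  {parent}")
    for host, parent, image, reasons in findings:
        print(f"REVIEW {host}: {parent} -> {image} ({', '.join(reasons)})")
```

Rare parents at the bottom of the stacked counts are the ones to review first; a flagged entry is a lead for investigation, not a verdict.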