Informational
Process Information
- File Name: conhost.exe
- File Path: \Device\HarddiskVolume3\Windows\System32\conhost.exe
- Command Line: \??\C:\windows\system32\conhost.exe 0xffffffff -ForceV1
- Process ID: 27100890786 (Falcon-internal process identifier, not the Windows PID — the value exceeds the 32-bit OS PID range; use it to pivot to the process tree in Falcon, not to match against Task Manager or event-log PIDs)
- Parent PID: 27099548696 (same Falcon-internal identifier space; the parent image is powershell.exe per the raw event below)
- SHA256: 6651a3beb0df1e66363a950c37dc9305f185d161fb03761e172ccfa0a4ab4f89 — VT
- MD5: 3e87d95ba32e19c565247bad5d810ca3
- Disposition: 0
Detection, standard detection — detect-only: every PatternDispositionFlags entry in the raw event is false, so no block, kill, suspend or quarantine action was taken and the process was allowed to run (ProcessEndTime is recorded one second after ProcessStartTime). The hashes above identify conhost.exe itself, a Windows system binary, so a reputation lookup on them says nothing about this alert; the SHA1String in the raw event is all zeros (a placeholder, not a real digest) and should not be used for lookups. The security-relevant context is the parent PowerShell command line (-ExecutionPolicy Bypass -WindowStyle Hidden running C:\AtomicRedTeam\atomic-random-runner-v2.ps1 under the machine account BOOK-R0BE6S1NC3$), which appears to be an Atomic Red Team test run — confirm it against an authorized test schedule for this host before closing as expected activity.
Raw JSON Data
{
"metadata": {
"customerIDString": "84393bf974fd44bda943a25a6a7bc27f",
"offset": 158020,
"eventType": "EppDetectionSummaryEvent",
"eventCreationTime": 1766358465000,
"version": "1.0"
},
"event": {
"ProcessStartTime": 1766358403,
"ProcessEndTime": 1766358404,
"ProcessId": 27100890786,
"ParentProcessId": 27099548696,
"Hostname": "BOOK-R0BE6S1NC3",
"UserName": "BOOK-R0BE6S1NC3$",
"Name": "Attacker Methodology",
"Description": "A suspicious process was identified by CrowdStrike. Review the process tree.",
"Severity": 10,
"SeverityName": "Informational",
"FileName": "conhost.exe",
"FilePath": "\\Device\\HarddiskVolume3\\Windows\\System32\\conhost.exe",
"CommandLine": "\\??\\C:\\windows\\system32\\conhost.exe 0xffffffff -ForceV1",
"SHA256String": "6651a3beb0df1e66363a950c37dc9305f185d161fb03761e172ccfa0a4ab4f89",
"MD5String": "3e87d95ba32e19c565247bad5d810ca3",
"SHA1String": "0000000000000000000000000000000000000000",
"LogonDomain": "WORKGROUP",
"FalconHostLink": "https://falcon.us-2.crowdstrike.com/activity-v2/detections/84393bf974fd44bda943a25a6a7bc27f:ind:024efd237c2d4f87958607652cb04c8b:27100890786-10417-3833104?_cid=g04000x7oomvbbtvcerklzeap3llo7ue",
"AgentId": "024efd237c2d4f87958607652cb04c8b",
"CompositeId": "84393bf974fd44bda943a25a6a7bc27f:ind:024efd237c2d4f87958607652cb04c8b:27100890786-10417-3833104",
"LocalIP": "172.27.1.19",
"MACAddress": "00-72-ee-3e-51-84",
"Tactic": "Execution",
"Technique": "User Execution",
"Objective": "Follow Through",
"PatternDispositionDescription": "Detection, standard detection.",
"PatternDispositionValue": 0,
"PatternDispositionFlags": {
"Indicator": false,
"Detect": false,
"InddetMask": false,
"SensorOnly": false,
"Rooting": false,
"KillProcess": false,
"KillSubProcess": false,
"QuarantineMachine": false,
"QuarantineFile": false,
"PolicyDisabled": false,
"KillParent": false,
"OperationBlocked": false,
"ProcessBlocked": false,
"RegistryOperationBlocked": false,
"CriticalProcessDisabled": false,
"BootupSafeguardEnabled": false,
"FsOperationBlocked": false,
"HandleOperationDowngraded": false,
"KillActionFailed": false,
"BlockingUnsupportedOrDisabled": false,
"SuspendProcess": false,
"SuspendParent": false,
"ContainmentFileSystem": false
},
"ParentImageFileName": "powershell.exe",
"ParentCommandLine": "\u0022powershell.exe\u0022 -ExecutionPolicy Bypass -WindowStyle Hidden -File \u0022C:\\AtomicRedTeam\\atomic-random-runner-v2.ps1\u0022 -TestCount 3 -Silent",
"HostGroups": "4f5aa5f1cdc6441982cf5c58e4b5d75a",
"PatternId": 10417,
"SourceVendors": "CrowdStrike",
"SourceProducts": "Falcon Insight",
"DataDomains": "Endpoint",
"AggregateId": "aggind:024efd237c2d4f87958607652cb04c8b:17577316374",
"Type": "ldt",
"ParentImageFilePath": "\\Device\\HarddiskVolume3\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"LocalIPv6": "",
"PlatformId": "0",
"PlatformName": "Windows",
"MitreAttack": [
{
"Tactic": "Execution",
"TacticID": "TA0002",
"Technique": "User Execution",
"TechniqueID": "T1204",
"PatternID": 10417
}
],
"CloudIndicator": false,
"RiskScore": 10
}
}