Windows Connhost Exe Started Forcefully

Description

The search looks for the Console Window Host process (connhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk Ransomware. DEPRECATED This event is actually seen in the windows 10 client of attackrangelocal. After further testing we realized this is not specific to Ryuk.

   Help

Windows Connhost Exe Started Forcefully Help

You must be ingesting data that records the process-system activity from your hosts to populate the Endpoint Processes data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

   Search

Open in Search