.. / OpenConsole.exe
Star

Execute

Console Window host for Windows Terminal

Paths:

C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe
C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os86\OpenConsole.exe
C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\Terminal\ServiceHub\os64\OpenConsole.exe

Resources:

https://twitter.com/nas_bench/status/1537563834478645252

Acknowledgements:

Nasreddine Bencherchali (@nas_bench)

Detection:

IOC: OpenConsole.exe spawning unexpected processes
Sigma: https://github.com/SigmaHQ/sigma/blob/9e0ef7251b075f15e7abafbbec16d3230c5fa477/rules/windows/process_creation/proc_creation_win_lolbin_openconsole.yml

Execute

Execute calc with OpenConsole.exe as parent process

OpenConsole.exe calc

Usecase: Use OpenConsole.exe as a proxy binary to evade defensive counter-measures
Privileges required: User
OS: Windows 10, Windows 11
MITRE ATT&CK®: T1202

.. / OpenConsole.exe Star

Execute

.. / OpenConsole.exe
Star