Mshta Making Network Connections
Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.
Elastic rule
[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often
leveraged by adversaries to execute malicious scripts and evade detection.
"""
from = "now-20m"
index = [
    "logs-endpoint.events.process-*",
    "logs-endpoint.events.network-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Mshta Making Network Connections"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Mshta Making Network Connections

Mshta.exe is a legitimate, Microsoft-signed Windows utility that runs Microsoft HTML Application (HTA) files and can also execute inline VBScript or JScript passed on its command line. Adversaries abuse it to run malicious scripts under a trusted, signed binary, which helps the payload slip past application control and signature-based defenses. Mshta.exe rarely needs outbound connectivity in normal use, so the rule pairs an mshta.exe process start with a later network event from the same process instance (matched on process.entity_id within 10 minutes), after excluding a small set of known benign parents and arguments. Because the first stage keys on process.name, a copy of the binary renamed to something else will not match this rule; detections keyed on process.pe.original_file_name cover that case.

### Possible investigation steps

- Review the process tree for mshta.exe. Any parent not covered by the rule's exclusions (Microsoft.ConfigurationManagement.exe, Amazon Assistant, TeamViewer) deserves attention, in particular Office applications, browsers, script hosts, cmd.exe, or powershell.exe.
- Analyze the command-line arguments used by mshta.exe. A remote URL, an inline `javascript:` or `vbscript:` payload, or an HTA in a user-writable or temporary directory is suspicious; the rule already excludes ADSelfService_Enroll.hta.
- Examine the network connections initiated by mshta.exe, including destination IP addresses, domains, and ports, and check them against threat intelligence. The sequence is keyed on process.entity_id, so the connection belongs to the same process instance as the start event in the alert.
- Check for any related alerts or logs from the same host around the time of the mshta.exe activity to identify potential lateral movement or additional malicious behavior.
- Investigate the user account associated with the mshta.exe process to determine if it has been compromised or is exhibiting unusual activity patterns.

### False positive analysis

- Mshta.exe may be launched by legitimate software deployment or management tooling, such as the Configuration Manager console (Microsoft.ConfigurationManagement.exe). To handle this, add exceptions for the specific parent process name.
- Certain applications like Amazon Assistant and TeamViewer may use Mshta.exe for legitimate purposes. Exclude these by their full executable paths, such as C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe and C:\\TeamViewer\\TeamViewer.exe; the exclusions are exact path matches, so a copy of the binary in another location is still alerted on.
- Custom scripts or internal tools that utilize HTA files for automation might cause false positives. Identify these scripts and exclude them by their specific arguments, such as ADSelfService_Enroll.hta.
- Regularly review and update the list of exceptions to ensure that only verified benign activities are excluded, minimizing the risk of overlooking genuine threats.

### Response and remediation

- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate the mshta.exe process if it is confirmed to be making unauthorized network connections.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious scripts or files.
- Review and analyze the process tree and network connections associated with mshta.exe to identify any additional compromised processes or systems.
- Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated.
- Implement application control (for example AppLocker or Windows Defender Application Control) to block mshta.exe and similar system binaries on hosts and for users that do not need them.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""
references = [
    "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
]
risk_score = 47
rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by process.entity_id with maxspan=10m
  [process where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and
     not process.parent.name : "Microsoft.ConfigurationManagement.exe" and
     not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or
          process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and
     not process.args : "ADSelfService_Enroll.hta"]
  [network where host.os.type == "windows" and process.name : "mshta.exe"]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
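The EQL sequence above is easiest to reason about when you can step through it against concrete events. The following Python replay is an added example, not part of the Elastic rule or its tooling: it re-implements the two sequence stages, the exclusions from the false-positive section, and the `sequence by process.entity_id with maxspan=10m` correlation, then runs them over a handful of constructed ECS-shaped events. The event dictionaries, process paths, entity IDs and the 203.0.113.0/24 and 192.0.2.0/24 addresses are all made up for illustration. EQL's `:` operator is case-insensitive, which is why every string comparison is lower-cased; the replay simplifies EQL by keeping only one open sequence per entity_id, which is enough to show why each sample branch does or does not alert.

```python
from datetime import datetime, timedelta

# `with maxspan=10m`: the network event must follow the process start by at most this much.
MAXSPAN = timedelta(minutes=10)

# Exclusions from the rule's first sequence stage. EQL's `:` operator is
# case-insensitive, so all comparisons below are done in lower case.
EXCLUDED_PARENT_NAMES = {"microsoft.configurationmanagement.exe"}
EXCLUDED_PARENT_EXECUTABLES = {
    r"c:\amazon\amazon assistant\amazonassistantservice.exe",
    r"c:\teamviewer\teamviewer.exe",
}
EXCLUDED_ARGS = {"adselfservice_enroll.hta"}


def process_start(ts, entity_id, parent_name, parent_exe, args):
    """Minimal ECS-shaped process start event for mshta.exe (constructed sample data)."""
    return {"@timestamp": ts, "event": {"category": "process", "type": "start"},
            "host": {"os": {"type": "windows"}},
            "process": {"entity_id": entity_id, "name": "mshta.exe", "args": args,
                        "parent": {"name": parent_name, "executable": parent_exe}}}


def network_event(ts, entity_id, name, dest_ip):
    """Minimal ECS-shaped network event (constructed sample data)."""
    return {"@timestamp": ts, "event": {"category": "network", "type": "connection"},
            "host": {"os": {"type": "windows"}},
            "process": {"entity_id": entity_id, "name": name},
            "destination": {"ip": dest_ip}}


def matches_stage1(ev):
    """Stage 1: an mshta.exe start on Windows that none of the exclusions cover."""
    if ev["event"]["category"] != "process" or ev["event"]["type"] != "start":
        return False
    if ev["host"]["os"]["type"] != "windows" or ev["process"]["name"].lower() != "mshta.exe":
        return False
    parent = ev["process"].get("parent", {})
    if parent.get("name", "").lower() in EXCLUDED_PARENT_NAMES:
        return False
    if parent.get("executable", "").lower() in EXCLUDED_PARENT_EXECUTABLES:
        return False
    return not any(a.lower() in EXCLUDED_ARGS for a in ev["process"].get("args", []))


def matches_stage2(ev):
    """Stage 2: any network event attributed to mshta.exe on Windows."""
    return (ev["event"]["category"] == "network"
            and ev["host"]["os"]["type"] == "windows"
            and ev["process"]["name"].lower() == "mshta.exe")


def run_sequence(events):
    """Emulate `sequence by process.entity_id with maxspan=10m`.

    Events are walked in time order. A stage-1 match opens a pending sequence for
    its entity_id; the first stage-2 event with the same entity_id closes it and
    alerts only if it arrived within MAXSPAN. Network events for an entity_id with
    no open sequence (different process instance, excluded start) are ignored.
    """
    pending, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        eid = ev["process"]["entity_id"]
        if matches_stage1(ev):
            pending[eid] = ev
        elif matches_stage2(ev) and eid in pending:
            start = pending.pop(eid)
            if ev["@timestamp"] - start["@timestamp"] <= MAXSPAN:
                alerts.append({"entity_id": eid, "parent": start["process"]["parent"]["name"],
                               "args": start["process"]["args"],
                               "destination": ev["destination"]["ip"]})
    return alerts


# Constructed sample telemetry covering the rule's main branches (illustrative only).
T0 = datetime(2025, 3, 20, 9, 0, 0)
SAMPLE_EVENTS = [
    # A: Word spawns mshta.exe with a remote HTA, which then connects out -> alert
    process_start(T0, "A", "WINWORD.EXE", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  ["mshta.exe", "http://203.0.113.10/invoice.hta"]),
    network_event(T0 + timedelta(seconds=20), "A", "mshta.exe", "203.0.113.10"),
    # B: excluded parent (Configuration Manager console) -> no alert
    process_start(T0, "B", "Microsoft.ConfigurationManagement.exe",
                  r"C:\Program Files (x86)\ConfigMgr\Microsoft.ConfigurationManagement.exe",
                  ["mshta.exe", r"C:\Temp\task.hta"]),
    network_event(T0 + timedelta(seconds=5), "B", "mshta.exe", "192.0.2.20"),
    # C: excluded argument (self-service password enrollment HTA) -> no alert
    process_start(T0, "C", "explorer.exe", r"C:\Windows\explorer.exe", ["mshta.exe", "ADSelfService_Enroll.hta"]),
    network_event(T0 + timedelta(seconds=5), "C", "mshta.exe", "192.0.2.30"),
    # D: suspicious start, but the connection comes 15 minutes later -> outside maxspan, no alert
    process_start(T0, "D", "cmd.exe", r"C:\Windows\System32\cmd.exe", ["mshta.exe", r"C:\Users\Public\stage.hta"]),
    network_event(T0 + timedelta(minutes=15), "D", "mshta.exe", "203.0.113.40"),
    # E: the network event belongs to a different process instance (entity F) -> no alert
    process_start(T0, "E", "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  ["mshta.exe", r"C:\Users\Public\a.hta"]),
    network_event(T0 + timedelta(seconds=5), "F", "mshta.exe", "203.0.113.50"),
]

if __name__ == "__main__":
    for alert in run_sequence(SAMPLE_EVENTS):
        print(alert)
```

Running the replay yields exactly one alert, for entity A. Cases B and C show how a parent-name or argument exception silently removes a whole process instance from consideration, which is why the false-positive section asks for exceptions to be reviewed regularly; case D shows that a late beacon from an otherwise suspicious start is missed by the 10-minute window, so a stage-1 hit without a network event is still worth a look in the process and network indices the rule reads from.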
References
- https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper
Related rules
- Adding Hidden File Attribute via Attrib
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Attempt to Install Kali Linux via WSL
- Bypass UAC via Event Viewer
- Clearing Windows Console History