Mshta Making Network Connections

Identifies Mshta.exe making outbound network connections. mshta.exe is a signed, built-in Windows binary that executes HTA/script content, so a network connection from it is an unusual event worth review: adversaries use it to retrieve and run remote scripts under a trusted process name (ATT&CK T1218.005), evading application allow-listing and simple process-name detections.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/02"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/10/15"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often
13leveraged by adversaries to execute malicious scripts and evade detection.
14"""
15from = "now-20m"
16index = [
17    "logs-endpoint.events.process-*",
18    "logs-endpoint.events.network-*",
19    "winlogbeat-*",
20    "logs-windows.sysmon_operational-*",
21]
22language = "eql"
23license = "Elastic License v2"
24name = "Mshta Making Network Connections"
25references = [
26    "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
27]
28risk_score = 47
29rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
30severity = "medium"
31tags = [
32    "Domain: Endpoint",
33    "OS: Windows",
34    "Use Case: Threat Detection",
35    "Tactic: Defense Evasion",
36    "Data Source: Elastic Defend",
37    "Data Source: Sysmon",
38]
39type = "eql"
40
41query = '''
42sequence by process.entity_id with maxspan=10m
43  [process where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and
44     not process.parent.name : "Microsoft.ConfigurationManagement.exe" and
45     not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or
46          process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and
47     not process.args : "ADSelfService_Enroll.hta"]
48  [network where host.os.type == "windows" and process.name : "mshta.exe"]
49'''
50
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1218"
56name = "System Binary Proxy Execution"
57reference = "https://attack.mitre.org/techniques/T1218/"
58[[rule.threat.technique.subtechnique]]
59id = "T1218.005"
60name = "Mshta"
61reference = "https://attack.mitre.org/techniques/T1218/005/"
62
63
64
65[rule.threat.tactic]
66id = "TA0005"
67name = "Defense Evasion"
68reference = "https://attack.mitre.org/tactics/TA0005/"


