Mshta Making Network Connections
Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.
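[metadata]
creation_date = "2020/09/02"
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often
leveraged by adversaries to execute malicious scripts and evade detection.
"""
# Start of the query time range, relative to each rule execution. It is wider
# than the 10m sequence maxspan below so a process start near the edge of the
# window is not separated from the network event that follows it.
from = "now-20m"
# Process and network events are needed for both steps of the sequence; the
# Elastic Defend and Sysmon (via winlogbeat / logs-windows) streams carry both.
index = [
    "logs-endpoint.events.process-*",
    "logs-endpoint.events.network-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
]
language = "eql"
license = "Elastic License v2"
name = "Mshta Making Network Connections"
risk_score = 47
rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
type = "eql"

# Two-step sequence correlated on process.entity_id: an mshta.exe start,
# followed within 10 minutes by any network event from that same process.
# The first step carries the tuning allowlist (known-benign parent processes
# and one expected .hta argument). Those exclusions match on parent name /
# executable path and argument text only; when reviewing false positives,
# prefer narrowing them with code-signature fields (e.g.
# process.parent.code_signature.trusted) rather than adding further bare
# paths, since a path-only exclusion is the weakest form of allowlisting.
query = '''
sequence by process.entity_id with maxspan=10m
 [process where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and
 not process.parent.name : "Microsoft.ConfigurationManagement.exe" and
 not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or
 process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and
 not process.args : "ADSelfService_Enroll.hta"]
 [network where host.os.type == "windows" and process.name : "mshta.exe"]
'''

# MITRE ATT&CK mapping. The technique, sub-technique and tactic tables below
# all belong to this single [[rule.threat]] element and must stay together.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"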