Mshta Making Network Connections

calendar Apr 16, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Defense Evasion Data Source: Elastic Defend Data Source: Sysmon  ·
Share on: linkedin copy

Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/09/02"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/04/08"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often
13leveraged by adversaries to execute malicious scripts and evade detection.
14"""
15from = "now-20m"
16index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Mshta Making Network Connections"
20risk_score = 47
21rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
22severity = "medium"
23tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
24type = "eql"
25
26query = '''
27sequence by process.entity_id with maxspan=10m
28  [process where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and
29     not process.parent.name : "Microsoft.ConfigurationManagement.exe" and
30     not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or
31          process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and
32     not process.args : "ADSelfService_Enroll.hta"]
33  [network where host.os.type == "windows" and process.name : "mshta.exe"]
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1218"
41name = "System Binary Proxy Execution"
42reference = "https://attack.mitre.org/techniques/T1218/"
43[[rule.threat.technique.subtechnique]]
44id = "T1218.005"
45name = "Mshta"
46reference = "https://attack.mitre.org/techniques/T1218/005/"
47
48
49
50[rule.threat.tactic]
51id = "TA0005"
52name = "Defense Evasion"
53reference = "https://attack.mitre.org/tactics/TA0005/"

Related rules

to-top