Mshta Making Network Connections
Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/09/02"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/04/08"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often
13leveraged by adversaries to execute malicious scripts and evade detection.
14"""
15from = "now-20m"
16index = ["logs-endpoint.events.process-*", "logs-endpoint.events.network-*", "winlogbeat-*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Mshta Making Network Connections"
20risk_score = 47
21rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
22severity = "medium"
23tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Data Source: Sysmon"]
24type = "eql"
25
26query = '''
27sequence by process.entity_id with maxspan=10m
28 [process where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and
29 not process.parent.name : "Microsoft.ConfigurationManagement.exe" and
30 not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or
31 process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and
32 not process.args : "ADSelfService_Enroll.hta"]
33 [network where host.os.type == "windows" and process.name : "mshta.exe"]
34'''
35
36
37[[rule.threat]]
38framework = "MITRE ATT&CK"
39[[rule.threat.technique]]
40id = "T1218"
41name = "System Binary Proxy Execution"
42reference = "https://attack.mitre.org/techniques/T1218/"
43[[rule.threat.technique.subtechnique]]
44id = "T1218.005"
45name = "Mshta"
46reference = "https://attack.mitre.org/techniques/T1218/005/"
47
48
49
50[rule.threat.tactic]
51id = "TA0005"
52name = "Defense Evasion"
53reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Host Files System Changes via Windows Subsystem for Linux
- Incoming DCOM Lateral Movement with MMC
- InstallUtil Process Making Network Connections
- MsBuild Making Network Connections
- Network Connection via MsXsl