Mshta Making Network Connections
Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often leveraged by adversaries to execute malicious scripts and evade detection.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/09/02"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/10/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies Mshta.exe making outbound network connections. This may indicate adversarial activity, as Mshta is often
13leveraged by adversaries to execute malicious scripts and evade detection.
14"""
15from = "now-20m"
16index = [
17 "logs-endpoint.events.process-*",
18 "logs-endpoint.events.network-*",
19 "winlogbeat-*",
20 "logs-windows.sysmon_operational-*",
21]
22language = "eql"
23license = "Elastic License v2"
24name = "Mshta Making Network Connections"
25references = [
26 "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper",
27]
28risk_score = 47
29rule_id = "c2d90150-0133-451c-a783-533e736c12d7"
30severity = "medium"
31tags = [
32 "Domain: Endpoint",
33 "OS: Windows",
34 "Use Case: Threat Detection",
35 "Tactic: Defense Evasion",
36 "Data Source: Elastic Defend",
37 "Data Source: Sysmon",
38]
39type = "eql"
40
41query = '''
42sequence by process.entity_id with maxspan=10m
43 [process where host.os.type == "windows" and event.type == "start" and process.name : "mshta.exe" and
44 not process.parent.name : "Microsoft.ConfigurationManagement.exe" and
45 not (process.parent.executable : "C:\\Amazon\\Amazon Assistant\\amazonAssistantService.exe" or
46 process.parent.executable : "C:\\TeamViewer\\TeamViewer.exe") and
47 not process.args : "ADSelfService_Enroll.hta"]
48 [network where host.os.type == "windows" and process.name : "mshta.exe"]
49'''
50
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1218"
56name = "System Binary Proxy Execution"
57reference = "https://attack.mitre.org/techniques/T1218/"
58[[rule.threat.technique.subtechnique]]
59id = "T1218.005"
60name = "Mshta"
61reference = "https://attack.mitre.org/techniques/T1218/005/"
62
63
64
65[rule.threat.tactic]
66id = "TA0005"
67name = "Defense Evasion"
68reference = "https://attack.mitre.org/tactics/TA0005/"
References
Related rules
- Adding Hidden File Attribute via Attrib
- Alternate Data Stream Creation/Execution at Volume Root Directory
- Attempt to Install Kali Linux via WSL
- Bypass UAC via Event Viewer
- Clearing Windows Console History