Remotely Hosted HTA File Executed Via Mshta.EXE
Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
Sigma rule (View on GitHub)
1title: Remotely Hosted HTA File Executed Via Mshta.EXE
2id: b98d0db6-511d-45de-ad02-e82a98729620
3status: test
4description: Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file
5references:
6 - https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2022-08-08
9modified: 2023-02-06
10tags:
11 - attack.defense-evasion
12 - attack.execution
13 - attack.t1218.005
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\mshta.exe'
20 - OriginalFileName: 'MSHTA.EXE'
21 selection_cli:
22 CommandLine|contains:
23 - 'http://'
24 - 'https://'
25 - 'ftp://'
26 condition: all of selection_*
27falsepositives:
28 - Unknown
29level: high
References
-
We found an AvosLocker ransomware variant using a legitimate antivirus component to disable detection and blocking solutions.
Read More
Related rules
- Csc.EXE Execution Form Potentially Suspicious Parent
- HackTool - CACTUSTORCH Remote Thread Creation
- MSHTA Suspicious Execution 01
- Potential Baby Shark Malware Activity
- AMSI Bypass Pattern Assembly GetType