Suspicious JavaScript Execution Via Mshta.EXE
Detects execution of javascript code using "mshta.exe".
Sigma rule (View on GitHub)
1title: Suspicious JavaScript Execution Via Mshta.EXE
2id: 67f113fa-e23d-4271-befa-30113b3e08b1
3status: test
4description: Detects execution of javascript code using "mshta.exe".
5references:
6 - https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
7 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md
8author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
9date: 2019/10/24
10modified: 2023/02/07
11tags:
12 - attack.defense_evasion
13 - attack.t1218.005
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 selection_img:
19 - Image|endswith: '\mshta.exe'
20 - OriginalFileName: 'MSHTA.EXE'
21 selection_cli:
22 CommandLine|contains: 'javascript'
23 condition: all of selection_*
24falsepositives:
25 - Unknown
26level: high
References
-
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Mshta Executing from Registry
- Renamed FTP.EXE Execution
- AD Object WriteDAC Access
- New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
- Renamed Jusched.EXE Execution