Potential LethalHTA Technique Execution
Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
Sigma rule (View on GitHub)
```yaml
title: Potential LethalHTA Technique Execution
id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471
status: test
description: Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
references:
    - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
author: Markus Neis
date: 2018-06-07
modified: 2023-02-07
tags:
    - attack.defense-evasion
    - attack.t1218.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\mshta.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
```
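The rule's selection evaluated against a few constructed process-creation events, as an added example (not code from the Sigma project or the rule author). The helper names and event dictionaries are assumptions made for illustration, and the matcher goes slightly beyond this rule by also handling `startswith`, `contains` and exact matches.

```python
# Added example: evaluates the rule's selection over constructed events.
RULE_SELECTION = {
    "ParentImage|endswith": "\\svchost.exe",
    "Image|endswith": "\\mshta.exe",
}

# Hypothetical helper table covering the common Sigma string modifiers.
MODIFIERS = {
    "endswith": lambda value, pattern: value.endswith(pattern),
    "startswith": lambda value, pattern: value.startswith(pattern),
    "contains": lambda value, pattern: pattern in value,
}

def field_matches(event, key, patterns):
    """Match one 'Field|modifier' entry; a list of patterns is an OR."""
    field, _, modifier = key.partition("|")
    value = event.get(field)
    if not isinstance(value, str):
        return False  # a missing field never satisfies the selection
    compare = MODIFIERS.get(modifier, lambda v, p: v == p)
    if isinstance(patterns, str):
        patterns = [patterns]
    # Sigma string matching is case-insensitive by default.
    return any(compare(value.lower(), p.lower()) for p in patterns)

def selection_matches(event, selection):
    """Every entry of a selection map must match (logical AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

# Constructed process_creation events (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\mshta.exe"},
    {"ParentImage": r"C:\WINDOWS\system32\SVCHOST.EXE", "Image": r"C:\Windows\SysWOW64\MSHTA.EXE"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe"},
    # The leading backslash in the pattern keeps this look-alike name out.
    {"ParentImage": r"C:\Users\Public\notsvchost.exe", "Image": r"C:\Windows\System32\mshta.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe"},  # parent not logged
]

def run_rule(events):
    """Return one boolean per event: True where the rule would alert."""
    return [selection_matches(e, RULE_SELECTION) for e in events]

if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run_rule(SAMPLE_EVENTS)):
        print("ALERT" if hit else "ok   ", event.get("ParentImage"), "->", event["Image"])
```

Events that lack `ParentImage` never match, so the rule only works on telemetry that records the parent process path.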
Related rules
- Csc.EXE Execution Form Potentially Suspicious Parent
- HackTool - CACTUSTORCH Remote Thread Creation
- MSHTA Suspicious Execution 01
- Potential Baby Shark Malware Activity
- Remotely Hosted HTA File Executed Via Mshta.EXE