Suspicious MSHTA Child Process
Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
Sigma rule

```yaml
title: Suspicious MSHTA Child Process
id: 03cc0c25-389f-4bf8-b48d-11878079f1ca
status: test
description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
references:
    - https://www.trustedsec.com/july-2015/malicious-htas/
author: Michael Haag
date: 2019-01-16
modified: 2023-02-06
tags:
    - attack.defense-evasion
    - attack.t1218.005
    - car.2013-02-003
    - car.2013-03-001
    - car.2014-04-003
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\mshta.exe'
    selection_child:
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
              - '\wscript.exe'
              - '\cscript.exe'
              - '\sh.exe'
              - '\bash.exe'
              - '\reg.exe'
              - '\regsvr32.exe'
              - '\bitsadmin.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
              - 'wscript.exe'
              - 'cscript.exe'
              - 'Bash.exe'
              - 'reg.exe'
              - 'REGSVR32.EXE'
              - 'bitsadmin.exe'
    condition: all of selection*
falsepositives:
    - Printer software / driver installations
    - HP software
level: high
```
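The following is an added example, not SigmaHQ code, that re-implements the rule's logic in plain Python and runs it over constructed process-creation events. It shows two points a practitioner should take from the rule: Sigma string matching is case-insensitive by default, and the two list items under `selection_child` are OR-ed, so a child whose image has been renamed is still caught through its PE `OriginalFileName`. Field names follow the Sigma `process_creation` taxonomy used in the rule (`ParentImage`, `Image`, `OriginalFileName`); the event records and their `id` values are constructed for the example.

```python
"""Evaluate the 'Suspicious MSHTA Child Process' Sigma logic against process-creation events.

Added example, not SigmaHQ code. Field names follow the rule's Sigma process_creation
fields; all events below are constructed, not real telemetry.
"""
from typing import Iterable

PARENT_SUFFIX = "\\mshta.exe"

# Values copied from the rule's selection_child block.
CHILD_IMAGE_SUFFIXES = (
    "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe", "\\cscript.exe",
    "\\sh.exe", "\\bash.exe", "\\reg.exe", "\\regsvr32.exe", "\\bitsadmin.exe",
)
CHILD_ORIGINAL_NAMES = (
    "Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe", "cscript.exe",
    "Bash.exe", "reg.exe", "REGSVR32.EXE", "bitsadmin.exe",
)


def _field(event: dict, name: str) -> str:
    # Sigma string matching is case-insensitive by default; normalise once here.
    value = event.get(name)
    return value.lower() if isinstance(value, str) else ""


def selection_parent(event: dict) -> bool:
    # ParentImage|endswith: '\mshta.exe'
    return _field(event, "ParentImage").endswith(PARENT_SUFFIX)


def selection_child(event: dict) -> bool:
    # A YAML list of maps under one selection is OR-ed in Sigma: either the image
    # path or the PE OriginalFileName may identify the child process.
    image = _field(event, "Image")
    original = _field(event, "OriginalFileName")
    by_image = any(image.endswith(suffix.lower()) for suffix in CHILD_IMAGE_SUFFIXES)
    by_name = original in {name.lower() for name in CHILD_ORIGINAL_NAMES}
    return by_image or by_name


def matches(event: dict) -> bool:
    # condition: all of selection*
    return selection_parent(event) and selection_child(event)


def run(events: Iterable[dict]) -> list[int]:
    """Return the ids of the events that trigger the rule."""
    return [event["id"] for event in events if matches(event)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Plain case: mshta.exe launching powershell.exe.
    {"id": 1, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE"},
    # Renamed child: the path no longer ends in a listed name, but PE metadata still does.
    {"id": 2, "ParentImage": r"C:\Windows\SysWOW64\MSHTA.EXE",
     "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "Cmd.Exe"},
    # Same child, different parent: must not fire.
    {"id": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
    # mshta.exe parent but a child that is not on the list: must not fire.
    {"id": 4, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
    # Log source without PE metadata (no OriginalFileName): the image path alone still matches.
    {"id": 5, "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\reg.exe"},
]

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))  # [1, 2, 5]
```

Event 2 is the reason the rule carries the `OriginalFileName` list at all: a path-only check would miss it. Event 5 shows the opposite direction, a source that does not populate `OriginalFileName` still matches on `Image`, so the rule degrades gracefully rather than going silent on such telemetry.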
Related rules
- Csc.EXE Execution Form Potentially Suspicious Parent
- HackTool - CACTUSTORCH Remote Thread Creation
- MSHTA Suspicious Execution 01
- Potential Baby Shark Malware Activity
- Potential LethalHTA Technique Execution