Suspicious MSHTA Child Process
Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
Sigma rule (View on GitHub)
1title: Suspicious MSHTA Child Process
2id: 03cc0c25-389f-4bf8-b48d-11878079f1ca
3status: test
4description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
5references:
6 - https://www.trustedsec.com/july-2015/malicious-htas/
7author: Michael Haag
8date: 2019/01/16
9modified: 2023/02/06
10tags:
11 - attack.defense_evasion
12 - attack.t1218.005
13 - car.2013-02-003
14 - car.2013-03-001
15 - car.2014-04-003
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 selection_parent:
21 ParentImage|endswith: '\mshta.exe'
22 selection_child:
23 - Image|endswith:
24 - '\cmd.exe'
25 - '\powershell.exe'
26 - '\pwsh.exe'
27 - '\wscript.exe'
28 - '\cscript.exe'
29 - '\sh.exe'
30 - '\bash.exe'
31 - '\reg.exe'
32 - '\regsvr32.exe'
33 - '\bitsadmin.exe'
34 - OriginalFileName:
35 - 'Cmd.Exe'
36 - 'PowerShell.EXE'
37 - 'pwsh.dll'
38 - 'wscript.exe'
39 - 'cscript.exe'
40 - 'Bash.exe'
41 - 'reg.exe'
42 - 'REGSVR32.EXE'
43 - 'bitsadmin.exe'
44 condition: all of selection*
45falsepositives:
46 - Printer software / driver installations
47 - HP software
48level: high
References
-
Secure what's important to your business with our expertise, technical skill, and ethical character. Experience fundamentally different cybersecurity that turns it into an asset, making us a go-to partner for your business' success.
Read More
Related rules
- Potential Baby Shark Malware Activity
- HackTool - CACTUSTORCH Remote Thread Creation
- MSHTA Suspicious Execution 01
- Suspicious JavaScript Execution Via Mshta.EXE
- Mshta Executing from Registry