MSHTA Suspicious Execution 01

 1title: MSHTA Suspicious Execution 01
 2id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
 3status: test
 4description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
 5references:
 6    - http://blog.sevagas.com/?Hacking-around-HTA-files
 7    - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
 8    - https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
 9    - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
10    - https://twitter.com/mattifestation/status/1326228491302563846
11author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
12date: 2019/02/22
13modified: 2022/11/07
14tags:
15    - attack.defense_evasion
16    - attack.t1140
17    - attack.t1218.005
18    - attack.execution
19    - attack.t1059.007
20    - cve.2020.1599
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection:
26        Image|endswith: '\mshta.exe'
27        CommandLine|contains:
28            - 'vbscript'
29            - '.jpg'
30            - '.png'
31            - '.lnk'
32            # - '.chm'  # could be prone to false positives
33            - '.xls'
34            - '.doc'
35            - '.zip'
36            - '.dll'
37            # - '.exe'
38    condition: selection
39falsepositives:
40    - False positives depend on scripts and administrative tools used in the monitored environment
41level: high

References

• Hacking around HTA files - [ Sevagas]

  

  License : Copyright Emeric Nasi (@EmericNasi), some rights reserved This work is licensed under a Creative Commons Attribution 4.0 International License. I. About HTA The goal of this post is not t...

  
  Read More

• Clientside Exploitation in 2018 - How Pentesting Has Changed

  

  Exploitation in 2018 - How Pentesting Has Changed Hi 0x00sec! This is the next installment of my pentesting series. If you missed my last two articles, you can read the first one here and the second one here. They are heavily OSINT focussed, and naturally, the next article should be about active recon, however, I move in erratic ways and such the next installment is about exploitation, and specifically, how the field has changed up until now. Please note, I am not an expert in pentesting histor...

  
  Read More

• XSLT Stylesheet Scripting Using <msxsl:script>

  

  Learn more about: XSLT Stylesheet Scripting Using

  
  Read More

• Pentesting and .hta (bypassing PowerShell Constrained Language Mode)

  

  When I’m on an engagement and I’m given a SOE and a domain account, I usually want to use a tool like PowerShell Empire to remotely…

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• PowerShell -encodedcommand Switch
• Base64 Encoding in CMD or Powershell
• PowerShell Base64 Encoding
• HackTool - Covenant PowerShell Launcher
• Potential PowerShell Obfuscation Via WCHAR