MSHTA Suspicious Execution 01

Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism

Sigma rule (View on GitHub)

 1title: MSHTA Suspicious Execution 01
 2id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
 3status: test
 4description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism
 5references:
 6    - http://blog.sevagas.com/?Hacking-around-HTA-files
 7    - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
 8    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
 9    - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
10    - https://twitter.com/mattifestation/status/1326228491302563846
11author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)
12date: 2019-02-22
13modified: 2022-11-07
14tags:
15    - attack.defense-evasion
16    - attack.t1140
17    - attack.t1218.005
18    - attack.execution
19    - attack.t1059.007
20    - cve.2020-1599
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection:
26        Image|endswith: '\mshta.exe'
27        CommandLine|contains:
28            - 'vbscript'
29            - '.jpg'
30            - '.png'
31            - '.lnk'
32            # - '.chm'  # could be prone to false positives
33            - '.xls'
34            - '.doc'
35            - '.zip'
36            - '.dll'
37            # - '.exe'
38    condition: selection
39falsepositives:
40    - False positives depend on scripts and administrative tools used in the monitored environment
41level: high

References

Related rules

to-top