Suspicious Mshta.EXE Execution Patterns

Detects suspicious mshta process execution patterns

Sigma rule

title: Suspicious Mshta.EXE Execution Patterns
id: e32f92d1-523e-49c3-9374-bdb13b46a3ba
status: test
description: Detects suspicious mshta process execution patterns
references:
    - https://en.wikipedia.org/wiki/HTML_Application
    - https://www.echotrail.io/insights/search/mshta.exe
    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2021/07/17
modified: 2023/02/21
tags:
    - attack.execution
    - attack.t1106
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mshta.exe'
        - OriginalFileName: 'MSHTA.EXE'
    selection_susp:
        # Suspicious parents
        ParentImage|endswith:
            - '\cmd.exe'
            - '\cscript.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
        # Suspicious folders
        CommandLine|contains:
            - '\AppData\Local\'
            - 'C:\ProgramData\'
            - 'C:\Users\Public\'
            - 'C:\Windows\Temp\'
    filter_img:
        # Filter legit Locations
        - Image|startswith:
              - 'C:\Windows\System32\'
              - 'C:\Windows\SysWOW64\'
        # Suspicious extensions
        - CommandLine|contains:
              - '.htm'
              - '.hta'
        # Filter simple execution
        - CommandLine|endswith:
              - 'mshta.exe'
              - 'mshta'
    condition: all of selection_* or (selection_img and not filter_img)
falsepositives:
    - Unknown
level: high
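To make the condition concrete, here is an added example (not code from the Sigma project or the rule's authors) that hand-implements the rule's three blocks and its condition and runs them over a few constructed process_creation events; the event names and values are invented for illustration, and matching is case-insensitive as in Sigma's default string modifiers.

```python
# Minimal evaluator for the rule above, written for this page; not Sigma's own engine.
SUSPICIOUS_PARENTS = tuple(p.lower() for p in (
    '\\cmd.exe', '\\cscript.exe', '\\powershell.exe', '\\pwsh.exe',
    '\\regsvr32.exe', '\\rundll32.exe', '\\wscript.exe'))
SUSPICIOUS_FOLDERS = tuple(p.lower() for p in (
    '\\AppData\\Local\\', 'C:\\ProgramData\\', 'C:\\Users\\Public\\', 'C:\\Windows\\Temp\\'))
LEGIT_IMAGE_PREFIXES = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
EXPECTED_EXTENSIONS = ('.htm', '.hta')
SIMPLE_EXECUTION = ('mshta.exe', 'mshta')

def _field(event, key):
    """Lower-cased field value; a missing field never matches."""
    return str(event.get(key, '')).lower()

def selection_img(event):
    # A list of maps under a selection is OR: either entry is enough.
    return (_field(event, 'Image').endswith('\\mshta.exe')
            or _field(event, 'OriginalFileName') == 'mshta.exe')

def selection_susp(event):
    # Fields inside one map are ANDed: suspicious parent AND suspicious folder.
    cmd = _field(event, 'CommandLine')
    return (_field(event, 'ParentImage').endswith(SUSPICIOUS_PARENTS)
            and any(folder in cmd for folder in SUSPICIOUS_FOLDERS))

def filter_img(event):
    # Any one of the three filter entries suppresses the "mshta alone" branch.
    cmd = _field(event, 'CommandLine')
    return (_field(event, 'Image').startswith(LEGIT_IMAGE_PREFIXES)
            or any(ext in cmd for ext in EXPECTED_EXTENSIONS)
            or cmd.endswith(SIMPLE_EXECUTION))

def matches(event):
    """condition: all of selection_* or (selection_img and not filter_img)"""
    img = selection_img(event)
    return (img and selection_susp(event)) or (img and not filter_img(event))

# Constructed sample events (not real telemetry); names are invented labels.
EVENTS = {
    'hta_from_public_via_cmd': {'Image': 'C:\\Windows\\System32\\mshta.exe',
        'ParentImage': 'C:\\Windows\\System32\\cmd.exe',
        'CommandLine': 'mshta.exe C:\\Users\\Public\\update.hta'},
    'vendor_help_file': {'Image': 'C:\\Windows\\System32\\mshta.exe',
        'ParentImage': 'C:\\Windows\\explorer.exe',
        'CommandLine': '"C:\\Windows\\System32\\mshta.exe" "C:\\Program Files\\Vendor\\help.hta"'},
    'relocated_binary': {'Image': 'C:\\Temp\\mshta.exe',
        'ParentImage': 'C:\\Windows\\explorer.exe', 'CommandLine': '"C:\\Temp\\mshta.exe" about:blank'},
    'bare_launch': {'Image': 'C:\\Windows\\System32\\mshta.exe',
        'ParentImage': 'C:\\Windows\\explorer.exe', 'CommandLine': 'mshta.exe'},
}

def triggered(events=EVENTS):
    """Names of the events the rule fires on."""
    return [name for name, ev in events.items() if matches(ev)]  # → ['hta_from_public_via_cmd', 'relocated_binary']
```

The first event fires through the `all of selection_*` branch even though `filter_img` would match it, which is why the filter only suppresses the second branch; the vendor HTA and bare launch are dropped by `filter_img`, and the relocated binary fires because no filter entry applies.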
