Detects remote thread creation from CACTUSTORCH as described in references.

Read More

Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content, such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.

Read More

Detects a potentially suspicious parent of "csc.exe", which could be a sign of payload delivery.

Read More

Detects activity that could be related to Baby Shark malware

Read More

Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process

Read More

Detects execution of the "mshta" utility with an argument containing the "http" keyword, which could indicate that an attacker is executing a remotely hosted malicious hta file

Read More

Detects execution of javascript code using "mshta.exe".

Read More

Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution

Read More