Mshta Executing from Registry

 1title: Mshta Executing from Registry
 2id: 8f6de20d-0616-4cf1-875e-24ccabb2e78c
 3status: Experimental
 4description: Detects a Mshta executing code from the registry
 5author: TheDFIRReport
 6references:
 7  - https://lolbas-project.github.io/lolbas/Binaries/Mshta/
 8  - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts
 9date: 2023/01/08
10logsource:
11  category: process_creation
12  product: windows
13detection:
14  selection:
15    CommandLine|contains|all:
16      - 'wscript.shell'
17      - 'new ActiveXObject'
18      - 'regread'
19    Image|endswith:
20      - 'mshta.exe'
21  condition: selection
22fields:
23  - CommandLine
24falsepositives:
25  - Unknown
26level: high
27tags:
28  - attack.defense_evasion
29  - attack.t1218.005

References

• Mshta on LOLBAS

  

  Mshta.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

  
  Read More

• Unwrapping Ursnifs Gifts

  

  In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the env…

  
  Read More

Related rules

• Bumblebee WmiPrvSE execution pattern
• Enable WDigest using PowerShell (ps_module)
• ISO, VHD, LNK or IMG File Extracted from Zip (Sysmon)
• Web Browser Creates Zip Archive File (Sysmon)
• Suspicious Use of Rcedit Utility to Alter Executable Metadata