Mshta Executing from Registry

 1title: Mshta Executing from Registry
 2id: 8f6de20d-0616-4cf1-875e-24ccabb2e78c
 3status: Experimental
 4description: Detects a Mshta executing code from the registry
 5author: TheDFIRReport
 6references:
 7  - https://lolbas-project.github.io/lolbas/Binaries/Mshta/
 8  - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts
 9date: 2023/01/08
10logsource:
11  category: process_creation
12  product: windows
13detection:
14  selection:
15    CommandLine|contains|all:
16      - 'wscript.shell'
17      - 'new ActiveXObject'
18      - 'regread'
19    Image|endswith:
20      - 'mshta.exe'
21  condition: selection
22fields:
23  - CommandLine
24falsepositives:
25  - Unknown
26level: high
27tags:
28  - attack.defense_evasion
29  - attack.t1218.005

References

• Mshta | LOLBAS

  Download: INetCache INetCache downloaders typically store files in a randomly-named folder under %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE, having added [1] or a higher number between the file'...

  
  Read More

• Unwrapping Ursnifs Gifts - The DFIR Report

  

  In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment … Read More

  
  Read More

Related rules

• Bumblebee WmiPrvSE execution pattern
• Enable WDigest using PowerShell (ps_module)
• Potential Winnti Dropper Activity
• Cisco File Deletion
• Space After Filename - macOS