forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathmshta_launching_scripts.yml
More file actions
109 lines (109 loc) · 3.77 KB
/
mshta_launching_scripts.yml
File metadata and controls
109 lines (109 loc) · 3.77 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
asset_type: Endpoint
confidence: medium
creation_date: '2018-08-07'
data_metadata:
data_models:
- Endpoint
data_source:
- Endpoint Intel
providing_technologies:
- Carbon Black Response
- CrowdStrike Falcon
- Sysmon
- Tanium
- Ziften
description: This search looks for the execution of "mshta.exe" with command-line
arguments that launch a script. The search will return the first time and last time
these command-line arguments were used for these executions, as well as the target
system, the user, process "mshta.exe" and its parent process.
detect:
splunk:
correlation_rule:
notable:
nes_fields: dest, process, parent_process_name
rule_description: Mshta.exe is seen to be executing scripts via the command-line
arguments
rule_title: Mshta.exe is executing scripts on $dest$
risk:
risk_object: dest
risk_object_type:
- system
risk_score: 50
schedule:
cron_schedule: 0 * * * *
earliest_time: -70m@m
latest_time: -10m@m
search: '| tstats `security_content_summariesonly` count values(Processes.process) as process
values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mshta.exe
by Processes.user Processes.process_name Processes.parent_process_name Processes.dest |
`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`|
search (process=*vbscript* OR process=*javascript*)'
suppress:
suppress_fields: dest, process, parent_process_name
suppress_period: 86400s
eli5: Mshta.exe is a built-in Windows utility that can launch HTML files with .hta
extensions (HTML applications), javascript, or VBScript. The search detects this
behavior by looking for events where the process mshta.exe is executed with command-line
arguments that indicate that a script is invoked
entities:
- dest
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the process name, parent process, and command-line executions from your
endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the
Sysmon TA.
id: b89919ed-fe5f-492c-b139-95dqb161039e
investigations:
- id: fecf2918-670d-4f1c-872b-3d7317a41xf9
name: Get Registry Activities
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
name: Get Authentication Logs For Endpoint
type: splunk
- id: fecf2918-670d-4f1c-872b-3d7317a41bf9
name: Get Parent Process Info
type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d55
name: Get Risk Modifiers For User
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd71
name: Get Process Info
type: splunk
- id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
name: Get Notable History
type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d65
name: Get Risk Modifiers For Endpoint
type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
name: Get User Information from Identity Table
type: splunk
known_false_positives: Although unlikely, some legitimate applications may exhibit
this behavior, triggering a false positive.
maintainers:
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
mappings:
cis20:
- CIS 8
kill_chain_phases:
- Exploitation
mitre_attack:
- Execution
- Command-Line Interface
- Persistence
nist:
- PR.PT
- DE.CM
modification_date: '2018-12-03'
name: Detect mshta.exe running scripts in command-line arguments
original_authors:
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '2.0'