forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathsuspicious_mshta_activities.yml
More file actions
48 lines (46 loc) · 2.17 KB
/
suspicious_mshta_activities.yml
File metadata and controls
48 lines (46 loc) · 2.17 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
category:
- Adversary Tactics
channel: ESCU
creation_date: '2018-08-07'
description: Monitor and detect techniques used by attackers who leverage the mshta.exe
process to execute malicious code.
detections:
- detection_id: b89919ed-fe5f-492c-b139-95dqb161039e
name: Detect mshta.exe running scripts in command-line arguments
type: splunk
- detection_id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
name: Registry Keys Used For Persistence
type: splunk
- detection_id: dcfd6b40-42f9-469d-a433-2e53f7486664
name: Detect Prohibited Applications Spawning cmd.exe
type: splunk
id: 2b1800dd-92f9-47dd-a981-fdf13w1q5d55
maintainers:
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
modification_date: '2018-08-07'
name: Suspicious MSHTA Activity
narrative: 'One common adversary tactic is to bypass application white-listing solutions
via the mshta.exe process, which executes Microsoft HTML applications with the .hta
suffix. In these cases, attackers use the trusted Windows utility to eproxy execution
of malicious files, whether an .hta application, javascript, or VBScript.\
One example of a notable mshta.exe attack was the Kovter malware (https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5)
that was implicated in ransomware and click-fraud attacks. Kovter utilized .hta
to execute a series of javascript commands, each progressively more dangerous. According
to the Mitre Parternship Network (https://attack.mitre.org/wiki/Technique/T1170),
FIN7 has leveraged mshta.exe, as has the MuddyWater group, who used it to execute
its POWERSTATS payload (which then used the utility to execute additional payloads).\
The searches in this story help you detect and investigate suspicious activity that
may indicate that an attacker is leveraging mshta.exe to execute malicious code.'
original_authors:
- company: Splunk
email: bpatel@splunk.com
name: Bhavin Patel
references:
- https://redcanary.com/blog/windows-registry-attacks-threat-detection/
- https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5
- https://attack.mitre.org/wiki/Technique/T1170
spec_version: 2
usecase: Advanced Threat Detection
version: '1.0'