Suspicious MSHTA Activity
Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-01-20
- Author: Bhavin Patel, Michael Haag, Splunk
- ID: 1e5a5a53-540b-462a-8fb7-f44a4292f5dc
The searches in this story help you detect and investigate suspicious activity that may indicate that an attacker is leveraging mshta.exe to execute malicious code.
Validate execution
- Determine if MSHTA.exe executed. Validate the OriginalFileName of MSHTA.exe and further PE metadata. If it executed outside of c:\windows\system32 or c:\windows\syswow64, it should be highly suspect.
- Determine if script code was executed with MSHTA.
The objective of this step is to identify suspicious behavioral indicators related to the execution of script code by MSHTA.exe.
- Parent process. Is the parent process a known LOLBin? Is the parent process an Office application?
- Module loads. Are the known MSHTA.exe modules being loaded by a non-standard application? Is MSHTA loading any suspicious DLLs?
- Network connections. Are there any network connections? Review the reputation of the remote IP or domain.
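As an added example (not part of this analytic story or its Splunk searches), the Python below applies the validation checks above to constructed process-creation events: renamed binary via OriginalFileName, execution outside the two trusted directories, an Office or LOLBin parent, and inline or remotely hosted script on the command line. The parent lists and command-line tokens are assumed heuristics, not values taken from the story.

```python
from typing import Dict, List, Tuple

# Directories where the legitimate mshta.exe lives (from the story text above).
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumed, non-exhaustive parent lists for the parent-process check.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBIN_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}
# Assumed command-line tokens suggesting inline or remotely hosted script rather than a local .hta file.
SCRIPT_TOKENS = ("javascript:", "vbscript:", "http://", "https://")

def split_win_path(path: str) -> Tuple[str, str]:
    """(directory, file name) of a Windows path, lower-cased; os.path would not split on '\\' off-Windows."""
    head, _, tail = path.rpartition("\\")
    return head.lower(), tail.lower()

def triage(event: Dict[str, str]) -> List[str]:
    """Return the suspicious indicators found in one process-creation event (empty list if none)."""
    directory, name = split_win_path(event["process_path"])
    original = event.get("original_file_name", "").lower()
    parent = split_win_path(event.get("parent_process_path", ""))[1]
    cmdline = event.get("command_line", "").lower()
    if name != "mshta.exe" and original != "mshta.exe":
        return []  # not MSHTA at all, nothing to triage
    findings = []
    if original == "mshta.exe" and name != "mshta.exe":
        findings.append("renamed_mshta")        # PE metadata says MSHTA, file name does not
    if directory not in TRUSTED_DIRS:
        findings.append("non_standard_path")    # ran outside system32 / syswow64
    if parent in OFFICE_PARENTS:
        findings.append("office_parent")
    if parent in LOLBIN_PARENTS:
        findings.append("lolbin_parent")
    if any(token in cmdline for token in SCRIPT_TOKENS):
        findings.append("inline_or_remote_script")
    return findings

# Constructed sample events (not real telemetry), shaped like Endpoint.Processes fields.
SAMPLE_EVENTS = [
    {"process_path": r"C:\Windows\System32\mshta.exe", "original_file_name": "MSHTA.EXE",
     "parent_process_path": r"C:\Windows\explorer.exe",
     "command_line": r'mshta.exe "C:\Users\alice\Documents\report.hta"'},
    {"process_path": r"C:\Users\alice\AppData\Local\Temp\svchost.exe", "original_file_name": "MSHTA.EXE",
     "parent_process_path": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "svchost.exe javascript:<constructed placeholder>"},
    {"process_path": r"C:\Windows\SysWOW64\mshta.exe", "original_file_name": "MSHTA.EXE",
     "parent_process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "mshta.exe https://example.invalid/placeholder"},
]
```

The first sample (mshta.exe in System32, launched by explorer.exe with a local .hta) yields no findings; the renamed copy in Temp spawned by WINWORD.EXE trips four of the checks at once.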
Retrieval of script code
The objective of this step is to confirm the executed script code is benign or malicious.
Version: 2