Remotely Hosted HTA File Executed Via Mshta.EXE
Last updated on:
In this page
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
Remotely Hosted HTA File Executed Via Mshta.EXE | Standard | Windows | Defense Evasion: System Binary Proxy Execution - Mshta (T1218.005) | Trouble |
About the rule
Rule Type
Standard
Rule Description
Mshta.exe is a native binary of Windows which executes Microsoft HTML Application (HTA) script code. It is abused by attackers to launch malicious HTA files. This rule detects the execution of Mshta.exe with an argument containing the "http" keyword and helps identify the execution of a remotely hosted malicious HTA file.
Severity
Trouble
Rule journey
Attack chain scenario
Initial Access → Persistence → Privilege Escalation → Defense Evasion → Execution of Mshta.exe → Execution of malware script
Impact
- Malware execution
- Defense evasion
- System compromise
Rule Requirement
Prerequisites
- Windows Event Viewer
Log in to a domain controller with domain admin credentials and open the Group Policy Management Console. Create or edit a Group Policy Object linked to the appropriate organizational unit. Enable auditing for process creation and process termination events, ensuring success events are logged. For enhanced process tracking enable the inclusion of command line information in process creation events. Finally, create a new registry key "Microsoft-Windows-Security-Auditing/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".
- Sysmon
Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add process creation events to the configuration file to capture all process creations. Finally, create a registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog".
Criteria
Action1: actionname = "Process started" AND (PROCESSNAME endswith "\mshta.exe" OR ORIGINALFILENAME = "MSHTA.EXE") AND COMMANDLINE contains "http://,https://,ftp://" select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
Defense Evasion: System Binary Proxy Execution - Mshta (T1218.005)
Security Standards
Enabling this rule will help you meet the security standard's requirement listed below:
DE.AE-02: Potentially adverse events are analyzed to better understand associated activities.
When this rule is triggered, you're notified of the execution of Mshta.exe to launch a malicious HTA file. This enables you to identify malicious remote script executions in the system and detect attempts of defense evasion in the network.
Author
Nasreddine Bencherchali (Nextron Systems)
Future actions
Known False Positives
This rule might be triggered when legitimate Mshta.exe files are executed to launch an application.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- System process audit: Continuously monitor system processes to identify the execution of Mshta.exe and detect attempts to launch malicious HTA files.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
M1042 | Disable Mshta.exe if not required. | |
M1038 | Enforce application control policies to block execution of Mshta.exe. |
