← Back to Explore
sigmahighHunting
Suspicious MSHTA Child Process
Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
Detection Query
selection_parent:
ParentImage|endswith: \mshta.exe
selection_child:
- Image|endswith:
- \cmd.exe
- \powershell.exe
- \pwsh.exe
- \wscript.exe
- \cscript.exe
- \sh.exe
- \bash.exe
- \reg.exe
- \regsvr32.exe
- \bitsadmin.exe
- OriginalFileName:
- Cmd.Exe
- PowerShell.EXE
- pwsh.dll
- wscript.exe
- cscript.exe
- Bash.exe
- reg.exe
- REGSVR32.EXE
- bitsadmin.exe
condition: all of selection*
Author
Michael Haag
Created
2019-01-16
Data Sources
windowsProcess Creation Events
Platforms
windows
Tags
attack.defense-evasionattack.t1218.005car.2013-02-003car.2013-03-001car.2014-04-003
Raw Content
title: Suspicious MSHTA Child Process
id: 03cc0c25-389f-4bf8-b48d-11878079f1ca
status: test
description: Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
references:
- https://www.trustedsec.com/july-2015/malicious-htas/
author: Michael Haag
date: 2019-01-16
modified: 2023-02-06
tags:
- attack.defense-evasion
- attack.t1218.005
- car.2013-02-003
- car.2013-03-001
- car.2014-04-003
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\mshta.exe'
selection_child:
- Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\sh.exe'
- '\bash.exe'
- '\reg.exe'
- '\regsvr32.exe'
- '\bitsadmin.exe'
- OriginalFileName:
- 'Cmd.Exe'
- 'PowerShell.EXE'
- 'pwsh.dll'
- 'wscript.exe'
- 'cscript.exe'
- 'Bash.exe'
- 'reg.exe'
- 'REGSVR32.EXE'
- 'bitsadmin.exe'
condition: all of selection*
falsepositives:
- Printer software / driver installations
- HP software
level: high