sigmahighHunting

Potential LethalHTA Technique Execution

Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process

MITRE ATT&CK

defense-evasion

Detection Query

selection:
  ParentImage|endswith: \svchost.exe
  Image|endswith: \mshta.exe
condition: selection

Author

Markus Neis

Created

2018-06-07

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://codewhitesec.blogspot.com/2018/07/lethalhta.html

Tags

attack.defense-evasionattack.t1218.005

Raw Content

title: Potential LethalHTA Technique Execution
id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471
status: test
description: Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
references:
    - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
author: Markus Neis
date: 2018-06-07
modified: 2023-02-07
tags:
    - attack.defense-evasion
    - attack.t1218.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\mshta.exe'
    condition: selection
falsepositives:
    - Unknown
level: high