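# CrowdSec scenario derived from the SigmaHQ rule of the same name.
# A single matching Sysmon process-creation event (EventID 1) raises the
# alert; there is no counting or time window beyond the blackhole below.
type: trigger
name: sigmahq/proc_creation_win_mshta_susp_child_processes
description: |
  Detects a suspicious process spawning from an "mshta.exe" process, which could be indicative of a malicious HTA script execution
# expr filter, written as a folded block scalar (>-) so that one clause per
# line is still handed to the engine as a single expression.
# The event must come from the sysmon parser, be a process-creation event,
# have mshta.exe as the parent, and have a child that is one of the listed
# shells / LOLBins — matched either by the image path suffix or by the
# OriginalFileName taken from the PE header.
# NOTE(review): endsWith and `in` compare case-sensitively; the upstream Sigma
# rule matches case-insensitively. If the monitored hosts report Image or
# OriginalFileName with different casing than listed here, the event will not
# match — confirm against real events before relying on this scenario.
filter: >-
  (evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1')
  && (evt.Parsed.ParentImage endsWith '\\mshta.exe'
  && (evt.Parsed.Image endsWith '\\cmd.exe'
  || evt.Parsed.Image endsWith '\\powershell.exe'
  || evt.Parsed.Image endsWith '\\pwsh.exe'
  || evt.Parsed.Image endsWith '\\wscript.exe'
  || evt.Parsed.Image endsWith '\\cscript.exe'
  || evt.Parsed.Image endsWith '\\sh.exe'
  || evt.Parsed.Image endsWith '\\bash.exe'
  || evt.Parsed.Image endsWith '\\reg.exe'
  || evt.Parsed.Image endsWith '\\regsvr32.exe'
  || evt.Parsed.Image endsWith '\\bitsadmin.exe'
  || evt.Parsed.OriginalFileName in ['Cmd.Exe', 'PowerShell.EXE', 'pwsh.dll', 'wscript.exe', 'cscript.exe', 'Bash.exe', 'reg.exe', 'REGSVR32.EXE', 'bitsadmin.exe']))
# Suppress further alerts for the same scope for two minutes after the first.
blackhole: 2m

labels:
  service: windows
  confidence: 1
  spoofable: 0
  classification:
    - attack.t1218.005
  label: "Suspicious MSHTA Child Process"
  # No space before the colon: the key is `behavior`, as on the other labels.
  behavior: "windows:audit"
  remediation: false

# One bucket per parent process id, so each mshta.exe instance is tracked
# (and blackholed) independently.
scope:
  type: ParentProcessId
  expression: evt.Parsed.ParentProcessId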