title: Suspicious MSHTA Process Patterns
author: Florian Roth
date: 2021/07/17
description: Detects suspicious mshta process patterns
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    Image: '*\mshta.exe'
  SELECTION_3:
    ParentImage:
    - '*\cmd.exe'
    - '*\powershell.exe'
  SELECTION_4:
    CommandLine:
    - '*\AppData\Local*'
    - '*C:\Windows\Temp*'
    - '*C:\Users\Public*'
  SELECTION_5:
    Image:
    - '*C:\Windows\System32*'
    - '*C:\Windows\SysWOW64*'
  SELECTION_6:
    CommandLine:
    - '*.htm*'
    - '*.hta*'
  SELECTION_7:
    CommandLine:
    - '*mshta.exe'
    - '*mshta'
  condition: (SELECTION_1 and SELECTION_2 and (((SELECTION_3 or SELECTION_4) or  not
    (SELECTION_5)) or  not (SELECTION_6 and SELECTION_7)))
falsepositives:
- Unknown
id: e32f92d1-523e-49c3-9374-bdb13b46a3ba
level: high
logsource:
  category: process_creation
  product: windows
references:
- https://en.wikipedia.org/wiki/HTML_Application
- https://www.echotrail.io/insights/search/mshta.exe
- https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
status: experimental
tags:
- attack.execution
- attack.t1106
ruletype: SIGMA