Mshta (f552a5a4-49dd-4ba6-9916-e631df4d4457)
This object contains information sourced from the Living Off The Land Binaries, Scripts and Libraries (LOLBAS) project, which is licensed under GNU General Public License v3.0.
Description: Used by Windows to execute HTML Applications (.hta files).
Author: Oddvar Moe
Paths:
* C:\Windows\System32\mshta.exe
* C:\Windows\SysWOW64\mshta.exe
Resources:
* https://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4
* https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct
* https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/
* https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
Detection:
* Sigma: proc_creation_win_mshta_susp_pattern.yml
* Sigma: proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
* Sigma: proc_creation_win_mshta_lethalhta_technique.yml
* Sigma: proc_creation_win_mshta_javascript.yml
* Sigma: file_event_win_net_cli_artefact.yml
* Sigma: image_load_susp_script_dotnet_clr_dll_load.yml
* Elastic: defense_evasion_mshta_beacon.toml
* Elastic: lateral_movement_dcom_hta.toml
* Elastic: defense_evasion_suspicious_managedcode_host_process.toml
* Splunk: suspicious_mshta_activity.yml
* Splunk: detect_mshta_renamed.yml
* Splunk: suspicious_mshta_spawn.yml
* Splunk: suspicious_mshta_child_process.yml
* Splunk: detect_mshta_url_in_command_line.yml
* BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
* IOC: mshta.exe executing raw or obfuscated script within the command line
* IOC: General usage of HTA files
* IOC: mshta.exe network connection to an Internet/WWW resource
* IOC: .NET CLR libraries loaded into mshta.exe
* IOC: .NET CLR Usage Log - mshta.exe.log

[LOLBAS Mshta]