| 1 | +# Detect suspicious Mshta usage |
| 2 | + |
| 3 | +This query was originally published in the threat analytics report, *Ursnif (Gozi) continues to evolve*. |
| 4 | + |
| 5 | +[Microsoft HTML Applications](https://docs.microsoft.com/previous-versions/ms536496(v=vs.85)), or *HTAs*, are executable files that use the same technologies and models as Internet Explorer, but do not run inside of a web browser. |
| 6 | + |
| 7 | +*[Mshta.exe](https://docs.microsoft.com/en-us/previous-versions/windows/embedded/aa940701(v%3dwinembedded.5))* is a Windows utility that provides a host for HTA files to run in. Although it has legitimate uses, attackers can use mshta.exe to run malicious Javascript or VBScript commands. The MITRE ATT&CK framework includes [Mshta](https://attack.mitre.org/techniques/T1170/) among its list of enterprise attack techniques. |
| 8 | + |
| 9 | +The following query detects when mshta.exe has been run, which might include illegitimate usage by attackers. |
| 10 | + |
| 11 | +## Query |
| 12 | + |
| 13 | +```Kusto |
| 14 | +// mshta.exe script launching processes |
| 15 | +DeviceProcessEvents |
| 16 | +| where Timestamp > ago(7d) |
| 17 | +and InitiatingProcessFileName =~ 'mshta.exe' |
| 18 | +and InitiatingProcessCommandLine contains '<script>' |
| 19 | +``` |
| 20 | + |
| 21 | +## Category |
| 22 | + |
| 23 | +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. |
| 24 | + |
| 25 | +| Technique, tactic, or state | Covered? (v=yes) | Notes | |
| 26 | +|-|-|-| |
| 27 | +| Initial access | | | |
| 28 | +| Execution | v | | | |
| 29 | +| Execution | v | The query will detect whenever mshta.exe has been run over the past seven days. This sort of activity, although suspicious, is not by itself actively harmful. Administrators should investigate further to determine if the event was malicious. | |
| 30 | +| Privilege escalation | | | |
| 31 | +| Defense evasion | | | |
| 32 | +| Credential Access | | | |
| 33 | +| Discovery | | | |
| 34 | +| Lateral movement | | | |
| 35 | +| Collection | | | |
| 36 | +| Command and control | | | |
| 37 | +| Exfiltration | | | |
| 38 | +| Impact | | | |
| 39 | +| Vulnerability | | | |
| 40 | +| Misconfiguration | | | |
| 41 | +| Malware, component | | | |
| 42 | + |
| 43 | +## Contributor info |
| 44 | + |
| 45 | +**Contributor:** Microsoft Threat Protection team |
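Review bot: the description at lines 9 and 29 does not match what the query at lines 15-18 actually matches: the query only returns DeviceProcessEvents where the *initiating* process is mshta.exe and its command line contains `<script>`, so it catches mshta launching child processes from an inline script, not every run of mshta.exe (an mshta invocation of a remote .hta URL with no child process, for example, would not be returned). Either reword "detects when mshta.exe has been run" to "detects processes spawned by mshta.exe when it was started with an inline `<script>` payload", or widen the query (e.g. match on `FileName =~ 'mshta.exe'` as well) if detecting all runs is the intent. Also, the category table has two "Execution" rows (lines 28 and 29); drop the empty one at line 28 so the table has one row per technique, and "Javascript" at line 7 should be "JavaScript".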