mshta
|
LOLBAS
Tags
| attack-pattern: | Data Javascript - T1059.007 Mshta - T1218.005 Mshta - T1170 |
Common Information
| Type | Value |
|---|---|
| UUID | cf98298c-0ffe-4b52-af12-904e91cbfe87 |
| Fingerprint | 948be1dcb08c7cc2 |
| Analysis status | DONE |
| Considered CTI value | 2 |
| Text language | |
| Published | Jan. 14, 2018, midnight |
| Added to db | Sept. 26, 2022, 9:31 a.m. |
| Last updated | Nov. 17, 2024, 11:40 p.m. |
| Headline | .. / Mshta.exe Star |
| Title | mshta | LOLBAS |
| Detected Hints/Tags/Attributes | 21/1/47 |
Source URLs
| Redirection | Url | |
|---|---|---|
| Details | Source | https://lolbas-project.github.io/lolbas/Binaries/Mshta/ |
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 1 | evi1cg.me |
|
| Details | Domain | 4128 | github.com |
|
| Details | Domain | 12 | oddvar.moe |
|
| Details | File | 456 | mshta.exe |
|
| Details | File | 36 | c:\windows\system32\mshta.exe |
|
| Details | File | 11 | c:\windows\syswow64\mshta.exe |
|
| Details | File | 1 | applocker_bypass_techniques.html |
|
| Details | File | 1 | msthta.exe |
|
| Details | File | 3 | c:\ads\file.txt |
|
| Details | Github username | 17 | redcanaryco |
|
| Details | Github username | 27 | sigmahq |
|
| Details | Github username | 17 | elastic |
|
| Details | Github username | 5 | splunk |
|
| Details | Github username | 3 | lolbas-project |
|
| Details | sha1 | 1 | 05c58b4892942c34bfa01e9ada88ef2663858e1c |
|
| Details | sha1 | 4 | 08ca62cc8860f4660e945805d0dd615ce75258c1 |
|
| Details | sha1 | 1 | f4ac416ef44862930730f8b7f16362b0e987bc71 |
|
| Details | sha1 | 1 | ff0f1a0222b5100120ae3e43df18593f904c69c0 |
|
| Details | sha1 | 1 | f8f643041a584621e66cf8e6d534ad3db92edc29 |
|
| Details | sha1 | 1 | cc241c0b5ec590d76cb88ec638d3cc37f68b5d50 |
|
| Details | sha1 | 1 | 82ec6ac1eeb62a1383792719a1943b551264ed16 |
|
| Details | sha1 | 1 | 08ed88bd88259c03c771c30170d2934ed0a8f878 |
|
| Details | sha1 | 2 | bee2a4cefa533f286c546cbe6798a0b5dec3e5ef |
|
| Details | sha1 | 2 | 18f63553a9dc1a34122fa123deae2b2f9b9ea391 |
|
| Details | MITRE ATT&CK Techniques | 59 | T1218.005 |
|
| Details | Url | 1 | https://evi1cg.me/archives/applocker_bypass_techniques.html#menu_index_4 |
|
| Details | Url | 1 | https://github.com/redcanaryco/atomic-red-team/blob/master/windows/payloads/mshta.sct |
|
| Details | Url | 1 | https://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2 |
|
| Details | Url | 3 | https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it |
|
| Details | Url | 1 | https://github.com/sigmahq/sigma/blob/05c58b4892942c34bfa01e9ada88ef2663858e1c/rules/windows/process_creation/win_susp_mshta_pattern.yml |
|
| Details | Url | 1 | https://github.com/sigmahq/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml |
|
| Details | Url | 1 | https://github.com/sigmahq/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_lethalhta.yml |
|
| Details | Url | 1 | https://github.com/sigmahq/sigma/blob/f4ac416ef44862930730f8b7f16362b0e987bc71/rules/windows/process_creation/win_shell_spawn_mshta.yml |
|
| Details | Url | 1 | https://github.com/sigmahq/sigma/blob/ff0f1a0222b5100120ae3e43df18593f904c69c0/rules/windows/process_creation/win_mshta_javascript.yml |
|
| Details | Url | 1 | https://github.com/sigmahq/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/file_event/sysmon_susp_clr_logs.yml |
|
| Details | Url | 1 | https://github.com/sigmahq/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml |
|
| Details | Url | 1 | https://github.com/elastic/detection-rules/blob/f8f643041a584621e66cf8e6d534ad3db92edc29/rules/windows/defense_evasion_mshta_beacon.toml |
|
| Details | Url | 1 | https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/lateral_movement_dcom_hta.toml |
|
| Details | Url | 1 | https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml |
|
| Details | Url | 1 | https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/stories/suspicious_mshta_activity.yml |
|
| Details | Url | 1 | https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_renamed.yml |
|
| Details | Url | 1 | https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_spawn.yml |
|
| Details | Url | 1 | https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_child_process.yml |
|
| Details | Url | 1 | https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_url_in_command_line.yml |
|
| Details | Url | 3 | https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules |
|
| Details | Url | 2 | https://webserver/payload.sct |
|
| Details | Url | 2 | https://raw.githubusercontent.com/lolbas-project/lolbas/master/osbinaries/payload/mshta_calc.sct").exec |