SigmaHQ/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml

35 lines
869 B
YAML
Raw Normal View History

2017-03-05 00:47:37 +00:00
title: MSHTA Spawning Windows Shell
2017-03-04 22:33:09 +00:00
status: experimental
description: Detects a Windows command line executable started from MSHTA.
reference: https://www.trustedsec.com/july-2015/malicious-htas/
author: Michael Haag
logsource:
product: windows
service: sysmon
2017-03-04 22:33:09 +00:00
detection:
selection:
EventID: 1
2017-04-16 10:01:03 +00:00
ParentImage: '*\mshta.exe'
2017-03-04 22:33:09 +00:00
Image:
- '*\cmd.exe'
- '*\powershell.exe'
- '*\wscript.exe'
- '*\cscript.exe'
- '*\sh.exe'
- '*\bash.exe'
2017-04-13 07:25:34 +00:00
- '*\reg.exe'
- '*\regsvr32.exe'
- '*\BITSADMIN*'
filter:
Commandline:
- '*/HP/HP*'
- '*\HP\HP*'
condition: selection and not filter
2017-09-12 21:54:04 +00:00
fields:
- CommandLine
- ParentCommandLine
2017-03-04 22:33:09 +00:00
falsepositives:
2017-04-13 07:25:34 +00:00
- Printer software / driver installations
2017-03-04 22:33:09 +00:00
level: high
2017-04-13 07:25:34 +00:00