SigmaHQ/rules/windows/process_creation/win_lethalhta.yml

24 lines
596 B
YAML
Raw Normal View History

title: MSHTA spwaned by SVCHOST as seen in LethalHTA
2019-11-12 22:12:27 +00:00
id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471
status: experimental
description: Detects MSHTA.EXE spwaned by SVCHOST described in report
references:
- https://codewhitesec.blogspot.com/2018/07/lethalhta.html
2019-03-06 04:25:12 +00:00
tags:
- attack.defense_evasion
- attack.execution
- attack.t1170
author: Markus Neis
date: 2018/06/07
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: '*\svchost.exe'
Image: '*\mshta.exe'
condition: selection
falsepositives:
- Unknown
level: high