MSHTA Rule v1

2024-11-07 01:45:21 +00:00 · 2017-04-13 01:08:30 +02:00 · 2017-04-13 01:08:30 +02:00 · c2ed7bd9df
commit c2ed7bd9df
parent 64caa8aedc
2 changed files with 18 additions and 1 deletions
--- a/rules/windows/sysmon/sysmon_office_shell.yml
+++ b/rules/windows/sysmon/sysmon_office_shell.yml
@ -1,4 +1,4 @@
-title: Microsoft Office Product Spawning Windows  Shell
+title: Microsoft Office Product Spawning Windows Shell
 status: experimental
 description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
 reference: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
--- a/rules/windows/sysmon/sysmon_susp_mshta.yml
+++ b/rules/windows/sysmon/sysmon_susp_mshta.yml
@ -0,0 +1,17 @@
+title: Suspicious MSHTA Child
+status: experimental
+description: Detects a Microsoft HTML Application Host execution a suspicious child process
+reference: https://twitter.com/wdormann/status/851615583099650049
+author: Florian Roth
+logsource:
+    product: windows
+    service: sysmon
+detection:
+    selection:
+        EventID: 1
+        ParentImage: '*\mshta.exe'
+    condition: selection
+falsepositives:
+    - unknown
+level: high
+